The lsof of Linux commands

First, the basic introduction

(1) The lsof command is used to view the files that you have opened, the process of opening the files, the ports that the process opened (TCP, UDP).

(2) Retrieve/recover deleted files.

Second, lsof Grammar

Lsof (optional) filename-a: Lists the processes that open files exist;-c< process name;: Lists the files opened by the specified process;-G: Lists the GID process details;-d< file number;: Lists the processes that occupy the file number; +d< directory > : List files opened in directory, +d< directory: Recursively lists files opened under directory,-n< directory;: Lists files using NFS,-i< conditions;: Lists the eligible processes. (4, 6, protocol,: Port, @ip)-p< process number;: Lists the files opened by the specified process number;-U: Lists the UID number process details;-H: Displays the Help information;-V: Displays the version information.

Instance:

Lsof Abc.txt Show the process of opening file Abc.txt LSOF-C ABC show ABC process now open file Lsof-c-P 1234 List the process with process number 1234 Open File Lsof-g GID shows the process of attribution to GID lsof +d /usr/local/Display directory under the process open files Lsof +d/usr/local/, but the directory under the search directory, a long time lsof-d 4 shows the use of FD 4 process lsof-i to show the conditions of the process lsof-i[46] [PR otocol][@hostname |hostaddr][:service|port]--> IPv4 or IPV6 protocol--TCP or UDP hostname--Internet host N Ame Hostaddr--IPV4 address service----/etc/service in service name (more than one) port--port number (can be more than one)

Third, detailed lsof output results

[[email protected] ~]# cd/mnt/[[email protected] mnt]# lsof/mnt/command PID USER FD TYPE DEVICE size/off NODE nameb Ash 1523 root cwd dir 11,1 4096 1856/mntlsof 1669 root cwd dir 11,1 4096 1856/mntlsof 1670 Root CWD DIR 11,1 4096 1856/mnt

COMMAND: Name of the process

PID: Process identifier

USER: Process Owner

FD: File descriptor in which the application recognizes the file through a file descriptor. such as CWD, TXT, etc.

Type: File types, such as Dir, Reg, etc.

DEVICE: Specifies the name of the disk

Size: sizes of files

Node: Index node (the identity of the file on disk)

Name: Open the exact name of the file

File Description List characters:

CWD: Represents Current work dirctory, the current working directory of the application, which is the directory that the application launches, unless it makes changes to the directory itself. TXT: This type of file is a program code, such as the application binary file itself or a shared library, as shown in the list above  /sbin/init  program. lnn:library references  (AIX); er:fd information error  (see NAME column ); jld:jail directory  (FreeBSD); ltx:shared library text  (Code and  data);  mxx :hex memory-mapped type number xx. m86:dos merge  mapped file; mem:memory-mapped file; mmap:memory-mapped device; pd:parent  directory; rtd:root directory; tr:kernel trace file  (OpenBSD);  v86   vp/ix mapped file; 0: Represents the standard output  1: Represents a standard input  2: Indicates that standard errors generally follow the file state mode after standard output, standard error, and standard input:  u: Indicates that the file is open and is in read/write mode.  r: Indicates that the file is open and is in read-only mode.  w: Indicates that the file is open and in.   Spaces: Indicates that the file's status mode is Unknow and is not locked.  -: Indicates that the file's state mode is unknow and is locked.    at the same time behind the file state mode, also follow the relevant lock:  n:for a solaris nfs lock of unknown type; r:for read lock on part of the  file; r:for a read lock on the entire file; w:for a  write lock on part of the file; (Partial write lock of file)  w:for a write  lock on the entire file; (write lock for entire file)  u:for a read and write  lock of any length; U:for a lock of unknown type;  x:for an sco openserver xenix lock on part       of the file; x:for an sco openserver xenix lock on the       entire file; space:if there is no lock.

File type: the

Dir: Represents the directory. CHR: Represents a character type. BLK: Block device type. Unix:unix domain sockets. FIFO: In-First-out (FIFO) queue. IPV4: Internet Protocol (IP) sockets. DEVICE: Specifies the name of the disk

Iv. Recover deleted files (the file has been opened by the process before deletion)

[[email protected] ~]# lsof /var/log/messagescommand   pid user    FD   TYPE DEVICE SIZE/OFF   NODE NAMErsyslogd  1252 root    4w   reg  253,0   201170  261273 /var/log/messagestail     1550 root    3r    REG  253,0   201170 261273 /var/log/messages[[email  protected] ~]# rm -rf  /var/log/messages [[email protected] ~]# [ [Email protected] ~]# lsof /var/log/messageslsof: status error on /var /log/messages: no such file or directorylsof 4.82 latest revision:  ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/ latest faq: ftp://lsof.itap.purdue.edu/ pub/tools/unix/lsof/faq  latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man usage: [-? Abhlnnooprtuvvx] [+|-c c] [+|-d s] [+d d] [+|-f[gg]] [+|-e s]  [-F [F]] [-G [S]] [-I [I]] [+|-L [L]] [+M [M]] [+|-M]  [-O [O]] [-P S][+|-R [T]] [-S [P:S]] [-S [T]] [-T [T]]  [-u s] [+|-w] [-x [fl]] [--] [names]Use the  '-H '  option  to get more help information.

[[email protected] ~]# lsof | grep /var/log/messagesrsyslogd  1252     root    4w      REG               253,0   201170      261273 /var/log/messages  (Deleted) tail       1550    root    3r      reg               253,0   201170      261273 /var/log/messages  (deleted) [[Email protected] ~]# cat  /proc/1252/fd/4 >aaa.txt [[email protected] ~]# cat /proc/1550/fd/3  >bbb.txt[[email protected] ~]# ls -lrt total 420-rw-r--r--.  1  root root   3161 jun 18 19:58 install.log.syslog-rw-r--r--.  1 root root    9913 JUN 18 19:59 INSTALL.LOG-RW-------.  1 root root    1116 Jun 18 19:59 anaconda-ks.cfg-rw-r--r--  1 root root  201170 jul  6 20:17 aaa.txt-rw-r--r--  1 root root 201365  Jul  6 20:18 bbb.txt[[email protected] ~]# diff aaa.txt  bbb.txt [[email protected] ~]#[[email protected] ~]# cp aaa.txt   /var/log/messages  to this file recovery complete!

This article from "High-rise, look at the end of the Road" blog, please be sure to keep this source http://nxyboy.blog.51cto.com/10511646/1945123

The lsof of Linux commands