First, the basic introduction
(1) The lsof command lists open files, the processes that have them open, and the ports (TCP, UDP) that processes have opened.
(2) Retrieve/recover deleted files.
Second, lsof syntax
lsof [options] filename
-a: Lists the processes for which open files exist
-c<process name>: Lists the files opened by the specified process
-g: Lists the GID process details
-d<file number>: Lists the processes that occupy the file number
+d<directory>: Lists files opened in the directory
+D<directory>: Recursively lists files opened under the directory
-n<directory>: Lists files using NFS
-i<conditions>: Lists the processes that match the conditions (4, 6, protocol, :port, @ip)
-p<process number>: Lists the files opened by the specified process number
-u: Lists the UID process details
-h: Displays the help information
-v: Displays the version information
Examples:
lsof abc.txt            Show the processes that have the file abc.txt open
lsof -c abc             Show the files currently opened by the abc process
lsof -p 1234            List the files opened by the process with process number 1234
lsof -g gid             Show the processes that belong to gid
lsof +d /usr/local/     Show the files opened by processes in the directory
lsof +D /usr/local/     Same as above, but also searches the directories under it, which takes longer
lsof -d 4               Show the processes using fd 4
lsof -i                 Show the processes that match the conditions
lsof -i[46] [protocol][@hostname|hostaddr][:service|port]
  46       --> IPv4 or IPv6
  protocol --> TCP or UDP
  hostname --> Internet host name
  hostaddr --> IPv4 address
  service  --> service name in /etc/services (can be more than one)
  port     --> port number (can be more than one)
Third, the lsof output in detail
# cd /mnt/
# lsof /mnt/
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
bash    1523 root  cwd    DIR   11,1     4096 1856 /mnt
lsof    1669 root  cwd    DIR   11,1     4096 1856 /mnt
lsof    1670 root  cwd    DIR   11,1     4096 1856 /mnt
COMMAND: Name of the process
PID: Process identifier
USER: Process owner
FD: File descriptor; the application identifies the file through its file descriptor, such as cwd, txt, etc.
TYPE: File type, such as DIR, REG, etc.
DEVICE: Specifies the name of the disk
SIZE: Size of the file
NODE: Index node (the identity of the file on disk)
NAME: The exact name of the open file
File descriptor column values:
cwd: Current working directory of the application, which is the directory the application was launched from, unless the application itself changes it.
txt: Program code, such as the application binary file itself or a shared library, for example the /sbin/init program.
lnn: library references (AIX)
err: FD information error (see NAME column)
jld: jail directory (FreeBSD)
ltx: shared library text (code and data)
Mxx: hex memory-mapped type number xx
m86: DOS Merge mapped file
mem: memory-mapped file
mmap: memory-mapped device
pd: parent directory
rtd: root directory
tr: kernel trace file (OpenBSD)
v86: VP/ix mapped file
0: Represents the standard output
1: Represents a standard input
2: Represents standard error

A file status mode generally follows the standard output, standard error, and standard input descriptors:
u: Indicates that the file is open and is in read/write mode.
r: Indicates that the file is open and is in read-only mode.
w: Indicates that the file is open and in.
Space: Indicates that the file's status mode is unknown and the file is not locked.
-: Indicates that the file's status mode is unknown and the file is locked.

The file status mode is in turn followed by the lock character:
N: for a Solaris NFS lock of unknown type
r: for a read lock on part of the file
R: for a read lock on the entire file
w: for a write lock on part of the file
W: for a write lock on the entire file
u: for a read and write lock of any length
U: for a lock of unknown type
x: for an SCO OpenServer Xenix lock on part of the file
X: for an SCO OpenServer Xenix lock on the entire file
Space: if there is no lock
File types:
DIR: Represents a directory.
CHR: Represents a character device type.
BLK: Block device type.
unix: UNIX domain sockets.
FIFO: First-in-first-out (FIFO) queue.
IPv4: Internet Protocol (IP) sockets.
Fourth, recover deleted files (the file was opened by a process before it was deleted)
# lsof /var/log/messages
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
rsyslogd 1252 root    4w   REG  253,0   201170 261273 /var/log/messages
tail     1550 root    3r   REG  253,0   201170 261273 /var/log/messages
# rm -rf /var/log/messages
# lsof /var/log/messages
lsof: status error on /var/log/messages: No such file or directory
lsof 4.82
 latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
 latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
 latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
 usage: [-?abhlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-f[gG]] [+|-e s]
 [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s]
[+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
Use the ``-h'' option to get more help information.
# lsof | grep /var/log/messages
rsyslogd 1252 root    4w   REG  253,0   201170 261273 /var/log/messages (deleted)
tail     1550 root    3r   REG  253,0   201170 261273 /var/log/messages (deleted)
# cat /proc/1252/fd/4 > aaa.txt
# cat /proc/1550/fd/3 > bbb.txt
# ls -lrt
total 420
-rw-r--r--. 1 root root   3161 Jun 18 19:58 install.log.syslog
-rw-r--r--. 1 root root   9913 Jun 18 19:59 install.log
-rw-------. 1 root root   1116 Jun 18 19:59 anaconda-ks.cfg
-rw-r--r--  1 root root 201170 Jul  6 20:17 aaa.txt
-rw-r--r--  1 root root 201365 Jul  6 20:18 bbb.txt
# diff aaa.txt bbb.txt
#
# cp aaa.txt /var/log/messages
At this point the file recovery is complete!
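The manual steps above (find the holder, then cat /proc/PID/fd/N) as a script; this is an added example, not part of the original article. It reads the /proc links directly instead of parsing lsof output, and the function names, the scratch file and the sleep holder are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: recover a deleted file that a process still holds open.

# Print the /proc/<pid>/fd/<n> path of every descriptor still pointing at
# deleted file $1. The kernel appends " (deleted)" to the link target.
find_deleted_fds() (
    want="$1 (deleted)"
    for link in /proc/[0-9]*/fd/*; do
        # Unreadable or already-closed descriptors fail here and are skipped.
        target=$(readlink "$link" 2>/dev/null) || continue
        [ "$target" = "$want" ] || continue
        echo "$link"
    done
)

# Copy deleted file $1 to $2. Each matching descriptor is tried in turn,
# because a holder can exit between the scan and the copy.
recover_deleted() (
    for link in $(find_deleted_fds "$1"); do
        cat "$link" > "$2" 2>/dev/null && exit 0
    done
    exit 1
)

# Constructed scenario: a scratch file stands in for /var/log/messages and a
# background sleep (hypothetical holder) stands in for rsyslogd or tail.
demo() (
    dir=$(mktemp -d) && dir=$(cd "$dir" && pwd -P)
    victim="$dir/messages"
    printf 'constructed log line 1\nconstructed log line 2\n' > "$victim"
    sleep 60 < "$victim" > /dev/null &
    holder=$!
    # Wait until the holder really has the file open before deleting it.
    tries=0
    while [ "$(readlink "/proc/$holder/fd/0" 2>/dev/null)" != "$victim" ] &&
          [ "$tries" -lt 50 ]; do
        sleep 0.1; tries=$((tries + 1))
    done
    rm -f "$victim"
    rc=0
    recover_deleted "$victim" "$dir/recovered.txt" || rc=$?
    kill "$holder" 2>/dev/null
    wait "$holder" 2>/dev/null || true
    if [ "$rc" -eq 0 ]; then cat "$dir/recovered.txt"; fi
    rm -rf "$dir"
    exit "$rc"
)

demo
```

Copying the recovered data back, as in the cp step above, creates a new file; a process such as rsyslogd keeps writing to the deleted one until it reopens its log.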
This article is from the "High-rise, look at the end of the Road" blog; please be sure to keep this source: http://nxyboy.blog.51cto.com/10511646/1945123
The lsof of Linux commands