Use lsof to view linux system information

Source: Internet
Author: User
Tags pkill
1. lsof introduction lsof is a very practical system-level monitoring and diagnosis tool in linux. It means ListOpenFiles. it is easy to remember that it is a combination of "ls + ~ It can be used to list the file information opened by various processes. remember: "Everything is a file" in linux, including but not limited to pipes and sockets. 1. lsof introduction
Lsof is a very practical system-level monitoring and diagnostic tool in linux.
It means List Open Files. it is easy to remember that it is a combination of "ls + ~
It can be used to list information about files opened by various processes. remember: "Everything is a file" in linux",
Including but not limited to pipes, sockets, directories, devices, and so on.
Therefore, you can use lsof to obtain information about any opened files.
You only need to input lsof to generate a large amount of information. because lsof needs to access the core memory and various files, it must be run as a root user to make full use of its functions.
Lsof sample output:
Root @ YLinux :~ /Lab 0 # lsof
Command pid tid user fd type device size/OFF NODE NAME
Systemd 1 root cwd DIR 8, 6 4096 2/
Systemd 1 root rtd DIR 8, 6 4096 2/
Systemd 1 root txt REG 2273340 1834909/usr/lib/systemd
Systemd 1 root mem REG 210473 1700647/lib/libnss_files-2.15.s
...

2. common lsof usage 2.1 monitor opened files and devices
Check which processes occupy files and devices
# Lsof/dev/tty1
Command pid user fd type device size/OFF NODE NAME
Bash 1770 jian 0u CHR 1045, 1 0t0/dev/tty1
Bash 1770 jian 1u CHR 4, 1 0t0 1045/dev/tty1
Bash 1770 jian 2u CHR 1045/dev/tty1
Bash 1770 jian 255u CHR 1045, 1 0t0/dev/tty1
Startx 1845 jian 0u CHR 1045, 1 0t0/dev/tty1
Startx 1845 jian 1u CHR 1045, 1 0t0/dev/tty1
...

2.2 Monitoring File system
Specify the directory and mount point to see which processes have opened the files:
# Lsof/data/
Command pid user fd type device size/OFF NODE NAME
Bash 15983 jian cwd DIR 4096 8252/data/backup
...
This is useful when a file system in umount fails (this FS is busy is usually reported ).
List the files opened under a directory (such as/home:
# Lsof + D/var/log/
Command pid user fd type device size/OFF NODE NAME
Rsyslogd 488 syslog 1 w REG 1151 268940/var/log/syslog
Rsyslogd 488 syslog 2 w REG 2405 269616/var/log/auth. log
Console-k 144 root 9 w REG 10871 269369/var/log/ConsoleKit/history
List files opened by the specified process name:
# Lsof-c ssh-c init
Command pid user fd type device size/OFF NODE NAME
Init 1 root txt REG 124704 917562/sbin/init
Init 1 root mem REG 1434180 1442625/lib/i386-linux-gnu/libc-2.13.so
Init 1 root mem REG 30684 1442694/lib/i386-linux-gnu/librt-2.13.so
...
Ssh-agent 1528 lakshmanan 1u CHR 1, 3, 0t0 4369/dev/null
Ssh-agent 1528 lakshmanan 2u CHR 1, 3 0t0 4369/dev/null
Ssh-agent 1528 lakshmanan 3u unix 0xdf70e240 0t0 10464/tmp/ssh-sUymKXxw1495/agent.1495

2.3 monitoring process
Specify the process number to view the files opened by the process:
# Lsof-p 2064
Command pid user fd type device size/OFF NODE NAME
Firefox 2064 jian cwd DIR 4096 1571780/home/jian
Firefox 2064 jian rtd DIR 4096 2/
Firefox 2064 jian txt REG 44224 1985670/usr/lib/firefox-12.0/firefox
Firefox 2064 jian mem REG 14707012 925361/usr/share/fonts/chinese/msyhbd. ttf
Firefox 2064 jian mem REG 15067744 925362/usr/share/fonts/chinese/msyh. ttf
Firefox 2064 jian mem REG 16791251 1701681/usr/share/fonts/wenquanyi/wqy-zenhei.ttc
Firefox 2064 jian mem REG 67108904 10203/dev/shm/pulse-shm-3021850167
...
When you want to kill all files and devices opened by a user, you can:
Kill-9 'lsof-t-u lakshmana'
Here-t is used to separately list the process id column. For four methods to kill a process, see:
Http://www.thegeekstuff.com/2009/12/4-ways-to-kill-a-process-kill-killall-pkill-xkill/

2.4 Monitoring Network
Check which processes are in use on the specified port (lsof-I lists all open network connections ):
# Lsof-I: 22
Command pid user fd type device size/OFF NODE NAME
Sshd 1569 root 3u IPv4 10303 0t0 TCP *: ssh (LISTEN)
Sshd 1569 root 4u IPv6 10305 0t0 TCP *: ssh (LISTEN)
...
List all network files opened by a process:
Lsof-I-a-p 234
Or lsof-I-a-c ssh
List all tcp and udp connections:
Lsof-I tcp;
Lsof-I udp;
List all NFS files:
Lsof-N-u lakshmanan-
Check which processes are in use on the specified network Port:
# Lsof-I @192.168.1.91
Command pid user fd type device size/OFF NODE NAME
Skype 1909 jian 54u IPv4 9116 0t0 TCP 192.168.1.91: 40640-> 64.4.23.153: 40047 (ESTABLISHED)
Pidgin 1973 jian 7u IPv4 6599 0t0 TCP 192.168.1.91: 59311-> hx-in-f125.1e100.net: https (ESTABLISHED)
Pidgin 1973 jian 13u IPv4 9260 0t0 TCP 192.168.1.91: 54447-> by2msg3010511. phx. gbl: msnp (ESTABLISHED)
...

3. More Tips 3.1 Monitoring ?? /B>
View specified? Too many? Nica ?? Sof-u ^ lakshmanan can exclude a user ):
# Lsof-u messagebus
Command pid user fd type device size/OFF NODE NAME
Export-daem 1805 messagebus cwd DIR 8, 6 4096 2/
Export-daem 1805 messagebus rtd DIR 8, 6 4096 2/
Alibaba-daem 1805 messagebus txt REG 1235361 1834948/usr/bin/Alibaba-daemon
Middleware-daem 1805 messagebus mem REG 210473 1700647/lib/libnss_files-2.15.so
Middleware-daem 1805 messagebus mem REG 190145 1700642/lib/libnss_nis-2.15.so
Middleware-daem 1805 messagebus mem REG 490366 1700636/lib/libnsl-2.15.so
...

3.2 Monitoring Applications
View files opened by a specified program:
# Lsof-c firefox
Command pid user fd type device size/OFF NODE NAME
Firefox 2064 jian cwd DIR 4096 1571780/home/jian
Firefox 2064 jian rtd DIR 4096 2/
Firefox 2064 jian txt REG 44224 1985670/usr/lib/firefox-12.0/firefox
Firefox 2064 jian mem REG 14707012 925361/usr/share/fonts/chinese/msyhbd. ttf
Firefox 2064 jian mem REG 15067744 925362/usr/share/fonts/chinese/msyh. ttf
Firefox 2064 jian mem REG 16791251 1701681/usr/share/fonts/wenquanyi/wqy-zenhei.ttc
...

4. command mode skills 4.1 combined logical query conditions
If multiple query conditions are met, the "-a" parameter is used. the default value is-o.
# Lsof-a-c bash-u root
Command pid user fd type device size/OFF NODE NAME
Bash 1986 root cwd DIR 4096 1701593/root/lab
Bash 1986 root rtd DIR 4096 2/
Bash 1986 root txt REG 1994157 1700632/bin/bash
Bash 1986 root mem REG 9690800 405214/usr/lib/locale-archive
Bash 1986 root mem REG 210473 1700647/lib/libnss_files-2.15.so

4.2 repeated execution mode of lsof command:
Number of seconds for repeated lsof execution based on the given parameter delay
+ R indicates that when no file is opened, the repeat mode ends automatically.
-R indicates that the file will be executed no matter whether it exists or is opened until you interrupt it.
The output of each loop uses '=' as the separator. you can also use '-R' |' + r' to specify the delay time.
# Lsof-u lakshmanan-c init-a-r5
========
========
Command pid user fd type device size/OFF NODE NAME
Inita. sh 2971 lakshmanan cwd DIR 4096 393218/home/lakshmanan
Inita. sh 2971 lakshmanan rtd DIR 8, 1 4096 2/
Inita. sh 2971 lakshmanan txt REG 83848 524315/bin/dash
Inita. sh 2971 lakshmanan mem REG 1434180 1442625/lib/i386-linux-gnu/libc-2.13.so
Inita. sh 2971 lakshmanan mem REG 117960 1442612/lib/i386-linux-gnu/ld-2.13.so
Inita. sh 2971 lakshmanan 0u CHR 136,4 0t0 7/dev/pts/4
Inita. sh 2971 lakshmanan 1u CHR 136,4 0t0 7/dev/pts/4
Inita. sh 2971 lakshmanan 2u CHR 136,4 0t0 7/dev/pts/4
Inita. sh 2971 lakshmanan 10r REG 393578/home/lakshmanan/inita. sh
========
The above output is not output in the first five seconds. after "inita. sh" is started, the output starts.

5. Final skills
The disk space alarm df-h -- max = 1 is inconsistent with du-hx -- max = 1,
The most common situation is the following:
Lsof | grep-I delete
Look at the deleted files: some deleted files, but the process does not reload, the space is still occupied, you can understand it as similar to the concept that the process handle in windows is not released ~ But in windows, if a file is used by a process, you can't delete it. Although linux does not delete the file, it will not be completely released until the process has used the file, to prevent the process from crashing, this is the difference in the operating system's resource management ~
For exampleNginxMany temporary files occupy the/tmp Directory. after deletion, the files still occupy space,
You can:
Pkill-9 nginx &/etc/init. d/nginx restart
Okay, this article is over now. There are a lot more lsof information, but you can only help you here if you are familiar with it,
If you still need other content, google it yourself, cool...

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.