lsof (list open files) is a tool that lists the files open on the current system. In the Linux environment, everything exists in the form of files, and through files you can access not only regular data but also network connections and hardware. For resources such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) sockets, the system allocates a file descriptor for the application in the background. Whatever the nature of the file, the file descriptor gives the application a common interface for interacting with the underlying operating system. Because the list of descriptors for an application's open files provides a lot of information about the application itself, being able to view this list with the lsof tool is helpful for system monitoring and troubleshooting.
1. Command format:
lsof [parameters] [files]
2. Command function:
It is used to view the files opened by a process, the processes that have a given file open, and the ports (TCP, UDP) opened by a process. It can also be used to recover deleted files. It is a very convenient system monitoring tool. Because lsof needs to access kernel memory and various files, it needs to be run as the root user.
A file listed by lsof can be:
1. Ordinary file
2. Directory
3. Network file system file
4. Character or device file
5. Shared library (function library)
6. Pipe, named pipe
7. Symlink
8. Network file (for example: NFS file, network socket, UNIX domain socket)
9. Other types of files
3. Command parameters:
-a List processes that have open files
-c <process name> List files opened by the specified process
-g List GID process details
-d <file number> List processes occupying this file number
+d <directory> List open files in a directory
+D <directory> Recursively list open files in a directory
-n <directory> List files using NFS
-i <condition> List eligible processes (4, 6, protocol, :port, @ip)
-p <process number> List files opened by the specified process number
-u List process details with UID number
-h Show help information
-v Show version information
4. Usage examples:
Example 1: Without any parameters
Command:
lsof
Output:
init 1 root cwd DIR 8,2 4096 2 /
init 1 root rtd DIR 8,2 4096 2 /
init 1 root txt REG 8,2 43496 6121706 /sbin/init
init 1 root mem REG 8,2 143600 7823908 /lib64/ld-2.5.so
init 1 root mem REG 8,2 1722304 7823915 /lib64/libc-2.5.so
init 1 root mem REG 8,2 23360 7823919 /lib64/libdl-2.5.so
init 1 root mem REG 8,2 95464 7824116 /lib64/libselinux.so.1
init 1 root mem REG 8,2 247496 7823947 /lib64/libsepol.so.1
init 1 root 10u FIFO 0,17 1233 /dev/initctl
migration 2 root cwd DIR 8,2 4096 2 /
migration 2 root rtd DIR 8,2 4096 2 /
migration 2 root txt unknown /proc/2/exe
ksoftirqd 3 root cwd DIR 8,2 4096 2 /
ksoftirqd 3 root rtd DIR 8,2 4096 2 /
ksoftirqd 3 root txt unknown /proc/3/exe
migration 4 root cwd DIR 8,2 4096 2 /
migration 4 root rtd DIR 8,2 4096 2 /
migration 4 root txt unknown /proc/4/exe
ksoftirqd 5 root cwd DIR 8,2 4096 2 /
ksoftirqd 5 root rtd DIR 8,2 4096 2 /
ksoftirqd 5 root txt unknown /proc/5/exe
events/0 6 root cwd DIR 8,2 4096 2 /
events/0 6 root rtd DIR 8,2 4096 2 /
events/0 6 root txt unknown /proc/6/exe
events/1 7 root cwd DIR 8,2 4096 2 /
Description:
The meaning of each column in the lsof output is as follows:
COMMAND: the name of the process
PID: Process identifier
PPID: parent process identifier (requires the -R parameter to be specified)
USER: process owner
PGID: the group the process belongs to
FD: file descriptor; the application identifies the file by its file descriptor. Values include cwd, txt, etc.
(1) cwd: the current working directory of the application, which is the directory where the application was started, unless the application itself changes it
(2) txt: program code, such as the application binary itself or a shared library, for example the /sbin/init program shown in the list above
(3) lnn: library references (AIX)
(4) er: FD information error (see NAME column)
(5) jld: jail directory (FreeBSD)
(6) ltx: shared library text (code and data)
(7) mxx: hex memory-mapped type number xx
(8) m86: DOS Merge mapped file
(9) mem: memory-mapped file
(10) mmap: memory-mapped device
(11) pd: parent directory
(12) rtd: root directory
(13) tr: kernel trace file (OpenBSD)
(14) v86: VP/ix mapped file
(15) 0: standard input
(16) 1: standard output
(17) 2: standard error
Generally, a numeric descriptor such as standard input, standard output, or standard error is followed by a file status mode: r, w, u, etc.
(1) u: Indicates that the file is open and in read/write mode
(2) r: Indicates that the file is opened and in read-only mode
(3) w: Indicates that the file is opened and is in
(4) Space: Indicates that the status mode of the file is unknown and not locked
(5)-: Indicates that the status mode of the file is unknown and locked
The file status mode may in turn be followed by a lock character:
(1) N: for a Solaris NFS lock of unknown type
(2) r: for a read lock on part of the file
(3) R: for a read lock on the entire file
(4) w: for a write lock on part of the file
(5) W: for a write lock on the entire file
(6) u: for a read and write lock of any length
(7) U: for a lock of unknown type
(8) x: for an SCO OpenServer Xenix lock on part of the file
(9) X: for an SCO OpenServer Xenix lock on the entire file
(10) space: if there is no lock
TYPE: file type, such as DIR, REG, etc. Common file types:
(1) DIR: indicates the directory
(2) CHR: Indicates the character type
(3) BLK: block device type
(4) UNIX: UNIX domain socket
(5) FIFO: first in first out (FIFO) queue
(6) IPv4: Internet Protocol (IP) sockets
DEVICE: Specifies the name of the disk
SIZE: the size of the file
NODE: inode (identification of the file on disk)
NAME: The exact name of the open file
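An added example, not from the original page: a POSIX shell decoder for the FD column described above (descriptor, access mode, lock character), applied to lsof-style lines to list regular files held open for writing. The function names are hypothetical; the vi and sshd sample rows are taken from this page's outputs, while the header, mysqld and tail rows are constructed.

```shell
# Added example (not from the original page): decode lsof's FD column.
# decode_fd FIELD: print "descriptor mode lock"; return 1 if unparseable.
decode_fd() {
    fd=$1
    case $fd in   # named descriptors carry no mode or lock character
        cwd|rtd|txt|mem|mmap|pd|ltx|jld|tr|v86|m86|er) echo "$fd - -"; return 0 ;;
    esac
    num=${fd%%[!0-9]*}                 # leading digits = descriptor number
    [ -n "$num" ] || return 1
    rest=${fd#"$num"}                  # mode character, then lock character
    case $rest in
        r*) mode=read ;; w*) mode=write ;; u*) mode=read/write ;; *) mode=unknown ;;
    esac
    case ${rest#?} in
        '') lock=none ;;
        r) lock=read-partial ;;  R) lock=read-whole ;;
        w) lock=write-partial ;; W) lock=write-whole ;;
        u) lock=read/write ;;    *) lock=other ;;
    esac
    case $num in
        0) name=stdin ;; 1) name=stdout ;; 2) name=stderr ;; *) name=fd$num ;;
    esac
    echo "$name $mode $lock"
}
# writable_regs: read lsof lines on stdin and print "PID COMMAND MODE LOCK NAME"
# for regular files (TYPE REG) open for writing. NAME = last field (no spaces).
writable_regs() {
    while read -r cmd pid user fd type rest; do
        [ "$type" = REG ] || continue          # also skips the header row
        d=$(decode_fd "$fd") || continue
        set -- $d                              # $1=descriptor $2=mode $3=lock
        case $2 in
            write|read/write) echo "$pid $cmd $2 $3 ${rest##* }" ;;
        esac
    done
}
# Sample input: vi/sshd rows from this page; header, mysqld, tail rows constructed.
sample() {
    cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
vi 24976 root cwd DIR 8,2 4096 2258872 /opt/soft/test/test3
vi 24976 root 4u REG 8,2 12288 2258882 /opt/soft/test/test3/.log2013.log.swp
sshd 2756 root txt REG 8,2 409488 1027867 /usr/sbin/sshd
mysqld 3012 mysql 5uW REG 8,2 10485760 2260001 /var/lib/mysql/ibdata1
tail 3100 test 3r REG 8,2 2048 2260002 /var/log/app.log
EOF
}
sample | writable_regs
```

On a live system the same filter can be fed from lsof itself, for example lsof -u username | writable_regs.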
Example 2: See who is using a file, that is, find the processes related to a file
Command:
lsof /bin/bash
Example 3: Recursively view file information in a directory
Command:
lsof +D test/test3
Description:
When +D is used, all subdirectories and files in the given directory are listed.
Example 4: Traverse and view all file information in a directory without using the +D option
Command:
lsof | grep 'test/test3'
Output:
vi 24976 root cwd DIR 8,2 4096 2258872 /opt/soft/test/test3
vi 24976 root 4u REG 8,2 12288 2258882 /opt/soft/test/test3/.log2013.log.swp
Example 5: List file information opened by a user
Command:
lsof -u username
Description:
In the -u option, u is short for user.
Example 6: List file information opened by a program's processes
Command:
lsof -c mysql
Description:
The -c option lists the files of all processes whose command name starts with mysql. You could also write lsof | grep mysql, but the first form is a few characters shorter than the second.
Example 7: List open file information for multiple processes
Command:
lsof -c mysql -c apache
Example 8: List file information opened by a user and a process
Command:
lsof -u test -c mysql
Description:
The user and the process may or may not be related.
Example 9: List open file information for all users except a certain user
Command:
lsof -u ^root
Description:
The ^ symbol before the user name prevents files opened by the root user's processes from being displayed.
Example 10: Display the files opened by a given process ID
Command:
lsof -p 1
Example 11: List file information for multiple process IDs
Command:
lsof -p 1,2,3
Example 12: List file information opened by all process IDs except a certain one
Command:
lsof -p ^1
Example 13: List all network connections
Command:
lsof -i
Example 14: List all TCP network connection information
Command:
lsof -i tcp
Example 15: List all UDP network connection information
Command:
lsof -i udp
Example 16: List who is using a certain port
Command:
lsof -i :3306
Example 17: List who is using a specific UDP port
Command:
lsof -i udp:55
Or a specific TCP port:
Command:
lsof -i tcp:80
Example 18: List all active network ports of a user
Command:
lsof -a -u test -i
Example 19: List all network file systems
Command:
lsof -N
Example 20: UNIX domain socket files
Command:
lsof -U
Example 21: File information opened by a user group
Command:
lsof -g 5555
Example 22: List file information by file descriptor
Command:
lsof -d <descriptor> (for example, 2)
For example: lsof -d txt
For example: lsof -d 1
For example: lsof -d 2
Description:
0 means standard input, 1 means standard output, and 2 means standard error, so the FDs of files opened by most applications start from 3.
Example 23: List file information by file descriptor range
Command:
lsof -d 2-3
Example 24: List file information where the COMMAND column contains the string "sshd" and the file descriptor type is txt
Command:
lsof -c sshd -a -d txt
Output:
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 2756 root txt REG 8,2 409488 1027867 /usr/sbin/sshd
sshd 24155 root txt REG 8,2 409488 1027867 /usr/sbin/sshd
sshd 24905 root txt REG 8,2 409488 1027867 /usr/sbin/sshd
sshd 24937 root txt REG 8,2 409488 1027867 /usr/sbin/sshd
Example 25: List all IPv4 network files opened by process ID 1234
Command:
lsof -i 4 -a -p 1234
Example 26: List all file information related to current connections to the host peida.linux on ports 20, 21, 22, 25, 53, 80, and re-run the lsof command every 3 seconds
Command:
lsof -i @peida.linux:20,21,22,25,53,80 -r 3