lsof (list open files) is a tool that lists the files currently open on the system. In Linux, everything is represented as a file: through files you can access not only regular data but also network connections and hardware. For Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) sockets, for example, the system allocates a file descriptor to the application in the background. Whatever the nature of the file, the file descriptor gives the application a common interface for interacting with the underlying operating system. Because the list of descriptors an application has open reveals a lot about the application itself, being able to view that list with lsof is helpful for system monitoring and troubleshooting.
1. Command format:
lsof [parameter][file]
2. Command function:
Used to view the files opened by a process, the processes that have a given file open, and the ports (TCP, UDP) opened by a process. It can also be used to retrieve/recover deleted files. It is a very convenient system monitoring tool. Because lsof needs to access kernel memory and various files, it needs to be run as the root user.
The open files that lsof lists can be:
1. Regular files
2. Directories
3. Network file system files
4. Character or device files
5. Shared (function) libraries
6. Pipes, named pipes
7. Symbolic links
8. Network files (for example: NFS file, network socket, UNIX domain socket)
9. Other types of files
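Section 2 mentions recovering deleted files. The following is an added example, not part of the original article: a POSIX shell filter that finds entries lsof marks "(deleted)" and maps each one to the /proc path through which the content is still readable while the process keeps it open. The "(deleted)" suffix and the /proc/<pid>/fd and /proc/<pid>/exe paths are Linux behaviour not shown on this page; the function names and sample lines are constructed, and file names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: locate deleted-but-still-open files in default lsof output.

# deleted_open_files: read lsof output on stdin and print
#   PID COMMAND /proc/<pid>/<entry> ORIGINAL_NAME
# for every entry whose NAME ends in "(deleted)".
deleted_open_files() {
    awk '$NF == "(deleted)" {
        fd = $4
        if (fd ~ /^[0-9]/) {
            sub(/[^0-9].*/, "", fd)      # strip mode/lock letters: 7w -> 7
            entry = "fd/" fd
        } else if (fd == "txt") {
            entry = "exe"                # running binary was unlinked
        } else {
            next                         # cwd, mem ...: no per-file handle
        }
        print $2, $1, "/proc/" $2 "/" entry, $(NF - 1)
    }'
}

# Constructed sample in the column layout used on this page.
sample_deleted() {
    cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
rsyslogd 812 root 7w REG 8,2 52811 2259100 /var/log/messages (deleted)
vi 24976 root 4u REG 8,2 12288 2258882 /opt/soft/test/test3/.log2013.log.swp
worker 4410 test txt REG 8,2 91344 2259333 /tmp/worker (deleted)
worker 4410 test mem REG 8,2 143600 7823908 /lib64/ld-2.5.so
EOF
}

sample_deleted | deleted_open_files
```

On a live system, pipe `lsof` into `deleted_open_files` and copy the reported /proc path to a new file before the owning process exits. A deleted txt entry means a process is running from a binary that no longer exists on disk, which is worth a closer look during triage.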
3. Command parameters:
-a lists processes that have open files
-c<process name> lists files opened by the specified process
-g lists process details by GID number
-d<file number> lists the processes occupying the file number
+d<directory> lists open files in the directory
+D<directory> recursively lists open files in the directory
-N lists files using NFS
-i<condition> lists processes that meet the condition (4, 6, protocol, :port, @ip)
-p<process number> lists files opened by the specified process number
-u lists process details by UID number
-h displays help information
-v displays version information
4. Usage examples:
Example 1: No parameters
Command:
lsof
[root@localhost ~]# lsof
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
init 1 root cwd DIR 8,2 4096 2 /
init 1 root rtd DIR 8,2 4096 2 /
init 1 root txt REG 8,2 43496 6121706 /sbin/init
init 1 root mem REG 8,2 143600 7823908 /lib64/ld-2.5.so
init 1 root mem REG 8,2 1722304 7823915 /lib64/libc-2.5.so
init 1 root mem REG 8,2 23360 7823919 /lib64/libdl-2.5.so
init 1 root mem REG 8,2 95464 7824116 /lib64/libselinux.so.1
init 1 root mem REG 8,2 247496 7823947 /lib64/libsepol.so.1
init 1 root 10u FIFO 0,17 1233 /dev/initctl
migration 2 root cwd DIR 8,2 4096 2 /
migration 2 root rtd DIR 8,2 4096 2 /
migration 2 root txt unknown /proc/2/exe
ksoftirqd 3 root cwd DIR 8,2 4096 2 /
ksoftirqd 3 root rtd DIR 8,2 4096 2 /
ksoftirqd 3 root txt unknown /proc/3/exe
migration 4 root cwd DIR 8,2 4096 2 /
migration 4 root rtd DIR 8,2 4096 2 /
migration 4 root txt unknown /proc/4/exe
ksoftirqd 5 root cwd DIR 8,2 4096 2 /
ksoftirqd 5 root rtd DIR 8,2 4096 2 /
ksoftirqd 5 root txt unknown /proc/5/exe
events/0 6 root cwd DIR 8,2 4096 2 /
events/0 6 root rtd DIR 8,2 4096 2 /
events/0 6 root txt unknown /proc/6/exe
events/1 7 root cwd DIR 8,2 4096 2 /T
Explanation:
The meaning of each column of information output by lsof is as follows:
COMMAND: the name of the process
PID: process identifier
PPID: Parent process identifier (requires specifying the -R parameter)
USER: process owner
PGID: group to which the process belongs
FD: file descriptor; the application identifies the file through its file descriptor. Values include cwd, txt, etc.
(1) cwd: the current working directory of the application. This is the directory in which the application was started, unless the application itself changes it.
(2) txt: This type of file is program code, such as the application binary itself or a shared library, such as the /sbin/init program shown in the list above.
(3) lnn: library references (AIX);
(4) er: FD information error (see NAME column);
(5) jld: jail directory (FreeBSD);
(6) ltx: shared library text (code and data);
(7) mxx: hex memory-mapped type number xx;
(8) m86: DOS Merge mapped file;
(9) mem: memory-mapped file;
(10) mmap: memory-mapped device;
(11) pd: parent directory;
(12) rtd: root directory;
(13) tr: kernel trace file (OpenBSD);
(14) v86: VP/ix mapped file;
(15) 0: indicates standard input
(16) 1: indicates standard output
(17) 2: indicates standard error
Generally, standard output, standard error, and standard input are followed by file status modes: r, w, u, etc.
(1) u: indicates that the file is open in read/write mode
(2) r: indicates that the file is open in read-only mode
(3) w: Indicates that the file is opened and in
(4) Space: indicates that the status mode of the file is unknown and is not locked.
(5) -: Indicates that the status mode of the file is unknown and is locked.
After the file status mode, there may also be a lock character:
(1) N: for a Solaris NFS lock of unknown type;
(2) r: for a read lock on part of the file;
(3) R: for a read lock on the entire file;
(4) w: for a write lock on part of the file;
(5) W: for a write lock on the entire file;
(6) u: for a read and write lock of any length;
(7) U: for a lock of unknown type;
(8) x: for an SCO OpenServer Xenix lock on part of the file;
(9) X: for an SCO OpenServer Xenix lock on the entire file;
(10) space: if there is no lock.
TYPE: file type, such as DIR or REG. Common file types:
(1) DIR: directory
(2) CHR: character device type
(3) BLK: block device type
(4) UNIX: UNIX domain socket
(5) FIFO: first-in-first-out (FIFO) queue
(6) IPv4: Internet Protocol (IP) socket
DEVICE: Specifies the name of the disk
SIZE: The size of the file
NODE: index node (identification of the file on disk)
NAME: The exact name of the open file
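An added example, not part of the original article: a POSIX shell/awk sketch that applies the FD rules above, splitting a value such as 5uW into descriptor, mode and lock, and reporting every descriptor opened for writing. Because blank columns shift the field positions (the /dev/initctl line in the listing above has no SIZE value), it reads NAME from the last field instead of from column 9. The function names are hypothetical; the mysqld and sshd sample lines are constructed, and names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: decode the FD column of default lsof output.

# decode_fd FD -> "<descriptor> <mode> <lock>" ("none" where absent).
# Named entries such as cwd, txt, mem, rtd carry no mode or lock character.
decode_fd() {
    printf '%s\n' "$1" | awk '{
        if ($0 !~ /^[0-9]/) { print $0, "none", "none"; next }
        num = $0; sub(/[^0-9].*/, "", num)     # leading digits = descriptor
        rest = substr($0, length(num) + 1)     # e.g. "u", "uW", "r"
        mode = substr(rest, 1, 1); lock = substr(rest, 2, 1)
        print num, (mode == "" ? "none" : mode), (lock == "" ? "none" : lock)
    }'
}

# writable_fds: read lsof output on stdin and print "PID COMMAND FD NAME"
# for numeric descriptors opened in w (write) or u (read/write) mode.
writable_fds() {
    awk '$1 == "COMMAND" && $2 == "PID" { next }   # skip the header
         $4 ~ /^[0-9]+[wu]/ { print $2, $1, $4, $NF }'
}

# First four entries are taken from the listings on this page;
# the mysqld and sshd lines are constructed.
sample_lsof() {
    cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
init 1 root cwd DIR 8,2 4096 2 /
init 1 root txt REG 8,2 43496 6121706 /sbin/init
init 1 root 10u FIFO 0,17 1233 /dev/initctl
vi 24976 root 4u REG 8,2 12288 2258882 /opt/soft/test/test3/.log2013.log.swp
mysqld 3012 mysql 5uW REG 8,2 1048576 2259001 /var/lib/mysql/ibdata1
sshd 2756 root 3r CHR 1,9 1922 /dev/urandom
EOF
}

decode_fd 5uW
sample_lsof | writable_fds
```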
Example 2: Check who is using a certain file, that is, find the processes related to a certain file
Command:
lsof /bin/bash
[root@localhost ~]# lsof /bin/bash
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
bash 24159 root txt REG 8,2 801528 5368780 /bin/bash
bash 24909 root txt REG 8,2 801528 5368780 /bin/bash
bash 24941 root txt REG 8,2 801528 5368780 /bin/bash
[root@localhost ~]#
Example 3: Recursively view file information of a directory
Command:
lsof test/test3
[root@localhost ~]# cd /opt/soft/
[root@localhost soft]# lsof test/test3
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
bash 24941 root cwd DIR 8,2 4096 2258872 test/test3
vi 24976 root cwd DIR 8,2 4096 2258872 test/test3
[root@localhost soft]#
Explanation:
If +D is used, all subdirectories and files in the corresponding directory will be listed.
Example 4: How to traverse and view all file information in a directory without using the +D option
Command:
lsof |grep 'test/test3'
[root@localhost soft]# lsof |grep 'test/test3'
bash 24941 root cwd DIR 8,2 4096 2258872 /opt/soft/test/test3
vi 24976 root cwd DIR 8,2 4096 2258872 /opt/soft/test/test3
vi 24976 root 4u REG 8,2 12288 2258882 /opt/soft/test/test3/.log2013.log.swp
[root@localhost soft]#
Example 5: List file information opened by a user
Command:
lsof -u username
Explanation:
In the -u option, u is the abbreviation of user.
Example 6: List file information opened by a certain program process
Command:
lsof -c mysql
Explanation:
The -c option lists the files opened by all processes whose command name starts with mysql. You can also write lsof | grep mysql, but the first method takes a few fewer characters than the second.
Example 7: List the files opened by multiple processes
Command:
lsof -c mysql -c apache
Example 8: List file information opened by a user and a process
Command:
lsof -u test -c mysql
Explanation:
Users and processes may or may not be related
Example 9: List open file information except for a certain user
Command:
lsof -u ^root
Explanation:
If the ^ symbol is placed before the user name, processes owned by that user (root here) are not displayed.
Example 10: Display the files opened by a given process number
Command:
lsof -p 1
Example 11: List file information corresponding to multiple process numbers
Command:
lsof -p 1,2,3
Example 12: List file information opened by other process numbers except a certain process number
Command:
lsof -p ^1
Example 13: List all network connections
Command:
lsof -i
Example 14: List all tcp network connection information
Command:
lsof -i tcp
Example 15: List all udp network connection information
Command:
lsof -i udp
Example 16: List who is using a certain port
Command:
lsof -i :3306
Example 17: List who is using a specific udp port
Command:
lsof -i udp:55
Or, for a specific tcp port:
Command:
lsof -i tcp:80
Example 18: List all active network ports of a user
Command:
lsof -a -u test -i
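An added example, not part of the original article, that builds on the network listings in Examples 13 to 18: a POSIX shell filter that reads lsof -i output and reports listening TCP sockets whose port is not on an allowlist. It assumes the output was produced with the lsof options -P and -n (numeric ports and addresses, not shown on this page) so that ports appear as numbers; the function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example: audit TCP listeners in `lsof -i -P -n` output.

# unexpected_listeners "PORT PORT ...": read lsof output on stdin and print
#   PORT COMMAND PID USER ADDRESS
# for each socket in state (LISTEN) whose port is not in the allowlist.
unexpected_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $NF == "(LISTEN)" {
        addr = $(NF - 1)                    # *:22, 127.0.0.1:3306, [::1]:631
        port = addr; sub(/.*:/, "", port)   # text after the last colon
        if (!(port in ok)) print port, $1, $2, $3, addr
    }' | sort -n | uniq
}

# Constructed sample in the column layout used on this page
# (the SIZE column is blank for sockets, so NAME is read from the end).
sample_listeners() {
    cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 2756 root 3u IPv6 5910 TCP *:22 (LISTEN)
mysqld 3012 mysql 10u IPv4 7721 TCP 127.0.0.1:3306 (LISTEN)
sshd 24155 root 3u IPv6 88231 TCP 192.168.1.10:22->192.168.1.50:51122 (ESTABLISHED)
python 4410 test 3u IPv4 99120 TCP *:8000 (LISTEN)
cupsd 2901 root 4u IPv6 6102 TCP [::1]:631 (LISTEN)
EOF
}

sample_listeners | unexpected_listeners "22 3306"
```

Run periodically against a per-host allowlist, the output gives a short list of new listeners to investigate, each with the owning user and PID.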
Example 19: List all network file systems
Command:
lsof -N
Example 20: UNIX domain socket files
Command:
lsof -U
Example 21: File information opened by a certain user group
Command:
lsof -g 5555
Example 22: List corresponding file information based on file descriptor
Command:
lsof -d <file descriptor> (for example, 2)
For example: lsof -d txt
For example: lsof -d 1
For example: lsof -d 2
Explanation:
0 represents standard input, 1 represents standard output, and 2 represents standard error, so the FDs of files opened by most applications start from 3.
Example 23: List file information based on a file descriptor range
Command:
lsof -d 2-3
Example 24: List file information where the COMMAND column contains the string "sshd" and the file descriptor type is txt
Command:
lsof -c sshd -a -d txt
[root@localhost soft]# lsof -c sshd -a -d txt
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 2756 root txt REG 8,2 409488 1027867 /usr/sbin/sshd
sshd 24155 root txt REG 8,2 409488 1027867 /usr/sbin/sshd
sshd 24905 root txt REG 8,2 409488 1027867 /usr/sbin/sshd
sshd 24937 root txt REG 8,2 409488 1027867 /usr/sbin/sshd
[root@localhost soft]#
[root@localhost soft]#
Example 25: List all IPv4 network files opened by the process with process number 1234
Command:
lsof -i 4 -a -p 1234
Example 26: List all file information related to connections to the host peida.linux on ports 20, 21, 22, 25, 53, and 80, and re-run the lsof command every 3 seconds.
Command:
lsof -i @peida.linux:20,21,22,25,53,80 -r 3