How to recover deleted files on Linux with lsof

Brief introduction

lsof (list open files) is a tool that lists the files currently open on the system. In the Linux environment everything exists in the form of a file: a file can be a regular data file, but a network connection or a piece of hardware is accessed through a file as well. So for a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) socket, the system assigns a file descriptor to the application in the background; whatever the nature of the underlying object, the file descriptor gives the application a common interface for interacting with the operating system. Because the list of file descriptors an application has open provides a wealth of information about the application itself, being able to view that list with lsof is helpful for monitoring and troubleshooting the system.

Typing lsof in a terminal displays the files open on the system. Because lsof needs access to kernel memory and to all kinds of files, it must be run as the root user to show everything.

Output Meaning

The meaning of each column of lsof output is as follows:

COMMAND: name of the process

PID: process identifier

USER: owner of the process

FD: file descriptor; the application identifies the file by this descriptor. Special values such as cwd and txt also appear here.

TYPE: file type, such as DIR or REG

DEVICE: the disk the file is on

SIZE: size of the file

NODE: inode number (the file's identifier on the disk)

NAME: the exact name of the open file

In the FD column, the value cwd marks the application's current working directory, which is the directory the application was started in unless the application itself changed directory. txt marks program text, that is, the application's own binary (such as /sbin/init) or a shared library it has loaded; each of these is shown as a separate line.

Second, a numeric value is a file descriptor of the application: the integer returned when the file was opened. For example, the line for /dev/initctl shows file descriptor 10. The u after the number means the file is open in read/write mode rather than read-only (r) or write-only (w) mode. A following capital W means the application holds a write lock on the entire file; such a lock is used to ensure that only one instance of an application can run. When an application starts it already has three file descriptors, 0 to 2, which represent the standard input, output and error streams, so most applications open their first file on FD 3.

Compared with the FD column, the TYPE column is straightforward. Files and directories are REG and DIR. CHR and BLK are character and block devices; UNIX, FIFO and IPv4 are UNIX domain sockets, first-in-first-out (FIFO) queues and Internet Protocol (IP) sockets.
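The column layout and the FD suffixes described above become easier to see once a script has to act on them. The following is an added example, not code from the original post: it decodes the FD column (cwd, txt, numeric descriptor plus r/w/u mode and an optional W/R lock letter) and picks out, from lsof-style output, every file that is still open but already deleted, printing the /proc path through which it can be read. The sample output is constructed to mimic lsof and assumes file names without spaces; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): map lsof's columns to something a
# script can act on. SAMPLE_LSOF is constructed to mimic lsof output:
#   COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME [(deleted)]
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
init 1 root cwd DIR 3,3 4096 2 /
init 1 root txt REG 3,3 38620 2457726 /sbin/init
init 1 root 10u FIFO 3,3 0 1900 /dev/initctl
syslogd 1283 root 2w REG 3,3 5381017 1773647 /var/log/messages (deleted)
mysqld 2201 mysql 3uW REG 3,3 10485760 2800123 /var/lib/mysql/ibdata1'

# decode_fd FDVALUE: translate one FD column value into a short description.
# Numeric FDs carry a mode suffix (r, w, u) and an optional lock letter (W, R).
decode_fd() {
    case "$1" in
        cwd) echo "current working directory" ;;
        txt) echo "program text (binary or shared library)" ;;
        rtd) echo "root directory" ;;
        mem) echo "memory-mapped file" ;;
        *)
            num=$(printf '%s' "$1" | sed 's/[^0-9].*//')    # leading digits
            mode=$(printf '%s' "$1" | sed 's/^[0-9]*//')    # what follows them
            case "$mode" in
                r*) desc="read-only" ;;
                w*) desc="write-only" ;;
                u*) desc="read/write" ;;
                *)  desc="unknown mode" ;;
            esac
            case "$mode" in
                *W) desc="$desc, write lock on whole file" ;;
                *R) desc="$desc, read lock on whole file" ;;
            esac
            echo "fd $num ($desc)"
            ;;
    esac
}

# deleted_open_files: read lsof output on stdin and print one line per file
# that is still open but whose directory entry is gone, as
#   PID<TAB>FD<TAB>/proc/PID/fd/FD<TAB>NAME
# The /proc path is the one a recovery command would read from.
deleted_open_files() {
    awk 'NR > 1 && $NF == "(deleted)" {
        fd = $4; sub(/[^0-9].*/, "", fd)   # strip the mode/lock suffix
        printf "%s\t%s\t/proc/%s/fd/%s\t%s\n", $2, fd, $2, fd, $9
    }'
}

# Usage with the constructed sample:
printf '%s\n' "$SAMPLE_LSOF" | deleted_open_files
decode_fd 3uW
```

On a live system the same function can be fed `lsof -nP +L1` (files with a link count below one, i.e. deleted but still open) instead of the constructed sample; the only assumption is that the NAME column holds no spaces.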

Common parameters

lsof                     list all open files
lsof /filepath/file      see which processes are using a file
lsof -c abc              show the files opened by processes whose command starts with abc
lsof -p 1234             list the files opened by the process with PID 1234
lsof -g gid              show processes belonging to process group gid
lsof +d /usr/local/      show the files opened by processes under the directory /usr/local/
lsof +D /usr/local/      same as above, but also searches the subdirectories of the directory, which takes longer
lsof -d 4                show processes using fd 4
lsof -i                  show processes with matching network connections; the full form is
                         lsof -i [46][protocol][@hostname|hostaddr][:service|port]
                         46 -> IPv4 or IPv6
                         protocol -> TCP or UDP
                         hostname -> Internet host name
                         hostaddr -> IPv4 address
                         service -> service name from /etc/services (may be more than one)
                         port -> port number (may be more than one)

lsof -c mysql            show the files opened by a program; note: the -c (command) option lists the files of every process whose command starts with mysql

Recover deleted files

When a Linux machine is compromised, the attacker often deletes log files to cover their tracks. Administrative mistakes can also delete important files by accident, for example deleting a database's active transaction log while cleaning up old logs. Sometimes these files can be restored with lsof.

When a process opens a file, the file still exists on disk even after it is deleted, as long as the process keeps it open. This means the process does not notice that the file has been deleted; it can still read and write the file through the file descriptor it opened it with. Apart from that process, the file is invisible, because the directory entry that pointed to its inode has been removed.

The /proc directory contains all sorts of files that reflect the kernel and the process tree. /proc is mounted on an area mapped in memory, so these files and directories do not exist on disk; when we read from or write to them we are actually fetching the related information from memory. Most of the information lsof uses is stored under directories named after process IDs, so /proc/1234 contains the information for the process with PID 1234. Each process directory holds a variety of files that make it easy to learn about the process's memory space, its list of file descriptors, symbolic links pointing to files on disk, and other system information.

lsof uses this information, together with other information about the internal state of the kernel, to produce its output. So lsof can display a process's file descriptors together with the corresponding file names; in other words, we can find information about a file through the file descriptors of the process that is accessing it. When a file is accidentally deleted from the file system, as long as some process on the system is still accessing it at that moment, we can use lsof to recover the file's contents from the /proc directory.

If the /var/log/messages file was deleted by mistake, the method to recover it is as follows.
First, use lsof to check whether any current process has /var/log/messages open:

# lsof /var/log/messages
syslogd 1283 root 2w REG 3,3 5381017 1773647 /var/log/messages (deleted)

From the information above we can see that PID 1283 (syslogd) has the file open on file descriptor 2, and that /var/log/messages is already marked as deleted. So we can look at the corresponding data in /proc/1283/fd/2 (each numerically named file under fd represents one file descriptor of the process), as follows:

# head -n 10 /proc/1283/fd/2
Aug 4 13:50:15 holmes86 syslogd 1.4.1: restart.
Aug 4 13:50:15 holmes86 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Aug 4 13:50:15 holmes86 kernel: Linux version 2.6.22.1-8 ([email protected]) (gcc version 4.2.0) #1 SMP Wed Jul 18 11:18:32 EDT 2007
Aug 4 13:50:15 holmes86 kernel: BIOS-provided physical RAM map:
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 0000000000000000 - 000000000009f000 (usable)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 000000000009f000 - 00000000000a0000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 0000000000100000 - 000000001f7d3800 (usable)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 000000001f7d3800 - 0000000020000000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 00000000e0000000 - 00000000f0007000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 00000000f0008000 - 00000000f000c000 (reserved)

From the information above, viewing /proc/8663/fd/15 gives the data we want to recover. If the data can be viewed through the file descriptor, it can be copied into a file with I/O redirection, for example: cat /proc/1283/fd/2 > /var/log/messages. For many applications, especially log files and databases, this method of recovering deleted files is very useful.
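The /proc explanation and the recovery steps above, reproduced end to end as an added example that is not code from the original post. The shell itself plays the role of syslogd: it keeps a small "log file" open on fd 3, the file is deleted, readlink on /proc/<PID>/fd/3 shows the same " (deleted)" marker that lsof prints in its NAME column, and the content is copied back with the same cat redirection. It assumes a Linux system with /proc mounted and the standard mktemp and readlink commands; the function names, temporary file names and the sample log line are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. The shell plays the role of
# syslogd: it keeps a "log file" open on fd 3, the file is unlinked, and the
# content is read back through /proc/<pid>/fd/3. Assumes Linux with /proc
# mounted plus mktemp and readlink; file names and the log line are constructed.

# open_and_delete FILE CONTENT: write FILE, keep it open on fd 3, then unlink it.
# Afterwards the directory entry is gone but the inode lives on while fd 3 is open.
open_and_delete() {
    printf '%s\n' "$2" > "$1"
    exec 3< "$1"
    rm -f "$1"
}

# fd_target: the kernel's view of our fd 3, e.g. "/tmp/x/messages (deleted)".
# This is the same text lsof prints in its NAME column.
fd_target() {
    readlink "/proc/$$/fd/3"
}

# recover_fd DEST: copy the still-open inode to DEST with I/O redirection
# (the cat /proc/PID/fd/N > file step from the post), then close fd 3.
# Order matters: once the last descriptor is closed the inode is freed and
# nothing is left to recover.
recover_fd() {
    cat "/proc/$$/fd/3" > "$1"
    exec 3<&-
}

# demo: run the whole sequence; leaves the recovered text in RECOVERED and
# returns non-zero if any step does not behave as the post describes.
demo() {
    work=$(mktemp -d) || return 1
    open_and_delete "$work/messages" "Aug 4 13:50:15 holmes86 syslogd 1.4.1: restart."
    [ ! -e "$work/messages" ] || return 1       # the name is gone from the directory
    case "$(fd_target)" in
        *"(deleted)") ;;                         # the kernel still knows the inode
        *) exec 3<&-; rm -rf "$work"; return 1 ;;
    esac
    recover_fd "$work/messages.recovered"
    RECOVERED=$(cat "$work/messages.recovered")
    rm -rf "$work"
    [ -n "$RECOVERED" ]
}

demo && printf 'recovered: %s\n' "$RECOVERED"
```

In a real incident the PID and descriptor number come from `lsof` as shown above rather than from `$$` and a fixed fd 3, and the copy must be made before the owning process is restarted or the descriptor closed, since that is the moment the data becomes unrecoverable.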

Everything is a file under Linux

1. ordinary files
2. directories
3. files on network file systems
4. character device files
5. (function) shared libraries
6. pipes and named pipes
7. symbolic links
8. sockets: underlying byte streams, network sockets, UNIX domain sockets

Origin www.cnblogs.com/shengulong/p/11605479.html