Using the Linux lsof command




If everything in Linux is a file, there must be more than just files on your hard drive. In this tutorial, you will learn how to use lsof to see all other devices and processes that are treated as files.

Under Linux, everything is a file.

The oft-quoted phrase that everything in Linux is a file is somewhat true. A file is a collection of bytes. When they are read into a program or sent to a printer, they appear to generate a stream of bytes. When they are written to, they accept a byte stream.

Many other system components accept or generate byte streams, for example keyboards, socket connections, printers and communication processes. Because these devices either accept, generate, or accept and generate byte streams, they can be treated like files at a very low level.

This design concept simplified the implementation of the Unix operating system. This meant that a small set of handlers, tools and APIs could be created to manage a variety of different resources.

The data and program files on your hard disk are plain old filesystem files. With the ls command you can list them and find out some details about them.

How do you find out about all the other processes and devices that are treated as files? We use the lsof command. This lists the open files in the system. That is, it lists everything that is treated as if it were a file.


The lsof Command

Many of the processes or devices that lsof can report on belong to root or were started by root, so you need to use the sudo command with lsof.

And because this listing will be very long, we will pipe it through less.

  sudo lsof | less 


Before the output of lsof appears, GNOME users may receive a warning message in the terminal window.

  lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
        Output information may be incomplete.

lsof attempts to process all mounted filesystems. This warning message is issued because lsof encountered a GNOME Virtual File System (GVFS). This is a special case of a filesystem in user space (FUSE). It acts as a bridge between GNOME, its APIs and the kernel. Nobody, not even root, can access one of these filesystems, except for the owner who mounted it (in this case GNOME). You can ignore this warning.

The output of lsof is very wide.

The lsof columns

Not all columns apply to every type of open file. It is normal for some of them to be blank.

  • COMMAND : The name of the command associated with the process that opened the file.
  • PID : Process identification number of the process that opened the file.
  • TID : Task (thread) identification number. An empty column means that it is not a task; it is a process.
  • USER : User ID or name of the user to whom the process belongs, or the user ID or login of the person who owns the directory in /proc where lsof finds information about the process.
  • FD : Displays the file descriptor of the file. File descriptors are described below.
  • TYPE : Type of node associated with the file. The node types are described below.
  • DEVICE : Contains either the comma-separated device numbers for a character special, block special, regular, directory, or NFS file, or a kernel reference address that identifies the file. You may also see the base address or device name of a Linux AX.25 socket device.
  • SIZE/OFF : Displays the size of the file or the offset of the file in bytes.
  • NODE : Displays the node number of a local file, the inode number of an NFS file on the server host, or the Internet protocol type. STR may appear for a stream, or the IRQ or inode number of a Linux AX.25 socket device.
  • NAME : Displays the name of the mount point and the filesystem where the file resides.

FD column

The file descriptor in the FD column can be one of many options. The man page lists them all.

The FD column entry can consist of three parts: a file descriptor, a mode character, and a lock character. Some common file descriptors are:

  • cwd : Current working directory.
  • err : FD information error (see NAME column).
  • ltx : Shared library text (code and data).
  • m86 : DOS Merge mapped file.
  • mem : Memory-mapped file.
  • mmap : Memory mapping device.
  • pd : Parent directory.
  • rtd : root directory.
  • txt : Program text (code and data).
  • A number representing a file descriptor.

The mode character can be one of the following:

  • r : Read access.
  • w : Write access.
  • u : Read and write access.
  • ' ' : A space character, if the mode is unknown and there is no lock character.
  • - : Mode unknown and there is a lock character.

The lock character may be one of the following:

  • r : Read lock on part of the file.
  • R : Read lock on the entire file.
  • w : Write lock for part of the file.
  • W : Write lock for the entire file.
  • u : Read and write lock of any length.
  • U : Unknown lock type.
  • ' ' : A space character. No lock.
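The three-part FD field described above can be split mechanically. The following is an added example, not part of the original article: decode_fd, decode_rows and the sample rows are constructed for illustration, and the rows assume the TID column is empty and that named entries such as cwd carry no mode or lock character.

```shell
#!/bin/sh
# Decode one lsof FD field (for example "7w", "5uW", "cwd") into its parts.
decode_fd() {
    fd=$1
    case $fd in
        [0-9]*)
            num=${fd%%[!0-9]*}        # leading digits: the descriptor number
            rest=${fd#"$num"}         # what follows: mode char, then lock char
            mode=${rest%"${rest#?}"}  # first char of rest (empty if absent)
            lock=${rest#?}            # second char of rest (empty if absent)
            ;;
        *)  # named entries (cwd, rtd, txt, mem): treated as no mode or lock (assumption)
            printf 'fd=%s mode=n/a lock=n/a\n' "$fd"
            return 0 ;;
    esac
    case $mode in
        r) m=read ;; w) m=write ;; u) m=read+write ;;
        -|'') m=unknown ;; *) m="?$mode" ;;
    esac
    case $lock in
        r) l=read-part ;; R) l=read-whole ;; w) l=write-part ;; W) l=write-whole ;;
        u) l=read+write ;; U) l=unknown-type ;; '') l=none ;; *) l="?$lock" ;;
    esac
    printf 'fd=%s mode=%s lock=%s\n' "$num" "$m" "$l"
}

# Constructed sample rows in lsof's default column order (not captured output).
sample_rows() {
cat <<'EOF'
rsyslogd   733  syslog cwd DIR 8,1  4096    2 /
rsyslogd   733  syslog 7w  REG 8,1 52310 1311 /var/log/kern.log
sqlite-app 4610 mary   5uW REG 8,1  8192 2210 /home/mary/app.db
backup     5120 root   4-R REG 8,1  8192 2210 /home/mary/app.db
EOF
}

# Read rows on stdin (assumes the TID column is empty) and decode each FD.
decode_rows() {
    while read -r cmd pid user fd _type _dev _size _node name; do
        printf '%s %s %s -> %s\n' "$cmd" "$pid" "$name" "$(decode_fd "$fd")"
    done
}

sample_rows | decode_rows
```

The last two sample rows show why the lock character matters when two processes hold the same file: one has it open read/write with a whole-file write lock, the other holds a whole-file read lock with an unknown mode.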

The TYPE column

There may be over 70 entries in the TYPE column. Some common entries are:

  • REG : Regular file system file.
  • DIR : Directory.
  • FIFO : First In First Out.
  • CHR : Character Special File.
  • BLK : Block Special File.
  • INET : Internet socket.
  • unix : UNIX domain socket.

See Processes That Have Opened a File

To view the processes that opened a particular file, specify the name of the file as a parameter to lsof. To view the processes that opened the file kern.log, use the following command:

  sudo lsof /var/log/kern.log

lsof responds by displaying the single process, rsyslogd, which was started by the user syslog.

Show all files opened from a directory

To display the files opened from a directory and the processes that opened them, pass the directory to lsof as a parameter. You must use the +D (directory) option.

To view all files that are open in the /var/log/ directory, use this command:

  sudo lsof +D /var/log/

lsof responds with a list of all open files in this directory.

Use the following command to display all files opened from the /home directory:

  sudo lsof +D /home

The files opened from the /home directory are displayed. Note that with shorter descriptions in some of the columns, the whole listing is narrower.

Listing files opened by a process

To view the files that were opened by a particular process, use the -c (command) option. Note that you can give lsof more than one search term at a time.

  sudo lsof -c ssh -c init

lsof provides a list of the files that were opened by any of the processes named on the command line.

See user open files

To restrict the display to files opened by a specific user, use the option -u (user). In this example, we'll look at the files opened by processes owned by Mary or started by Mary.

  sudo lsof -u mary 


All listed files were opened on behalf of user Mary. This includes files that have been opened, for example, by the desktop environment or simply because of Mary's login.


Excluding files opened by a user

Use the ^ operator to exclude files opened by a user. Excluding users from the listing makes it easier to find the information you want. You must use the -u option as before and insert the ^ character at the beginning of the user name.

  sudo lsof +D /home -u ^mary

This time the listing for the /home directory does not contain any of the files opened by the user Mary.

List files opened by a process

To list the files that were opened by a particular process, use the -p (process) option and enter the process ID as a parameter.

  sudo lsof -p 4610

All files opened by the process ID you specified are listed for you.

Listing process IDs that opened a file

To view the process IDs of the processes that opened a particular file, use the -t (terse) option and specify the name of the file on the command line.

  sudo lsof -t /usr/share/mime/mime.cache

The process IDs are displayed in a simple list.

Using AND and OR searches

Let's list the files that were opened by the user Mary and related to the SSH processes. We know that we can provide more than one search item on the command line, so this should be easy.

  sudo lsof -u mary -c ssh 


Now let's look at the output of lsof. That does not look right. There are entries in the output that were started by root.

That's not what we expected. What happened?

If you enter multiple search terms, lsof returns all files that match the first search term or the second search term, and so on. In other words, an OR search is performed.

To perform an AND search, use the -a (and) option. This means that the only files listed are those that match the first search term and the second search term, and so on.

Let's try again and use the -a option.

  sudo lsof -u mary -c ssh -a 

Now every file in the list has been opened by or on behalf of Mary and is associated with the SSH command.
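The same OR and AND selection can be applied to a listing that was saved to a file earlier, which makes the difference easy to see side by side. This is an added example, not part of the original article: saved_listing and select_rows are hypothetical helpers, the rows are constructed, and the command match assumes that -c selects commands whose names begin with the given string.

```shell
#!/bin/sh
# Constructed sample in lsof's default column layout (not captured output).
saved_listing() {
cat <<'EOF'
COMMAND    PID USER  FD  TYPE     DEVICE SIZE/OFF  NODE NAME
sshd       606 root  3u  IPv4      21345      0t0   TCP *:22 (LISTEN)
sshd      4610 root  4u  IPv4      33211      0t0   TCP 10.0.0.2:22->10.0.0.5:51514 (ESTABLISHED)
ssh-agent 1822 mary  3u  unix 0xffff0000      0t0 28111 /tmp/ssh-EXAMPLE/agent.1821
ssh       5190 mary  3u  IPv4      40122      0t0   TCP 10.0.0.2:40122->10.0.0.9:22 (ESTABLISHED)
bash      1750 mary cwd   DIR        8,1     4096  2210 /home/mary
EOF
}

# select_rows MODE USER CMDPREFIX
# Emulates how lsof combines -u USER with -c CMDPREFIX on rows read from stdin.
# MODE "or" is the default behaviour; MODE "and" is the behaviour with -a added.
select_rows() {
    awk -v mode="$1" -v user="$2" -v cmd="$3" '
        NR == 1 { next }                    # skip the header row
        {
            u = ($3 == user)                # -u: the process owner matches
            c = (index($1, cmd) == 1)       # -c: command name begins with cmd
            if ((mode == "and" && u && c) || (mode == "or" && (u || c)))
                print $1, $2, $3            # COMMAND PID USER
        }'
}

echo "OR  (as with: lsof -u mary -c ssh)"
saved_listing | select_rows or mary ssh
echo "AND (as with: lsof -u mary -c ssh -a)"
saved_listing | select_rows and mary ssh
```

The OR result contains root's sshd processes and Mary's unrelated bash shell; the AND result contains only Mary's ssh and ssh-agent processes.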


Automatic refresh of the display

We can use the +|-r (repeat) option to put lsof in repeat mode. The repeat option can be applied in two ways, either +r or -r. We also need to add the number of seconds to wait before updating the display.

If you use the repeat option in either of the two formats, lsof displays the results as usual, but adds a dashed line at the bottom of the display. It waits for the number of seconds given on the command line and then refreshes the display with new results.

With the -r format, this continues until you press Ctrl+C. With the +r format, it continues until there are no more results to display or until you press Ctrl+C.

  sudo lsof -u mary -c ssh -a -r5 


Notice the dotted line at the bottom of the list. This separates each new display of data as the output is updated.


Viewing Files Associated with Internet Connections

The -i (Internet) option allows you to view the files opened by processes that are associated with network and Internet connections.

  lsof -i 


All files opened via network and Internet connections are displayed.


Viewing files associated with Internet connections by process ID

To view the files associated with Internet connections that were opened by a particular process ID, add the -p option and the -a option.

Here we search for files that have been opened via an Internet or network connection by the process with an ID of 606.

  sudo lsof -i -a -p 606

All files opened by process ID 606 that are associated with Internet or network connections are displayed.

Viewing files associated with Internet connections and commands

We can use the option -c (command) to search for files that were opened by certain processes. Use the following command to search for files opened through Internet or network connections that are associated with process ssh :

  lsof -i -a -c ssh 


All files that have been opened due to the ssh processes are listed in the output.


Viewing Files Associated with Internet Connections and Ports

We can have lsof report on the files that were opened by Internet or network connections on a specific port. For this we use the : character followed by the port number.

Here we ask lsof to list the files opened via network or Internet connections on port 22.

  lsof -i :22

All listed files were opened by processes associated with port 22 (the default port for SSH connections).

Viewing files associated with Internet connections and protocols

We can ask lsof to show the files that were opened by processes associated with network and Internet connections that use a specific protocol. We can choose between TCP, UDP and SMTP. Let's use the TCP protocol and see what we get.

  sudo lsof -i tcp 


The only files listed are those that are opened by processes that use the TCP protocol.
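The -i listings from the sections above can be reduced to the question an administrator usually asks of them: which processes are listening, on which ports, and are any of them unexpected? This is an added example, not part of the original article: listeners, unexpected_listeners and the sample rows are constructed, and the rows assume numeric addresses and ports (as produced with lsof's -n and -P options, which this page does not cover) and an empty TID column.

```shell
#!/bin/sh
# Constructed sample of "lsof -i" style rows (not captured output).
sample_net() {
cat <<'EOF'
COMMAND   PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd      606 root  3u  IPv4  21345      0t0  TCP *:22 (LISTEN)
sshd      606 root  4u  IPv6  21347      0t0  TCP *:22 (LISTEN)
cupsd     812 root  7u  IPv4  25010      0t0  TCP 127.0.0.1:631 (LISTEN)
python3  5301 mary  3u  IPv4  41877      0t0  TCP *:8000 (LISTEN)
sshd     4610 root  4u  IPv4  33211      0t0  TCP 10.0.0.2:22->10.0.0.5:51514 (ESTABLISHED)
avahi-da  701 avahi 12u IPv4  19002      0t0  UDP *:5353
EOF
}

# listeners: print "PORT ADDR USER COMMAND PID" once per listening TCP socket.
# The NODE column ($8) holds the protocol; the NAME column starts at $9.
listeners() {
    awk '$8 == "TCP" && $NF == "(LISTEN)" {
        addr = $9
        port = addr; sub(/.*:/, "", port)   # text after the last colon
        sub(/:[^:]*$/, "", addr)            # text before it (also fits [::1]:22)
        key = port " " addr " " $3 " " $1 " " $2
        if (!(key in seen)) { seen[key] = 1; print key }   # merge IPv4/IPv6 twins
    }'
}

# unexpected_listeners "22 631": listeners whose port is not in the allow-list.
unexpected_listeners() {
    listeners | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok)'
}

# On a live system the input would come from: sudo lsof -i -n -P
sample_net | unexpected_listeners "22 631"
```

A listener bound to * accepts connections on every interface, while one bound to 127.0.0.1 is reachable only from the local machine, so the ADDR field is worth reading alongside the port.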


We only scratched the surface.

This is a good basis for some common use cases for lsof, but there is a lot more to it than that. How much more can be deduced from the fact that the man page is more than 2,800 lines long.

With the command lsof you can penetrate ever deeper into the layers of open files and pseudo-files. We have provided an overview map. The atlas is on the man page.



