
Using *nix lsof Command To Your Advantage

Discussion in 'Unix' started by pradeep, Jun 7, 2013.

    lsof, or LiSt Open Files, is a very powerful command available on most Unix-like systems. It lists all open files (in *nix everything is a file: drives, sockets, inodes, etc.). The listing can be filtered using various parameters like process ID, owner of the process, etc. In this article we'll discuss, using examples, how to use the lsof command in various ways which you might find useful according to your needs.

    Usage



    The most basic usage of lsof command is to list all open files.

    Code:
    [pradeep@deepz-desktop]$ lsof | wc -l
    63
    [pradeep@deepz-desktop]$ lsof
    COMMAND  PID    USER   FD      TYPE DEVICE  SIZE/OFF      NODE NAME
    sshd    4853 pradeep  cwd   unknown                            /proc/4853/cwd (readlink: Permission denied)
    sshd    4853 pradeep  rtd   unknown                            /proc/4853/pradeep (readlink: Permission denied)
    sshd    4853 pradeep  txt   unknown                            /proc/4853/exe (readlink: Permission denied)
    bash    4857 pradeep  cwd       DIR   8,17      4096 300947057 /home/pradeep
    bash    4857 pradeep  rtd       DIR    8,1      4096         2 /
    bash    4857 pradeep  txt       REG    8,1    926536    130055 /bin/bash
    bash    4857 pradeep  mem       REG    8,1     26048      2030 /usr/lib/gconv/gconv-modules.cache
    bash    4857 pradeep    0u      CHR  136,2       0t0         5 /dev/pts/2
    bash    4857 pradeep    1u      CHR  136,2       0t0         5 /dev/pts/2
    bash    4857 pradeep    2u      CHR  136,2       0t0         5 /dev/pts/2
    bash    4857 pradeep  255u      CHR  136,2       0t0         5 /dev/pts/2
    lsof    5103 pradeep  cwd       DIR   8,17      4096 300947057 /home/pradeep
    lsof    5103 pradeep  rtd       DIR    8,1      4096         2 /
    lsof    5103 pradeep  txt       REG    8,1    125736      9780 /usr/bin/lsof
    lsof    5103 pradeep  mem       REG    8,1 108805904     32010 /usr/lib/locale/locale-archive
    lsof    5103 pradeep  mem       REG    8,1   1437064    130089 /lib/libc-2.11.3.so
    lsof    5103 pradeep  mem       REG    8,1    128744    130085 /lib/ld-2.11.3.so
    lsof    5103 pradeep    0u      CHR  136,2       0t0         5 /dev/pts/2
    lsof    5103 pradeep    1u      CHR  136,2       0t0         5 /dev/pts/2
    lsof    5103 pradeep    2u      CHR  136,2       0t0         5 /dev/pts/2
    lsof    5103 pradeep    3r      DIR    0,3         0         1 /proc
    lsof    5103 pradeep    4r      DIR    0,3         0 343402229 /proc/5103/fd
    lsof    5103 pradeep    5w     FIFO    0,7       0t0 343402234 pipe
    lsof    5103 pradeep    6r     FIFO    0,7       0t0 343402235 pipe
    lsof    5104 pradeep  cwd       DIR   8,17      4096 300947057 /home/pradeep
    lsof    5104 pradeep  rtd       DIR    8,1      4096         2 /
    lsof    5104 pradeep  txt       REG    8,1    125736      9780 /usr/bin/lsof
    lsof    5104 pradeep  mem       REG    8,1 108805904     32010 /usr/lib/locale/locale-archive
    lsof    5104 pradeep  mem       REG    8,1   1437064    130089 /lib/libc-2.11.3.so
    lsof    5104 pradeep  mem       REG    8,1    128744    130085 /lib/ld-2.11.3.so
    
    We can find out which file, executable or partition is being used by whom. Here's how:

    Code:
    [pradeep@deepz-desktop:~] lsof /usr/sbin/httpd
    COMMAND   PID   USER  FD   TYPE DEVICE   SIZE  NODE NAME
    httpd    8790   pradeep txt    REG    8,1 312020 68594 /usr/sbin/httpd
    httpd   16682 apache txt    REG    8,1 312020 68594 /usr/sbin/httpd
    httpd   16683 apache txt    REG    8,1 312020 68594 /usr/sbin/httpd
    [pradeep@deepz-desktop:~] lsof /dev/sda2
    COMMAND   PID  USER   FD   TYPE DEVICE      SIZE     NODE NAME
    mysqld   6564 mysql  cwd    DIR    8,2      4096 18382849 /mnt/mysql
    mysqld   6564 mysql    3uW  REG    8,2  18874368 18382956 /mnt/mysql/ibdata1
    mysqld   6564 mysql    8uW  REG    8,2   5242880 18382943 /mnt/mysql/ib_logfile0
    mysqld   6564 mysql    9uW  REG    8,2   5242880 18382949 /mnt/mysql/ib_logfile1
    
    Now, let's see which files have been opened by processes, selected by matching the beginning of their command name, say "k" or "bash".

    Code:
    [pradeep@deepz-desktop:~] lsof -c k
    COMMAND    PID USER   FD      TYPE DEVICE SIZE NODE NAME
    ksoftirqd    3 pradeep  cwd       DIR    8,1 4096    2 /
    ksoftirqd    3 pradeep  rtd       DIR    8,1 4096    2 /
    ksoftirqd    3 pradeep  txt   unknown                  /proc/3/exe
    khelper      6 pradeep  cwd       DIR    8,1 4096    2 /
    kthread      7 pradeep  rtd       DIR    8,1 4096    2 /
    [pradeep@deepz-desktop:~] lsof -c bash
    COMMAND   PID USER   FD   TYPE DEVICE     SIZE    NODE NAME
    bash    10537 pradeep  cwd    DIR    8,1     4096  589825 /pradeep
    bash    10537 pradeep  rtd    DIR    8,1     4096       2 /
    bash    10537 pradeep  txt    REG    8,1   716972 1228822 /bin/bash
    bash    10537 pradeep    0u   CHR    3,0             2470 /dev/ttyp0
    bash    10537 pradeep    1u   CHR    3,0             2470 /dev/ttyp0
    bash    10537 pradeep    2u   CHR    3,0             2470 /dev/ttyp0
    
    We can also see which processes have opened which internet connections, the local and remote endpoints of each, and the state of the connection.

    Code:
    pradeep@deepz-desktop:~$ lsof -i
    COMMAND    PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
    ubuntu-ge 2310 pradeep   12u  IPv4  12690      0t0  TCP deepz-desktop.local:39763->mistletoe.canonical.com:http (CLOSE_WAIT)
    firefox   2747 pradeep   61u  IPv4  81682      0t0  TCP deepz-desktop.local:44721->68.232.44.111:https (ESTABLISHED)
    firefox   2747 pradeep   66u  IPv4  82132      0t0  TCP deepz-desktop.local:42470->159.111.233.72.static.reverse.ltdomains.com:http (ESTABLISHED)
    firefox   2747 pradeep   68u  IPv4  82080      0t0  TCP deepz-desktop.local:42301->.:http (ESTABLISHED)
    firefox   2747 pradeep   69u  IPv4  81797      0t0  TCP deepz-desktop.local:55607->.:https (ESTABLISHED)
    firefox   2747 pradeep   71u  IPv4  82197      0t0  TCP deepz-desktop.local:55608->.:https (ESTABLISHED)
    firefox   2747 pradeep   74u  IPv4  82135      0t0  TCP deepz-desktop.local:42841->68.232.44.121:https (ESTABLISHED)
    firefox   2747 pradeep   75u  IPv4  82137      0t0  TCP deepz-desktop.local:42842->68.232.44.121:https (ESTABLISHED)
    firefox   2747 pradeep   76u  IPv4  81690      0t0  TCP deepz-desktop.local:44729->68.232.44.111:https (ESTABLISHED)
    firefox   2747 pradeep   87u  IPv4  81710      0t0  TCP deepz-desktop.local:42341->.:http (ESTABLISHED)
    chrome    4140 pradeep   63u  IPv4  80009      0t0  TCP deepz-desktop.local:49836->maa03s04-in-f16.1e100.net:http (ESTABLISHED)
    chrome    4140 pradeep   73u  IPv4  80074      0t0  TCP deepz-desktop.local:39526->ni-in-f95.1e100.net:https (ESTABLISHED)
    chrome    4140 pradeep   79u  IPv4  79365      0t0  TCP deepz-desktop.local:45406->maa03s04-in-f14.1e100.net:https (ESTABLISHED)
    chrome    4140 pradeep   81u  IPv4  80874      0t0  TCP deepz-desktop.local:36206->maa03s04-in-f14.1e100.net:http (ESTABLISHED)
    chrome    4140 pradeep  104u  IPv4  80253      0t0  TCP deepz-desktop.local:45039->ni-in-f125.1e100.net:xmpp-client (ESTABLISHED)
    chrome    4140 pradeep  113u  IPv4  80966      0t0  TCP deepz-desktop.local:52340->www.evernote.com:https (ESTABLISHED)
    chrome    4140 pradeep  117u  IPv4  80249      0t0  TCP deepz-desktop.local:55953->maa03s04-in-f16.1e100.net:https (ESTABLISHED)
    chrome    4140 pradeep  119u  IPv4  80247      0t0  TCP deepz-desktop.local:52342->www.evernote.com:https (ESTABLISHED)
    chrome    4140 pradeep  126u  IPv4  81303      0t0  TCP deepz-desktop.local:54104->maa03s04-in-f31.1e100.net:http (ESTABLISHED)
    chrome    4140 pradeep  134u  IPv4  80294      0t0  TCP deepz-desktop.local:52350->www.evernote.com:https (ESTABLISHED)
    chrome    4140 pradeep  141u  IPv4  80292      0t0  TCP deepz-desktop.local:59960->maa03s04-in-f31.1e100.net:https (ESTABLISHED)
    chrome    4140 pradeep  160u  IPv4  80867      0t0  TCP deepz-desktop.local:45433->maa03s04-in-f14.1e100.net:https (ESTABLISHED)
    chrome    4140 pradeep  161u  IPv4  81495      0t0  TCP deepz-desktop.local:51164->maa03s04-in-f15.1e100.net:https (ESTABLISHED)
    
    We can list the files opened by a given PID, or the files opened by processes belonging to a given user.

    Code:
    pradeep@deepz-desktop:~$ lsof -p 4140
    COMMAND  PID    USER   FD   TYPE             DEVICE  SIZE/OFF     NODE NAME
    chrome  4140 pradeep  cwd    DIR               8,21     16384 39321601 /home/pradeep
    chrome  4140 pradeep  rtd    DIR               8,17      4096        2 /
    chrome  4140 pradeep  txt    REG               8,17  89143496  2234872 /opt/google/chrome/chrome
    chrome  4140 pradeep  mem    REG               8,17     10384  1048629 /lib/libnss_mdns4.so.2
    chrome  4140 pradeep  DEL    REG               0,18              80275 /run/shm/.com.google.Chrome.KY4bCi
    chrome  4140 pradeep  mem    REG               8,21    524656 39977018 /home/pradeep/.cache/google-chrome/Profile 1/Cache/index
    chrome  4140 pradeep  mem    REG               8,17  18282384  1707495 /usr/lib/libicudata.so.48.1.1
    chrome  4140 pradeep  mem    REG               8,17   1465096  1707509 /usr/lib/libicuuc.so.48.1.1
    chrome  4140 pradeep  mem    REG               8,17   1866528  1707497 /usr/lib/libicui18n.so.48.1.1
    chrome  4140 pradeep  mem    REG               8,17    217312  1706904 /usr/lib/libdee-1.0.so.4.1.1
    chrome  4140 pradeep  DEL    REG                0,4           17301519 /SYSV00000000
    chrome  4140 pradeep  mem    REG               8,17    331864  1713573 /usr/lib/x86_64-linux-gnu/libgee.so.2.0.0
    chrome  4140 pradeep  mem    REG               8,17    422512  1707407 /usr/lib/libunity.so.9.0.2
    chrome  4140 pradeep  mem    REG               8,17    139240  1713599 /usr/lib/x86_64-linux-gnu/libgnome-keyring.so.0.2.0
    chrome  4140 pradeep  mem    REG               8,21 125837312 39976993 /home/pradeep/.cache/google-chrome/Profile 1/Cache/data_3
    ...
    
    Code:
    pradeep@deepz-desktop:~$ sudo lsof -u www-data
    COMMAND  PID     USER   FD   TYPE             DEVICE SIZE/OFF    NODE NAME
    apache2 1224 www-data  cwd    DIR               8,17     4096       2 /
    apache2 1224 www-data  rtd    DIR               8,17     4096       2 /
    apache2 1224 www-data  txt    REG               8,17   474744 1975911 /usr/lib/apache2/mpm-worker/apache2
    apache2 1224 www-data  mem    REG               8,17    52120 1061321 /lib/x86_64-linux-gnu/libnss_files-2.15.so
    apache2 1224 www-data  mem    REG               8,17    47680 1061317 /lib/x86_64-linux-gnu/libnss_nis-2.15.so
    apache2 1224 www-data  mem    REG               8,17    97248 1061330 /lib/x86_64-linux-gnu/libnsl-2.15.so
    apache2 1224 www-data  mem    REG               8,17    35680 1061322 /lib/x86_64-linux-gnu/libnss_compat-2.15.so
    apache2 1224 www-data  mem    REG               8,17    22528 1975854 /usr/lib/apache2/modules/mod_status.so
    apache2 1224 www-data  mem    REG               8,17    14336 1975885 /usr/lib/apache2/modules/mod_setenvif.so
    
    I hope this will be helpful in debugging programs, troubleshooting & security of *nix systems. Enjoy.
     
    shabbir likes this.
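
Added example (not part of pradeep's original post): a shell function that condenses `lsof -i` output like the listing above into per-process connection counts by protocol and TCP state. The function names and the sample lines are constructed for illustration; on a live system pipe in `lsof -nP -i`, where `-n` and `-P` skip host and port name lookups.

```shell
#!/bin/sh
# Added example: summarize `lsof -i` column output read from stdin.
# Prints "COMMAND PID PROTO STATE COUNT", one line per distinct combination.
summarize_lsof_net() {
    awk '
        # Keep internet sockets only; this also drops the header row.
        $5 != "IPv4" && $5 != "IPv6" { next }
        {
            proto = $8          # NODE column holds TCP or UDP for sockets
            state = "-"         # UDP rows carry no connection state
            # TCP rows end with the state in parentheses, e.g. (LISTEN)
            if ($NF ~ /^\(.*\)$/) {
                state = substr($NF, 2, length($NF) - 2)
            }
            count[$1 " " $2 " " proto " " state]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Constructed sample input in the same column layout as `lsof -i`.
sample_lsof_output() {
    cat <<'EOF'
COMMAND    PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       912    root    3u  IPv4  10021      0t0  TCP *:22 (LISTEN)
firefox   2747 pradeep   61u  IPv4  81682      0t0  TCP 192.0.2.10:44721->198.51.100.7:443 (ESTABLISHED)
firefox   2747 pradeep   66u  IPv4  82132      0t0  TCP 192.0.2.10:42470->198.51.100.9:80 (ESTABLISHED)
updater   2310 pradeep   12u  IPv4  12690      0t0  TCP 192.0.2.10:39763->203.0.113.5:80 (CLOSE_WAIT)
avahi      640   avahi   13u  IPv4   9002      0t0  UDP *:5353
EOF
}

# Run the summary over the constructed sample.
sample_lsof_output | summarize_lsof_net
```

A CLOSE_WAIT count that keeps growing for one PID usually means that process is not closing its sockets after the peer has hung up.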
