Go4Expert


pradeep 8Jun2013 00:55

Using *nix lsof Command To Your Advantage
 
lsof, or LiSt Open Files, is a very powerful command available on most Unix-like systems. It lists all open files (in *nix everything is a file: drives, sockets, inodes, etc.). The listing can be filtered using various parameters such as process ID, owner of the process, etc. In this article we'll use examples to show various ways of using the lsof command, which you might find useful according to your needs.

Usage



The most basic usage of lsof command is to list all open files.

Code:

[pradeep@deepz-desktop]$ lsof | wc -l
63
[pradeep@deepz-desktop]$ lsof
COMMAND  PID    USER   FD      TYPE DEVICE  SIZE/OFF      NODE NAME
sshd    4853 pradeep  cwd   unknown                            /proc/4853/cwd (readlink: Permission denied)
sshd    4853 pradeep  rtd   unknown                            /proc/4853/pradeep (readlink: Permission denied)
sshd    4853 pradeep  txt   unknown                            /proc/4853/exe (readlink: Permission denied)
bash    4857 pradeep  cwd       DIR   8,17      4096 300947057 /home/pradeep
bash    4857 pradeep  rtd       DIR    8,1      4096         2 /
bash    4857 pradeep  txt       REG    8,1    926536    130055 /bin/bash
bash    4857 pradeep  mem       REG    8,1     26048      2030 /usr/lib/gconv/gconv-modules.cache
bash    4857 pradeep    0u      CHR  136,2       0t0         5 /dev/pts/2
bash    4857 pradeep    1u      CHR  136,2       0t0         5 /dev/pts/2
bash    4857 pradeep    2u      CHR  136,2       0t0         5 /dev/pts/2
bash    4857 pradeep  255u      CHR  136,2       0t0         5 /dev/pts/2
lsof    5103 pradeep  cwd       DIR   8,17      4096 300947057 /home/pradeep
lsof    5103 pradeep  rtd       DIR    8,1      4096         2 /
lsof    5103 pradeep  txt       REG    8,1    125736      9780 /usr/bin/lsof
lsof    5103 pradeep  mem       REG    8,1 108805904     32010 /usr/lib/locale/locale-archive
lsof    5103 pradeep  mem       REG    8,1   1437064    130089 /lib/libc-2.11.3.so
lsof    5103 pradeep  mem       REG    8,1    128744    130085 /lib/ld-2.11.3.so
lsof    5103 pradeep    0u      CHR  136,2       0t0         5 /dev/pts/2
lsof    5103 pradeep    1u      CHR  136,2       0t0         5 /dev/pts/2
lsof    5103 pradeep    2u      CHR  136,2       0t0         5 /dev/pts/2
lsof    5103 pradeep    3r      DIR    0,3         0         1 /proc
lsof    5103 pradeep    4r      DIR    0,3         0 343402229 /proc/5103/fd
lsof    5103 pradeep    5w     FIFO    0,7       0t0 343402234 pipe
lsof    5103 pradeep    6r     FIFO    0,7       0t0 343402235 pipe
lsof    5104 pradeep  cwd       DIR   8,17      4096 300947057 /home/pradeep
lsof    5104 pradeep  rtd       DIR    8,1      4096         2 /
lsof    5104 pradeep  txt       REG    8,1    125736      9780 /usr/bin/lsof
lsof    5104 pradeep  mem       REG    8,1 108805904     32010 /usr/lib/locale/locale-archive
lsof    5104 pradeep  mem       REG    8,1   1437064    130089 /lib/libc-2.11.3.so
lsof    5104 pradeep  mem       REG    8,1    128744    130085 /lib/ld-2.11.3.so


We can find out which processes are using a given file, executable or partition. Here's how:

Code:

[pradeep@deepz-desktop:~] lsof /usr/sbin/httpd
COMMAND   PID   USER  FD   TYPE DEVICE   SIZE  NODE NAME
httpd    8790   pradeep txt    REG    8,1 312020 68594 /usr/sbin/httpd
httpd   16682 apache txt    REG    8,1 312020 68594 /usr/sbin/httpd
httpd   16683 apache txt    REG    8,1 312020 68594 /usr/sbin/httpd
[pradeep@deepz-desktop:~] lsof /dev/sda2
COMMAND   PID  USER   FD   TYPE DEVICE      SIZE     NODE NAME
mysqld   6564 mysql  cwd    DIR    8,2      4096 18382849 /mnt/mysql
mysqld   6564 mysql    3uW  REG    8,2  18874368 18382956 /mnt/mysql/ibdata1
mysqld   6564 mysql    8uW  REG    8,2   5242880 18382943 /mnt/mysql/ib_logfile0
mysqld   6564 mysql    9uW  REG    8,2   5242880 18382949 /mnt/mysql/ib_logfile1


Now, let's see which files have been opened by processes selected by name. The -c option matches command names that begin with the given string, say "k" or "bash".

Code:

[pradeep@deepz-desktop:~] lsof -c k
COMMAND    PID USER   FD      TYPE DEVICE SIZE NODE NAME
ksoftirqd    3 pradeep  cwd       DIR    8,1 4096    2 /
ksoftirqd    3 pradeep  rtd       DIR    8,1 4096    2 /
ksoftirqd    3 pradeep  txt   unknown                  /proc/3/exe
khelper      6 pradeep  cwd       DIR    8,1 4096    2 /
kthread      7 pradeep  rtd       DIR    8,1 4096    2 /
[pradeep@deepz-desktop:~] lsof -c bash
COMMAND   PID USER   FD   TYPE DEVICE     SIZE    NODE NAME
bash    10537 pradeep  cwd    DIR    8,1     4096  589825 /pradeep
bash    10537 pradeep  rtd    DIR    8,1     4096       2 /
bash    10537 pradeep  txt    REG    8,1   716972 1228822 /bin/bash
bash    10537 pradeep    0u   CHR    3,0             2470 /dev/ttyp0
bash    10537 pradeep    1u   CHR    3,0             2470 /dev/ttyp0
bash    10537 pradeep    2u   CHR    3,0             2470 /dev/ttyp0


We can also see which processes have opened which Internet sockets, the remote host and port each one is connected to, and the state of the connection.

Code:

pradeep@deepz-desktop:~$ lsof -i
COMMAND    PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ubuntu-ge 2310 pradeep   12u  IPv4  12690      0t0  TCP deepz-desktop.local:39763->mistletoe.canonical.com:http (CLOSE_WAIT)
firefox   2747 pradeep   61u  IPv4  81682      0t0  TCP deepz-desktop.local:44721->68.232.44.111:https (ESTABLISHED)
firefox   2747 pradeep   66u  IPv4  82132      0t0  TCP deepz-desktop.local:42470->159.111.233.72.static.reverse.ltdomains.com:http (ESTABLISHED)
firefox   2747 pradeep   68u  IPv4  82080      0t0  TCP deepz-desktop.local:42301->.:http (ESTABLISHED)
firefox   2747 pradeep   69u  IPv4  81797      0t0  TCP deepz-desktop.local:55607->.:https (ESTABLISHED)
firefox   2747 pradeep   71u  IPv4  82197      0t0  TCP deepz-desktop.local:55608->.:https (ESTABLISHED)
firefox   2747 pradeep   74u  IPv4  82135      0t0  TCP deepz-desktop.local:42841->68.232.44.121:https (ESTABLISHED)
firefox   2747 pradeep   75u  IPv4  82137      0t0  TCP deepz-desktop.local:42842->68.232.44.121:https (ESTABLISHED)
firefox   2747 pradeep   76u  IPv4  81690      0t0  TCP deepz-desktop.local:44729->68.232.44.111:https (ESTABLISHED)
firefox   2747 pradeep   87u  IPv4  81710      0t0  TCP deepz-desktop.local:42341->.:http (ESTABLISHED)
chrome    4140 pradeep   63u  IPv4  80009      0t0  TCP deepz-desktop.local:49836->maa03s04-in-f16.1e100.net:http (ESTABLISHED)
chrome    4140 pradeep   73u  IPv4  80074      0t0  TCP deepz-desktop.local:39526->ni-in-f95.1e100.net:https (ESTABLISHED)
chrome    4140 pradeep   79u  IPv4  79365      0t0  TCP deepz-desktop.local:45406->maa03s04-in-f14.1e100.net:https (ESTABLISHED)
chrome    4140 pradeep   81u  IPv4  80874      0t0  TCP deepz-desktop.local:36206->maa03s04-in-f14.1e100.net:http (ESTABLISHED)
chrome    4140 pradeep  104u  IPv4  80253      0t0  TCP deepz-desktop.local:45039->ni-in-f125.1e100.net:xmpp-client (ESTABLISHED)
chrome    4140 pradeep  113u  IPv4  80966      0t0  TCP deepz-desktop.local:52340->www.evernote.com:https (ESTABLISHED)
chrome    4140 pradeep  117u  IPv4  80249      0t0  TCP deepz-desktop.local:55953->maa03s04-in-f16.1e100.net:https (ESTABLISHED)
chrome    4140 pradeep  119u  IPv4  80247      0t0  TCP deepz-desktop.local:52342->www.evernote.com:https (ESTABLISHED)
chrome    4140 pradeep  126u  IPv4  81303      0t0  TCP deepz-desktop.local:54104->maa03s04-in-f31.1e100.net:http (ESTABLISHED)
chrome    4140 pradeep  134u  IPv4  80294      0t0  TCP deepz-desktop.local:52350->www.evernote.com:https (ESTABLISHED)
chrome    4140 pradeep  141u  IPv4  80292      0t0  TCP deepz-desktop.local:59960->maa03s04-in-f31.1e100.net:https (ESTABLISHED)
chrome    4140 pradeep  160u  IPv4  80867      0t0  TCP deepz-desktop.local:45433->maa03s04-in-f14.1e100.net:https (ESTABLISHED)
chrome    4140 pradeep  161u  IPv4  81495      0t0  TCP deepz-desktop.local:51164->maa03s04-in-f15.1e100.net:https (ESTABLISHED)
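
A long `lsof -i` listing is easier to review once it is grouped per process and remote endpoint, with the sockets that have no remote endpoint (listeners) pulled out separately. The script below is an added example, not part of the original article; the function names are hypothetical, and the sample input reuses a few rows from the listing above plus two constructed rows (sshd, avahi-dae) to cover the LISTEN and UDP cases.

```shell
#!/bin/sh
# Added example. Rows for ubuntu-ge/firefox/chrome are copied from the listing
# above; the sshd and avahi-dae rows are constructed to cover LISTEN and UDP.
sample_lsof_i() {
cat <<'EOF'
COMMAND    PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ubuntu-ge 2310 pradeep   12u  IPv4  12690      0t0  TCP deepz-desktop.local:39763->mistletoe.canonical.com:http (CLOSE_WAIT)
firefox   2747 pradeep   61u  IPv4  81682      0t0  TCP deepz-desktop.local:44721->68.232.44.111:https (ESTABLISHED)
firefox   2747 pradeep   76u  IPv4  81690      0t0  TCP deepz-desktop.local:44729->68.232.44.111:https (ESTABLISHED)
chrome    4140 pradeep  113u  IPv4  80966      0t0  TCP deepz-desktop.local:52340->www.evernote.com:https (ESTABLISHED)
sshd       901    root    3u  IPv4   9001      0t0  TCP *:ssh (LISTEN)
avahi-dae  640   avahi   13u  IPv4   8123      0t0  UDP *:mdns
EOF
}

# Count sockets per (command, PID, user, protocol, state, remote endpoint).
# Output columns, tab-separated: count cmd pid user proto state remote
summarize_lsof_i() {
  tab=$(printf '\t')
  awk '
    $8 != "TCP" && $8 != "UDP" { next }      # skips the header row too
    {
      state = (NF >= 10) ? $10 : "-"         # UDP rows carry no state
      gsub(/[()]/, "", state)
      # no "->" in NAME means a listening or unconnected socket
      remote = (split($9, ep, "->") == 2) ? ep[2] : "-"
      n[$1 "\t" $2 "\t" $3 "\t" $8 "\t" state "\t" remote]++
    }
    END { for (k in n) print n[k] "\t" k }
  ' | LC_ALL=C sort -t "$tab" -k2,2 -k3,3n -k7,7
}

# Sockets with no remote endpoint: the ports this host is exposing.
# Output columns, tab-separated: proto local cmd pid user
listening_sockets() {
  awk '($8 == "TCP" || $8 == "UDP") && $9 !~ /->/ {
         print $8 "\t" $9 "\t" $1 "\t" $2 "\t" $3 }' | LC_ALL=C sort
}

# On a live host: lsof -i -n -P | summarize_lsof_i
# (-n and -P keep addresses and ports numeric, which makes rows comparable)
sample_lsof_i | summarize_lsof_i
sample_lsof_i | listening_sockets
```

The two firefox rows collapse into a single line with a count of 2, and only the sshd and avahi-dae rows appear in the listener report.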


We can also list the files opened by a given PID, or the files opened by processes belonging to a given user.

Code:

pradeep@deepz-desktop:~$ lsof -p 4140
COMMAND  PID    USER   FD   TYPE             DEVICE  SIZE/OFF     NODE NAME
chrome  4140 pradeep  cwd    DIR               8,21     16384 39321601 /home/pradeep
chrome  4140 pradeep  rtd    DIR               8,17      4096        2 /
chrome  4140 pradeep  txt    REG               8,17  89143496  2234872 /opt/google/chrome/chrome
chrome  4140 pradeep  mem    REG               8,17     10384  1048629 /lib/libnss_mdns4.so.2
chrome  4140 pradeep  DEL    REG               0,18              80275 /run/shm/.com.google.Chrome.KY4bCi
chrome  4140 pradeep  mem    REG               8,21    524656 39977018 /home/pradeep/.cache/google-chrome/Profile 1/Cache/index
chrome  4140 pradeep  mem    REG               8,17  18282384  1707495 /usr/lib/libicudata.so.48.1.1
chrome  4140 pradeep  mem    REG               8,17   1465096  1707509 /usr/lib/libicuuc.so.48.1.1
chrome  4140 pradeep  mem    REG               8,17   1866528  1707497 /usr/lib/libicui18n.so.48.1.1
chrome  4140 pradeep  mem    REG               8,17    217312  1706904 /usr/lib/libdee-1.0.so.4.1.1
chrome  4140 pradeep  DEL    REG                0,4           17301519 /SYSV00000000
chrome  4140 pradeep  mem    REG               8,17    331864  1713573 /usr/lib/x86_64-linux-gnu/libgee.so.2.0.0
chrome  4140 pradeep  mem    REG               8,17    422512  1707407 /usr/lib/libunity.so.9.0.2
chrome  4140 pradeep  mem    REG               8,17    139240  1713599 /usr/lib/x86_64-linux-gnu/libgnome-keyring.so.0.2.0
chrome  4140 pradeep  mem    REG               8,21 125837312 39976993 /home/pradeep/.cache/google-chrome/Profile 1/Cache/data_3
...


Code:

pradeep@deepz-desktop:~$ sudo lsof -u www-data
COMMAND  PID     USER   FD   TYPE             DEVICE SIZE/OFF    NODE NAME
apache2 1224 www-data  cwd    DIR               8,17     4096       2 /
apache2 1224 www-data  rtd    DIR               8,17     4096       2 /
apache2 1224 www-data  txt    REG               8,17   474744 1975911 /usr/lib/apache2/mpm-worker/apache2
apache2 1224 www-data  mem    REG               8,17    52120 1061321 /lib/x86_64-linux-gnu/libnss_files-2.15.so
apache2 1224 www-data  mem    REG               8,17    47680 1061317 /lib/x86_64-linux-gnu/libnss_nis-2.15.so
apache2 1224 www-data  mem    REG               8,17    97248 1061330 /lib/x86_64-linux-gnu/libnsl-2.15.so
apache2 1224 www-data  mem    REG               8,17    35680 1061322 /lib/x86_64-linux-gnu/libnss_compat-2.15.so
apache2 1224 www-data  mem    REG               8,17    22528 1975854 /usr/lib/apache2/modules/mod_status.so
apache2 1224 www-data  mem    REG               8,17    14336 1975885 /usr/lib/apache2/modules/mod_setenvif.so


I hope this will be helpful in debugging programs, troubleshooting & security of *nix systems. Enjoy.

