In the latest Linux lesson I taught, someone asked me about the use of Lsof and how to take advantage of it.
As the man page says, Lsof is a command-line utility that lists information about files opened by processes, where an open file may be a regular file, a directory, a block special file, a character special file, an executing text reference, a library, a stream or a network file (Internet socket, NFS file or UNIX domain socket). A specific file or all the files in a file system may be selected by path.
Do not forget that everything is a file on Linux (pipes, sockets, directories, devices, etc.)!
LSOF OUTPUT SYNTAX
Running Lsof without parameters shows a list of all open files belonging to all active processes:
```
[root@pluto ~]# lsof
COMMAND  PID USER  FD   TYPE DEVICE SIZE/OFF   NODE NAME
lsof    3023 root  txt   REG  253,0   145872 404232 /usr/sbin/lsof
lsof    3023 root  mem   REG  253,0   156928 265566 /lib64/ld-2.12.so
lsof    3023 root  mem   REG  253,0  1926800 265567 /lib64/libc-2.12.so
lsof    3023 root  0u    CHR  136,0      0t0      3 /dev/pts/0
lsof    3023 root  1u    CHR  136,0      0t0      3 /dev/pts/0
lsof    3023 root  2u    CHR  136,0      0t0      3 /dev/pts/0
lsof    3023 root  3r    DIR    0,3        0      1 /proc
```
The output syntax is pretty easy. It lists, from left to right, the running command, the process identifier, the user running the process, a few fields explained below and, finally, the file in use.
The FD column stands for file descriptor and can be:
- cwd current working directory
- rtd root directory
- txt program text (code and data)
- mem memory-mapped file
Or it can be a combination of digits and a letter, like 1u: the file descriptor number followed by u, r or w for its access mode:
- r for read access
- w for write access
- u for read and write access
The TYPE column stands for the file type, as the name suggests, and can be:
- DIR – Directory
- REG – Regular file
- CHR – Character special file.
- FIFO – First In First Out
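The FD and TYPE columns can be decoded mechanically to answer "which processes hold a regular file open for writing?". The filter below is an added example, not part of the original article; `writable_handles` and the sample rows are constructed for illustration, and it assumes the nine-column layout shown above.

```bash
#!/bin/sh
# Constructed sample rows in the default lsof column layout (not captured output).
sample_lsof_output() {
cat <<'EOF'
COMMAND   PID USER  FD   TYPE DEVICE SIZE/OFF       NODE NAME
rsyslogd 1633 root  1w    REG  253,0   127918     650906 /var/log/messages
rsyslogd 1633 root  3r    REG    0,3        0 4026532040 /proc/kmsg
bash     2498 tux   cwd   DIR   0,18      920        273 /root
bash     2498 tux   txt   REG   0,18   938832     608967 /bin/bash
vim      2515 tux   4u    REG   0,18    12288     618575 /home/tux/.bashrc
EOF
}

# writable_handles (hypothetical name): read lsof output on stdin and print
# every regular file held open with write (w) or read+write (u) access.
writable_handles() {
  awk '
    $5 != "REG" { next }                  # header, DIR, CHR, FIFO, sockets
    match($4, /^[0-9]+/) {                # numeric descriptor, so not cwd/rtd/txt/mem
      num  = substr($4, 1, RLENGTH)
      mode = substr($4, RLENGTH + 1, 1)   # r, w or u; a lock character may follow
      if (mode != "w" && mode != "u") next
      name = $9
      for (i = 10; i <= NF; i++) name = name " " $i   # NAME may contain spaces
      access = (mode == "u") ? "read+write" : "write"
      printf "%s pid=%s user=%s fd=%s mode=%s\n", name, $2, $3, num, access
    }
  '
}

# On a live system: lsof | writable_handles
sample_lsof_output | writable_handles
```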
USING LSOF
You can list the processes that have a specific file open by passing the file name as an argument to the lsof command.
```
[root@pluto ~]# lsof /var/log/messages
COMMAND   PID USER  FD   TYPE DEVICE SIZE/OFF   NODE NAME
rsyslogd 1469 root  1w    REG   0,18   746587 608157 /var/log/messages
```
The example above shows that the file /var/log/messages is in use by the rsyslogd process (PID 1469).
You can also list all the files opened by a specific process using the ‘-p’ option and the process ID. This is sometimes helpful to get more information about a specific process:
```
[root@pluto ~]# ps aux | grep sys
root      1633  0.0  0.1 259564  1752 ?  /sbin/rsyslogd
[root@pluto ~]# lsof -p 1633
COMMAND   PID USER  FD   TYPE             DEVICE SIZE/OFF       NODE NAME
rsyslogd 1633 root  0u   unix 0xffff880037cc43c0      0t0      12799 /dev/log
rsyslogd 1633 root  1w    REG              253,0   127918     650906 /var/log/messages
rsyslogd 1633 root  2w    REG              253,0     4382     650907 /var/log/secure
rsyslogd 1633 root  3r    REG                0,3        0 4026532040 /proc/kmsg
rsyslogd 1633 root  4w    REG              253,0      344     650905 /var/log/maillog
rsyslogd 1633 root  5w    REG              253,0     3899     650904 /var/log/cron
```
Another way to do that is by using the process name with the -c option:
```
[root@pluto ~]# lsof -c rsyslog
COMMAND   PID USER  FD   TYPE             DEVICE SIZE/OFF       NODE NAME
rsyslogd 1633 root  0u   unix 0xffff880037cc43c0      0t0      12799 /dev/log
rsyslogd 1633 root  1w    REG              253,0   127918     650906 /var/log/messages
rsyslogd 1633 root  2w    REG              253,0     4382     650907 /var/log/secure
rsyslogd 1633 root  3r    REG                0,3        0 4026532040 /proc/kmsg
rsyslogd 1633 root  4w    REG              253,0      344     650905 /var/log/maillog
rsyslogd 1633 root  5w    REG              253,0     3899     650904 /var/log/cron
```
You may also need to know which files are opened by a specific user:
```
[root@pluto ~]# lsof -u tux
bash 2498 tux  cwd  DIR 0,18    920    273 /root
bash 2498 tux  rtd  DIR 0,18    240    256 /
bash 2498 tux  txt  REG 0,18 938832 608967 /bin/bash
bash 2498 tux  mem  REG 0,17        608967 /bin/bash (path dev=0,18)
bash 2498 tux  mem  REG 0,17        608165 /lib64/ld-2.12.so (path dev=0,18)
bash 2498 tux  0u   CHR  4,1    0t0   4162 /dev/tty1
vim  2515 tux  4u   REG 0,18  12288 618575 /home/tux/.bashrc
```
LSOF FOR SYSADMIN
The examples above are usually helpful for both standard users and sysadmins, but as a sysadmin you also need to know the specific commands for working with mount points, NFS and network sockets.
To find out which files are open on a specific mount point, pass it as an argument to Lsof:
```
[root@pluto ~]# lsof /app/
COMMAND  PID USER  FD   TYPE DEVICE SIZE/OFF NODE NAME
vi      2617 root  4u    REG  252,0    12288   19 /app/.demofile.swp
```
where /app is actually a mount point. This command works the same way with a simple folder.
The -N option lists all files opened from an NFS share.
```
[root@pluto ~]# lsof -N
```
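This works better in combination with the -u option (which stands for user); the -a option ANDs the two selections, so only the NFS files opened by that user are listed.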
```
[root@pluto ~]# lsof -N -u tux -a
```
Instead of netstat, you can use Lsof to list all processes bound to a specific port or socket:
```
[root@pluto ~]# lsof -i :80
COMMAND  PID USER    FD  TYPE DEVICE SIZE/OFF NODE NAME
httpd   3221 root    4u  IPv6  19397      0t0  TCP *:http (LISTEN)
httpd   3224 apache  4u  IPv6  19397      0t0  TCP *:http (LISTEN)
httpd   3225 apache  4u  IPv6  19397      0t0  TCP *:http (LISTEN)
httpd   3226 apache  4u  IPv6  19397      0t0  TCP *:http (LISTEN)
```
or bound to a specific hostname:
```
[root@pluto ~]# lsof -i @localhost
COMMAND  PID USER  FD   TYPE DEVICE SIZE/OFF NODE NAME
cupsd   1605 root  6u   IPv6  11196      0t0  TCP localhost:ipp (LISTEN)
cupsd   1605 root  7u   IPv4  11197      0t0  TCP localhost:ipp (LISTEN)
master  1941 root  12u  IPv4  12126      0t0  TCP localhost:smtp (LISTEN)
master  1941 root  13u  IPv6  12128      0t0  TCP localhost:smtp (LISTEN)
```
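The two listings above differ in exposure: httpd listens on every interface (`*:http`) while cupsd and master listen on localhost only. The summary below is an added example, not part of the original article; `listener_summary` is a hypothetical name and the sample rows are constructed in the same layout.

```bash
#!/bin/sh
# Constructed sample in the `lsof -i` layout shown above (not captured output).
sample_lsof_i() {
cat <<'EOF'
COMMAND  PID USER    FD  TYPE DEVICE SIZE/OFF NODE NAME
httpd   3221 root    4u  IPv6  19397      0t0  TCP *:http (LISTEN)
httpd   3224 apache  4u  IPv6  19397      0t0  TCP *:http (LISTEN)
httpd   3225 apache  4u  IPv6  19397      0t0  TCP *:http (LISTEN)
cupsd   1605 root    6u  IPv6  11196      0t0  TCP localhost:ipp (LISTEN)
cupsd   1605 root    7u  IPv4  11197      0t0  TCP localhost:ipp (LISTEN)
master  1941 root   12u  IPv4  12126      0t0  TCP localhost:smtp (LISTEN)
sshd    2100 root    3u  IPv4  13001      0t0  TCP 192.0.2.10:ssh->192.0.2.20:50514 (ESTABLISHED)
EOF
}

# listener_summary (hypothetical name): one line per command and listening
# address, with its exposure, distinct PID count and owning users.
listener_summary() {
  awk '
    $NF != "(LISTEN)" { next }               # skip header, UDP, established
    {
      addr = $(NF - 1)                       # NAME column, e.g. *:http
      key  = $1 " " addr
      if (!((key, $2) in seen_pid)) { seen_pid[key, $2] = 1; pids[key]++ }
      if (!((key, $3) in seen_user)) {
        seen_user[key, $3] = 1
        if (key in users) users[key] = users[key] "," $3
        else              users[key] = $3
      }
      host = addr
      sub(/:[^:]*$/, "", host)               # drop the :port suffix
      if (host == "*") scope[key] = "all-interfaces"
      else if (host == "localhost" || host == "127.0.0.1" || host == "[::1]")
        scope[key] = "loopback"
      else scope[key] = "specific-address"
    }
    END {
      for (k in pids)
        printf "%s %s pids=%d users=%s\n", k, scope[k], pids[k], users[k]
    }
  ' | LC_ALL=C sort
}

# On a live system: lsof -i | listener_summary
sample_lsof_i | listener_summary
```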
When you work with sockets or NFS files, for example, repeat mode is a nice option to use.
Specify the -r option followed by the delay time.
```
[root@pluto ~]# lsof -i @localhost -r1
COMMAND  PID USER  FD   TYPE DEVICE SIZE/OFF NODE NAME
cupsd   1605 root  6u   IPv6  11196      0t0  TCP localhost:ipp (LISTEN)
cupsd   1605 root  7u   IPv4  11197      0t0  TCP localhost:ipp (LISTEN)
master  1941 root  12u  IPv4  12126      0t0  TCP localhost:smtp (LISTEN)
master  1941 root  13u  IPv6  12128      0t0  TCP localhost:smtp (LISTEN)
=======
COMMAND  PID USER  FD   TYPE DEVICE SIZE/OFF NODE NAME
cupsd   1605 root  6u   IPv6  11196      0t0  TCP localhost:ipp (LISTEN)
cupsd   1605 root  7u   IPv4  11197      0t0  TCP localhost:ipp (LISTEN)
master  1941 root  12u  IPv4  12126      0t0  TCP localhost:smtp (LISTEN)
master  1941 root  13u  IPv6  12128      0t0  TCP localhost:smtp (LISTEN)
=======
```
This runs Lsof every 1 second. To interrupt it, press “Ctrl+c”.
Finally, if you need to use Lsof in conjunction with other commands, use the -t option for terse output, which suppresses error messages and other information and leaves only the process IDs.
```
[root@pluto ~]# kill -9 `lsof -t /app`
```
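The one-liner above fails with a usage error when nothing holds /app open, and SIGKILL gives processes no chance to flush their files. The function below is an added example, not part of the original article: it sends SIGTERM first and uses SIGKILL only on what survives; `release_path` and its messages are hypothetical names.

```bash
#!/bin/sh
# release_path PATH [GRACE_SECONDS]
# Stop the processes that `lsof -t PATH` reports, gently first.
release_path() {
  rp_path=$1
  rp_grace=${2:-5}                        # seconds to wait after SIGTERM
  # -t prints bare PIDs; lsof exits non-zero when nothing matches.
  rp_pids=$(lsof -t "$rp_path" 2>/dev/null) || true
  if [ -z "$rp_pids" ]; then
    echo "no process holds $rp_path open"
    return 0
  fi
  # Unquoted on purpose: one PID per line becomes one argument each.
  kill -TERM $rp_pids 2>/dev/null || true
  rp_left=$rp_pids
  while [ "$rp_grace" -gt 0 ]; do
    rp_left=""
    for rp_pid in $rp_pids; do
      # kill -0 sends no signal, it only tests that the PID still exists.
      if kill -0 "$rp_pid" 2>/dev/null; then rp_left="$rp_left $rp_pid"; fi
    done
    if [ -z "$rp_left" ]; then
      echo "released $rp_path with SIGTERM"
      return 0
    fi
    sleep 1
    rp_grace=$((rp_grace - 1))
  done
  # Only the survivors get SIGKILL.
  kill -KILL $rp_left 2>/dev/null || true
  echo "released $rp_path with SIGKILL"
}

# Usage: sh release_path.sh /app 10
if [ "$#" -gt 0 ]; then release_path "$@"; fi
```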
Lsof is an incredibly powerful tool that will quickly help you in your daily work. By reading the man page, you can discover a lot of other options and find your own favourite tricks! I hope you enjoyed this article!
Mattia