Wednesday, March 14, 2012

10 lsof Command Examples

SkyHi @ Wednesday, March 14, 2012
The lsof (“list open files”) command in Linux is a powerful tool. In Linux and Unix, everything behind the scenes is just a file. This includes IP sockets, pipes, Unix sockets, directories, devices; even inodes are just files. This means that lsof can tell you a lot about what is going on on your system.

Synopsis

lsof [ -?abChlnNOPRstUvVX ] [ -A A ] [ -c c ] [ +|-d d ] [ +|-D D ] [ +|-f [cfgGn] ] [ -F [f] ] [ -g [s] ] [ -i [i] ] [ -k k ] [ +|-L [l] ] [ -m m ] [ +|-M ] [ -o [o] ] [ -p s ] [ +|-r [t] ] [ -S [t] ] [ -T [t] ] [ -u s ] [ +|-w ] [ -- ] [names]

Example 1: Show all opened files

Type the following command
lsof | more
Sample outputs
COMMAND     PID      USER   FD      TYPE     DEVICE      SIZE       NODE NAME
init          1      root  cwd       DIR      253,4      4096          2 /
init          1      root  rtd       DIR      253,4      4096          2 /
init          1      root  txt       REG      253,4     38652   41746599 /sbin/init
init          1      root  mem       REG      253,4    129900   16252964 /lib/ld-2.5.so
init          1      root  mem       REG      253,4   1693812   16252965 /lib/libc-2.5.so
init          1      root  mem       REG      253,4     20668   16253168 /lib/libdl-2.5.so
init          1      root  mem       REG      253,4    245376   16253222 /lib/libsepol.so.1
init          1      root  mem       REG      253,4     93508   16253815 /lib/libselinux.so.1
init          1      root   10u     FIFO       0,17                 1277 /dev/initctl
...

Example 2: Show all opened internet sockets

With the -i flag, lsof lists the Internet sockets that are currently open:
lsof -i
Sample outputs
COMMAND     PID   USER   FD   TYPE   DEVICE SIZE NODE NAME
sshd       2537   root    3u  IPv6     5348       TCP *:rockwell-csp2 (LISTEN)
mysqld     2625  mysql   11u  IPv4     5463       TCP *:mysql (LISTEN)
httpd      2731 apache    3u  IPv6 30048993       TCP *:http (LISTEN)
...

Example 3: Show all network activity on a given port (80)

lsof -i :80
Sample outputs
COMMAND   PID   USER   FD   TYPE   DEVICE SIZE NODE NAME
httpd    2731 apache    3u  IPv6 30048993       TCP *:http (LISTEN)
httpd    2731 apache   58u  IPv6 39448263       TCP server.com:http->adsl-dynamic-pool-xxx.hcm.fpt.vn:23527 (ESTABLISHED)
httpd    2731 apache   60u  IPv6 39448302       TCP server.com:http->crawl-66-249-69-83.googlebot.com:35190 (ESTABLISHED)
httpd    2731 apache   61u  IPv6 39448336       TCP server.com:http->v16-13.opera-mini.net:37548 (ESTABLISHED)
httpd    2731 apache   62u  IPv6 39448388       TCP server.com:http->v16-13.opera-mini.net:37561 (ESTABLISHED)
httpd    2731 apache   64u  IPv6 39447543       TCP server.com:http->adsl.viettel.vn:13636 (FIN_WAIT2)

Example 4: Show all TCP/UDP connections

lsof -i TCP
Sample outputs
sshd       2537   root    3u  IPv6     5348       TCP *:rockwell-csp2 (LISTEN)
mysqld     2625  mysql   11u  IPv4     5463       TCP *:mysql (LISTEN)
httpd      2731 apache    3u  IPv6 30048993       TCP *:http (LISTEN)
...
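
The socket listings in Examples 2 to 4 can be turned into a listener audit. The script below is an added example, not part of the original article: it extracts every TCP socket in LISTEN state from `lsof -i` output and reports the ones missing from an allowlist. The allowlist, the function names and the last two sample rows are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit TCP listeners in `lsof -i` output against an allowlist.

# Sample input. The header and the first three rows come from the article;
# the last two rows are constructed for this example.
sample_lsof_i() {
cat <<'EOF'
COMMAND     PID   USER   FD   TYPE   DEVICE SIZE NODE NAME
sshd       2537   root    3u  IPv6     5348       TCP *:rockwell-csp2 (LISTEN)
mysqld     2625  mysql   11u  IPv4     5463       TCP *:mysql (LISTEN)
httpd      2731 apache    3u  IPv6 30048993       TCP *:http (LISTEN)
httpd      2731 apache   58u  IPv6 39448263       TCP server.com:http->client.example:23527 (ESTABLISHED)
devsrv     4102  alice    4u  IPv4 39450001       TCP *:8000 (LISTEN)
EOF
}

# Expected listeners, one "command:user:endpoint" per line (hypothetical policy).
ALLOWED='sshd:root:*:rockwell-csp2
mysqld:mysql:*:mysql
httpd:apache:*:http'

# Print "command:user:endpoint" for every TCP socket in LISTEN state.
# Fields are counted from the end of the line: the SIZE column is blank for
# sockets here, so counting from the left would misalign the columns.
listeners() {
    awk '$NF == "(LISTEN)" && $(NF-2) == "TCP" {
        print $1 ":" $3 ":" $(NF-1)
    }' | sort -u
}

# Print listeners that are not on the allowlist (exact, whole-line matches;
# -F keeps the "*" in the endpoints literal).
unexpected_listeners() {
    listeners | grep -Fvx -e "$ALLOWED" || true
}

sample_lsof_i | unexpected_listeners
```

On a live host, pipe `lsof -i -n -P` into `unexpected_listeners` and write the allowlist with numeric ports, since -n and -P turn off the host-name and port-name conversion seen in the sample.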

Example 5: List open files associated with process ID

The -p flag displays all open files associated with a specific process ID. For example, for process ID 2625:
lsof -p 2625
Sample outputs
COMMAND  PID  USER   FD   TYPE     DEVICE      SIZE     NODE NAME
mysqld  2625 mysql  cwd    DIR      253,4      4096 21495811 /var/lib/mysql
mysqld  2625 mysql  rtd    DIR      253,4      4096        2 /
mysqld  2625 mysql  txt    REG      253,4   7020300 50999198 /usr/libexec/mysqld
mysqld  2625 mysql  DEL    REG      253,4           16253135 /lib/libcrypto.so.0.9.8e.#prelink#.64u8kX
mysqld  2625 mysql  mem    REG      253,4           16252984 /lib/libm-2.5.so (path inode=16253122)
mysqld  2625 mysql  DEL    REG      253,4           50996047 /usr/lib/libgssapi_krb5.so.2.2.#prelink#.YYIHuy
mysqld  2625 mysql  mem    REG      253,4           16252990 /lib/libselinux.so.1 (path inode=16253815)
mysqld  2625 mysql  mem    REG      253,4           16256252 /lib/libsepol.so.1 (path inode=16253222)
mysqld  2625 mysql  mem    REG      253,4     50848 16253138 /lib/libnss_files-2.5.so
mysqld  2625 mysql  mem    REG      253,4           16253825 /lib/librt-2.5.so (path inode=16253220)
mysqld  2625 mysql  mem    REG      253,4           16252942 /lib/ld-2.5.so (path inode=16252964)
mysqld  2625 mysql  mem    REG      253,4           50996107 /usr/lib/libstdc++.so.6.0.8 (path inode=50989584)
mysqld  2625 mysql  mem    REG      253,4           50996061 /usr/lib/libkrb5.so.3.3 (path inode=50999803)
mysqld  2625 mysql  mem    REG      253,4           16252980 /lib/libdl-2.5.so (path inode=16253168)
...
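
The per-process listing above contains two kinds of stale mappings: rows whose FD is DEL (a mapped file that has since been deleted) and mem rows tagged "(path inode=N)", where the path now resolves to a different inode than the one mapped (compare /lib/ld-2.5.so, which Example 1 shows at inode 16252964). The script below is an added example, not part of the original article, that extracts both kinds so the affected processes can be scheduled for a restart; the function names are assumptions.

```shell
#!/bin/sh
# Added example: find processes that still map deleted or replaced files.

# Rows copied from the article's Example 5 sample output.
sample_lsof_p() {
cat <<'EOF'
COMMAND  PID  USER   FD   TYPE     DEVICE      SIZE     NODE NAME
mysqld  2625 mysql  txt    REG      253,4   7020300 50999198 /usr/libexec/mysqld
mysqld  2625 mysql  DEL    REG      253,4           16253135 /lib/libcrypto.so.0.9.8e.#prelink#.64u8kX
mysqld  2625 mysql  mem    REG      253,4           16252984 /lib/libm-2.5.so (path inode=16253122)
mysqld  2625 mysql  mem    REG      253,4     50848 16253138 /lib/libnss_files-2.5.so
mysqld  2625 mysql  mem    REG      253,4           16252942 /lib/ld-2.5.so (path inode=16252964)
EOF
}

# Print one line per stale mapping:
#   deleted  <pid> <command> <path>
#   replaced <pid> <command> <path> <mapped inode> <current inode>
# Fields are counted from the end because SIZE may be blank.
# Limitation: paths containing spaces are not handled.
stale_mappings() {
    awk '
    $4 == "DEL" { print "deleted", $2, $1, $NF; next }
    $4 == "mem" && $(NF-1) == "(path" && $NF ~ /^inode=[0-9]+\)$/ {
        cur = $NF
        sub(/^inode=/, "", cur)
        sub(/\)$/, "", cur)
        print "replaced", $2, $1, $(NF-2), $(NF-3), cur
    }'
}

# Print the unique "pid command" pairs that hold at least one stale mapping.
needs_restart() {
    stale_mappings | awk '{ print $2, $3 }' | sort -u
}

sample_lsof_p | stale_mappings
```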

Example 6: Show what a given user has open

The -u flag shows what a given user has open:
lsof -u apache
Sample outputs
COMMAND   PID   USER   FD   TYPE     DEVICE      SIZE     NODE NAME
httpd    2731 apache  cwd    DIR      253,4      4096        2 /
httpd    2731 apache  rtd    DIR      253,4      4096        2 /
httpd    2731 apache  txt    REG      253,4   3120954 51157630 /usr/local/apache/bin/httpd
httpd    2731 apache  mem    REG      253,4    375710 51157607 /usr/local/apache/lib/libaprutil-1.so.0.3.10
httpd    2731 apache  mem    REG      253,4     45432 16253184 /lib/libcrypt-2.5.so
httpd    2731 apache  mem    REG      253,4      7748 16253849 /lib/libcom_err.so.2.1
httpd    2731 apache  mem    REG      253,4      7880 16253845 /lib/libkeyutils-1.2.so
httpd    2731 apache  mem    REG      253,4    937178 51157689 /usr/local/apache/modules/mod_security2.so
httpd    2731 apache  mem    REG      253,4    129208 16253851 /lib/libpcre.so.0.0.1
...

Example 7: Point lsof at a file to see what is interacting with it

For example, type the following command:
lsof /var/log/messages
Sample outputs
COMMAND   PID USER   FD   TYPE DEVICE    SIZE     NODE NAME
syslogd  2424 root    2w   REG  253,4 1437387 21463252 /var/log/messages
lfd     20823 root    6r   REG  253,4 1437387 21463252 /var/log/messages

Example 8: Display who is accessing a device

lsof /dev/tty1
Sample outputs
COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
mingetty 3032 root    0u   CHR    4,1       854 /dev/tty1
mingetty 3032 root    1u   CHR    4,1       854 /dev/tty1
mingetty 3032 root    2u   CHR    4,1       854 /dev/tty1

Example 9: Show the files and network connections a command has open

The -c flag displays the files and network connections opened by commands whose names begin with the given string. For example, for syslog:
lsof -c syslog
Sample outputs
COMMAND  PID USER   FD   TYPE     DEVICE    SIZE     NODE NAME
syslogd 2424 root  cwd    DIR      253,4    4096        2 /
syslogd 2424 root  rtd    DIR      253,4    4096        2 /
syslogd 2424 root  txt    REG      253,4   35832 41746614 /sbin/syslogd
syslogd 2424 root  mem    REG      253,4         16252949 /lib/libc-2.5.so (path inode=16252965)
syslogd 2424 root  mem    REG      253,4   50848 16253138 /lib/libnss_files-2.5.so
syslogd 2424 root  mem    REG      253,4         16252942 /lib/ld-2.5.so (path inode=16252964)
syslogd 2424 root    0u  unix 0xf7804040             5125 /dev/log
syslogd 2424 root    2w   REG      253,4 1439314 21463252 /var/log/messages
syslogd 2424 root    3w   REG      253,4   46447 21463260 /var/log/secure
syslogd 2424 root    4w   REG      253,4 3725001 21463266 /var/log/maillog
syslogd 2424 root    5w   REG      253,4  582424 21463282 /var/log/cron
syslogd 2424 root    6w   REG      253,4       0 21463270 /var/log/spooler
syslogd 2424 root    7w   REG      253,4       0 21463275 /var/log/boot.log

Example 10: Show all processes opening files in a directory

lsof +D /usr/bin/
Sample outputs
COMMAND     PID USER   FD   TYPE DEVICE  SIZE     NODE NAME
mysqld_sa  2574 root  255r   REG  253,4 13073 50999014 /usr/bin/mysqld_safe
munin-nod  2968 root  txt    REG  253,4 14984 50993003 /usr/bin/perl
lfd       20823 root  txt    REG  253,4 14984 50993003 /usr/bin/perl

References

The lsof man page



REFERENCES
http://www.lifelinux.com/10-lsof-command-examples/