Tuesday, March 21, 2017

lsof command examples in Linux

lsof is a utility command that every system admin and developer loves. The lsof command stands for list open file descriptors and, as the name suggests, it is used to find the files opened by a process. Since almost everything in UNIX is a file, you can use the lsof command to find an open regular file, a directory, a symbolic link, a block special file, an NFS-mounted file, a socket stream, a shared library, a character special file, a regular pipe, a named pipe, an internet socket, a UNIX domain socket and many others. It is an incredibly useful tool for debugging and troubleshooting in UNIX and Linux environments. Since most production systems run on UNIX-based operating systems, knowledge of this tool becomes even more important.


The lsof command generally comes pre-installed on many UNIX systems. If you get a "-bash: lsof: command not found" error while using lsof, it could be that lsof is not in your PATH. Check the /usr/bin or /usr/sbin folder for this command. If you don't find it there, you can install it from source or ask your UNIX admin to do that for you.

1) How to list all open files by all processes

Syntax: lsof

Simply running lsof without any argument prints all open files along with the processes that hold them. This is not particularly useful on its own, but it is a good starting point.

Example:

dev@linuxforfreshers.com:~$ lsof | tail -10
tail      23119                  dev   1u      CHR             136,52       0t0       55 /dev/pts/52
tail      23119                  dev   2u      CHR             136,52       0t0       55 /dev/pts/52
lsof      23120                  dev cwd       DIR                8,6      4096  5767170 /home/dev
lsof      23120                  dev rtd       DIR                8,6      4096        2 /
lsof      23120                  dev txt       REG                8,6    163224 28574379 /usr/bin/lsof
lsof      23120                  dev mem       REG                8,6   7216688 28580440 /usr/lib/locale/locale-archive
lsof      23120                  dev mem       REG                8,6   1840928  2622444 /lib/x86_64-linux-gnu/libc-2.19.so
lsof      23120                  dev mem       REG                8,6    149120  2622402 /lib/x86_64-linux-gnu/ld-2.19.so
lsof      23120                  dev   4r     FIFO               0,10       0t0  2094341 pipe
lsof      23120                  dev   7w     FIFO               0,10       0t0  2094342 pipe

2) How to list all processes which have opened a file

Syntax: lsof /home/someuser/somefile

This will list all the processes which have opened this file. You can see the command, PID, user and full file path to find out the process.

Example:

dev@linuxforfreshers.com:~$ lsof /home/dev/ | grep ssh
ssh        8222 dev cwd    DIR    8,6     4096 5767170 /home/dev
ssh.expec  8266 dev cwd    DIR    8,6     4096 5767170 /home/dev
ssh.expec  8268 dev cwd    DIR    8,6     4096 5767170 /home/dev
ssh.expec  8274 dev cwd    DIR    8,6     4096 5767170 /home/dev

3) How to find all files opened by a user

You can use the lsof -u command to list all files opened by a user, as shown below:
Syntax: lsof -u username

Example:          

dev@linuxforfreshers.com:~$ lsof -u dev| tail -10
lsof      23353 dev txt       REG                8,6    163224 28574379 /usr/bin/lsof
lsof      23353 dev mem       REG                8,6     43616  2622456 /lib/x86_64-linux-gnu/libnss_files-2.19.so
lsof      23353 dev mem       REG                8,6     47760  2622438 /lib/x86_64-linux-gnu/libnss_nis-2.19.so
lsof      23353 dev mem       REG                8,6     97296  2622400 /lib/x86_64-linux-gnu/libnsl-2.19.so
lsof      23353 dev mem       REG                8,6     39824  2622399 /lib/x86_64-linux-gnu/libnss_compat-2.19.so
lsof      23353 dev mem       REG                8,6   7216688 28580440 /usr/lib/locale/locale-archive
lsof      23353 dev mem       REG                8,6   1840928  2622444 /lib/x86_64-linux-gnu/libc-2.19.so
lsof      23353 dev mem       REG                8,6    149120  2622402 /lib/x86_64-linux-gnu/ld-2.19.so
lsof      23353 dev   4r     FIFO               0,10       0t0  2119980 pipe
lsof      23353 dev   7w     FIFO               0,10       0t0  2119981 pipe

4) How to list all files opened by a particular command
You can use the lsof -c option to provide the name of a command and list all the files opened by that command. For example, to list all files opened by the mysql process, you can do this:
Syntax: lsof -c process_name


Example :
root@linuxforfreshers.com:~# lsof -c mysql | tail -10
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
mysqld  2149 mysql   54u   REG                8,6     1024 16515193 /var/lib/mysql/mysql/time_zone.MYI
mysqld  2149 mysql   55u   REG                8,6        0 16515194 /var/lib/mysql/mysql/time_zone.MYD
mysqld  2149 mysql   56u   REG                8,6     1024 16515202 /var/lib/mysql/mysql/time_zone_leap_second.MYI
mysqld  2149 mysql   57u   REG                8,6        0 16515203 /var/lib/mysql/mysql/time_zone_leap_second.MYD
mysqld  2149 mysql   58u   REG                8,6     1024 16515190 /var/lib/mysql/mysql/time_zone_name.MYI
mysqld  2149 mysql   59u   REG                8,6        0 16515191 /var/lib/mysql/mysql/time_zone_name.MYD
mysqld  2149 mysql   60u   REG                8,6     1024 16515196 /var/lib/mysql/mysql/time_zone_transition.MYI
mysqld  2149 mysql   61u   REG                8,6        0 16515197 /var/lib/mysql/mysql/time_zone_transition.MYD
mysqld  2149 mysql   62u   REG                8,6     1024 16515199 /var/lib/mysql/mysql/time_zone_transition_type.MYI
mysqld  2149 mysql   63u   REG                8,6        0 16515200 /var/lib/mysql/mysql/time_zone_transition_type.MYD

Example 2:
root@linuxforfreshers.com:~# lsof -c chrome| tail -10
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
chrome  22949 dev  74u      REG               0,22   4198400      167 /run/shm/.com.google.Chrome.frd729 (deleted)
chrome  22949 dev  75r      REG                8,6    333900  3670118 /usr/share/fonts/truetype/msttcorefonts/Times_New_Roman_Bold.ttf
chrome  22949 dev  78r      REG                8,6    123828  3670122 /usr/share/fonts/truetype/msttcorefonts/Trebuchet_MS_Bold.ttf
chrome  22949 dev  79r      REG                8,6    136032  3670125 /usr/share/fonts/truetype/msttcorefonts/Verdana_Bold.ttf
chrome  22949 dev  80u      REG               0,22   4198400       27 /run/shm/.com.google.Chrome.reBCyQ (deleted)
chrome  22949 dev  81r      REG                8,6    123828  3670122 /usr/share/fonts/truetype/msttcorefonts/Trebuchet_MS_Bold.ttf
chrome  22949 dev  86u      REG               0,22   4198400      172 /run/shm/.com.google.Chrome.opHb4S (deleted)
chrome  22949 dev  87r      REG                8,6    330412  3670117 /usr/share/fonts/truetype/msttcorefonts/Times_New_Roman.ttf
chrome  22949 dev  90r      REG                8,6    330412  3670117 /usr/share/fonts/truetype/msttcorefonts/Times_New_Roman.ttf
chrome  22949 dev 104u      REG               0,22   4198400      193 /run/shm/.com.google.Chrome.Y05n64 (deleted)
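
Several rows in the chrome output above end in "(deleted)": the file has been unlinked, but the process still holds it open. The following is an added example, not part of the original post, that pulls those rows out of default-format lsof output and totals the space each process is still holding; the function names are hypothetical and the sample rows are taken from the output above plus one constructed row.

```shell
#!/bin/sh
# Added example. Reads default-format lsof output on stdin:
#   COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
# Assumes no TID column is present (it would shift the field numbers).

# Print "pid command fd size path" for each unlinked regular file still open.
deleted_open_files() {
    awk '$NF == "(deleted)" && $5 == "REG" {
        path = $9                                  # NAME may contain spaces
        for (i = 10; i < NF; i++) path = path " " $i
        print $2, $1, $4, $7, path
    }'
}

# Print "pid command files bytes": space still held per process, counting
# each device+inode once even when several descriptors point at it.
deleted_bytes_by_pid() {
    awk '$NF == "(deleted)" && $5 == "REG" {
        key = $2 SUBSEP $6 SUBSEP $8               # pid + device + inode
        if (!(key in seen)) {
            seen[key] = 1; cmd[$2] = $1; files[$2]++; bytes[$2] += $7
        }
    }
    END { for (p in bytes) print p, cmd[p], files[p], bytes[p] }' |
        LC_ALL=C sort -n
}

# Rows copied from the chrome output above; the last row (fd 105u) is
# constructed to show a second descriptor on an already-counted inode.
SAMPLE_LSOF='chrome  22949 dev  74u      REG               0,22   4198400      167 /run/shm/.com.google.Chrome.frd729 (deleted)
chrome  22949 dev  75r      REG                8,6    333900  3670118 /usr/share/fonts/truetype/msttcorefonts/Times_New_Roman_Bold.ttf
chrome  22949 dev  80u      REG               0,22   4198400       27 /run/shm/.com.google.Chrome.reBCyQ (deleted)
chrome  22949 dev  86u      REG               0,22   4198400      172 /run/shm/.com.google.Chrome.opHb4S (deleted)
chrome  22949 dev 104u      REG               0,22   4198400      193 /run/shm/.com.google.Chrome.Y05n64 (deleted)
chrome  22949 dev 105u      REG               0,22   4198400      167 /run/shm/.com.google.Chrome.frd729 (deleted)'

printf '%s\n' "$SAMPLE_LSOF" | deleted_open_files
printf '%s\n' "$SAMPLE_LSOF" | deleted_bytes_by_pid
# On a live system: lsof | deleted_bytes_by_pid
```

Shared-memory segments like these are normal for a browser; the same listing is what you check when a disk stays full after a log file was removed, or when a running process has had its on-disk file deleted.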

5) How to find all files opened by a particular user and command

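You can combine a user and a process name in one lsof command, as shown below. By default lsof ORs its selection options, so this lists the files opened by that process or by that user; add the -a option to AND them and list only the files that match both.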

Syntax: $ lsof -u dev -c chrome

root@linuxforfreshers.com:~# lsof -u dev -c chrome | tail -10
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
chrome    22949 dev  74u      REG               0,22   4198400      167 /run/shm/.com.google.Chrome.frd729 (deleted)
chrome    22949 dev  75r      REG                8,6    333900  3670118 /usr/share/fonts/truetype/msttcorefonts/Times_New_Roman_Bold.ttf
chrome    22949 dev  78r      REG                8,6    123828  3670122 /usr/share/fonts/truetype/msttcorefonts/Trebuchet_MS_Bold.ttf
chrome    22949 dev  79r      REG                8,6    136032  3670125 /usr/share/fonts/truetype/msttcorefonts/Verdana_Bold.ttf
chrome    22949 dev  80u      REG               0,22   4198400       27 /run/shm/.com.google.Chrome.reBCyQ (deleted)
chrome    22949 dev  81r      REG                8,6    123828  3670122 /usr/share/fonts/truetype/msttcorefonts/Trebuchet_MS_Bold.ttf
chrome    22949 dev  86u      REG               0,22   4198400      172 /run/shm/.com.google.Chrome.opHb4S (deleted)
chrome    22949 dev  87r      REG                8,6    330412  3670117 /usr/share/fonts/truetype/msttcorefonts/Times_New_Roman.ttf
chrome    22949 dev  90r      REG                8,6    330412  3670117 /usr/share/fonts/truetype/msttcorefonts/Times_New_Roman.ttf
chrome    22949 dev 104u      REG               0,22   4198400      193 /run/shm/.com.google.Chrome.Y05n64 (deleted)

6) How to list all open files by a process using PID
As I said, I mostly use the lsof command to find all files opened by a particular process. To do that, I usually use the grep command to filter lsof output by PID, but you can also use the lsof -p option to do the same, as shown below:

$ lsof -p 17783

This will list all files opened by the process with PID 17783.

As with users and processes, you can also supply multiple PIDs to find files opened by multiple processes, e.g.:

$ lsof -p 17783,17754,17984


7) How to list all network connections
You can use the lsof -i option to find all open network connections, which are nothing but open internet sockets (TCP and UDP), for example:

Syntax: $ lsof -i

You can further find all TCP connections by using the tcp option, as shown below:

$ lsof -i tcp

Similarly, to find all open UDP connections you can do:

$ lsof -i udp

Each of these commands lists the processes that have such internet sockets open.



8) How to find which process is using a port
Though you can do this with the netstat command as well, you might be surprised to know that you can find all processes using a particular TCP or UDP port with the lsof command.

Syntax: lsof -i :portnumber

Example:

root@linuxforfreshers.com:~# lsof -i :3306
COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
mysqld  2149 mysql   10u  IPv4  12927      0t0  TCP localhost:mysql (LISTEN)
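
Building on the lsof -i examples in sections 7 and 8, here is an added example (not from the original post) that turns TCP listener rows into a short audit list and marks each listener as loopback-only or reachable from other hosts. The function name and the sample rows are constructed for illustration; it goes beyond the single-port lookup above by classifying every listener.

```shell
#!/bin/sh
# Added example. Reads default-format `lsof -i` output on stdin:
#   COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
# and prints "scope port pid user command" per TCP listener, where scope is
#   local   = bound to loopback only
#   exposed = bound to all interfaces (*) or to a non-loopback address
# The header, UDP rows (no state) and non-LISTEN rows are skipped.
audit_listeners() {
    awk '$NF == "(LISTEN)" {
        name = $(NF - 1)                       # e.g. *:22, 127.0.0.1:3306, [::1]:631
        port = name; sub(/^.*:/, "", port)     # text after the last colon
        addr = name; sub(/:[^:]*$/, "", addr)  # text before the last colon
        scope = "exposed"
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "localhost")
            scope = "local"
        print scope, port, $2, $3, $1
    }' | LC_ALL=C sort -u                      # IPv4 + IPv6 rows collapse to one
}

# Constructed sample in the same layout as the output above.
SAMPLE_LSOF='COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
mysqld  2149 mysql   10u  IPv4  12927      0t0  TCP 127.0.0.1:3306 (LISTEN)
sshd    1034 root     3u  IPv4  11800      0t0  TCP *:22 (LISTEN)
sshd    1034 root     4u  IPv6  11802      0t0  TCP *:22 (LISTEN)
cupsd    988 root     7u  IPv6  10411      0t0  TCP [::1]:631 (LISTEN)
chrome 22949 dev    120u  IPv4  99120      0t0  TCP 192.168.101.1:51514->192.168.101.20:443 (ESTABLISHED)'

printf '%s\n' "$SAMPLE_LSOF" | audit_listeners
# On a live system (numeric hosts and ports, listeners only):
#   lsof -nP -iTCP -sTCP:LISTEN | audit_listeners
```

Run it as root to see listeners owned by other users; the "exposed" rows are the ones to compare against the firewall policy and the list of services the host is meant to offer.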


9) To list all open files on device /dev/sda, use:

     Syntax:    lsof /dev/sda

10) To find any open file, including an open UNIX domain socket file, with the name /dev/log, use:

    Syntax:        lsof /dev/log

11)  To find an IP version 4 socket file by its associated numeric dot-form address, use:

 Syntax: lsof -i@ipaddress

Example: lsof -i@192.168.101.1






