lsof即list open files的缩写,在Linux和其他Unix上都由,Mac XOS上也是
COMMAND 进程命令行字符串 PID 进程ID USER 用户 FD txt(进程的程序文件), cwd(进程所在的当前目前), mem(), FDIDuwr 进程内该文件的打开表示符id, 其后的字母表示操作模式 TYPE REG(一般文件), DIR(目录), CHR(字符设备文件),FIFO(管道),IPv4(IPv4网络套接字) DEVICE SIZE/OFF NODE NAME 文件路径
样例输出:
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME init 1 root cwd DIR 8,1 4096 2 / init 1 root rtd DIR 8,1 4096 2 / init 1 root txt REG 8,1 265848 2621507 /sbin/init init 1 root mem REG 8,1 47712 3149879 /lib/x86_64-linux-gnu/libnss _files-2.19.so
查看某个文件/目录的使用进程,直接在命令后跟文件/目录名即可:
# lsof server_time COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME server_ti 20999 hgf txt REG 8,1 9190 1442691 ./server_time
# lsof /home/hgf/net COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME bash 10075 hgf cwd DIR 8,1 4096 1442896 /home/hgf/net bash 15706 hgf cwd DIR 8,1 4096 1442896 /home/hgf/net bash 18324 hgf cwd DIR 8,1 4096 1442896 /home/hgf/net bash 18573 hgf cwd DIR 8,1 4096 1442896 /home/hgf/net sudo 20730 root cwd DIR 8,1 4096 1442896 /home/hgf/net su 20740 root cwd DIR 8,1 4096 1442896 /home/hgf/net bash 20741 root cwd DIR 8,1 4096 1442896 /home/hgf/net server_ti 20999 hgf cwd DIR 8,1 4096 1442896 /home/hgf/net lsof 21814 root cwd DIR 8,1 4096 1442896 /home/hgf/net lsof 21815 root cwd DIR 8,1 4096 1442896 /home/hgf/net
这里的已删除文件指的是文件被某些进程打开,但磁盘上该文件已经被删除了(目录列出的结果上来看)。这些文件实际还是存在于磁盘上,可以通过使用lsof来找出这些文件
# lsof|grep deleted init 1 root 10w REG 8,1 969 2360289 /var/log/upstart/systemd-logind.log.1 (deleted) init 1 root 27w REG 8,1 1406 2360292 /var/log/upstart/modemmanager.log.1 (deleted)
...
...... server_ti 20999 hgf txt REG 8,1 9190 1442691 /home/hgf/net/server_time (deleted)
此时我们可以从/proc文件系统中在对应的PID目录下复制出程序的文件,
root@ubuntu:/proc/20999# ll total 0 dr-xr-xr-x 9 hgf hgf 0 May 7 10:56 ./ dr-xr-xr-x 262 root root 0 Feb 5 00:26 ../ dr-xr-xr-x 2 hgf hgf 0 May 7 11:09 attr/ -rw-r--r-- 1 hgf hgf 0 May 7 11:09 autogroup -r-------- 1 hgf hgf 0 May 7 11:09 auxv -r--r--r-- 1 hgf hgf 0 May 7 11:09 cgroup --w------- 1 hgf hgf 0 May 7 11:09 clear_refs -r--r--r-- 1 hgf hgf 0 May 7 11:09 cmdline -rw-r--r-- 1 hgf hgf 0 May 7 11:09 comm -rw-r--r-- 1 hgf hgf 0 May 7 11:09 coredump_filter -r--r--r-- 1 hgf hgf 0 May 7 11:09 cpuset lrwxrwxrwx 1 hgf hgf 0 May 7 10:56 cwd -> /home/hgf/net/ -r-------- 1 hgf hgf 0 May 7 11:09 environ lrwxrwxrwx 1 hgf hgf 0 May 7 10:56 exe -> /home/hgf/net/server_time (deleted) dr-x------ 2 hgf hgf 0 May 7 10:56 fd/ ... root@ubuntu:/proc/20999# cp exe ~/
如果是程序打开的一个文件而不是程序本身,则可以在fd目录中找到对应的描述符编号
root@ubuntu:/home/hgf/file# md5sum some.dat 6d12400811c3d945b3ca9ebe8ef86490 some.dat root@ubuntu:/home/hgf/file# lsof some.dat 2>/dev/null COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME openfile 26020 hgf 3u REG 8,1 657457152 1442908 some.dat root@ubuntu:/home/hgf/file# ls /proc/26020/fd/3 /proc/26020/fd/3 root@ubuntu:/home/hgf/file# ls -l /proc/26020/fd/3 lrwx------ 1 hgf hgf 64 May 7 11:23 /proc/26020/fd/3 -> /home/hgf/file/some.dat root@ubuntu:/home/hgf/file# rm some.dat root@ubuntu:/home/hgf/file# ls -l /proc/26020/fd/3 lrwx------ 1 hgf hgf 64 May 7 11:23 /proc/26020/fd/3 -> /home/hgf/file/some.dat (deleted) root@ubuntu:/home/hgf/file# cp /proc/26020/fd/3 ~/data.dat root@ubuntu:/home/hgf/file# md5sum ~/data.dat 6d12400811c3d945b3ca9ebe8ef86490 /root/data.dat
可以看到checksum是一样的
显示输出和netstat得到的结果基本一样,比起netstat命令少输入几个字符
root@ubuntu:~# lsof -i COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME avahi-dae 617 avahi 13u IPv4 9209 0t0 UDP *:mdns avahi-dae 617 avahi 14u IPv6 9210 0t0 UDP *:mdns avahi-dae 617 avahi 15u IPv4 9211 0t0 UDP *:43412 avahi-dae 617 avahi 16u IPv6 9212 0t0 UDP *:53055 cups-brow 706 root 8u IPv4 1912 0t0 UDP *:ipp cupsd 14751 root 10u IPv6 662057 0t0 TCP ip6-localhost:ipp (LISTEN) cupsd 14751 root 11u IPv4 662058 0t0 TCP localhost:ipp (LISTEN) dnsmasq 14951 nobody 4u IPv4 1051360 0t0 UDP ubuntu:domain dnsmasq 14951 nobody 5u IPv4 1051361 0t0 TCP ubuntu:domain (LISTEN) ubuntu-ge 15063 hgf 9u IPv4 1100396 0t0 TCP 10.211.55.4:56814->mistletoe.canonical.com:http (ESTABLISHED) dhclient 29249 root 6u IPv4 1098611 0t0 UDP *:bootpc dhclient 29249 root 20u IPv4 1099042 0t0 UDP *:58036 dhclient 29249 root 21u IPv6 1099043 0t0 UDP *:22173
查看IPv4上的TCP连接与打开端口,同时取消域名查询(-n)直接显示IP地址
root@ubuntu:~# lsof -i 4tcp -n COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME cupsd 14751 root 11u IPv4 662058 0t0 TCP 127.0.0.1:ipp (LISTEN) dnsmasq 14951 nobody 5u IPv4 1051361 0t0 TCP 127.0.1.1:domain (LISTEN) ubuntu-ge 15063 hgf 9u IPv4 1100396 0t0 TCP 10.211.55.4:56814->91.189.89.144:http (CLOSE_WAIT)