Linux: the lsof command

lsof is short for "list open files". It is available on Linux and other Unix systems, and on Mac OS X as well.

Viewing open files/directories and the processes using them

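COMMAND        Process command-line string

PID            Process ID

USER           User

FD             txt (the process's program file), cwd (the process's current working directory), mem (),

               FDIDuwr: the ID of the file descriptor open in the process; the letter that follows indicates the access mode

TYPE           REG (regular file), DIR (directory), CHR (character device file), FIFO (pipe), IPv4 (IPv4 network socket)

DEVICE

SIZE/OFF

NODE

NAME           File path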

Sample output:

COMMAND     PID   TID       USER   FD      TYPE             DEVICE SIZE/OFF       NODE NAME

init          1             root  cwd       DIR                8,1     4096          2 /

init          1             root  rtd       DIR                8,1     4096          2 /

init          1             root  txt       REG                8,1   265848    2621507 /sbin/init

init          1             root  mem       REG                8,1    47712    3149879 /lib/x86_64-linux-gnu/libnss_files-2.19.so

To see which processes are using a particular file or directory, just put the file or directory name after the command:

# lsof server_time

COMMAND     PID USER  FD   TYPE DEVICE SIZE/OFF    NODE NAME

server_ti 20999  hgf txt    REG    8,1     9190 1442691 ./server_time

# lsof /home/hgf/net

COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME

bash      10075  hgf  cwd    DIR    8,1     4096 1442896 /home/hgf/net

bash      15706  hgf  cwd    DIR    8,1     4096 1442896 /home/hgf/net

bash      18324  hgf  cwd    DIR    8,1     4096 1442896 /home/hgf/net

bash      18573  hgf  cwd    DIR    8,1     4096 1442896 /home/hgf/net

sudo      20730 root  cwd    DIR    8,1     4096 1442896 /home/hgf/net

su        20740 root  cwd    DIR    8,1     4096 1442896 /home/hgf/net

bash      20741 root  cwd    DIR    8,1     4096 1442896 /home/hgf/net

server_ti 20999  hgf  cwd    DIR    8,1     4096 1442896 /home/hgf/net

lsof      21814 root  cwd    DIR    8,1     4096 1442896 /home/hgf/net

lsof      21815 root  cwd    DIR    8,1     4096 1442896 /home/hgf/net

Finding deleted files

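A "deleted file" here means a file that some process still has open but that has already been deleted from disk (as far as a directory listing shows). These files actually still exist on disk, and lsof can be used to find them.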

# lsof|grep deleted

init          1             root   10w      REG                8,1      969    2360289 /var/log/upstart/systemd-logind.log.1 (deleted)

init          1             root   27w      REG                8,1     1406    2360292 /var/log/upstart/modemmanager.log.1 (deleted)
...
......
server_ti 20999  hgf txt    REG    8,1     9190 1442691 /home/hgf/net/server_time (deleted)

At this point we can copy the program's file out of the corresponding PID directory in the /proc filesystem:

root@ubuntu:/proc/20999# ll

total 0

dr-xr-xr-x   9 hgf  hgf  0 May  7 10:56 ./

dr-xr-xr-x 262 root root 0 Feb  5 00:26 ../

dr-xr-xr-x   2 hgf  hgf  0 May  7 11:09 attr/

-rw-r--r--   1 hgf  hgf  0 May  7 11:09 autogroup

-r--------   1 hgf  hgf  0 May  7 11:09 auxv

-r--r--r--   1 hgf  hgf  0 May  7 11:09 cgroup

--w-------   1 hgf  hgf  0 May  7 11:09 clear_refs

-r--r--r--   1 hgf  hgf  0 May  7 11:09 cmdline

-rw-r--r--   1 hgf  hgf  0 May  7 11:09 comm

-rw-r--r--   1 hgf  hgf  0 May  7 11:09 coredump_filter

-r--r--r--   1 hgf  hgf  0 May  7 11:09 cpuset

lrwxrwxrwx   1 hgf  hgf  0 May  7 10:56 cwd -> /home/hgf/net/

-r--------   1 hgf  hgf  0 May  7 11:09 environ

lrwxrwxrwx   1 hgf  hgf  0 May  7 10:56 exe -> /home/hgf/net/server_time (deleted)

dr-x------   2 hgf  hgf  0 May  7 10:56 fd/

...



root@ubuntu:/proc/20999# cp exe ~/

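If it is a file opened by the program rather than the program itself, the corresponding descriptor number can be found in the fd directory: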

root@ubuntu:/home/hgf/file# md5sum some.dat 

6d12400811c3d945b3ca9ebe8ef86490  some.dat

root@ubuntu:/home/hgf/file# lsof some.dat 2>/dev/null

COMMAND    PID USER   FD   TYPE DEVICE  SIZE/OFF    NODE NAME

openfile 26020  hgf    3u   REG    8,1 657457152 1442908 some.dat

root@ubuntu:/home/hgf/file# ls /proc/26020/fd/3

/proc/26020/fd/3

root@ubuntu:/home/hgf/file# ls -l /proc/26020/fd/3

lrwx------ 1 hgf hgf 64 May  7 11:23 /proc/26020/fd/3 -> /home/hgf/file/some.dat



root@ubuntu:/home/hgf/file# rm some.dat 

root@ubuntu:/home/hgf/file# ls -l /proc/26020/fd/3

lrwx------ 1 hgf hgf 64 May  7 11:23 /proc/26020/fd/3 -> /home/hgf/file/some.dat (deleted)



root@ubuntu:/home/hgf/file# cp /proc/26020/fd/3 ~/data.dat

root@ubuntu:/home/hgf/file# md5sum ~/data.dat

6d12400811c3d945b3ca9ebe8ef86490  /root/data.dat

As you can see, the checksum is the same.
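The recovery steps above as a reusable script, added here as an example and not part of the original post: it lists every exe link or descriptor under /proc that points at a deleted file, and copies one out with a hash of the copy. PROC_ROOT and both function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the original post. PROC_ROOT, list_deleted and
# recover_deleted are names chosen for this sketch.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print "PID<TAB>ENTRY<TAB>ORIGINAL-PATH" for every exe link or fd whose
# target the kernel marks " (deleted)". Optional $1 limits the scan to one PID.
# Only your own processes are readable unless you are root.
list_deleted() {
    for dir in "$PROC_ROOT"/${1:-[0-9]*}; do
        [ -d "$dir" ] || continue
        pid=${dir##*/}
        for link in "$dir/exe" "$dir"/fd/*; do
            target=$(readlink "$link" 2>/dev/null) || continue
            entry=${link#"$dir"/}
            case $target in
                # The leading "/" skips sockets, pipes and anon inodes.
                /*" (deleted)")
                    printf '%s\t%s\t%s\n' "$pid" "$entry" "${target% (deleted)}" ;;
            esac
        done
    done
}

# Copy one entry out through /proc and print the SHA-256 of the copy.
# Usage: recover_deleted PID ENTRY DEST   (ENTRY is "exe" or "fd/N")
recover_deleted() {
    src="$PROC_ROOT/$1/$2"
    # The data exists only while the process keeps the file open.
    [ -e "$src" ] || { echo "not available: $src" >&2; return 1; }
    cp -- "$src" "$3" || return 1
    sha256sum "$3" | cut -d' ' -f1
}

# "sh deleted.sh scan [PID]" lists entries; sourcing only defines functions.
if [ "${1:-}" = scan ]; then list_deleted "${2:-}"; fi
```

If the process is still writing to the file, the copy is a snapshot taken at the moment of the cp, and the data is freed once the last descriptor is closed.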

Viewing open network sockets

The output is essentially the same as what netstat gives, with a few fewer characters to type than the netstat command.

root@ubuntu:~# lsof -i

COMMAND     PID   USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME

avahi-dae   617  avahi   13u  IPv4    9209      0t0  UDP *:mdns 

avahi-dae   617  avahi   14u  IPv6    9210      0t0  UDP *:mdns 

avahi-dae   617  avahi   15u  IPv4    9211      0t0  UDP *:43412 

avahi-dae   617  avahi   16u  IPv6    9212      0t0  UDP *:53055 

cups-brow   706   root    8u  IPv4    1912      0t0  UDP *:ipp 

cupsd     14751   root   10u  IPv6  662057      0t0  TCP ip6-localhost:ipp (LISTEN)

cupsd     14751   root   11u  IPv4  662058      0t0  TCP localhost:ipp (LISTEN)

dnsmasq   14951 nobody    4u  IPv4 1051360      0t0  UDP ubuntu:domain 

dnsmasq   14951 nobody    5u  IPv4 1051361      0t0  TCP ubuntu:domain (LISTEN)

ubuntu-ge 15063    hgf    9u  IPv4 1100396      0t0  TCP 10.211.55.4:56814->mistletoe.canonical.com:http (ESTABLISHED)

dhclient  29249   root    6u  IPv4 1098611      0t0  UDP *:bootpc 

dhclient  29249   root   20u  IPv4 1099042      0t0  UDP *:58036 

dhclient  29249   root   21u  IPv6 1099043      0t0  UDP *:22173 

To view TCP connections and open ports over IPv4 while disabling hostname lookups (-n) so that IP addresses are shown directly:

root@ubuntu:~# lsof -i 4tcp -n

COMMAND     PID   USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME

cupsd     14751   root   11u  IPv4  662058      0t0  TCP 127.0.0.1:ipp (LISTEN)

dnsmasq   14951 nobody    5u  IPv4 1051361      0t0  TCP 127.0.1.1:domain (LISTEN)

ubuntu-ge 15063    hgf    9u  IPv4 1100396      0t0  TCP 10.211.55.4:56814->91.189.89.144:http (CLOSE_WAIT)
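An added example (not from the original post) that turns the listing above into a check: it reads lsof's socket output and reports TCP listeners bound to anything other than a loopback address. It assumes lsof was run with -n so the addresses are numeric; the function name and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. exposed_listeners and SAMPLE
# are names chosen for this sketch.

# Read `lsof -i -n` style output on stdin and print "COMMAND PID USER ADDRESS"
# for every TCP listener that is reachable from other hosts, i.e. not bound
# to 127.0.0.0/8 or ::1. Without -n the NAME column holds hostnames such as
# "ubuntu:domain", which cannot be classified here.
exposed_listeners() {
    awk '
        $NF != "(LISTEN)" { next }      # header, UDP, established sockets
        {
            addr = $(NF - 1)            # 127.0.0.1:631, *:22, [::1]:631
            host = addr
            sub(/:[^:]*$/, "", host)    # strip the trailing :port
            if (host ~ /^127\./ || host == "[::1]") next
            print $1, $2, $3, addr
        }'
}

# Constructed sample in the column layout shown above.
SAMPLE='COMMAND     PID   USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
cupsd     14751   root   11u  IPv4  662058      0t0  TCP 127.0.0.1:631 (LISTEN)
cupsd     14751   root   10u  IPv6  662057      0t0  TCP [::1]:631 (LISTEN)
dnsmasq   14951 nobody    5u  IPv4 1051361      0t0  TCP 127.0.1.1:53 (LISTEN)
sshd        812   root    3u  IPv4   10234      0t0  TCP *:22 (LISTEN)
server_ti 20999    hgf    4u  IPv4 1100500      0t0  TCP 10.211.55.4:8013 (LISTEN)
ubuntu-ge 15063    hgf    9u  IPv4 1100396      0t0  TCP 10.211.55.4:56814->91.189.89.144:80 (CLOSE_WAIT)
avahi-dae   617  avahi   13u  IPv4    9209      0t0  UDP *:5353'

# Prints the two non-loopback listeners from the sample.
printf '%s\n' "$SAMPLE" | exposed_listeners
```

On a live host the input would come from `lsof -i -n`; adding -P keeps port numbers numeric as in the sample.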

 
