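The lsof command is used to view the files opened by your processes and the ports (TCP, UDP) in use, to find/recover deleted files, and to find which processes have a file open.
(1) Usage:
Usage: lsof [options] [file]
(2) Function:
Function: the lsof command displays the files that are open on the system. (Because lsof needs to access kernel memory and various files, it must be run as the root user to be fully effective.)
In a Linux environment everything exists in the form of a file. Through files you can access not only regular data but also network connections and hardware. So for things such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) sockets, the system assigns the application a file descriptor behind the scenes; whatever the nature of the file, the file descriptor provides a common interface for interaction between the application and the underlying operating system.
Because the list of file descriptors an application has open provides a great deal of information about the application itself, being able to view that list with lsof is very helpful for system monitoring and troubleshooting.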
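The introduction mentions recovering deleted files. The following added example (not part of the original page) shows the mechanism behind it on Linux: a file that is unlinked while a process still holds a descriptor to it can be copied back out through /proc. The file name app.log, the sample data and the use of descriptor 9 are assumptions of the demo.

```shell
#!/bin/sh
# Linux only: relies on /proc/<pid>/fd. In this demo the shell itself plays the
# process that still holds the deleted file open (on fd 9).

# recover_deleted_demo: create a file, open it, unlink it, then copy the data
# back out through the still-open descriptor. Prints the link target as the
# kernel reports it, followed by the recovered content.
recover_deleted_demo() {
  dir=$(mktemp -d) || return 1
  printf 'audit record 1\naudit record 2\n' > "$dir/app.log"   # constructed data
  exec 9< "$dir/app.log"     # hold the file open, as a running daemon would
  rm -f "$dir/app.log"       # the name is gone; the inode lives while fd 9 is open

  # lsof prints such files with "(deleted)" after the name, and `lsof +L1`
  # lists only open files whose link count is below 1. Same marker here:
  readlink /proc/self/fd/9

  # Recovery: copy the data out through the descriptor. For another process
  # the path would be /proc/PID/fd/FD, with PID and FD taken from lsof.
  cat /proc/self/fd/9 > "$dir/recovered.log"
  exec 9<&-                  # once the last descriptor closes, the inode is freed
  cat "$dir/recovered.log"
  rm -rf "$dir"
}

recover_deleted_demo
```

During incident response this is how a log file removed from disk can still be preserved, as long as the process that wrote it has not exited.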
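(3) Options:
1) +D<directory>      recursively list the open files under the directory
2) -u s               list the programs whose login name or UID is s
3) -c<process name>   list the files opened by the specified process
4) -i<condition>      list the processes matching the condition (4, 6, protocol, :port, @ip)
5) -n<directory>      list the files that use NFS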
(4) Examples:
1) [sunjimeng@localhost ~]$ lsof |more -20    With no options, shows all files currently open and in use on the system
[sunjimeng@localhost ~]$ lsof |more -20
COMMAND    PID TID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
(process name, identifier, thread id, owner, file descriptor, file type, disk name, file size, inode, file name)
systemd      1     root  cwd   unknown                   /proc/1/cwd (readlink: Permission denied)
systemd      1     root  rtd   unknown                   /proc/1/root (readlink: Permission denied)
systemd      1     root  txt   unknown                   /proc/1/exe (readlink: Permission denied)
systemd      1     root NOFD                             /proc/1/fd (opendir: Permission denied)
kthreadd     2     root  cwd   unknown                   /proc/2/cwd (readlink: Permission denied)
kthreadd     2     root  rtd   unknown                   /proc/2/root (readlink: Permission denied)
kthreadd     2     root  txt   unknown                   /proc/2/exe (readlink: Permission denied)
kthreadd     2     root NOFD                             /proc/2/fd (opendir: Permission denied)
ksoftirqd    3     root  cwd   unknown                   /proc/3/cwd (readlink: Permission denied)
ksoftirqd    3     root  rtd   unknown                   /proc/3/root (readlink: Permission denied)
ksoftirqd    3     root  txt   unknown                   /proc/3/exe (readlink: Permission denied)
ksoftirqd    3     root NOFD                             /proc/3/fd (opendir: Permission denied)
kworker/0    5     root  cwd   unknown                   /proc/5/cwd (readlink: Permission denied)
kworker/0    5     root  rtd   unknown                   /proc/5/root (readlink: Permission denied)
kworker/0    5     root  txt   unknown                   /proc/5/exe (readlink: Permission denied)
kworker/0    5     root NOFD                             /proc/5/fd (opendir: Permission denied)
migration    7     root  cwd   unknown                   /proc/7/cwd (readlink: Permission denied)
migration    7     root  rtd   unknown                   /proc/7/root (readlink: Permission denied)    // a symbolic link to the root directory
migration    7     root  txt   unknown                   /proc/7/exe (readlink: Permission denied)
--More--
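FD in detail:
1) cwd (current working directory): the application's current working directory, which is the directory the application was started from unless it changes the directory itself.
2) txt: a file of this type is program code, such as the application binary itself or a shared library
3) rtd: root directory
4) 0: standard output
5) 1: standard input
6) 2: standard error
TYPE: the file type, such as DIR, REG and so on. Common file types:
(1) DIR: a directory
(2) CHR: character type
(3) BLK: block device type
(4) UNIX: UNIX domain socket
(5) FIFO: first-in-first-out (FIFO) queue
(6) IPv4: Internet Protocol (IP) socket
DEVICE: the name of the disk
SIZE: the size of the file
NODE: the inode (the file's identifier on disk)
NAME: the exact name of the open file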
2) [root@localhost root]# lsof /bin/bash    View information about the processes associated with the specified file, i.e. find the processes that are using this file
[root@localhost root]# lsof /bin/bash
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
COMMAND    PID      USER  FD   TYPE DEVICE SIZE/OFF     NODE NAME
ksmtuned   807      root txt    REG    8,3   960384 34340720 /usr/bin/bash
bash     35234 sunjimeng txt    REG    8,3   960384 34340720 /usr/bin/bash
bash     38651      root txt    REG    8,3   960384 34340720 /usr/bin/bash
3) [root@localhost /]# lsof +D /home/sunjimeng/.local/share    Recursively view the file information of a directory
[root@localhost /]# lsof +D /home/sunjimeng/.local/share
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
COMMAND    PID      USER   FD   TYPE DEVICE SIZE/OFF      NODE NAME
nautilus  3387 sunjimeng  mem    REG    8,3    32768  71239928 /home/sunjimeng/.local/share/gvfs-metadata/home-ddf07f21.log
nautilus  3387 sunjimeng  mem    REG    8,3      764  71239927 /home/sunjimeng/.local/share/gvfs-metadata/home
nautilus  3387 sunjimeng  15r    REG    8,3      764  71239927 /home/sunjimeng/.local/share/gvfs-metadata/home
nautilus  3387 sunjimeng  16r    REG    8,3    32768  71239928 /home/sunjimeng/.local/share/gvfs-metadata/home-ddf07f21.log
evolution 3426 sunjimeng  11u    REG    8,3    14336 104003229 /home/sunjimeng/.local/share/evolution/addressbook/system/contacts.db
tracker-s 3447 sunjimeng  15w    REG    8,3   210635  71234252 /home/sunjimeng/.local/share/tracker/data/tracker-store.journal
4) [root@localhost dir1]# lsof |grep '/home/sunjimeng/Document/dir1'    A way to get the process information related to a file without using the +D option
[root@localhost dir1]# lsof +D /home/sunjimeng/Document/dir1
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
bash    38651 root  cwd    DIR    8,3       30 36004773 /home/sunjimeng/Document/dir1
lsof    41562 root  cwd    DIR    8,3       30 36004773 /home/sunjimeng/Document/dir1
lsof    41563 root  cwd    DIR    8,3       30 36004773 /home/sunjimeng/Document/dir1
[root@localhost dir1]# lsof |grep '/home/sunjimeng/Document/dir1'
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
bash    38651 root  cwd    DIR    8,3       30 36004773 /home/sunjimeng/Document/dir1
lsof    41628 root  cwd    DIR    8,3       30 36004773 /home/sunjimeng/Document/dir1
grep    41629 root  cwd    DIR    8,3       30 36004773 /home/sunjimeng/Document/dir1
lsof    41630 root  cwd    DIR    8,3       30 36004773 /home/sunjimeng/Document/dir1
5) [root@localhost /]# lsof -u sunjimeng |more -20    List the process information for all files opened by a given user
[root@localhost /]# lsof -u sunjimeng |more -20
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
COMMAND    PID      USER   FD   TYPE DEVICE  SIZE/OFF     NODE NAME
gnome-key 2967 sunjimeng  cwd    DIR    8,3         6 71227180 /var/gdm
gnome-key 2967 sunjimeng  rtd    DIR    8,3      4096      128 /
gnome-key 2967 sunjimeng  txt    REG    8,3   1038688 35649707 /usr/bin/gnome-keyring-daemon
gnome-key 2967 sunjimeng  mem    REG    8,3     50496 68402049 /usr/lib64/gio/modules/libdconfsettings.so
gnome-key 2967 sunjimeng  mem    REG    8,3 106065056 34340715 /usr/lib/locale/locale-archive
gnome-key 2967 sunjimeng  mem    REG    8,3    153184 67393930 /usr/lib64/liblzma.so.5.0.99
gnome-key 2967 sunjimeng  mem    REG    8,3    398272 67393933 /usr/lib64/libpcre.so.1.2.0
gnome-key 2967 sunjimeng  mem    REG    8,3     44088 67328582 /usr/lib64/librt-2.17.so
gnome-key 2967 sunjimeng  mem    REG    8,3    110808 67328580 /usr/lib64/libresolv-2.17.so
gnome-key 2967 sunjimeng  mem    REG    8,3    147120 67393944 /usr/lib64/libselinux.so.1
gnome-key 2967 sunjimeng  mem    REG    8,3     90632 67393947 /usr/lib64/libz.so.1.2.7
gnome-key 2967 sunjimeng  mem    REG    8,3     32296 67394691 /usr/lib64/libffi.so.6.0.1
gnome-key 2967 sunjimeng  mem    REG    8,3     15616 67394699 /usr/lib64/libgmodule-2.0.so.0.4000.0
gnome-key 2967 sunjimeng  mem    REG    8,3   2107760 67328552 /usr/lib64/libc-2.17.so
gnome-key 2967 sunjimeng  mem    REG    8,3    141616 67328578 /usr/lib64/libpthread-2.17.so
gnome-key 2967 sunjimeng  mem    REG    8,3     19736 67394316 /usr/lib64/libcap-ng.so.0.0.0
gnome-key 2967 sunjimeng  mem    REG    8,3     19384 67394141 /usr/lib64/libgpg-error.so.0.10.0
gnome-key 2967 sunjimeng  mem    REG    8,3     19512 67328558 /usr/lib64/libdl-2.17.so
gnome-key 2967 sunjimeng  mem    REG    8,3    534488 67394280 /usr/lib64/libgcrypt.so.11.8.2
--More--
6) [root@localhost /]# lsof -c sleep    List the files associated with a program
[root@localhost /]# lsof -c sleep
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
COMMAND   PID USER   FD   TYPE             DEVICE  SIZE/OFF     NODE NAME
sleep   42253 root  cwd    DIR                8,3      4096      128 /
sleep   42253 root  rtd    DIR                8,3      4096      128 /
sleep   42253 root  txt    REG                8,3     33088 34268435 /usr/bin/sleep
sleep   42253 root  mem    REG                8,3 106065056 34340715 /usr/lib/locale/locale-archive
sleep   42253 root  mem    REG                8,3   2107760 67328552 /usr/lib64/libc-2.17.so
sleep   42253 root  mem    REG                8,3    164336 67328545 /usr/lib64/ld-2.17.so
sleep   42253 root    0r   CHR                1,3       0t0     1045 /dev/null
sleep   42253 root    1u  unix 0xffff880080995a00       0t0    18112 socket
sleep   42253 root    2u  unix 0xffff880080995a00       0t0    18112 socket
[root@localhost /]# lsof |grep sleep    // equivalent
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
sleep   42993 root  cwd    DIR                8,3      4096      128 /
sleep   42993 root  rtd    DIR                8,3      4096      128 /
sleep   42993 root  txt    REG                8,3     33088 34268435 /usr/bin/sleep
sleep   42993 root  mem    REG                8,3 106065056 34340715 /usr/lib/locale/locale-archive
sleep   42993 root  mem    REG                8,3   2107760 67328552 /usr/lib64/libc-2.17.so
sleep   42993 root  mem    REG                8,3    164336 67328545 /usr/lib64/ld-2.17.so
sleep   42993 root    0r   CHR                1,3       0t0     1045 /dev/null
sleep   42993 root    1u  unix 0xffff880080995a00       0t0    18112 socket
sleep   42993 root    2u  unix 0xffff880080995a00       0t0    18112 socket
7) [root@localhost /]# lsof -i    List all network connections
[root@localhost /]# lsof -i
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
chronyd    787 chrony    1u  IPv4  16222      0t0  UDP *:ntp
chronyd    787 chrony    2u  IPv6  16223      0t0  UDP *:ntp
chronyd    787 chrony    3u  IPv4  16224      0t0  UDP localhost:323
chronyd    787 chrony    5u  IPv6  16225      0t0  UDP localhost:323
avahi-dae  790  avahi   12u  IPv4  17290      0t0  UDP *:mdns
avahi-dae  790  avahi   13u  IPv4  17291      0t0  UDP *:44093
sshd      1282   root    3u  IPv4  20803      0t0  TCP *:ssh (LISTEN)
sshd      1282   root    4u  IPv6  20805      0t0  TCP *:ssh (LISTEN)
master    2527   root   13u  IPv4  22473      0t0  TCP localhost:smtp (LISTEN)
master    2527   root   14u  IPv6  22474      0t0  TCP localhost:smtp (LISTEN)
cupsd     3269   root   11u  IPv6  27563      0t0  TCP localhost:ipp (LISTEN)
cupsd     3269   root   12u  IPv4  27564      0t0  TCP localhost:ipp (LISTEN)
List the network connections that use a specified protocol:
[root@localhost /]# lsof -i TCP
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      1282   root    3u  IPv4  20803      0t0  TCP *:ssh (LISTEN)
sshd      1282   root    4u  IPv6  20805      0t0  TCP *:ssh (LISTEN)
master    2527   root   13u  IPv4  22473      0t0  TCP localhost:smtp (LISTEN)
master    2527   root   14u  IPv6  22474      0t0  TCP localhost:smtp (LISTEN)
cupsd     3269   root   11u  IPv6  27563      0t0  TCP localhost:ipp (LISTEN)
cupsd     3269   root   12u  IPv4  27564      0t0  TCP localhost:ipp (LISTEN)
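The `lsof -i` listing above can be turned into a quick exposure check. This added example (not part of the original page) parses that output and separates sockets bound only to loopback from those reachable from other hosts; the function names are hypothetical and the embedded sample is the output shown above.

```shell
#!/bin/sh
# Sample input: the `lsof -i` output shown above, embedded so this runs offline.
sample_lsof_i() {
cat <<'EOF'
COMMAND    PID   USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
chronyd    787 chrony  1u  IPv4  16222      0t0  UDP *:ntp
chronyd    787 chrony  2u  IPv6  16223      0t0  UDP *:ntp
chronyd    787 chrony  3u  IPv4  16224      0t0  UDP localhost:323
chronyd    787 chrony  5u  IPv6  16225      0t0  UDP localhost:323
avahi-dae  790  avahi 12u  IPv4  17290      0t0  UDP *:mdns
avahi-dae  790  avahi 13u  IPv4  17291      0t0  UDP *:44093
sshd      1282   root  3u  IPv4  20803      0t0  TCP *:ssh (LISTEN)
sshd      1282   root  4u  IPv6  20805      0t0  TCP *:ssh (LISTEN)
master    2527   root 13u  IPv4  22473      0t0  TCP localhost:smtp (LISTEN)
master    2527   root 14u  IPv6  22474      0t0  TCP localhost:smtp (LISTEN)
cupsd     3269   root 11u  IPv6  27563      0t0  TCP localhost:ipp (LISTEN)
cupsd     3269   root 12u  IPv4  27564      0t0  TCP localhost:ipp (LISTEN)
EOF
}

# classify_listeners: read `lsof -i` output on stdin and print one line per
# listening TCP socket or unconnected UDP socket:
#   SCOPE COMMAND PID USER PROTO ADDRESS
# SCOPE is LOCAL for loopback-only binds and EXPOSED for everything else.
classify_listeners() {
  awk '
    $1 == "COMMAND" { next }                    # header row
    $8 != "TCP" && $8 != "UDP" { next }         # NODE column holds the protocol
    $8 == "TCP" && $10 != "(LISTEN)" { next }   # skip established TCP sessions
    $9 ~ /->/ { next }                          # skip connected sockets
    {
      host = $9
      sub(/:[^:]*$/, "", host)                  # drop the :port suffix
      scope = "EXPOSED"
      if (host == "localhost" || host ~ /^127\./ || host == "[::1]") scope = "LOCAL"
      print scope, $1, $2, $3, $8, $9
    }'
}

# exposed_count: number of sockets reachable from other hosts.
exposed_count() { classify_listeners | grep -c '^EXPOSED' || true; }

sample_lsof_i | classify_listeners
```

On a live host, pipe the output of `lsof -i` (run as root) into `classify_listeners` and compare the EXPOSED lines against the services the machine is supposed to offer.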
8) [root@localhost /]# lsof -n /home/sunjimeng    List all files under the specified directory that use the NFS file system
[root@localhost /]# lsof -n /home/sunjimeng
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
COMMAND     PID      USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
gnome-ses  2990 sunjimeng  cwd    DIR    8,3     4096  137 /home/sunjimeng
gnome-set  3168 sunjimeng  cwd    DIR    8,3     4096  137 /home/sunjimeng
gnome-she  3265 sunjimeng  cwd    DIR    8,3     4096  137 /home/sunjimeng
gsd-print  3282 sunjimeng  cwd    DIR    8,3     4096  137 /home/sunjimeng
nautilus   3387 sunjimeng  cwd    DIR    8,3     4096  137 /home/sunjimeng
vmtoolsd   3435 sunjimeng  cwd    DIR    8,3     4096  137 /home/sunjimeng
tracker-m  3442 sunjimeng  cwd    DIR    8,3     4096  137 /home/sunjimeng
tracker-s  3447 sunjimeng  cwd    DIR    8,3     4096  137 /home/sunjimeng
abrt-appl  3450 sunjimeng  cwd    DIR    8,3     4096  137 /home/sunjimeng
top       15226 sunjimeng  cwd    DIR    8,3     4096  137 /home/sunjimeng
gnome-ter 35226 sunjimeng  cwd    DIR    8,3     4096  137 /home/sunjimeng
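(5) Other:
Types of open files that lsof handles:
1. Regular files
2. Directories
3. Files on a network file system
4. Character or device files
5. (Function) shared libraries
6. Pipes and named pipes
7. Symbolic links
8. Network files (for example: NFS file, network socket, UNIX domain socket)
9. Other types of files, and so on.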