lsof Usage Explained
Logged in as root, lsof lists every kind of open file: regular files, directories, links, network files and a great deal more. The columns of its output are described below; the detailed column descriptions are quoted from the lsof(8) manual page.
COMMAND is the name of the process
PID is the process ID
USER is the user name
FD is the File Descriptor number of the file or:
cwd current working directory;
Lnn library references (AIX);
err FD information error (see NAME column);
jld jail directory (FreeBSD);
ltx shared library text (code and data);
Mxx hex memory-mapped type number xx.
m86 DOS Merge mapped file;
mem memory-mapped file;
mmap memory-mapped device;
pd parent directory;
rtd root directory;
tr kernel trace file (OpenBSD);
txt program text (code and data);
v86 VP/ix mapped file;
FD is followed by one of these characters, describing the mode under which the file is open:
r for read access;
w for write access;
u for read and write access;
space if mode unknown and no lock character follows;
‘-’ if mode unknown and lock character follows.
The mode character is followed by one of these lock characters, describing the type of lock applied to the file:
N for a Solaris NFS lock of unknown type;
r for read lock on part of the file;
R for a read lock on the entire file;
w for a write lock on part of the file;
W for a write lock on the entire file;
u for a read and write lock of any length;
U for a lock of unknown type;
x for an SCO OpenServer Xenix lock on part of the file;
X for an SCO OpenServer Xenix lock on the entire file;
space if there is no lock.
TYPE is the type of the node associated with the file - e.g., GDIR, GREG, VDIR, VREG, etc.
or ‘‘IPv4’’ for an IPv4 socket;
or ‘‘IPv6’’ for an open IPv6 network file - even if its address
is IPv4, mapped in an IPv6 address;
or ‘‘ax25’’ for a Linux AX.25 socket;
or ‘‘inet’’ for an Internet domain socket;
or ‘‘lla’’ for a HP-UX link level access file;
or ‘‘rte’’ for an AF_ROUTE socket;
or ‘‘sock’’ for a socket of unknown domain;
or ‘‘unix’’ for a UNIX domain socket;
or ‘‘x.25’’ for an HP-UX x.25 socket;
or ‘‘BLK’’ for a block special file;
or ‘‘CHR’’ for a character special file;
or ‘‘DEL’’ for a Linux map file that has been deleted;
or ‘‘DIR’’ for a directory;
or ‘‘DOOR’’ for a VDOOR file;
or ‘‘FIFO’’ for a FIFO special file;
or ‘‘KQUEUE’’ for a BSD style kernel event queue file;
or ‘‘LINK’’ for a symbolic link file;
or ‘‘MPB’’ for a multiplexed block file;
or ‘‘MPC’’ for a multiplexed character file;
or ‘‘NOFD’’ for a Linux /proc/<PID>/fd directory that can’t be opened -- the directory path appears in the NAME column, followed by an error message;
or ‘‘PAS’’ for a /proc/as file;
or ‘‘PAXV’’ for a /proc/auxv file;
or ‘‘PCRE’’ for a /proc/cred file;
or ‘‘PCTL’’ for a /proc control file;
or ‘‘PCUR’’ for the current /proc process;
or ‘‘PCWD’’ for a /proc current working directory;
or ‘‘PDIR’’ for a /proc directory;
or ‘‘PETY’’ for a /proc executable type (etype);
or ‘‘PFD’’ for a /proc file descriptor;
or ‘‘PFDR’’ for a /proc file descriptor directory;
or ‘‘PFIL’’ for an executable /proc file;
or ‘‘PFPR’’ for a /proc FP register set;
or ‘‘PGD’’ for a /proc/pagedata file;
or ‘‘PGID’’ for a /proc group notifier file;
or ‘‘PIPE’’ for pipes;
or ‘‘PLC’’ for a /proc/lwpctl file;
or ‘‘PLDR’’ for a /proc/lwp directory;
or ‘‘PLDT’’ for a /proc/ldt file;
or ‘‘PLPI’’ for a /proc/lpsinfo file;
or ‘‘PLST’’ for a /proc/lstatus file;
or ‘‘PLU’’ for a /proc/lusage file;
or ‘‘PLWG’’ for a /proc/gwindows file;
or ‘‘PLWI’’ for a /proc/lwpsinfo file;
or ‘‘PLWS’’ for a /proc/lwpstatus file;
or ‘‘PLWU’’ for a /proc/lwpusage file;
or ‘‘PLWX’’ for a /proc/xregs file;
or ‘‘PMAP’’ for a /proc map file (map);
or ‘‘PMEM’’ for a /proc memory image file;
or ‘‘PNTF’’ for a /proc process notifier file;
or ‘‘POBJ’’ for a /proc/object file;
or ‘‘PODR’’ for a /proc/object directory;
or ‘‘POLP’’ for an old format /proc light weight process file;
or ‘‘POPF’’ for an old format /proc PID file;
or ‘‘POPG’’ for an old format /proc page data file;
or ‘‘PORT’’ for a SYSV named pipe;
or ‘‘PREG’’ for a /proc register file;
or ‘‘PRMP’’ for a /proc/rmap file;
or ‘‘PRTD’’ for a /proc root directory;
or ‘‘PSGA’’ for a /proc/sigact file;
or ‘‘PSIN’’ for a /proc/psinfo file;
or ‘‘PSTA’’ for a /proc status file;
or ‘‘PSXSEM’’ for a POSIX semaphore file;
or ‘‘PSXSHM’’ for a POSIX shared memory file;
or ‘‘PUSG’’ for a /proc/usage file;
or ‘‘PW’’ for a /proc/watch file;
or ‘‘PXMP’’ for a /proc/xmap file;
or ‘‘REG’’ for a regular file;
or ‘‘SMT’’ for a shared memory transport file;
or ‘‘STSO’’ for a stream socket;
or ‘‘UNNM’’ for an unnamed type file;
or ‘‘XNAM’’ for an OpenServer Xenix special file of unknown type;
or ‘‘XSEM’’ for an OpenServer Xenix semaphore file;
or ‘‘XSD’’ for an OpenServer Xenix shared data file;
or the four type number octets if the corresponding name isn’t known.
DEVICE contains the device numbers, separated by commas, for a character special, block special, regular, directory or NFS file;
or ‘‘memory’’ for a memory file system node under Tru64 UNIX;
or the address of the private data area of a Solaris socket stream;
or a kernel reference address that identifies the file (The kernel reference address may be used for FIFO’s, for example.);
or the base address or device name of a Linux AX.25 socket device.
Usually only the lower thirty two bits of Tru64 UNIX kernel addresses are displayed.
SIZE, SIZE/OFF, or OFFSET is the size of the file or the file offset in bytes. A value is displayed in this column only if it is available. Lsof displays whatever value - size or offset - is appropriate for the type of the file and the version of lsof.
On some UNIX dialects lsof can’t obtain accurate or consistent file offset information from its kernel data sources, sometimes just for particular kinds of files (e.g., socket files.) In other cases, files don’t have true sizes - e.g., sockets, FIFOs, pipes - so lsof displays for their sizes the content amounts it finds in their kernel buffer descriptors (e.g., socket buffer size counts or TCP/IP window sizes.) Consult the lsof FAQ (The FAQ section gives its location.) for more information.
The file size is displayed in decimal; the offset is normally displayed in decimal with a leading ‘‘0t’’ if it contains 8 digits or less; in hexadecimal with a leading ‘‘0x’’ if it is longer than 8 digits. (Consult the -o o option description for information on when 8 might default to some other value.) Thus the leading ‘‘0t’’ and ‘‘0x’’ identify an offset when the column may contain both a size and an offset (i.e., its title is SIZE/OFF).
If the -o option is specified, lsof always displays the file offset (or nothing if no offset is available) and labels the column OFFSET. The offset always begins with ‘‘0t’’ or ‘‘0x’’ as described above.
The lsof user can control the switch from ‘‘0t’’ to ‘‘0x’’ with the -o o option. Consult its description for more information.
If the -s option is specified, lsof always displays the file size (or nothing if no size is available) and labels the column SIZE. The -o and -s options are mutually exclusive; they can’t both be specified.
For files that don’t have a fixed size - e.g., don’t reside on a disk device - lsof will display appropriate information about the current size or position of the file if it is available in the kernel structures that define the file.
NLINK contains the file link count when +L has been specified;
NODE is the node number of a local file;
or the inode number of an NFS file in the server host;
or the Internet protocol type - e. g, ‘‘TCP’’;
or ‘‘STR’’ for a stream;
or ‘‘CCITT’’ for an HP-UX x.25 socket;
or the IRQ or inode number of a Linux AX.25 socket device.
NAME is the name of the mount point and file
lsof [options] filename
Commonly used options:
lsof filename: list every process that has the named file open
lsof -a: AND the selection options together, so a file is listed only when it matches all of them (without -a, lsof ORs the selections)
lsof -c string: list files opened by processes whose COMMAND name begins with string (use -c /regex/ for a regular expression)
lsof -u username: list files opened by processes owned by the user (a numeric UID also works; -u ^username excludes that user)
lsof -g gid: list files opened by processes belonging to the given process group ID (PGID); this is not the Unix group ID
lsof +d /DIR/: list files opened under the directory, one level deep
lsof +D /DIR/: same, but descends the whole directory tree, which takes considerably longer
lsof -d FD: select by file descriptor, e.g. txt, cwd, mem, a number, or a range such as 0-2
lsof -n: do not convert IP addresses to host names; by default lsof resolves them. Add -P to stop port numbers being mapped to service names as well; on an isolated or compromised host this avoids slow lookups and keeps lsof from generating DNS traffic
lsof -i: list network files matching the given address specification
lsof -i[46] [protocol][@hostname|hostaddr][:service|port]
46 --> IPv4 or IPv6
protocol --> TCP or UDP
hostname --> Internet host name
hostaddr --> IPv4 (or IPv6) address
service --> a service name from /etc/services (more than one may be given)
port --> port number (more than one may be given)
For example, to see what is currently using port 22:
# lsof -i :22
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 1409 root 3u IPv6 5678 TCP *:ssh (LISTEN)
List files of type txt (program text) opened by processes owned by root (-a makes the -u and -d selections an AND):
# lsof -a -u root -d txt
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
init 1 root txt REG 3,3 38432 1763452 /sbin/init
mingetty 1632 root txt REG 3,3 14366 1763337 /sbin/mingetty
mingetty 1633 root txt REG 3,3 14366 1763337 /sbin/mingetty
mingetty 1634 root txt REG 3,3 14366 1763337 /sbin/mingetty
mingetty 1635 root txt REG 3,3 14366 1763337 /sbin/mingetty
mingetty 1636 root txt REG 3,3 14366 1763337 /sbin/mingetty
mingetty 1637 root txt REG 3,3 14366 1763337 /sbin/mingetty
kdm 1638 root txt REG 3,3 132548 1428194 /usr/bin/kdm
X 1670 root txt REG 3,3 1716396 1428336 /usr/bin/Xorg
kdm 1671 root txt REG 3,3 132548 1428194 /usr/bin/kdm
startkde 2427 root txt REG 3,3 645408 1544195 /bin/bash
... ...
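The tabular output above is meant for people. For scripts lsof has the -F option, which prints one field per line, each prefixed by a single letter taken from the lsof manual: p is the PID (and starts a new process set), c the command, L the login name, f the descriptor (and starts a new file set), P the protocol, n the name or address, and T the TCP/TPI information, of which TST= carries the connection state. The shell script below is an added example, not code from the original article: it parses that format into an inventory of listening sockets by PID, owner, protocol and address, the kind of baseline a responder compares against a host's expected services. The sample it is fed is constructed (the PIDs, commands and addresses are invented), and live_listeners assumes lsof is installed.

```shell
#!/bin/sh
# Inventory listening sockets from "lsof -F" field output.
# Field letters (lsof manual): p PID, c command, L login name, f descriptor,
# P protocol, n name/address, T TCP/TPI info (TST=<state>).
# A "p" line starts a new process set; an "f" line starts a new file set.

# Read lsof -F output on stdin; print one TAB-separated line per socket that is
# a TCP LISTEN socket or any UDP socket: PID, command, login, protocol, name.
parse_lsof_listeners() {
    awk '
    function flush() {
        if (fd != "" && (proto == "UDP" || state == "LISTEN"))
            printf "%s\t%s\t%s\t%s\t%s\n", pid, cmd, login, proto, name
        fd = ""; proto = ""; state = ""; name = ""
    }
    /^p/    { flush(); pid = substr($0, 2); next }   # new process set
    /^c/    { cmd = substr($0, 2); next }
    /^L/    { login = substr($0, 2); next }
    /^f/    { flush(); fd = substr($0, 2); next }    # new file set
    /^P/    { proto = substr($0, 2); next }
    /^n/    { name = substr($0, 2); next }
    /^TST=/ { state = substr($0, 5); next }          # TCP connection state
    END     { flush() }
    '
}

# Constructed sample of "lsof -nP -i -F pcLfPnT" output (invented PIDs and
# addresses): sshd listening on *:22 over IPv6 and IPv4, nginx with one LISTEN
# socket and one ESTABLISHED connection, and a python3 process bound to UDP.
sample_lsof_F() {
    cat <<'EOF'
p1409
csshd
Lroot
f3
PTCP
n*:22
TST=LISTEN
f4
PTCP
n*:22
TST=LISTEN
p2201
cnginx
Lroot
f6
PTCP
n0.0.0.0:80
TST=LISTEN
f12
PTCP
n10.0.0.5:80->203.0.113.9:51234
TST=ESTABLISHED
p3310
cpython3
Lalice
f5
PUDP
n127.0.0.1:8125
EOF
}

# Run the parser over the constructed sample (works offline).
demo_listeners() {
    sample_lsof_F | parse_lsof_listeners
}

# Run it against the live system; assumes lsof is installed. -n and -P stop
# lsof doing DNS and service-name lookups, so the inventory is fast and quiet.
live_listeners() {
    lsof -nP -i -F pcLfPnT | parse_lsof_listeners
}

case "${1:-}" in
    --demo) demo_listeners ;;
    --live) live_listeners ;;
esac
```

Run it as `sh listeners.sh --demo` to see the parser on the sample, or `sh listeners.sh --live` on a real host; the UDP socket is kept because lsof reports no connection state for UDP, and the ESTABLISHED nginx connection is dropped because only listeners are wanted.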
lsof usage examples
1. Finding out who is using a file system
Unmounting a file system normally fails if any file on it is still open. lsof will show which processes are using the file system that is to be unmounted; given a mount point, it lists every open file on that file system:
# lsof /GTES11/
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
bash 4208 root cwd DIR 3,1 4096 2 /GTES11/
vim 4230 root cwd DIR 3,1 4096 2 /GTES11/
In this example the user root is working in the /GTES11 directory. One bash instance is running with /GTES11 as its current directory, and a vim process also has /GTES11 as its current directory (only cwd entries appear in the output, so vim is presumably editing a file there). To unmount /GTES11 successfully, these processes have to be terminated, after the user has been notified and it has been confirmed that this is acceptable. The example shows why an application's current working directory matters: it pins a file-system resource and can prevent the file system from being unmounted. This is why most daemons (background processes) change their directory to the root directory or to a service-specific directory (for example /var/spool/mqueue in the sendmail case), so that the daemon does not block unmounting of unrelated file systems.
2. Recovering deleted files
When a Linux machine is compromised, a common pattern is that log files are deleted to cover the attacker's tracks. Administrative mistakes can also delete important files, for example removing a database's active transaction log by accident while cleaning up old logs. lsof can sometimes be used to recover such files.
When a process has a file open, the file's data remains on disk for as long as the process keeps it open, even after the file has been deleted. The process does not notice that the file was unlinked: it can still read from and write to the descriptor it was given when it opened the file. To everything except that process (and any other process that also holds it open) the file is invisible, because its directory entry has been removed; the inode and its blocks are freed only when the last open descriptor is closed.
The /proc directory contains files that reflect the kernel and the process tree. /proc is a virtual file system backed by kernel memory: its files and directories do not exist on disk, and reading or writing them reads or changes kernel state. Most of the information lsof needs lives in directories named after process IDs, so /proc/1234 holds the information for PID 1234. Each process directory contains files that let an application inspect the process's memory space, its list of file descriptors (as symbolic links to the underlying files), and other system information. lsof combines this with other kernel state to produce its output, which is why it can show a process's descriptors together with the file names they refer to. Conversely, by going through a process's descriptors we can reach the file itself.
If a file is deleted by mistake while some process still has it open, its contents can be recovered through /proc with lsof's help. Suppose /var/log/messages has been removed by a slip of the hand; it can be restored as follows.
First use lsof to check whether any process currently has /var/log/messages open (lsof +L1 would instead list every open file whose link count is zero, i.e. every deleted-but-still-open file, without needing to know the name):
# lsof |grep /var/log/messages
syslogd 1283 root 2w REG 3,3 5381017 1773647 /var/log/messages (deleted)
The output shows that PID 1283 (syslogd) has the file open for writing on file descriptor 2, and that /var/log/messages is marked (deleted). The data can therefore be read through /proc/1283/fd/2 (each numerically named entry under fd is one of the process's open descriptors):
# head -n 10 /proc/1283/fd/2
Aug 4 13:50:15 holmes86 syslogd 1.4.1: restart.
Aug 4 13:50:15 holmes86 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Aug 4 13:50:15 holmes86 kernel: Linux version 2.6.22.1-8 (root@everestbuilder.linux-ren.org) (gcc version 4.2.0) #1 SMP Wed Jul 18 11:18:32 EDT 2007
Aug 4 13:50:15 holmes86 kernel: BIOS-provided physical RAM map:
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 0000000000000000 - 000000000009f000 (usable)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 000000000009f000 - 00000000000a0000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 0000000000100000 - 000000001f7d3800 (usable)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 000000001f7d3800 - 0000000020000000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 00000000e0000000 - 00000000f0007000 (reserved)
Aug 4 13:50:15 holmes86 kernel: BIOS-e820: 00000000f0008000 - 00000000f000c000 (reserved)
So reading /proc/1283/fd/2 yields the data to be recovered. Since the descriptor can be read, I/O redirection copies it into a file:
cat /proc/1283/fd/2 > /var/log/messages
This way of recovering deleted files is very useful for many applications, log files and databases in particular. Two caveats apply. syslogd is still writing to the old, unlinked inode rather than to the file just created, so after the copy send it SIGHUP (or restart the logging service) so that it reopens /var/log/messages; until then new messages keep landing in the invisible file. And when the deletion looks like an intruder's work, copy the descriptor to separate storage and record a hash of the copy before restarting anything: the data is gone for good the moment the process closes the descriptor or exits.
Other quick checks:
lsof -c init    list files opened by processes whose command name begins with init
lsof -i :22     list everything using port 22
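Both procedures above rest on the same kernel facts: /proc/PID/cwd, /proc/PID/root, /proc/PID/exe and /proc/PID/fd/N are symbolic links to the process's open files, and a link whose target has been unlinked carries a " (deleted)" suffix. The script below is an added example, not code from the article: it reproduces the two checks (who is holding a directory or file system, which open files have already been deleted) and the recovery step using only /proc, which matters on a minimal host where lsof is absent or on a compromised one where its binary is not to be trusted. It assumes a Linux /proc, a readlink that supports -f (GNU or busybox), and enough privilege to read the target processes' /proc entries (root for other users' processes). The recovery copies to a new file and refuses to overwrite, because writing back over the original path does not redirect a daemon that still writes to the old inode.

```shell
#!/bin/sh
# /proc-only equivalents of "lsof +D DIR", "lsof +L1" and the /proc/PID/fd
# recovery step. Every /proc path used here is a documented Linux interface.

# Print "PID<TAB>link<TAB>target" for every process whose cwd, root, exe or an
# open descriptor resolves to DIR or something beneath it, i.e. what keeps a
# file system busy at umount time. Entries we lack permission for are skipped.
proc_users_of() {
    dir=$(readlink -f "$1") || return 1
    for p in /proc/[0-9]*; do
        for l in "$p/cwd" "$p/root" "$p/exe" "$p"/fd/*; do
            t=$(readlink "$l" 2>/dev/null) || continue
            case $t in
                "$dir"|"$dir"/*)
                    printf '%s\t%s\t%s\n' "${p#/proc/}" "${l#$p/}" "$t" ;;
            esac
        done
    done
}

# Print "PID<TAB>FD<TAB>path" for every open descriptor whose file has been
# unlinked (the kernel appends " (deleted)" to the link target). Anonymous
# memfd objects carry the same suffix and are not deleted files, so skip them.
proc_deleted_open() {
    for l in /proc/[0-9]*/fd/*; do
        t=$(readlink "$l" 2>/dev/null) || continue
        case $t in
            /memfd:*) continue ;;
            *' (deleted)')
                pid=${l#/proc/}; pid=${pid%%/*}
                printf '%s\t%s\t%s\n' "$pid" "${l##*/}" "${t%' (deleted)'}" ;;
        esac
    done
}

# Copy the still-open file behind /proc/PID/fd/FD to DEST. DEST must not exist:
# overwriting the original path would not redirect a daemon that keeps writing
# to the unlinked inode (send it SIGHUP or restart it afterwards instead).
recover_fd() {
    pid=$1; fd=$2; dest=$3
    src="/proc/$pid/fd/$fd"
    if [ -e "$dest" ]; then
        echo "recover_fd: refusing to overwrite $dest" >&2
        return 1
    fi
    if ! readlink "$src" >/dev/null 2>&1; then
        echo "recover_fd: $src is not readable (wrong PID/FD or no privilege)" >&2
        return 1
    fi
    # Opening the fd link opens the inode itself at offset 0, independent of
    # the owning process's file position, so the copy is the whole file.
    cat "$src" > "$dest"
}

case "${1:-}" in
    users)   proc_users_of "$2" ;;
    deleted) proc_deleted_open ;;
    recover) recover_fd "$2" "$3" "$4" ;;
esac
```

Usage: `sh procfiles.sh users /GTES11` before an umount, `sh procfiles.sh deleted` to find what an intruder or a careless cleanup removed while it was still open, and `sh procfiles.sh recover 1283 2 /root/messages.recovered` to copy it out; hash the copy before the process is touched, since the data is gone once the descriptor closes.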
————————————————
Copyright notice: this article is an original post by CSDN blogger 「xiaoduan2016」, released under the CC 4.0 BY-SA license; when reposting, include a link to the original and this notice.
原文链接:https://blog.csdn.net/duan1522630316/java/article/details/21805845
The above is the full text of "lsof Usage Explained"; source: utcz.com/z/517519.html