lsof使用详解

编程

使用root登陆 lsof查看打开的各种文件 普通文件 目录 链接  网络文件   还有一大堆的东西如下图

COMMAND 表示进程名

PID             进程id

USER         用户名

FD              打开文件的描述符

           is the File Descriptor number of the file or:


                       cwd           current working directory;
                       Lnn            library references (AIX);
                       err   FD information error (see NAME column);
                       jld   jail directory (FreeBSD);
                       ltx   shared library text (code and data);
                       Mxx  hex memory-mapped type number xx.
                       m86   DOS Merge mapped file;
                       mem   memory-mapped file;
                       mmap memory-mapped device;
                       pd   parent directory;
                       rtd  root directory;
                       tr   kernel trace file (OpenBSD);
                       txt   program text (code and data);
                       v86   VP/ix mapped file;


                  FD  is followed by one of these characters, describing the mode
                  under which the file is open:


                       r for read access;
                       w for write access;
                       u for read and write access;
                       space if mode unknown and no lock
                            character follows;
                       ‘-’ if mode unknown and lock
                            character follows


                       N for a Solaris NFS lock of unknown type;
                       r for read lock on part of the file;
                       R for a read lock on the entire file;
                       w for a write lock on part of the file;
                       W for a write lock on the entire file;
                       u for a read and write lock of any length;
                       U for a lock of unknown type;
                       x  for  an  SCO  OpenServer Xenix lock on part      of the
                  file;
                       X for an SCO OpenServer  Xenix  lock  on  the       entire
                  file;
                       space if there is no lock.


               
TYPE

is  the type of the node associated with the file - e.g., GDIR,
                  GREG, VDIR, VREG, etc.

                  or ‘‘IPv4’’ for an IPv4 socket;
                  or ‘‘IPv6’’ for an open IPv6 network file - even if its address
                  is IPv4, mapped in an IPv6 address;
                  or ‘‘ax25’’ for a Linux AX.25 socket;
                  or ‘‘inet’’ for an Internet domain socket;
                  or ‘‘lla’’ for a HP-UX link level access file;
                  or ‘‘rte’’ for an AF_ROUTE socket;
                  or ‘‘sock’’ for a socket of unknown domain;
                  or ‘‘unix’’ for a UNIX domain socket;
                  or ‘‘x.25’’ for an HP-UX x.25 socket;
                  or ‘‘BLK’’ for a block special file;
                  or ‘‘CHR’’ for a character special file;
                  or ‘‘DEL’’ for a Linux map file that has been deleted;
                  or ‘‘DIR’’ for a directory;
                  or ‘‘DOOR’’ for a VDOOR file;
                  or ‘‘FIFO’’ for a FIFO special file;
                  or ‘‘KQUEUE’’ for a BSD style kernel event queue file;
                  or ‘‘LINK’’ for a symbolic link file;
                  or ‘‘MPB’’ for a multiplexed block file;
                  or ‘‘MPC’’ for a multiplexed character file;
                  or  ‘‘NOFD’’ for a Linux /proc/<PID>/fd directory that can’t be
                  opened -- the directory path appears in the NAME  column,  fol-
                  lowed by an error message;
                  or ‘‘PAS’’ for a /proc/as file;
                  or ‘‘PAXV’’ for a /proc/auxv file;
                  or ‘‘PCRE’’ for a /proc/cred file;
                  or ‘‘PCTL’’ for a /proc control file;
                  or ‘‘PCUR’’ for the current /proc process;
                  or ‘‘PCWD’’ for a /proc current working directory;
                  or ‘‘PDIR’’ for a /proc directory;
                  or ‘‘PETY’’ for a /proc executable type (etype);
                  or ‘‘PFD’’ for a /proc file descriptor;
                  or ‘‘PFDR’’ for a /proc file descriptor directory;
                  or ‘‘PFIL’’ for an executable /proc file;
                  or ‘‘PFPR’’ for a /proc FP register set;
                  or ‘‘PGD’’ for a /proc/pagedata file;
                  or ‘‘PGID’’ for a /proc group notifier file;
                  or ‘‘PIPE’’ for pipes;
                  or ‘‘PLC’’ for a /proc/lwpctl file;
                  or ‘‘PLDR’’ for a /proc/lpw directory;
                  or ‘‘PLDT’’ for a /proc/ldt file;
                  or ‘‘PLPI’’ for a /proc/lpsinfo file;
                  or ‘‘PLST’’ for a /proc/lstatus file
                  or ‘‘PLU’’ for a /proc/lusage file;
                  or ‘‘PLWG’’ for a /proc/gwindows file;
                  or ‘‘PLWI’’ for a /proc/lwpsinfo file;
                  or ‘‘PLWS’’ for a /proc/lwpstatus file;
                  or ‘‘PLWU’’ for a /proc/lwpusage file;
                  or ‘‘PLWX’’ for a /proc/xregs file’
                  or ‘‘PMAP’’ for a /proc map file (map);
                  or ‘‘PMEM’’ for a /proc memory image file;
                  or ‘‘PNTF’’ for a /proc process notifier file;
                  or ‘‘POBJ’’ for a /proc/object file;
                  or ‘‘PODR’’ for a /proc/object directory;
                  or ‘‘POLP’’ for an old format /proc light weight process file;
                  or ‘‘POPF’’ for an old format /proc PID file;
                  or ‘‘POPG’’ for an old format /proc page data file;
                  or ‘‘PORT’’ for a SYSV named pipe;
                  or ‘‘PREG’’ for a /proc register file;
                  or ‘‘PRMP’’ for a /proc/rmap file;
                  or ‘‘PRTD’’ for a /proc root directory;
                  or ‘‘PSGA’’ for a /proc/sigact file;
                  or ‘‘PSIN’’ for a /proc/psinfo file;
                  or ‘‘PSTA’’ for a /proc status file;
                  or ‘‘PSXSEM’’ for a POSIX semaphore file;
                  or ‘‘PSXSHM’’ for a POSIX shared memory file;
                  or ‘‘PUSG’’ for a /proc/usage file;
                  or ‘‘PW’’ for a /proc/watch file;
                  or ‘‘PXMP’’ for a /proc/xmap file;
                  or ‘‘REG’’ for a regular file;

               ‘‘SMT’’ for a shared memory transport file;
                  or ‘‘STSO’’ for a stream socket;
                  or ‘‘UNNM’’ for an unnamed type file;
                  or  ‘‘XNAM’’  for  an  OpenServer Xenix special file of unknown
                  type;
                  or ‘‘XSEM’’ for an OpenServer Xenix semaphore file;
                  or ‘‘XSD’’ for an OpenServer Xenix shared data file;
                  or the four type number octets if the corresponding name  isn’t
                  known.

DEVICE     contains the device numbers, separated by commas, for a charac-
                  ter special, block special, regular, directory or NFS file;
                  or ‘‘memory’’ for a memory file system node under Tru64 UNIX;
                  or  the  address  of  the private data area of a Solaris socket
                  stream;
                  or a kernel reference address that  identifies  the  file  (The
                  kernel reference address may be used for FIFO’s, for example.);
                  or the base address or device name  of  a  Linux  AX.25  socket
                  device.
                  Usually  only  the  lower  thirty two bits of Tru64 UNIX kernel
                  addresses are displayed.

SIZE, SIZE/OFF, or OFFSET
                  is the size of the file or the file offset in bytes.   A  value
                  is displayed in this column only if it is available.  Lsof dis-
                  plays whatever value - size or offset - is appropriate for  the
                  type of the file and the version of lsof.

                  On  some UNIX dialects lsof can’t obtain accurate or consistent
                  file offset information from its kernel data sources, sometimes
                  just  for  particular  kinds of files (e.g., socket files.)  In
                  other cases, files don’t  have  true  sizes  -  e.g.,  sockets,
                  FIFOs,  pipes  -  so  lsof displays for their sizes the content
                  amounts it finds in  their  kernel  buffer  descriptors  (e.g.,
                  socket buffer size counts or TCP/IP window sizes.)  Consult the
                  lsof FAQ (The FAQ section gives its location.)  for more infor-
                  mation.

                  The  file  size is displayed in decimal; the offset is normally
                  displayed in decimal with a leading ‘‘0t’’  if  it  contains  8
                  digits  or  less; in hexadecimal with a leading ‘‘0x’’ if it is
                  longer than 8 digits.  (Consult the -o o option description for
                  information on when 8 might default to some other value.)

                  Thus  the leading ‘‘0t’’ and ‘‘0x’’ identify an offset when the
                  column may contain both a size and an offset (i.e.,  its  title
                  is SIZE/OFF).

                  If  the  -o  option is specified, lsof always displays the file
                  offset (or nothing if no offset is available)  and  labels  the
                  column  OFFSET.  The offset always begins with ‘‘0t’’ or ‘‘0x’’
                  as described above.
                  The lsof user can control the switch from ‘‘0t’’ to ‘‘0x’’ with
                  the -o o option.  Consult its description for more information.

                  If the -s option is specified, lsof always  displays  the  file
                  size (or nothing if no size is available) and labels the column
                  SIZE.  The -o and -s options are mutually exclusive; they can’t
                  both be specified.

                  For  files that don’t have a fixed size - e.g., don’t reside on
                  a disk device - lsof will display appropriate information about
                  the  current size or position of the file if it is available in
                  the kernel structures that define the file.

NLINK      contains the file link count when +L has been specified;


NODE       is the node number of a local file;
                  or the inode number of an NFS file in the server host;
                  or the Internet protocol type - e. g, ‘‘TCP’’;
                  or ‘‘STR’’ for a stream;
                  or ‘‘CCITT’’ for an HP-UX x.25 socket;
                  or the IRQ or inode number of a Linux AX.25 socket device.


NAME       is the name of the mount point and file

lsof [options] filename
常用的参数列表: 
lsof  filename 显示打开指定文件的所有进程
lsof -a 表示两个参数都必须满足时才显示结果
lsof -c string   显示COMMAND列中包含指定字符的进程所有打开的文件
lsof -u username  显示所属user进程打开的文件
lsof -g gid 显示归属gid的进程情况
lsof +d /DIR/ 显示目录下被进程打开的文件
lsof +D /DIR/ 同上,但是会搜索目录下的所有目录,时间相对较长
lsof -d FD 显示指定文件描述符的进程
lsof -n 不将IP转换为hostname,缺省是不加上-n参数
lsof -i 用以显示符合条件的进程情况
lsof -i[46] [protocol][@hostname|hostaddr][:service|port]
            46 --> IPv4 or IPv6
            protocol --> TCP or UDP
            hostname --> Internet host name
            hostaddr --> IPv4地址
            service --> /etc/service中的 service name (可以不只一个)
            port --> 端口号 (可以不只一个)
例如: 查看22端口现在运行的情况 
# lsof -i :22
COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
sshd    1409 root    3u  IPv6   5678       TCP *:ssh (LISTEN)
查看所属root用户进程所打开的文件类型为txt的文件: 
# lsof -a -u root -d txt
COMMAND    PID USER  FD      TYPE DEVICE    SIZE    NODE NAME
init       1    root txt       REG    3,3   38432 1763452 /sbin/init
mingetty  1632 root txt       REG    3,3   14366 1763337 /sbin/mingetty
mingetty  1633 root txt       REG    3,3   14366 1763337 /sbin/mingetty
mingetty  1634 root txt       REG    3,3   14366 1763337 /sbin/mingetty
mingetty  1635 root txt       REG    3,3   14366 1763337 /sbin/mingetty
mingetty  1636 root txt       REG    3,3   14366 1763337 /sbin/mingetty
mingetty  1637 root txt       REG    3,3   14366 1763337 /sbin/mingetty
kdm        1638 root txt       REG    3,3  132548 1428194 /usr/bin/kdm
X          1670 root txt       REG    3,3 1716396 1428336 /usr/bin/Xorg
kdm        1671 root txt       REG    3,3  132548 1428194 /usr/bin/kdm
startkde  2427 root txt       REG    3,3  645408 1544195 /bin/bash
... ...  
lsof使用实例
 
一、查找谁在使用文件系统
在卸载文件系统时,如果该文件系统中有任何打开的文件,操作通常将会失败。那么通过lsof可以找出那些进程在使用当前要卸载的文件系统,如下: 
# lsof  /GTES11/
COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
bash    4208 root  cwd    DIR    3,1 4096    2 /GTES11/
vim     4230 root  cwd    DIR    3,1 4096    2 /GTES11/
在这个示例中,用户root正在其/GTES11目录中进行一些操作。一个 bash是实例正在运行,并且它当前的目录为/GTES11,另一个则显示的是vim正在编辑/GTES11下的文件。要成功地卸载/GTES11,应该在通知用户以确保情况正常之后,中止这些进程。 这个示例说明了应用程序的当前工作目录非常重要,因为它仍保持着文件资源,并且可以防止文件系统被卸载。这就是为什么大部分守护进程(后台进程)将它们的目录更改为根目录、或服务特定的目录(如 sendmail 示例中的 /var/spool/mqueue)的原因,以避免该守护进程阻止卸载不相关的文件系统。 
二、恢复删除的文件
当Linux计算机受到入侵时,常见的情况是日志文件被删除,以掩盖攻击者的踪迹。管理错误也可能导致意外删除重要的文件,比如在清理旧日志时,意外地删除了数据库的活动事务日志。有时可以通过lsof来恢复这些文件。 
当进程打开了某个文件时,只要该进程保持打开该文件,即使将其删除,它依然存在于磁盘中。这意味着,进程并不知道文件已经被删除,它仍然可以向打开该文件时提供给它的文件描述符进行读取和写入。除了该进程之外,这个文件是不可见的,因为已经删除了其相应的目录索引节点。 
在/proc 目录下,其中包含了反映内核和进程树的各种文件。/proc目录挂载的是在内存中所映射的一块区域,所以这些文件和目录并不存在于磁盘中,因此当我们对这些文件进行读取和写入时,实际上是在从内存中获取相关信息。大多数与 lsof 相关的信息都存储于以进程的 PID 命名的目录中,即 /proc/1234 中包含的是 PID 为 1234 的进程的信息。每个进程目录中存在着各种文件,它们可以使得应用程序简单地了解进程的内存空间、文件描述符列表、指向磁盘上的文件的符号链接和其他系统信息。lsof 程序使用该信息和其他关于内核内部状态的信息来产生其输出。所以lsof 可以显示进程的文件描述符和相关的文件名等信息。也就是我们通过访问进程的文件描述符可以找到该文件的相关信息。 
  
当系统中的某个文件被意外地删除了,只要这个时候系统中还有进程正在访问该文件,那么我们就可以通过lsof从/proc目录下恢复该文件的内容。 假如由于误操作将/var/log/messages文件删除掉了,那么这时要将/var/log/messages文件恢复的方法如下: 
首先使用lsof来查看当前是否有进程打开/var/logmessages文件,如下: 
# lsof |grep /var/log/messages
syslogd   1283      root    2w      REG        3,3  5381017    1773647 /var/log/messages (deleted)
从上面的信息可以看到 PID 1283(syslogd)打开文件的文件描述符为 2。同时还可以看到/var/log/messages已经标记被删除了。因此我们可以在 /proc/1283/fd/2 (fd下的每个以数字命名的文件表示进程对应的文件描述符)中查看相应的信息,如下: 
# head -n 10 /proc/1283/fd/2
Aug  4 13:50:15 holmes86 syslogd 1.4.1: restart.
Aug  4 13:50:15 holmes86 kernel: klogd 1.4.1, log source = /proc/kmsg started.
Aug  4 13:50:15 holmes86 kernel: Linux version 2.6.22.1-8 (root@everestbuilder.linux-ren.org) (gcc version 4.2.0) #1 SMP Wed Jul 18 11:18:32 EDT 2007
Aug  4 13:50:15 holmes86 kernel: BIOS-provided physical RAM map:
Aug  4 13:50:15 holmes86 kernel:  BIOS-e820: 0000000000000000 - 000000000009f000 (usable)
Aug  4 13:50:15 holmes86 kernel:  BIOS-e820: 000000000009f000 - 00000000000a0000 (reserved)
Aug  4 13:50:15 holmes86 kernel:  BIOS-e820: 0000000000100000 - 000000001f7d3800 (usable)
Aug  4 13:50:15 holmes86 kernel:  BIOS-e820: 000000001f7d3800 - 0000000020000000 (reserved)
Aug  4 13:50:15 holmes86 kernel:  BIOS-e820: 00000000e0000000 - 00000000f0007000 (reserved)
Aug  4 13:50:15 holmes86 kernel:  BIOS-e820: 00000000f0008000 - 00000000f000c000 (reserved)
从上面的信息可以看出,查看 /proc/8663/fd/15 就可以得到所要恢复的数据。如果可以通过文件描述符查看相应的数据,那么就可以使用 I/O 重定向将其复制到文件中,如: 
cat /proc/1283/fd/2 > /var/log/messages 
对于许多应用程序,尤其是日志文件和数据库,这种恢复删除文件的方法非常有用。

lsof -c init

lsof -i  :22


————————————————
版权声明:本文为CSDN博主「xiaoduan2016」的原创文章,遵循CC 4.0 BY-SA版权协议,转载请附上原文出处链接及本声明。
原文链接:https://blog.csdn.net/duan1522630316/java/article/details/21805845

以上是 lsof使用详解 的全部内容, 来源链接: utcz.com/z/517519.html

回到顶部