lsof finds, shows, and searches data streams
Practice
lsof prints much more information than you'll ever need in most cases. Usually it makes sense to condense the data stream to show only the relevant details by using a filter. Often grep is used for this; alternatively you can fall back to a pager like less or more:
$ lsof | less -j22p <keyword>
By using -j22, less no longer shows the matches at the upper edge of the window, but instead in row 22, which is roughly equivalent to the screen center of a full-screen terminal window. This enables you to also see the context of a match. The option -p <keyword> defines the search pattern, analogous to grep.
lsof also offers options to filter the output. Using the switch -c <pattern>, for example, you can limit which processes are considered. The pattern can consist of a character string (i.e., process or program name) or a regular expression – the latter has to be enclosed by slashes (/).
With lsof /dev/sdc1, you can quickly find out which process(es) access a device or a partition. If you want to know which processes use lock files under /var/lock/, you can type lsof +D /var/lock/. If the output is still too extensive, limit it to processes that begin with sys and cup, for example:
$ lsof -c sys -c cup [...]
As mentioned above, lsof combines options that control output with logical OR by default. If you only want to see rows that match two options at the same time, activate the AND mode with lsof -a.
If you only want to investigate processes started by a certain user, for example, those started by root, use the -u option. You can pass the username (root), as well as the UID (0), using the -u option. To terminate all processes by a certain user identified by lsof, use the option -t. This makes lsof print only the PIDs, which can be used as arguments for kill:
$ kill $(lsof -tu <user>)
In quite a few cases, you'll need information about which files have been opened by a certain process in a certain way. For this, find out the process's PID (for instance with ps), and use this as an argument for -p to lsof:
$ lsof -p <PID>
This provides all of the given process's opened files, including the used libraries. To exclude the latter, filter the output by grep -v '/lib/' if necessary.
A speciality of lsof is the so-called repeat mode, which you can activate with the -r option: In this case lsof repeats its output at fixed intervals, by default every 15 seconds. With -r <seconds>, you can change the interval, but it has to be at least two seconds.
Networking
Since Linux treats network connections as files, lsof can handle them in similar fashion as normal file access. By calling lsof with the -i option, it lists all current network connections. As a normal user, you will just see the connections of email clients, the web browser, or a Dropbox client if you have one. As root, this looks completely different because of running processes like the printing system via CUPS, the DHCP client, the zeroconf client Avahi, and probably the Network Time Protocol daemon (ntpd).
The option -i 6 limits the lsof output to connections using the IPv6 protocol; -i 4 shows only IPv4 connections. Together with -a and a PID, you can quickly find all network connections of a certain process.
$ lsof -a -i -p <PID>
lsof can also identify processes listening on a certain port. For this, you have to use the option -i again but provide the port number preceded by a colon as an argument. For instance, lsof -i :22 lists all SSH connections.
All TCP connections can be viewed with lsof -i TCP. By adding the state filter -sTCP:ESTABLISHED, as in lsof -i -sTCP:ESTABLISHED, you can limit the output to established connections. Analogously, this works with lsof -i UDP for UDP connections, with lsof -i -sTCP:LISTEN for open ports, or with lsof -i @<IP>[:<Port>] for connections to certain remote stations and ports.
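An added example (not from the original article) that applies the -sTCP:LISTEN filter described above to a quick audit: it reads lsof's default column output and reports listening sockets whose port is not on an allowlist. The function names, the allowlist, and the sample rows are constructed for illustration; -n and -P (numeric addresses and ports) are lsof options not covered above.

```sh
#!/bin/sh
# Added example, not from the article.
# Live use (as root to see all processes):
#   lsof -nP -iTCP -sTCP:LISTEN | unexpected_listeners "22 631"

# unexpected_listeners "<allowed ports>"  < lsof output (default columns)
# Prints one line per listening socket whose port is not allowed.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Header row and non-listening sockets do not end in "(LISTEN)".
        $NF != "(LISTEN)" { next }
        {
            name = $(NF - 1)              # NAME column, e.g. *:22 or [::1]:631
            port = name
            sub(/.*:/, "", port)          # keep the text after the last colon
            if (!(port in ok))
                printf "%s pid=%s user=%s %s\n", $1, $2, $3, name
        }'
}

# Constructed sample in the layout lsof prints with -nP -i (not real data).
sample_lsof_output() {
    cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4  21345      0t0  TCP *:22 (LISTEN)
sshd      812 root    4u  IPv6  21347      0t0  TCP *:22 (LISTEN)
cupsd     990 root    7u  IPv6  23001      0t0  TCP [::1]:631 (LISTEN)
python3  4711 alice   4u  IPv4  88112      0t0  TCP *:8000 (LISTEN)
firefox  5120 alice  88u  IPv4  90331      0t0  TCP 192.0.2.10:51544->198.51.100.7:443 (ESTABLISHED)
EOF
}

# Demo on the constructed sample: only the listener on port 8000 is reported.
sample_lsof_output | unexpected_listeners "22 631"
```

Combined with the repeat mode (-r) on the lsof side, the same filter can be rerun at intervals to spot a listener that appears after the first check.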