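lsof: it sees nothing but files
I. What is lsof?
lsof (list open files) lists the files that are currently open on the system. On Linux, everything is a file: files give access not only to regular data but also to network connections and hardware. So lsof can show not just the files and directories a process has open, but also socket-related information such as the ports a process is listening on.
II. What can lsof do?
Find which processes occupy a given port or port range; see which processes and files a given program has started; see the processes and files related to a given service; before unmounting a partition, see which processes are using it (unmounting fails while it is in use); see which files a given process has open; recover a deleted file while a process still holds it open (restoring the on-disk data by way of /proc); and so on.
III. How is lsof used?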
$ lsof | head
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
init 1 root cwd unknown /proc/1/cwd (readlink: Permission denied)
init 1 root rtd unknown /proc/1/root (readlink: Permission denied)
init 1 root txt unknown /proc/1/exe (readlink: Permission denied)
init 1 root NOFD /proc/1/fd (opendir: Permission denied)
kthreadd 2 root cwd unknown /proc/2/cwd (readlink: Permission denied)
kthreadd 2 root rtd unknown /proc/2/root (readlink: Permission denied)
kthreadd 2 root txt unknown /proc/2/exe (readlink: Permission denied)
kthreadd 2 root NOFD /proc/2/fd (opendir: Permission denied)
migration 3 root cwd unknown /proc/3/cwd (readlink: Permission denied)
COMMAND : program name
PID : process ID
USER : process owner
FD : file descriptor
TYPE : file type
DEVICE : device number
SIZE/OFF : file size (bytes)
NODE : inode
NAME : file name
$ lsof -c TCPSvr | head ;lsof -c TCPSvr | tail
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
TCPSvr 26195 tangf cwd DIR 8,2 4096 3019206 /home/tangf/workspace
TCPSvr 26195 tangf rtd DIR 8,2 4096 2 /
TCPSvr 26195 tangf txt REG 8,2 73737 3019846 /home/tangf/linux.x64/bin/hsserver
TCPSvr 26195 tangf mem REG 8,2 156872 4719014 /lib64/ld-2.12.so
TCPSvr 26195 tangf mem REG 8,2 22536 4719021 /lib64/libdl-2.12.so
TCPSvr 26195 tangf mem REG 8,2 1922152 4719015 /lib64/libc-2.12.so
TCPSvr 26195 tangf mem REG 8,2 145720 4719016 /lib64/libpthread-2.12.so
TCPSvr 26195 tangf mem REG 8,2 91096 4719027 /lib64/libz.so.1.2.3
TCPSvr 26195 tangf mem REG 8,2 598680 4719028 /lib64/libm-2.12.so
TCPSvr 26230 tangf 270u IPv4 70829746 0t0 UDP 10.20.23.75:46013
TCPSvr 26230 tangf 271rW REG 8,2 0 3156043 /home/tangf/workspace/rm3data/10.20.23.75_46013
TCPSvr 26230 tangf 272u REG 8,2 16 3156024 /home/tangf/workspace/rm3data/report_ine_tf_uft#0_pub.dat
TCPSvr 26230 tangf 273u IPv4 70829748 0t0 UDP 10.20.23.75:46033
TCPSvr 26230 tangf 274rW REG 8,2 0 3156045 /home/tangf/workspace/rm3data/10.20.23.75_46033
TCPSvr 26230 tangf 275u IPv4 70829750 0t0 UDP *:46110
TCPSvr 26230 tangf 276u IPv4 70829751 0t0 UDP *:46116
TCPSvr 26230 tangf 277rW REG 8,2 0 3156050 /home/tangf/workspace/rm3data/10.20.23.75_46116
TCPSvr 26230 tangf 278u REG 8,2 16 3156027 /home/tangf/workspace/rm3data/trade_tf_uft_tf_uft#0_sub.dat
TCPSvr 26230 tangf 280u unix 0xffff880239796080 0t0 70830736 socket
cwd :current working directory;
Lnn :library references (AIX);
jld :jail directory (FreeBSD);
ltx :shared library text (code and data);
Mxx :hex memory-mapped type number xx.
m86 :DOS Merge mapped file;
mem :memory-mapped file;
mmap :memory-mapped device;
pd :parent directory;
rtd :root directory;
tr :kernel trace file (OpenBSD);
txt :program text (code and data);
v86 :VP/ix mapped file;
r :for read access;for read lock on part of the file;
R :for a read lock on the entire file;
w :for write access;for a write lock on part of the file;
W :for a write lock on the entire file;
u :for read and write access;for a read and write lock of any length;
U :for a lock of unknown type;
x :for an SCO OpenServer Xenix lock on part of the file;
X :for an SCO OpenServer Xenix lock on the entire file;
N :for a Solaris NFS lock of unknown type
space :if there is no lock.
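REG : regular file
DIR : directory
CHR : character device
BLK : block device
unix : UNIX domain socket
fifo : pipe file
IPv4/IPv6 : IPv4/IPv6 socket
1. Files, processes and descriptors
See which processes have a file open. The file can also be a device.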
$ lsof /bin/bash
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 19795 tangf txt REG 8,2 938768 2883625 /bin/bash
bash 22237 tangf txt REG 8,2 938768 2883625 /bin/bash
bash 22301 tangf txt REG 8,2 938768 2883625 /bin/bash
bash 22357 tangf txt REG 8,2 938768 2883625 /bin/bash
bash 24002 tangf txt REG 8,2 938768 2883625 /bin/bash
bash 24050 tangf txt REG 8,2 938768 2883625 /bin/bash
bash 24106 tangf txt REG 8,2 938768 2883625 /bin/bash
$ lsof /dev/sda
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
tail 30871 root 3r BLK 8,0 0xc4a0000 1881 /dev/sda
See which files under the current directory are open. +d looks only at the current directory; +D recurses into subdirectories.
$ lsof +d .
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 22301 tangf cwd DIR 8,2 4096 3152207 .
bash 24002 tangf cwd DIR 8,2 4096 3152302 ./SrmQuoteToolLog
lsof 25600 tangf cwd DIR 8,2 4096 3152207 .
lsof 25601 tangf cwd DIR 8,2 4096 3152207 .
$ lsof +D .
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 22301 tangf cwd DIR 8,2 4096 3152207 .
bash 24002 tangf cwd DIR 8,2 4096 3152302 ./SrmQuoteToolLog
bash 24050 tangf cwd DIR 8,2 4096 3152309 ./SrmQuoteToolLog/20200117
tail 25597 tangf cwd DIR 8,2 4096 3152309 ./SrmQuoteToolLog/20200117
tail 25597 tangf 3r REG 8,2 2064 3153222 ./SrmQuoteToolLog/20200117/SrmRecv_Runlog_112659460683.txt
lsof 25602 tangf cwd DIR 8,2 4096 3152207 .
lsof 25603 tangf cwd DIR 8,2 4096 3152207 .
See which processes a particular program has started. This can be combined with other commands, such as xargs, for batch operations.
$ lsof -tc TCPSvr
24236
24297
24299
24301
24303
24305
24307
24309
24311
24313
24315
24317
24319
24321
24323
24325
24327
24446
$ lsof -tc TCPSvr | xargs kill -9
$ lsof -tc TCPSvr
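See the files opened by a given user; combined with the -i option, see which network files (including sockets) that user has open. Prefix the user name with "^" to see the files opened by everyone except that user.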
$ lsof -u tangf | head
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 19794 tangf cwd unknown /proc/19794/cwd (readlink: Permission denied)
sshd 19794 tangf rtd unknown /proc/19794/root (readlink: Permission denied)
sshd 19794 tangf txt unknown /proc/19794/exe (readlink: Permission denied)
sshd 19794 tangf NOFD /proc/19794/fd (opendir: Permission denied)
bash 19795 tangf cwd DIR 8,2 4096 3019206 /home/tangf/workspace
bash 19795 tangf rtd DIR 8,2 4096 2 /
bash 19795 tangf txt REG 8,2 938768 2883625 /bin/bash
bash 19795 tangf mem REG 8,2 156872 4719014 /lib64/ld-2.12.so
bash 19795 tangf mem REG 8,2 22536 4719021 /lib64/libdl-2.12.so
$ lsof -a -i -u tangf | head
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
TCPSvr 24236 tangf 7u IPv4 70753142 0t0 UDP *:8476
TCPSvr 24236 tangf 12u IPv4 70753145 0t0 UDP 10.20.23.75:46321
TCPSvr 24236 tangf 14u IPv4 70753147 0t0 UDP *:14780
TCPSvr 24236 tangf 15u IPv4 70753148 0t0 UDP *:14782
TCPSvr 24236 tangf 19u IPv4 70753150 0t0 UDP 10.20.23.75:46561
TCPSvr 24236 tangf 23u IPv4 70753152 0t0 UDP 10.20.23.75:46562
TCPSvr 24236 tangf 25u IPv4 70753154 0t0 UDP 10.20.23.75:46121
TCPSvr 24236 tangf 27u IPv4 70753156 0t0 UDP *:14790
TCPSvr 24236 tangf 28u IPv4 70753157 0t0 UDP *:14792
$ lsof -a -i -u ^tangf | head
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 217u IPv4 55501316 0t0 TCP *:sunrpc (LISTEN)
systemd 1 root 218u IPv4 55501317 0t0 UDP *:sunrpc
systemd 1 root 219u IPv6 55501318 0t0 TCP *:sunrpc (LISTEN)
systemd 1 root 220u IPv6 55501319 0t0 UDP *:sunrpc
avahi-dae 708 avahi 12u IPv4 14333 0t0 UDP *:mdns
avahi-dae 708 avahi 13u IPv4 17521 0t0 UDP *:42105
chronyd 752 chrony 1u IPv4 14931 0t0 UDP localhost:323
chronyd 752 chrony 2u IPv6 14932 0t0 UDP localhost:323
sshd 1160 root 3u IPv4 18343 0t0 TCP *:ssh (LISTEN)
$ lsof -i -u ^tangf | head
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 217u IPv4 55501316 0t0 TCP *:sunrpc (LISTEN)
systemd 1 root 218u IPv4 55501317 0t0 UDP *:sunrpc
systemd 1 root 219u IPv6 55501318 0t0 TCP *:sunrpc (LISTEN)
systemd 1 root 220u IPv6 55501319 0t0 UDP *:sunrpc
avahi-dae 708 avahi 12u IPv4 14333 0t0 UDP *:mdns
avahi-dae 708 avahi 13u IPv4 17521 0t0 UDP *:42105
chronyd 752 chrony 1u IPv4 14931 0t0 UDP localhost:323
chronyd 752 chrony 2u IPv6 14932 0t0 UDP localhost:323
sshd 1160 root 3u IPv4 18343 0t0 TCP *:ssh (LISTEN)
See the processes belonging to a given program and the files they have open. Negated conditions and regular expressions are supported.
$ lsof -c TCPSvr | head
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
TCPSvr 24236 tangf cwd DIR 8,2 4096 3019206 /home/tangf/workspace
TCPSvr 24236 tangf rtd DIR 8,2 4096 2 /
TCPSvr 24236 tangf mem REG 8,2 156872 4719014 /lib64/ld-2.12.so
TCPSvr 24236 tangf mem REG 8,2 22536 4719021 /lib64/libdl-2.12.so
TCPSvr 24236 tangf mem REG 8,2 1922152 4719015 /lib64/libc-2.12.so
TCPSvr 24236 tangf mem REG 8,2 145720 4719016 /lib64/libpthread-2.12.so
TCPSvr 24236 tangf mem REG 8,2 91096 4719027 /lib64/libz.so.1.2.3
TCPSvr 24236 tangf mem REG 8,2 598680 4719028 /lib64/libm-2.12.so
$ lsof -c /TCPSv[a-z]/ | head
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
TCPSvr 24236 tangf cwd DIR 8,2 4096 3019206 /home/tangf/workspace
TCPSvr 24236 tangf rtd DIR 8,2 4096 2 /
TCPSvr 24236 tangf mem REG 8,2 156872 4719014 /lib64/ld-2.12.so
TCPSvr 24236 tangf mem REG 8,2 22536 4719021 /lib64/libdl-2.12.so
TCPSvr 24236 tangf mem REG 8,2 1922152 4719015 /lib64/libc-2.12.so
TCPSvr 24236 tangf mem REG 8,2 145720 4719016 /lib64/libpthread-2.12.so
TCPSvr 24236 tangf mem REG 8,2 91096 4719027 /lib64/libz.so.1.2.3
TCPSvr 24236 tangf mem REG 8,2 598680 4719028 /lib64/libm-2.12.so
$ lsof -c bash | head
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 19795 tangf cwd DIR 8,2 4096 3019206 /home/tangf/workspace
bash 19795 tangf rtd DIR 8,2 4096 2 /
bash 19795 tangf txt REG 8,2 938768 2883625 /bin/bash
bash 19795 tangf mem REG 8,2 156872 4719014 /lib64/ld-2.12.so
bash 19795 tangf mem REG 8,2 22536 4719021 /lib64/libdl-2.12.so
bash 19795 tangf mem REG 8,2 1922152 4719015 /lib64/libc-2.12.so
bash 19795 tangf mem REG 8,2 138280 4718719 /lib64/libtinfo.so.5.7
bash 19795 tangf mem REG 8,2 184616 7078967 /usr/lib64/gconv/GB18030.so
bash 19795 tangf mem REG 8,2 99158576 7078918 /usr/lib/locale/locale-archive
$ lsof -c ^bash | head
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
init 1 root cwd unknown /proc/1/cwd (readlink: Permission denied)
init 1 root rtd unknown /proc/1/root (readlink: Permission denied)
init 1 root txt unknown /proc/1/exe (readlink: Permission denied)
init 1 root NOFD /proc/1/fd (opendir: Permission denied)
kthreadd 2 root cwd unknown /proc/2/cwd (readlink: Permission denied)
kthreadd 2 root rtd unknown /proc/2/root (readlink: Permission denied)
kthreadd 2 root txt unknown /proc/2/exe (readlink: Permission denied)
kthreadd 2 root NOFD /proc/2/fd (opendir: Permission denied)
migration 3 root cwd unknown /proc/3/cwd (readlink: Permission denied)
See which files a given process has open.
$ lsof -p 24236 | head
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
TCPSvr 24236 tangf cwd DIR 8,2 4096 3019206 /home/tangf/workspace
TCPSvr 24236 tangf rtd DIR 8,2 4096 2 /
TCPSvr 24236 tangf mem REG 8,2 156872 4719014 /lib64/ld-2.12.so
TCPSvr 24236 tangf mem REG 8,2 22536 4719021 /lib64/libdl-2.12.so
TCPSvr 24236 tangf mem REG 8,2 1922152 4719015 /lib64/libc-2.12.so
TCPSvr 24236 tangf mem REG 8,2 145720 4719016 /lib64/libpthread-2.12.so
TCPSvr 24236 tangf mem REG 8,2 91096 4719027 /lib64/libz.so.1.2.3
TCPSvr 24236 tangf mem REG 8,2 598680 4719028 /lib64/libm-2.12.so
See the processes associated with given file descriptors. Separate multiple file descriptors with ",".
$ lsof -a -p $$ -d0,1,2
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 24106 tangf 0u CHR 136,9 0t0 12 /dev/pts/9
bash 24106 tangf 1u CHR 136,9 0t0 12 /dev/pts/9
bash 24106 tangf 2u CHR 136,9 0t0 12 /dev/pts/9
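The -P option means port numbers are not resolved and the -n option means host names are not resolved; the main purpose of both is to make lsof run faster. The wc -l command counts the number of lines lsof outputs.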
$ lsof -P -n | wc -l
2691
2. Viewing network-related files
Use the -i option to view network-related information
lsof -i [4|6][protocol][@hostname|IP][:service|port]
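4, 6 : IP protocol version
protocol : name of the network protocol, such as TCP or UDP
hostname, IP : host domain name or IP address
service : a name from /etc/services, such as smtp or ssh (separate multiple services with ",")
port : port number (separate multiple port numbers with "," or give a range with "-")
Find the processes associated with given ports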
$ lsof -i :14793
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
TCPSvr 24446 tangf 264u IPv4 70762403 0t0 UDP 10.20.23.75:14793
$ lsof -i TCP:9462,9464
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
TCPSvr 24297 tangf 33u IPv4 70761689 0t0 TCP *:9462 (LISTEN)
TCPSvr 24299 tangf 31u IPv4 70753850 0t0 TCP *:9464 (LISTEN)
$ lsof -i UDP:14793-14803
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
TCPSvr 24305 tangf 27u IPv4 70762382 0t0 UDP 10.20.23.75:14801
TCPSvr 24446 tangf 264u IPv4 70762403 0t0 UDP 10.20.23.75:14793
TCPSvr 24446 tangf 267u IPv4 70762405 0t0 UDP 10.20.23.75:14803
Find processes by IP protocol version
$ lsof -i 4 | head
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 1302 rpc 6u IPv4 12012 0t0 UDP *:sunrpc
rpcbind 1302 rpc 7u IPv4 12016 0t0 UDP *:3com-amp3
rpcbind 1302 rpc 8u IPv4 12017 0t0 TCP *:sunrpc (LISTEN)
cupsd 1503 root 7u IPv4 12646 0t0 TCP localhost:ipp (LISTEN)
cupsd 1503 root 9u IPv4 12649 0t0 UDP *:ipp
master 1731 root 12u IPv4 13517 0t0 TCP localhost:smtp (LISTEN)
sshd 2062 root 3u IPv4 15956 0t0 TCP *:ssh (LISTEN)
rpc.statd 3784 rpcuser 5u IPv4 64098835 0t0 UDP *:telnets
rpc.statd 3784 rpcuser 8u IPv4 64098841 0t0 UDP *:22179
$ lsof -i 6 | head
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 1302 rpc 9u IPv6 12019 0t0 UDP *:sunrpc
rpcbind 1302 rpc 10u IPv6 12021 0t0 UDP *:3com-amp3
rpcbind 1302 rpc 11u IPv6 12022 0t0 TCP *:sunrpc (LISTEN)
cupsd 1503 root 6u IPv6 12645 0t0 TCP localhost:ipp (LISTEN)
master 1731 root 13u IPv6 13519 0t0 TCP localhost:smtp (LISTEN)
sshd 2062 root 4u IPv6 15958 0t0 TCP *:ssh (LISTEN)
rpc.statd 3784 rpcuser 10u IPv6 64098849 0t0 UDP *:43158
rpc.statd 3784 rpcuser 11u IPv6 64098853 0t0 TCP *:30531 (LISTEN)
rsyslogd 26013 root 2u IPv6 70817243 0t0 TCP *:shell (LISTEN)
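Find the processes for given service names; separate multiple services with ",". With the -n option, addresses are shown as IPs instead of domain names.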
$ lsof -i :ssh,smtp
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
master 1731 root 12u IPv4 13517 0t0 TCP localhost:smtp (LISTEN)
master 1731 root 13u IPv6 13519 0t0 TCP localhost:smtp (LISTEN)
sshd 2062 root 3u IPv4 15956 0t0 TCP *:ssh (LISTEN)
sshd 2062 root 4u IPv6 15958 0t0 TCP *:ssh (LISTEN)
sshd 19790 root 3u IPv4 70594719 0t0 TCP 10.20.23.75:ssh->192.168.155.54:isdc (ESTABLISHED)
sshd 19794 tangf 3u IPv4 70594719 0t0 TCP 10.20.23.75:ssh->192.168.155.54:isdc (ESTABLISHED)
sshd 20211 root 3u IPv4 70618093 0t0 TCP 10.20.23.75:ssh->192.168.155.54:quartus-tcl (ESTABLISHED)
sshd 20215 tangf 3u IPv4 70618093 0t0 TCP 10.20.23.75:ssh->192.168.155.54:quartus-tcl (ESTABLISHED)
sshd 22232 root 3u IPv4 70631225 0t0 TCP 10.20.23.75:ssh->192.168.155.54:sns-dispatcher (ESTABLISHED)
sshd 22236 tangf 3u IPv4 70631225 0t0 TCP 10.20.23.75:ssh->192.168.155.54:sns-dispatcher (ESTABLISHED)
sshd 22296 root 3u IPv4 70632620 0t0 TCP 10.20.23.75:ssh->192.168.155.54:tqdata (ESTABLISHED)
sshd 22300 tangf 3u IPv4 70632620 0t0 TCP 10.20.23.75:ssh->192.168.155.54:tqdata (ESTABLISHED)
sshd 22352 root 3u IPv4 70635367 0t0 TCP 10.20.23.75:ssh->192.168.155.54:rsisysaccess (ESTABLISHED)
sshd 22356 tangf 3u IPv4 70635367 0t0 TCP 10.20.23.75:ssh->192.168.155.54:rsisysaccess (ESTABLISHED)
sshd 23997 root 3r IPv4 70743097 0t0 TCP 10.20.23.75:ssh->192.168.155.54:5335 (ESTABLISHED)
sshd 24001 tangf 3u IPv4 70743097 0t0 TCP 10.20.23.75:ssh->192.168.155.54:5335 (ESTABLISHED)
sshd 24045 root 3r IPv4 70744254 0t0 TCP 10.20.23.75:ssh->192.168.155.54:net-projection (ESTABLISHED)
sshd 24049 tangf 3u IPv4 70744254 0t0 TCP 10.20.23.75:ssh->192.168.155.54:net-projection (ESTABLISHED)
sshd 24101 root 3r IPv4 70746362 0t0 TCP 10.20.23.75:ssh->192.168.155.54:securitychase (ESTABLISHED)
sshd 24105 tangf 3u IPv4 70746362 0t0 TCP 10.20.23.75:ssh->192.168.155.54:securitychase (ESTABLISHED)
sshd 25860 root 3r IPv4 70808547 0t0 TCP 10.20.23.75:ssh->192.168.155.54:6766 (ESTABLISHED)
$ lsof -i [email protected]
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
TCPSvr 24303 tangf 8u IPv4 70753827 0t0 TCP 10.20.23.75:46590 (LISTEN)
TCPSvr 24303 tangf 17u IPv4 70762361 0t0 TCP 10.20.23.75:46590->10.20.23.75:microsan (ESTABLISHED)
TCPSvr 24307 tangf 11u IPv4 70762359 0t0 TCP 10.20.23.75:microsan->10.20.23.75:46590 (ESTABLISHED)
$ lsof -i TCP@localhost:smtp
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
master 1731 root 12u IPv4 13517 0t0 TCP localhost:smtp (LISTEN)
master 1731 root 13u IPv6 13519 0t0 TCP localhost:smtp (LISTEN)
$ lsof -i TCP@localhost:smtp -n
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
master 1731 root 12u IPv4 13517 0t0 TCP 127.0.0.1:smtp (LISTEN)
master 1731 root 13u IPv6 13519 0t0 TCP [::1]:smtp (LISTEN)
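As an added example (not part of the original post), the filter below reads `lsof -n -i` style table output and labels each TCP listener by how widely it is bound, which is the first thing to check when reviewing a host's exposed services. The function names are assumptions of this example and the sample lines are copied from the outputs shown on this page.

```sh
#!/bin/sh
# classify_listeners: read lsof -i table output on stdin and print one line
# per TCP listener: "<scope> <command> <pid> <user> <addr:port>".
#   any      - bound to the wildcard address (*), reachable on every interface
#   loopback - bound to 127.0.0.0/8, [::1] or the unresolved name "localhost"
#   specific - bound to one particular non-loopback address
# Fields are addressed from the end of the line so the result does not
# depend on every column before NAME being present.
classify_listeners() {
    awk '
    $NF == "(LISTEN)" && $(NF-2) == "TCP" {
        name = $(NF-1)
        addr = name
        sub(/:[^:]*$/, "", addr)          # strip the trailing :port or :service
        if (addr == "*")
            scope = "any"
        else if (addr ~ /^127\./ || addr == "[::1]" || addr == "localhost")
            scope = "loopback"
        else
            scope = "specific"
        print scope, $1, $2, $3, name
    }'
}

# Sample input assembled from lsof output lines that appear on this page.
sample_lsof_output() {
    cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
TCPSvr 24297 tangf 33u IPv4 70761689 0t0 TCP *:9462 (LISTEN)
TCPSvr 24303 tangf 8u IPv4 70753827 0t0 TCP 10.20.23.75:46590 (LISTEN)
TCPSvr 24303 tangf 17u IPv4 70762361 0t0 TCP 10.20.23.75:46590->10.20.23.75:microsan (ESTABLISHED)
master 1731 root 12u IPv4 13517 0t0 TCP 127.0.0.1:smtp (LISTEN)
master 1731 root 13u IPv6 13519 0t0 TCP [::1]:smtp (LISTEN)
TCPSvr 24446 tangf 264u IPv4 70762403 0t0 UDP 10.20.23.75:14793
EOF
}

# On a live host: lsof -n -P -i TCP | classify_listeners
```

Running lsof with -n keeps the address column numeric, so the loopback test does not depend on how the resolver names 127.0.0.1.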
By default, multiple options are ORed together; if the conditions should be ANDed, add the "-a" option.
$ lsof -a -p 24446 -i [email protected]:46101
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
TCPSvr 24446 tangf 241u IPv4 70761687 0t0 UDP 10.20.23.75:46101
$ lsof -i TCP:9462-9464 -i UDP:14793-14803
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
TCPSvr 24297 tangf 33u IPv4 70761689 0t0 TCP *:9462 (LISTEN)
TCPSvr 24299 tangf 31u IPv4 70753850 0t0 TCP *:9464 (LISTEN)
TCPSvr 24301 tangf 27u IPv4 70753862 0t0 TCP *:9463 (LISTEN)
TCPSvr 24305 tangf 27u IPv4 70762382 0t0 UDP 10.20.23.75:14801
TCPSvr 24446 tangf 264u IPv4 70762403 0t0 UDP 10.20.23.75:14793
TCPSvr 24446 tangf 267u IPv4 70762405 0t0 UDP 10.20.23.75:14803
$ lsof -p 26213 -i TCP | head
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
TCPSvr 26195 tangf 33u IPv4 70829752 0t0 TCP *:9462 (LISTEN)
TCPSvr 26197 tangf 31u IPv4 70827552 0t0 TCP *:9464 (LISTEN)
TCPSvr 26199 tangf 28u IPv4 70828481 0t0 TCP *:9463 (LISTEN)
TCPSvr 26201 tangf 8u IPv4 70826636 0t0 TCP 10.20.23.75:46590 (LISTEN)
TCPSvr 26201 tangf 17u IPv4 70827122 0t0 TCP 10.20.23.75:46590->10.20.23.75:27318 (ESTABLISHED)
TCPSvr 26205 tangf 12u IPv4 70827120 0t0 TCP 10.20.23.75:27318->10.20.23.75:46590 (ESTABLISHED)
TCPSvr 26207 tangf 17u IPv4 70827123 0t0 TCP *:9468 (LISTEN)
TCPSvr 26209 tangf 17u IPv4 70826653 0t0 TCP *:9120 (LISTEN)
TCPSvr 26213 tangf cwd DIR 8,2 4096 3019206 /home/tangf/workspace
$ lsof -a -p 26213 -i TCP | head
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
TCPSvr 26213 tangf 9u IPv4 70826632 0t0 TCP *:9461 (LISTEN)
The -U option lists open UNIX domain socket files
$ lsof -a -c TCPSvr -U
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
TCPSvr 24236 tangf 9u unix 0xffff880131669980 0t0 70753143 socket
TCPSvr 24297 tangf 44u unix 0xffff88015de25380 0t0 70762357 socket
TCPSvr 24299 tangf 42u unix 0xffff88015de25080 0t0 70753851 socket
TCPSvr 24301 tangf 38u unix 0xffff88016069ecc0 0t0 70753863 socket
TCPSvr 24303 tangf 15u unix 0xffff88023abc23c0 0t0 70753829 socket
TCPSvr 24305 tangf 45u unix 0xffff8802375eac80 0t0 70762470 socket
TCPSvr 24307 tangf 12u unix 0xffff880239796680 0t0 70762370 socket
TCPSvr 24309 tangf 29u unix 0xffff880233bed680 0t0 70753868 socket
TCPSvr 24311 tangf 31u unix 0xffff88016069e6c0 0t0 70753858 socket
TCPSvr 24313 tangf 9u unix 0xffff8801048bfc80 0t0 70753860 socket
TCPSvr 24315 tangf 20u unix 0xffff88016069e3c0 0t0 70753866 socket
TCPSvr 24317 tangf 13u unix 0xffff8802394d16c0 0t0 70753820 socket
TCPSvr 24319 tangf 10u unix 0xffff880239796080 0t0 70755378 socket
TCPSvr 24321 tangf 20u unix 0xffff8801048bf080 0t0 70753879 socket
TCPSvr 24323 tangf 26u unix 0xffff8802394d13c0 0t0 70755647 socket
TCPSvr 24325 tangf 10u unix 0xffff880239796380 0t0 70753890 socket
TCPSvr 24327 tangf 32u unix 0xffff8802394d1cc0 0t0 70761512 socket
TCPSvr 24446 tangf 281u unix 0xffff88015de25680 0t0 70762464 socket
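3. Recovering deleted files
If you accidentally delete a file but know that some process still has it open, you can recover it with the help of lsof. The principle is as follows:
When a process has opened a file, the file continues to exist on disk for as long as the process keeps it open, even if the file is deleted. The process does not know the file has been deleted; it can still read and write it through the file descriptor it was given when it opened the file. To everything other than that process the file is invisible, because its directory entry has been removed. The file descriptors a process has open are found under /proc/PID/fd. What is mounted at /proc is a region mapped in memory, so these files and directories do not exist on disk, and when we read or write them we are actually fetching the information from memory. lsof uses this information, together with other information about the kernel's internal state, to produce its output, which is why it can show a process's file descriptors and the related file names. In other words, by going through the process's file descriptor we can reach the file's information.
The file test.txt is held by process 27235 on file descriptor 5, opened read-only.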
$ lsof -c TcpSvr | grep test.txt
TcpSvr 27235 tangf 5r REG 8,2 32 3014834 /home/tangf/test.txt
$ cat test.txt
1 1
2
3 3
4
5
6
7
8
9
0
a
s
c
v
Delete the file test.txt
$ rm test.txt
$ ll test.txt
ls: 無法訪問test.txt: 沒有那個文件或目錄
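Access the on-disk data through the process's file descriptor under /proc and redirect it into the deleted file's name, in order to recover the deleted data.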
$ cat /proc/27235/fd/5
1 1
2
3 3
4
5
6
7
8
9
0
a
s
c
v
$ cat /proc/27235/fd/5 > test.txt
The data is restored to what it was before deletion
$ cat test.txt
1 1
2
3 3
4
5
6
7
8
9
0
a
s
c
v
$ ll test.txt
-rw-rw-r--. 1 tangf tangf 32 1月 17 21:07 test.txt
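The recovery steps above, generalised into a script as an added example (not part of the original post): it walks /proc/PID/fd directly, confirms that a descriptor really points at an unlinked file, and copies the content out without overwriting anything. The function names are assumptions of this example; it is Linux only and relies on readlink and a stat that supports -c.

```sh
#!/bin/sh
# list_deleted_fds PID
# Print "FD PATH" for every descriptor of PID that still refers to an
# unlinked file. A link count of 0 is the criterion `lsof +L1` selects on.
list_deleted_fds() {
    local fd target links
    for fd in /proc/"$1"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            /*" (deleted)") ;;   # the kernel appends this suffix after unlink
            *) continue ;;
        esac
        # A live file may simply be named "... (deleted)": trust the link count.
        links=$(stat -L -c %h "$fd" 2>/dev/null) || continue
        [ "$links" = 0 ] || continue
        printf '%s %s\n' "${fd##*/}" "${target% (deleted)}"
    done
}

# recover_deleted PID ORIGINAL_PATH DEST
# Returns 0 on success, 1 if PID holds no deleted descriptor for
# ORIGINAL_PATH, 2 if DEST already exists (existing data is never overwritten).
recover_deleted() {
    local pid="$1" want="$2" dest="$3" hit
    if [ -e "$dest" ]; then
        echo "refusing to overwrite $dest" >&2
        return 2
    fi
    hit=$(list_deleted_fds "$pid" | while read -r fd path; do
        if [ "$path" = "$want" ]; then echo "$fd"; break; fi
    done)
    if [ -z "$hit" ]; then
        echo "PID $pid holds no deleted descriptor for $want" >&2
        return 1
    fi
    # Opening /proc/PID/fd/N starts reading at offset 0, independent of how
    # far the owning process has read, so the whole file is copied.
    cat "/proc/$pid/fd/$hit" > "$dest"
}

# With the values from this page:
#   recover_deleted 27235 /home/tangf/test.txt ./test.txt.recovered
```

Reading another user's /proc/PID/fd needs root or the same UID, and a file that is still being written is copied as it stands at that moment.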