Linux system utilities: lsof

Everything it sees is a file: lsof

I. What is lsof?

lsof (list open files) lists the files that are currently open on the system. On Linux everything is a file: through files you reach not only ordinary data but also network connections and hardware. So lsof can show not just the files and directories a process has open, but also socket-related information such as the ports a process is listening on.

II. What can lsof do?

Typical uses:
Find which processes are using a given port or port range.
Find which processes and files a given program has started or opened.
Find the processes and files associated with a given service.
Before unmounting a partition, find which processes are still using it (unmounting fails while it is busy).
Find which files a given process has open.
Recover a deleted file while a process still holds it open (the data is read back through /proc).

III. How is lsof used?

$ lsof | head
COMMAND     PID      USER   FD      TYPE             DEVICE   SIZE/OFF     NODE NAME
init          1      root  cwd   unknown                                        /proc/1/cwd (readlink: Permission denied)
init          1      root  rtd   unknown                                        /proc/1/root (readlink: Permission denied)
init          1      root  txt   unknown                                        /proc/1/exe (readlink: Permission denied)
init          1      root NOFD                                                  /proc/1/fd (opendir: Permission denied)
kthreadd      2      root  cwd   unknown                                        /proc/2/cwd (readlink: Permission denied)
kthreadd      2      root  rtd   unknown                                        /proc/2/root (readlink: Permission denied)
kthreadd      2      root  txt   unknown                                        /proc/2/exe (readlink: Permission denied)
kthreadd      2      root NOFD                                                  /proc/2/fd (opendir: Permission denied)
migration     3      root  cwd   unknown                                        /proc/3/cwd (readlink: Permission denied)

COMMAND : program name
PID : process ID
USER : process owner
FD : file descriptor
TYPE : file type
DEVICE : device number
SIZE/OFF : file size (bytes) or file offset
NODE : inode number
NAME : file name

$ lsof -c TCPSvr | head ;lsof -c TCPSvr | tail
COMMAND   PID  USER   FD   TYPE             DEVICE   SIZE/OFF     NODE NAME
TCPSvr  26195 tangf  cwd    DIR                8,2       4096  3019206 /home/tangf/workspace
TCPSvr  26195 tangf  rtd    DIR                8,2       4096        2 /
TCPSvr  26195 tangf  txt    REG                8,2      73737  3019846 /home/tangf/linux.x64/bin/hsserver
TCPSvr  26195 tangf  mem    REG                8,2     156872  4719014 /lib64/ld-2.12.so
TCPSvr  26195 tangf  mem    REG                8,2      22536  4719021 /lib64/libdl-2.12.so
TCPSvr  26195 tangf  mem    REG                8,2    1922152  4719015 /lib64/libc-2.12.so
TCPSvr  26195 tangf  mem    REG                8,2     145720  4719016 /lib64/libpthread-2.12.so
TCPSvr  26195 tangf  mem    REG                8,2      91096  4719027 /lib64/libz.so.1.2.3
TCPSvr  26195 tangf  mem    REG                8,2     598680  4719028 /lib64/libm-2.12.so
TCPSvr  26230 tangf  270u  IPv4           70829746        0t0      UDP 10.20.23.75:46013 
TCPSvr  26230 tangf  271rW  REG                8,2          0  3156043 /home/tangf/workspace/rm3data/10.20.23.75_46013
TCPSvr  26230 tangf  272u   REG                8,2         16  3156024 /home/tangf/workspace/rm3data/report_ine_tf_uft#0_pub.dat
TCPSvr  26230 tangf  273u  IPv4           70829748        0t0      UDP 10.20.23.75:46033 
TCPSvr  26230 tangf  274rW  REG                8,2          0  3156045 /home/tangf/workspace/rm3data/10.20.23.75_46033
TCPSvr  26230 tangf  275u  IPv4           70829750        0t0      UDP *:46110 
TCPSvr  26230 tangf  276u  IPv4           70829751        0t0      UDP *:46116 
TCPSvr  26230 tangf  277rW  REG                8,2          0  3156050 /home/tangf/workspace/rm3data/10.20.23.75_46116
TCPSvr  26230 tangf  278u   REG                8,2         16  3156027 /home/tangf/workspace/rm3data/trade_tf_uft_tf_uft#0_sub.dat
TCPSvr  26230 tangf  280u  unix 0xffff880239796080        0t0 70830736 socket

cwd :current working directory;
Lnn :library references (AIX);
jld :jail directory (FreeBSD);
ltx :shared library text (code and data);
Mxx :hex memory-mapped type number xx.
m86 :DOS Merge mapped file;
mem :memory-mapped file;
mmap :memory-mapped device;
pd :parent directory;
rtd :root directory;
tr :kernel trace file (OpenBSD);
txt :program text (code and data);
v86 :VP/ix mapped file;

r :for read access;for read lock on part of the file;
R :for a read lock on the entire file;
w :for write access;for a write lock on part of the file;
W :for a write lock on the entire file;
u :for read and write access;for a read and write lock of any length;
U :for a lock of unknown type;
x :for an SCO OpenServer Xenix lock on part of the file;
X :for an SCO OpenServer Xenix lock on the entire file;
N :for a Solaris NFS lock of unknown type
space :if there is no lock.

REG : regular file
DIR : directory
CHR : character device
BLK : block device
unix : UNIX domain socket
fifo : named pipe (FIFO)
IPv4/IPv6 : IPv4/IPv6 socket

1. Files, processes and descriptors

Show which processes have a given file open; the file can also be a device.

$ lsof /bin/bash
COMMAND   PID  USER  FD   TYPE DEVICE SIZE/OFF    NODE NAME
bash    19795 tangf txt    REG    8,2   938768 2883625 /bin/bash
bash    22237 tangf txt    REG    8,2   938768 2883625 /bin/bash
bash    22301 tangf txt    REG    8,2   938768 2883625 /bin/bash
bash    22357 tangf txt    REG    8,2   938768 2883625 /bin/bash
bash    24002 tangf txt    REG    8,2   938768 2883625 /bin/bash
bash    24050 tangf txt    REG    8,2   938768 2883625 /bin/bash
bash    24106 tangf txt    REG    8,2   938768 2883625 /bin/bash

$ lsof /dev/sda
COMMAND   PID USER   FD   TYPE DEVICE  SIZE/OFF NODE NAME
tail    30871 root    3r   BLK    8,0 0xc4a0000 1881 /dev/sda

Show which files under the current directory are open: +d looks at the directory itself only, +D descends into subdirectories.

$ lsof +d .
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
bash    22301 tangf  cwd    DIR    8,2     4096 3152207 .
bash    24002 tangf  cwd    DIR    8,2     4096 3152302 ./SrmQuoteToolLog
lsof    25600 tangf  cwd    DIR    8,2     4096 3152207 .
lsof    25601 tangf  cwd    DIR    8,2     4096 3152207 .

$ lsof +D .
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
bash    22301 tangf  cwd    DIR    8,2     4096 3152207 .
bash    24002 tangf  cwd    DIR    8,2     4096 3152302 ./SrmQuoteToolLog
bash    24050 tangf  cwd    DIR    8,2     4096 3152309 ./SrmQuoteToolLog/20200117
tail    25597 tangf  cwd    DIR    8,2     4096 3152309 ./SrmQuoteToolLog/20200117
tail    25597 tangf    3r   REG    8,2     2064 3153222 ./SrmQuoteToolLog/20200117/SrmRecv_Runlog_112659460683.txt
lsof    25602 tangf  cwd    DIR    8,2     4096 3152207 .
lsof    25603 tangf  cwd    DIR    8,2     4096 3152207 .

Show which processes a given program has started. The -t option prints bare PIDs, which can be combined with other commands such as xargs for batch operations.

$ lsof -tc TCPSvr
24236
24297
24299
24301
24303
24305
24307
24309
24311
24313
24315
24317
24319
24321
24323
24325
24327
24446

$ lsof -tc TCPSvr | xargs kill -9
$ lsof -tc TCPSvr

Show the files opened by a given user; combined with -i, show only the network files (including sockets) that user has open. Prefix the user name with "^" to show files opened by everyone except that user.

$ lsof -u tangf | head
COMMAND     PID  USER   FD      TYPE             DEVICE   SIZE/OFF     NODE NAME
sshd      19794 tangf  cwd   unknown                                        /proc/19794/cwd (readlink: Permission denied)
sshd      19794 tangf  rtd   unknown                                        /proc/19794/root (readlink: Permission denied)
sshd      19794 tangf  txt   unknown                                        /proc/19794/exe (readlink: Permission denied)
sshd      19794 tangf NOFD                                                  /proc/19794/fd (opendir: Permission denied)
bash      19795 tangf  cwd       DIR                8,2       4096  3019206 /home/tangf/workspace
bash      19795 tangf  rtd       DIR                8,2       4096        2 /
bash      19795 tangf  txt       REG                8,2     938768  2883625 /bin/bash
bash      19795 tangf  mem       REG                8,2     156872  4719014 /lib64/ld-2.12.so
bash      19795 tangf  mem       REG                8,2      22536  4719021 /lib64/libdl-2.12.so

$ lsof -a -i -u tangf | head
COMMAND   PID  USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
TCPSvr  24236 tangf    7u  IPv4 70753142      0t0  UDP *:8476 
TCPSvr  24236 tangf   12u  IPv4 70753145      0t0  UDP 10.20.23.75:46321 
TCPSvr  24236 tangf   14u  IPv4 70753147      0t0  UDP *:14780 
TCPSvr  24236 tangf   15u  IPv4 70753148      0t0  UDP *:14782 
TCPSvr  24236 tangf   19u  IPv4 70753150      0t0  UDP 10.20.23.75:46561 
TCPSvr  24236 tangf   23u  IPv4 70753152      0t0  UDP 10.20.23.75:46562 
TCPSvr  24236 tangf   25u  IPv4 70753154      0t0  UDP 10.20.23.75:46121 
TCPSvr  24236 tangf   27u  IPv4 70753156      0t0  UDP *:14790 
TCPSvr  24236 tangf   28u  IPv4 70753157      0t0  UDP *:14792

$ lsof -a -i -u ^tangf | head
COMMAND     PID    USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
systemd       1    root  217u  IPv4 55501316      0t0  TCP *:sunrpc (LISTEN)
systemd       1    root  218u  IPv4 55501317      0t0  UDP *:sunrpc 
systemd       1    root  219u  IPv6 55501318      0t0  TCP *:sunrpc (LISTEN)
systemd       1    root  220u  IPv6 55501319      0t0  UDP *:sunrpc 
avahi-dae   708   avahi   12u  IPv4    14333      0t0  UDP *:mdns 
avahi-dae   708   avahi   13u  IPv4    17521      0t0  UDP *:42105 
chronyd     752  chrony    1u  IPv4    14931      0t0  UDP localhost:323 
chronyd     752  chrony    2u  IPv6    14932      0t0  UDP localhost:323 
sshd       1160    root    3u  IPv4    18343      0t0  TCP *:ssh (LISTEN)

$ lsof -i -u ^tangf | head
COMMAND     PID    USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
systemd       1    root  217u  IPv4 55501316      0t0  TCP *:sunrpc (LISTEN)
systemd       1    root  218u  IPv4 55501317      0t0  UDP *:sunrpc 
systemd       1    root  219u  IPv6 55501318      0t0  TCP *:sunrpc (LISTEN)
systemd       1    root  220u  IPv6 55501319      0t0  UDP *:sunrpc 
avahi-dae   708   avahi   12u  IPv4    14333      0t0  UDP *:mdns 
avahi-dae   708   avahi   13u  IPv4    17521      0t0  UDP *:42105 
chronyd     752  chrony    1u  IPv4    14931      0t0  UDP localhost:323 
chronyd     752  chrony    2u  IPv6    14932      0t0  UDP localhost:323 
sshd       1160    root    3u  IPv4    18343      0t0  TCP *:ssh (LISTEN)

Show the processes of a given program and the files they have open. Negation (^) and regular expressions (/.../) are supported.

$ lsof -c TCPSvr | head
COMMAND   PID  USER   FD   TYPE             DEVICE   SIZE/OFF     NODE NAME
TCPSvr  24236 tangf  cwd    DIR                8,2       4096  3019206 /home/tangf/workspace
TCPSvr  24236 tangf  rtd    DIR                8,2       4096        2 /
TCPSvr  24236 tangf  mem    REG                8,2     156872  4719014 /lib64/ld-2.12.so
TCPSvr  24236 tangf  mem    REG                8,2      22536  4719021 /lib64/libdl-2.12.so
TCPSvr  24236 tangf  mem    REG                8,2    1922152  4719015 /lib64/libc-2.12.so
TCPSvr  24236 tangf  mem    REG                8,2     145720  4719016 /lib64/libpthread-2.12.so
TCPSvr  24236 tangf  mem    REG                8,2      91096  4719027 /lib64/libz.so.1.2.3
TCPSvr  24236 tangf  mem    REG                8,2     598680  4719028 /lib64/libm-2.12.so

$ lsof -c /TCPSv[a-z]/ | head
COMMAND   PID  USER   FD   TYPE             DEVICE   SIZE/OFF     NODE NAME
TCPSvr  24236 tangf  cwd    DIR                8,2       4096  3019206 /home/tangf/workspace
TCPSvr  24236 tangf  rtd    DIR                8,2       4096        2 /
TCPSvr  24236 tangf  mem    REG                8,2     156872  4719014 /lib64/ld-2.12.so
TCPSvr  24236 tangf  mem    REG                8,2      22536  4719021 /lib64/libdl-2.12.so
TCPSvr  24236 tangf  mem    REG                8,2    1922152  4719015 /lib64/libc-2.12.so
TCPSvr  24236 tangf  mem    REG                8,2     145720  4719016 /lib64/libpthread-2.12.so
TCPSvr  24236 tangf  mem    REG                8,2      91096  4719027 /lib64/libz.so.1.2.3
TCPSvr  24236 tangf  mem    REG                8,2     598680  4719028 /lib64/libm-2.12.so

$ lsof -c bash | head
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
bash    19795 tangf  cwd    DIR    8,2     4096 3019206 /home/tangf/workspace
bash    19795 tangf  rtd    DIR    8,2     4096       2 /
bash    19795 tangf  txt    REG    8,2   938768 2883625 /bin/bash
bash    19795 tangf  mem    REG    8,2   156872 4719014 /lib64/ld-2.12.so
bash    19795 tangf  mem    REG    8,2    22536 4719021 /lib64/libdl-2.12.so
bash    19795 tangf  mem    REG    8,2  1922152 4719015 /lib64/libc-2.12.so
bash    19795 tangf  mem    REG    8,2   138280 4718719 /lib64/libtinfo.so.5.7
bash    19795 tangf  mem    REG    8,2   184616 7078967 /usr/lib64/gconv/GB18030.so
bash    19795 tangf  mem    REG    8,2 99158576 7078918 /usr/lib/locale/locale-archive

$ lsof -c ^bash | head
COMMAND     PID      USER   FD      TYPE             DEVICE   SIZE/OFF     NODE NAME
init          1      root  cwd   unknown                                        /proc/1/cwd (readlink: Permission denied)
init          1      root  rtd   unknown                                        /proc/1/root (readlink: Permission denied)
init          1      root  txt   unknown                                        /proc/1/exe (readlink: Permission denied)
init          1      root NOFD                                                  /proc/1/fd (opendir: Permission denied)
kthreadd      2      root  cwd   unknown                                        /proc/2/cwd (readlink: Permission denied)
kthreadd      2      root  rtd   unknown                                        /proc/2/root (readlink: Permission denied)
kthreadd      2      root  txt   unknown                                        /proc/2/exe (readlink: Permission denied)
kthreadd      2      root NOFD                                                  /proc/2/fd (opendir: Permission denied)
migration     3      root  cwd   unknown                                        /proc/3/cwd (readlink: Permission denied)

Show which files a given process has open.

$ lsof -p 24236 | head
COMMAND   PID  USER   FD   TYPE             DEVICE SIZE/OFF     NODE NAME
TCPSvr  24236 tangf  cwd    DIR                8,2     4096  3019206 /home/tangf/workspace
TCPSvr  24236 tangf  rtd    DIR                8,2     4096        2 /
TCPSvr  24236 tangf  mem    REG                8,2   156872  4719014 /lib64/ld-2.12.so
TCPSvr  24236 tangf  mem    REG                8,2    22536  4719021 /lib64/libdl-2.12.so
TCPSvr  24236 tangf  mem    REG                8,2  1922152  4719015 /lib64/libc-2.12.so
TCPSvr  24236 tangf  mem    REG                8,2   145720  4719016 /lib64/libpthread-2.12.so
TCPSvr  24236 tangf  mem    REG                8,2    91096  4719027 /lib64/libz.so.1.2.3
TCPSvr  24236 tangf  mem    REG                8,2   598680  4719028 /lib64/libm-2.12.so

Show the entries for the specified file descriptors; separate multiple descriptors with ",".

$ lsof -a -p $$ -d0,1,2
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
bash    24106 tangf    0u   CHR  136,9      0t0   12 /dev/pts/9
bash    24106 tangf    1u   CHR  136,9      0t0   12 /dev/pts/9
bash    24106 tangf    2u   CHR  136,9      0t0   12 /dev/pts/9

-P disables the translation of port numbers into service names and -n disables host-name resolution; both mainly make lsof run faster. wc -l then counts the lines lsof printed.

$ lsof -P -n | wc -l
2691

2. Viewing network-related files

Use the -i option to view network-related information:
lsof -i [4|6][protocol][@hostname|IP][:service|port]
4, 6 : IP protocol version
protocol : protocol name, e.g. TCP or UDP
hostname, IP : host name or IP address
service : a name from /etc/services, e.g. smtp or ssh (separate multiple services with ",")
port : port number (separate multiple ports with ",", or give a range with "-")

Find the processes using a given port

$ lsof -i :14793
COMMAND   PID  USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
TCPSvr  24446 tangf  264u  IPv4 70762403      0t0  UDP 10.20.23.75:14793

$ lsof -i TCP:9462,9464
COMMAND   PID  USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
TCPSvr  24297 tangf   33u  IPv4 70761689      0t0  TCP *:9462 (LISTEN)
TCPSvr  24299 tangf   31u  IPv4 70753850      0t0  TCP *:9464 (LISTEN)

$ lsof -i UDP:14793-14803
COMMAND   PID  USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
TCPSvr  24305 tangf   27u  IPv4 70762382      0t0  UDP 10.20.23.75:14801 
TCPSvr  24446 tangf  264u  IPv4 70762403      0t0  UDP 10.20.23.75:14793 
TCPSvr  24446 tangf  267u  IPv4 70762405      0t0  UDP 10.20.23.75:14803

Find processes by IP protocol version

$ lsof -i 4 | head
COMMAND     PID    USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
rpcbind    1302     rpc    6u  IPv4    12012      0t0  UDP *:sunrpc 
rpcbind    1302     rpc    7u  IPv4    12016      0t0  UDP *:3com-amp3 
rpcbind    1302     rpc    8u  IPv4    12017      0t0  TCP *:sunrpc (LISTEN)
cupsd      1503    root    7u  IPv4    12646      0t0  TCP localhost:ipp (LISTEN)
cupsd      1503    root    9u  IPv4    12649      0t0  UDP *:ipp 
master     1731    root   12u  IPv4    13517      0t0  TCP localhost:smtp (LISTEN)
sshd       2062    root    3u  IPv4    15956      0t0  TCP *:ssh (LISTEN)
rpc.statd  3784 rpcuser    5u  IPv4 64098835      0t0  UDP *:telnets 
rpc.statd  3784 rpcuser    8u  IPv4 64098841      0t0  UDP *:22179

$ lsof -i 6 | head
COMMAND     PID    USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
rpcbind    1302     rpc    9u  IPv6    12019      0t0  UDP *:sunrpc 
rpcbind    1302     rpc   10u  IPv6    12021      0t0  UDP *:3com-amp3 
rpcbind    1302     rpc   11u  IPv6    12022      0t0  TCP *:sunrpc (LISTEN)
cupsd      1503    root    6u  IPv6    12645      0t0  TCP localhost:ipp (LISTEN)
master     1731    root   13u  IPv6    13519      0t0  TCP localhost:smtp (LISTEN)
sshd       2062    root    4u  IPv6    15958      0t0  TCP *:ssh (LISTEN)
rpc.statd  3784 rpcuser   10u  IPv6 64098849      0t0  UDP *:43158 
rpc.statd  3784 rpcuser   11u  IPv6 64098853      0t0  TCP *:30531 (LISTEN)
rsyslogd  26013    root    2u  IPv6 70817243      0t0  TCP *:shell (LISTEN)

Find processes by service name; separate multiple services with ",". The -n option shows IP addresses instead of host names.

$ lsof -i :ssh,smtp
COMMAND   PID  USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
master   1731  root   12u  IPv4    13517      0t0  TCP localhost:smtp (LISTEN)
master   1731  root   13u  IPv6    13519      0t0  TCP localhost:smtp (LISTEN)
sshd     2062  root    3u  IPv4    15956      0t0  TCP *:ssh (LISTEN)
sshd     2062  root    4u  IPv6    15958      0t0  TCP *:ssh (LISTEN)
sshd    19790  root    3u  IPv4 70594719      0t0  TCP 10.20.23.75:ssh->192.168.155.54:isdc (ESTABLISHED)
sshd    19794 tangf    3u  IPv4 70594719      0t0  TCP 10.20.23.75:ssh->192.168.155.54:isdc (ESTABLISHED)
sshd    20211  root    3u  IPv4 70618093      0t0  TCP 10.20.23.75:ssh->192.168.155.54:quartus-tcl (ESTABLISHED)
sshd    20215 tangf    3u  IPv4 70618093      0t0  TCP 10.20.23.75:ssh->192.168.155.54:quartus-tcl (ESTABLISHED)
sshd    22232  root    3u  IPv4 70631225      0t0  TCP 10.20.23.75:ssh->192.168.155.54:sns-dispatcher (ESTABLISHED)
sshd    22236 tangf    3u  IPv4 70631225      0t0  TCP 10.20.23.75:ssh->192.168.155.54:sns-dispatcher (ESTABLISHED)
sshd    22296  root    3u  IPv4 70632620      0t0  TCP 10.20.23.75:ssh->192.168.155.54:tqdata (ESTABLISHED)
sshd    22300 tangf    3u  IPv4 70632620      0t0  TCP 10.20.23.75:ssh->192.168.155.54:tqdata (ESTABLISHED)
sshd    22352  root    3u  IPv4 70635367      0t0  TCP 10.20.23.75:ssh->192.168.155.54:rsisysaccess (ESTABLISHED)
sshd    22356 tangf    3u  IPv4 70635367      0t0  TCP 10.20.23.75:ssh->192.168.155.54:rsisysaccess (ESTABLISHED)
sshd    23997  root    3r  IPv4 70743097      0t0  TCP 10.20.23.75:ssh->192.168.155.54:5335 (ESTABLISHED)
sshd    24001 tangf    3u  IPv4 70743097      0t0  TCP 10.20.23.75:ssh->192.168.155.54:5335 (ESTABLISHED)
sshd    24045  root    3r  IPv4 70744254      0t0  TCP 10.20.23.75:ssh->192.168.155.54:net-projection (ESTABLISHED)
sshd    24049 tangf    3u  IPv4 70744254      0t0  TCP 10.20.23.75:ssh->192.168.155.54:net-projection (ESTABLISHED)
sshd    24101  root    3r  IPv4 70746362      0t0  TCP 10.20.23.75:ssh->192.168.155.54:securitychase (ESTABLISHED)
sshd    24105 tangf    3u  IPv4 70746362      0t0  TCP 10.20.23.75:ssh->192.168.155.54:securitychase (ESTABLISHED)
sshd    25860  root    3r  IPv4 70808547      0t0  TCP 10.20.23.75:ssh->192.168.155.54:6766 (ESTABLISHED)

$ lsof -i TCP@10.20.23.75
COMMAND   PID  USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
TCPSvr  24303 tangf    8u  IPv4 70753827      0t0  TCP 10.20.23.75:46590 (LISTEN)
TCPSvr  24303 tangf   17u  IPv4 70762361      0t0  TCP 10.20.23.75:46590->10.20.23.75:microsan (ESTABLISHED)
TCPSvr  24307 tangf   11u  IPv4 70762359      0t0  TCP 10.20.23.75:microsan->10.20.23.75:46590 (ESTABLISHED)

$ lsof -i TCP@localhost:smtp
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
master  1731 root   12u  IPv4  13517      0t0  TCP localhost:smtp (LISTEN)
master  1731 root   13u  IPv6  13519      0t0  TCP localhost:smtp (LISTEN)

$ lsof -i TCP@localhost:smtp -n
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
master  1731 root   12u  IPv4  13517      0t0  TCP 127.0.0.1:smtp (LISTEN)
master  1731 root   13u  IPv6  13519      0t0  TCP [::1]:smtp (LISTEN)

By default the selection options are ORed together; to AND several conditions, add the "-a" option.

$ lsof -a -p 24446 -i UDP@10.20.23.75:46101
COMMAND   PID  USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
TCPSvr  24446 tangf  241u  IPv4 70761687      0t0  UDP 10.20.23.75:46101

$ lsof -i TCP:9462-9464 -i UDP:14793-14803
COMMAND   PID  USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
TCPSvr  24297 tangf   33u  IPv4 70761689      0t0  TCP *:9462 (LISTEN)
TCPSvr  24299 tangf   31u  IPv4 70753850      0t0  TCP *:9464 (LISTEN)
TCPSvr  24301 tangf   27u  IPv4 70753862      0t0  TCP *:9463 (LISTEN)
TCPSvr  24305 tangf   27u  IPv4 70762382      0t0  UDP 10.20.23.75:14801 
TCPSvr  24446 tangf  264u  IPv4 70762403      0t0  UDP 10.20.23.75:14793 
TCPSvr  24446 tangf  267u  IPv4 70762405      0t0  UDP 10.20.23.75:14803

$ lsof -p 26213 -i TCP | head
COMMAND   PID  USER   FD   TYPE             DEVICE SIZE/OFF     NODE NAME
TCPSvr  26195 tangf   33u  IPv4           70829752      0t0      TCP *:9462 (LISTEN)
TCPSvr  26197 tangf   31u  IPv4           70827552      0t0      TCP *:9464 (LISTEN)
TCPSvr  26199 tangf   28u  IPv4           70828481      0t0      TCP *:9463 (LISTEN)
TCPSvr  26201 tangf    8u  IPv4           70826636      0t0      TCP 10.20.23.75:46590 (LISTEN)
TCPSvr  26201 tangf   17u  IPv4           70827122      0t0      TCP 10.20.23.75:46590->10.20.23.75:27318 (ESTABLISHED)
TCPSvr  26205 tangf   12u  IPv4           70827120      0t0      TCP 10.20.23.75:27318->10.20.23.75:46590 (ESTABLISHED)
TCPSvr  26207 tangf   17u  IPv4           70827123      0t0      TCP *:9468 (LISTEN)
TCPSvr  26209 tangf   17u  IPv4           70826653      0t0      TCP *:9120 (LISTEN)
TCPSvr  26213 tangf  cwd    DIR                8,2     4096  3019206 /home/tangf/workspace

$ lsof -a -p 26213 -i TCP | head
COMMAND   PID  USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
TCPSvr  26213 tangf    9u  IPv4 70826632      0t0  TCP *:9461 (LISTEN)
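The -i, -n, -P and -a options shown above are the building blocks of a check a defender runs routinely: which processes are listening on which TCP ports, and is every one of them expected? The script below is an added example and not part of the original article. It consumes lsof's machine-readable -F output (one field per line, each prefixed by a letter: p for PID, c for command, L for login name, f for descriptor, P for protocol, n for address, and TST=... for the TCP state), which is what `lsof -nP -iTCP -sTCP:LISTEN -F pcLfPnT` produces; -F is used rather than the column layout because the default COMMAND column is truncated to 9 characters and addresses can contain spaces-free but variable-width fields. The sample data embedded in the block is constructed in that format from the kinds of entries shown above, and the port allowlist is an assumption to be replaced with your own baseline.

```shell
# Added example: summarise TCP listeners from lsof -F output and flag any port
# that is not on an allowlist. Not the article's own script.
#
# Real usage (needs lsof; run as root to see every process):
#   lsof -nP -iTCP -sTCP:LISTEN -F pcLfPnT | unexpected_listeners "22 25"

# Read lsof -F output on stdin and print one line per listening socket:
#   PROTO ADDRESS PID COMMAND USER
# Field order inside a file set is not assumed: values are collected until the
# next "f" (new descriptor) or "p" (new process) line, then flushed.
parse_lsof_listeners() {
    awk '
        function flush() {
            if (fd != "" && state == "LISTEN") print proto, name, pid, cmd, user
            fd = ""; proto = ""; name = ""; state = ""
        }
        /^p/    { flush(); pid = substr($0, 2); cmd = ""; user = ""; next }
        /^c/    { cmd = substr($0, 2); next }
        /^L/    { user = substr($0, 2); next }
        /^f/    { flush(); fd = substr($0, 2); next }
        /^P/    { proto = substr($0, 2); next }
        /^n/    { name = substr($0, 2); next }
        /^TST=/ { state = substr($0, 5); next }
        END     { flush() }
    '
}

# Print listeners whose port is not in the space-separated allowlist $1.
# Exit status 1 when at least one unexpected listener was found.
unexpected_listeners() {
    parse_lsof_listeners | awk -v allowed=" $1 " '
        {
            port = $2; sub(/.*:/, "", port)      # "[::1]:25" -> "25", "*:22" -> "22"
            if (index(allowed, " " port " ") == 0) { print; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Constructed sample in lsof -F format (modelled on the entries above: postfix
# master on 25, sshd on 22 plus one established session, and TCPSvr on 9461).
SAMPLE_LSOF_F='p1731
cmaster
Lroot
f12
PTCP
n127.0.0.1:25
TST=LISTEN
TQR=0
f13
PTCP
n[::1]:25
TST=LISTEN
p2062
csshd
Lroot
f3
PTCP
n*:22
TST=LISTEN
f4
PTCP
n*:22
TST=LISTEN
p19790
csshd
Lroot
f3
PTCP
n10.20.23.75:22->192.168.155.54:5335
TST=ESTABLISHED
p26213
cTCPSvr
Ltangf
f9
PTCP
n*:9461
TST=LISTEN'

# Run the check against the sample; returns 1 because 9461 is not allowed.
demo_check() {
    printf '%s\n' "$SAMPLE_LSOF_F" | unexpected_listeners "22 25"
}
```

Running `demo_check` prints only the TCPSvr line on port 9461 and exits 1, which is the shape you want for a cron job or a configuration-management check: silent when the host matches its baseline, noisy with the exact PID and command when a new listener appears. The -n and -P flags matter here for more than speed: numeric output is stable, whereas service-name lookups depend on the host's /etc/services and DNS.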

The -U option lists the open UNIX domain sockets.

$ lsof -a -c TCPSvr -U
COMMAND   PID  USER   FD   TYPE             DEVICE SIZE/OFF     NODE NAME
TCPSvr  24236 tangf    9u  unix 0xffff880131669980      0t0 70753143 socket
TCPSvr  24297 tangf   44u  unix 0xffff88015de25380      0t0 70762357 socket
TCPSvr  24299 tangf   42u  unix 0xffff88015de25080      0t0 70753851 socket
TCPSvr  24301 tangf   38u  unix 0xffff88016069ecc0      0t0 70753863 socket
TCPSvr  24303 tangf   15u  unix 0xffff88023abc23c0      0t0 70753829 socket
TCPSvr  24305 tangf   45u  unix 0xffff8802375eac80      0t0 70762470 socket
TCPSvr  24307 tangf   12u  unix 0xffff880239796680      0t0 70762370 socket
TCPSvr  24309 tangf   29u  unix 0xffff880233bed680      0t0 70753868 socket
TCPSvr  24311 tangf   31u  unix 0xffff88016069e6c0      0t0 70753858 socket
TCPSvr  24313 tangf    9u  unix 0xffff8801048bfc80      0t0 70753860 socket
TCPSvr  24315 tangf   20u  unix 0xffff88016069e3c0      0t0 70753866 socket
TCPSvr  24317 tangf   13u  unix 0xffff8802394d16c0      0t0 70753820 socket
TCPSvr  24319 tangf   10u  unix 0xffff880239796080      0t0 70755378 socket
TCPSvr  24321 tangf   20u  unix 0xffff8801048bf080      0t0 70753879 socket
TCPSvr  24323 tangf   26u  unix 0xffff8802394d13c0      0t0 70755647 socket
TCPSvr  24325 tangf   10u  unix 0xffff880239796380      0t0 70753890 socket
TCPSvr  24327 tangf   32u  unix 0xffff8802394d1cc0      0t0 70761512 socket
TCPSvr  24446 tangf  281u  unix 0xffff88015de25680      0t0 70762464 socket

3. Recovering deleted files

If a file has been deleted by mistake but you know it is still open in some process, lsof can be used to recover it. The principle is as follows:
When a process opens a file, the file stays on disk for as long as the process keeps it open, even after it has been deleted. The process does not know the file was deleted; it can still read and write through the file descriptor it received when it opened the file. To everything except that process the file is invisible, because its directory entry has been removed. The descriptors a process has open are exposed under /proc/PID/fd. /proc is a view of kernel state held in memory, so these files and directories do not exist on disk; reading or writing them reads kernel information. lsof uses this information, together with other details of the kernel's internal state, to produce its output, which is why it can show a process's file descriptors and the associated file names. In other words, by going through the process's file descriptor we can still reach the file's data.

The file test.txt is held by process 27235 on file descriptor 5, opened read-only.

$ lsof -c TcpSvr | grep test.txt
TcpSvr  27235 tangf    5r   REG      8,2       32 3014834 /home/tangf/test.txt

$ cat test.txt 
1 1
2
3 3
4
5
6
7
8
9
0
a
s
c
v

Delete test.txt:

$ rm test.txt
$ ll test.txt
ls: 无法访问test.txt: 没有那个文件或目录

Read the data back through the file descriptor in the process's /proc entry and redirect it into a new file with the deleted file's name, which recovers the deleted data.

$ cat /proc/27235/fd/5 
1 1
2
3 3
4
5
6
7
8
9
0
a
s
c
v

$ cat /proc/27235/fd/5 > test.txt

The data is back as it was before the deletion:

$ cat test.txt
1 1
2
3 3
4
5
6
7
8
9
0
a
s
c
v

$ ll test.txt
-rw-rw-r--. 1 tangf tangf 32 1月  17 21:07 test.txt
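The procedure just shown (find the holder and descriptor with lsof, then read /proc/PID/fd/N back into a new file) can be wrapped in a small script. The one below is an added example and not the article's own code; it uses only readlink and cat on /proc, so it works without lsof, and its demo_recovery function reproduces the article's scenario with a constructed temporary file held open by a background sleep process standing in for TcpSvr. Two checks the manual steps above do not make are worth having in a script: the descriptor must actually point at a deleted regular file (the kernel appends " (deleted)" to the link target), and the destination must not already exist, so a mistyped PID or fd cannot clobber a live file.

```shell
# Added example: recover a deleted-but-still-open file through /proc/PID/fd.
# Not the article's own script.

# Print "FD TARGET" for every descriptor of PID whose file was unlinked.
# readlink on /proc/PID/fd/N ends in " (deleted)" for such descriptors.
list_deleted_fds() {
    pid=$1
    for link in /proc/"$pid"/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)") printf '%s %s\n' "${link##*/}" "$target" ;;
        esac
    done
}

# Copy the contents still reachable through fd FD of PID into DEST.
# Refuses if the fd is not a deleted regular file, and never overwrites DEST.
recover_deleted_fd() {
    pid=$1
    fd=$2
    dest=$3
    link=/proc/$pid/fd/$fd
    target=$(readlink "$link" 2>/dev/null) || {
        echo "no such descriptor: $link" >&2; return 1; }
    case "$target" in
        *" (deleted)") ;;
        *) echo "fd $fd of pid $pid is not a deleted file: $target" >&2; return 1 ;;
    esac
    if [ ! -f "$link" ]; then
        echo "fd $fd of pid $pid is not a regular file" >&2; return 1
    fi
    if [ -e "$dest" ]; then
        echo "refusing to overwrite $dest" >&2; return 1
    fi
    # Opening /proc/PID/fd/N creates a fresh open file description at offset 0,
    # so cat reads the whole file regardless of the holder's current position.
    cat "$link" > "$dest"
}

# Self-contained demonstration: a background sleep plays the long-running
# process that still holds the file open on fd 3 (TcpSvr's fd 5 in the article).
demo_recovery() {
    tmp=$(mktemp) || return 1
    printf 'line1\nline2\n' > "$tmp"         # constructed sample content
    exec 3< "$tmp"                           # open here so the child inherits an open fd
    sleep 60 >/dev/null 2>&1 &
    holder=$!
    exec 3<&-                                # only the holder keeps the file open now
    rm "$tmp"                                # gone from the directory, data still on disk
    list_deleted_fds "$holder" | grep -qxF "3 $tmp (deleted)" || { kill "$holder"; return 1; }
    recover_deleted_fd "$holder" 3 "$tmp.recovered" || { kill "$holder"; return 1; }
    kill "$holder"
    wait "$holder" 2>/dev/null || true
    cat "$tmp.recovered"
    rm -f "$tmp.recovered"
}
```

On a busy system, `lsof +L1` (files whose link count is below 1) is the quickest way to find candidates for list_deleted_fds. The recovery has to happen while the holder is still alive: once the last descriptor is closed, the kernel frees the blocks and the data is gone for good.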