October 24, 2005

CLI Magic: lsof

Author: Joe Barr

Last week's CLI Magic column was about Trojan Scan, a useful tool (still in alpha development phase) for warding off the bad guys. I noted then that the utility was based on the lsof command -- actually, based on just one of the hundreds of combinations of arguments used to tell lsof exactly what it is you want from it. This week we're going to take a longer look at lsof, and see a few of the other mysteries it can solve.

Judging by the size of its man page, lsof is one of the most complex commands available, but don't worry, we're going to keep this simple. We have to, or a real system admin with years of experience using lsof on multiple platforms -- rather than a simple home user like me -- will have to write it.

As a rule, I close the column with a reminder to read the man pages for the topic at hand. This week I'm going to begin with a different tip:

Tip #1 - Use lsof -h instead of man lsof

This is a better way to get your foot in the door with lsof. Why? Because it produces a cheat sheet like this that you can use whenever needed:

lsof -h
lsof 4.74
 latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
 latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
 latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
 usage: [-?abhlnNoOPRstUvV] [+|-c c] [+|-d s] [+D D] [+|-f]
 [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]]
 [-p s] [+|-r [t]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
Defaults in parentheses; comma-separate set (s) items; dash-separate ranges.
    -?|-h list help          -a AND selections (OR)     -b avoid kernel blocks
    -c c  cmd c, /c/[bix]    +c w  COMMAND width (9)
    +d s  dir s files        -d s  select by FD set     +D D  dir D tree *SLOW?*
    -i select IPv[46] files  -l list UID numbers
    -n no host names         -N select NFS files        -o list file offset
    -O avoid overhead *RISK  -P no port names           -R list paRent PID
    -s list file size        -t terse listing           -T disable TCP/TPI info
    -U select Unix socket    -v list version info       -V verbose search
    +|-w  Warnings (+)       -- end option scan
    +f|-f  +filesystem or -file names
    -F [f] select fields; -F? for help
    +|-L [l] list (+) suppress (-) link counts

Tip #2 - Download the source package and read the 00QUICKSTART file included with it.

You can download the latest version of lsof from here. It's much easier to read and learn from the 00QUICKSTART file than from lsof's man page. OK, no more tips. From here we're on our own.

You'll rarely want to use lsof alone, without any options at all. Why? Because running lsof with no options will list all open files that belong to active processes. It produces more than 4,000 lines of output on my system, so anything I might be interested in finding would take forever to find.

As noted last week, Trojan Scan uses lsof -Pni to get a listing of all current Internet connections by port number and IP address. Let's take a look at a few other categories of information that lsof can provide.

Let's say you wanted to list all the open files for a particular user. You can do it by user ID or by user name. Like this:

lsof -u warthawg

lsof -u 1234

You can also confine lsof to listing open files on a single device or partition, like this:

lsof /dev/hda1

One word of caution. If you list the files the system's primary user has open, or the files open on the most heavily used disk, you're still likely to get thousands of lines of output.

But one of the things that makes lsof so powerful is its ability to use logical AND/OR operators to build more complex commands that produce more focused output.

Let's try that by combining the user and device selections from our first two efforts. Like this:

lsof -u 1234 -a /dev/hda1

Note that reversing the order, putting the device name first, does not seem to work. But in the sequence shown above, it works just fine.

Maybe you're curious about what a particular application, or process, has open. To find out, use:

lsof -p 17265

The only problem with specifying the PID as above is that an application may have dozens of processes running. If you want to see the open files of every process belonging to a given application, you can specify the first few characters of the process name, and lsof will list all those that match. Evolution seems a likely candidate for this type of lsof, so give it a try with this:

lsof -c evol

Of course, that may result in the dreaded "too much information" condition. If so, use the -a logical operator to AND it with files on a particular device.

If you're paranoid, you might want to know who is connected to your machine on a range of ports. Providing you know your IP address, you can find out like this:

lsof -i @

Note that you may need to be logged in as root, or use sudo, for some of lsof's functions.
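As an added example (not from the column, and not Trojan Scan's own code), here is a small POSIX shell audit over the lsof -Pni listing mentioned earlier: it flags every listening TCP socket whose port is not on a baseline list. The sample listing and the baseline ports are constructed for offline use and are assumptions, not output from a real host.

```shell
#!/bin/sh
# Audit "lsof -Pni" output for unexpected listening TCP ports.
# lsof's standard columns are:
#   COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
# For TCP sockets the NAME column ends with a state, e.g. "*:22 (LISTEN)".
# UDP sockets carry no state suffix and are therefore not covered here.

# Baseline of ports this host is expected to have listening (assumed values).
EXPECTED_PORTS="22 631"

# Constructed sample of "lsof -Pni" output. On a real host, pipe the
# live listing instead:  sudo lsof -Pni | audit_listeners
SAMPLE='COMMAND    PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      1044     root    3u  IPv4   9821      0t0  TCP *:22 (LISTEN)
cupsd     1210     root    4u  IPv4  10234      0t0  TCP 127.0.0.1:631 (LISTEN)
evolution 17265 warthawg   21u  IPv4  55012      0t0  TCP 192.168.1.5:43210->10.0.0.1:993 (ESTABLISHED)
nc        20001 warthawg    3u  IPv4  61002      0t0  TCP *:31337 (LISTEN)'

# Reads lsof output on stdin; prints "PID COMMAND PORT" for each LISTEN
# socket whose port is not in $EXPECTED_PORTS. Exits 1 if any were found.
audit_listeners() {
    awk -v expected="$EXPECTED_PORTS" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        NR == 1 { next }                        # skip the column header
        $NF == "(LISTEN)" {
            addr = $(NF - 1)                    # e.g. *:22 or 127.0.0.1:631
            port = addr; sub(/.*:/, "", port)   # keep text after the last colon
            if (!(port in ok)) { print $2, $1, port; bad++ }
        }
        END { if (bad > 0) exit 1; exit 0 }'
}

# Runs the audit over the constructed sample (used by the test harness).
flag_sample() {
    printf '%s\n' "$SAMPLE" | audit_listeners
}
```

The `sub(/.*:/, "", port)` step keeps only the text after the last colon, so bracketed IPv6 addresses such as [::1]:631 yield the right port as well.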

That wraps up your introduction to lsof in all its glory, but there is much more to learn. I refer you to the man pages, but only after you've perused the lsof -h and the 00QUICKSTART file noted above. If you're an lsof expert, please feel free to add your favorite usage in comments.
