Author: Joe Barr
As a rule, I close the column with a reminder to read the man pages for the topic at hand. This week I’m going to begin with a different tip:
Tip #1 – Use lsof -h
This is a better way to get your foot in the door with lsof. Why? Because it produces a cheat sheet like this that you can use whenever needed:
    lsof -h
    lsof 4.74
     latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
     latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
     latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
     usage: [-?abhlnNoOPRstUvV] [+|-c c] [+|-d s] [+D D] [+|-f]
     [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]]
     [-p s] [+|-r [t]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
    Defaults in parentheses; comma-separate set (s) items; dash-separate ranges.
      -?|-h list help          -a  AND selections (OR)   -b  avoid kernel blocks
      -c c  cmd c, /c/[bix]    +c w  COMMAND width (9)   +d s  dir s files
      -d s  select by FD set   +D D  dir D tree *SLOW?*
      -i select IPv files      -l list UID numbers       -n no host names
      -N select NFS files      -o list file offset       -O avoid overhead *RISK
      -P no port names         -R list paRent PID        -s list file size
      -t terse listing         -T disable TCP/TPI info   -U select Unix socket
      -v list version info     -V verbose search         +|-w  Warnings (+)
      -- end option scan
      +f|-f  +filesystem or -file names
      -F [f] select fields; -F? for help
      +|-L [l] list (+) suppress (-) link counts
Tip #2 – Download the source package and read the 00QUICKSTART file included with it.
You can download the latest version of lsof from here. It’s much easier to read and learn from the 00QUICKSTART file than lsof’s man page. Ok, no more tips. From here we’re on our own.
You’ll rarely want to use lsof alone, without any options at all. Why? Because running lsof with no options will list all open files that belong to active processes. It produces more than 4,000 lines of output on my system, so anything I might be interested in finding would take forever to find.
As noted last week, Trojan Scan uses lsof -Pni to get a listing of all current Internet connections by port number and IP address. Let’s take a look at a few other categories of information that lsof can provide.
Let’s say you wanted to list all the open files for a particular user. You can do it by user ID or by user name. Like this:
lsof -u warthawg
lsof -u 1234
You can also confine lsof to listing open files on a single device or partition by giving it the device name (such as /dev/hda1, used again in the combined example below) as its final argument.
One word of caution. If you list the open files that the primary user on a system has open, or the open files on the most heavily used disk, you’re still likely to get thousands of lines of output.
But one of the things that makes lsof so powerful is its ability to use logical AND/OR operators to create more complex commands that produce more focused output.
Let’s try that by combining the user and device selections from our first two efforts. Like this:
lsof -u 1234 -a /dev/hda1
Note that reversing the order, putting the device name first, does not seem to work: lsof stops scanning for options at the first argument that is not an option (the [--] [names] at the end of the usage line above), so anything after the device name is taken as another file name rather than as an option. In the sequence shown above, it works just fine.
Maybe you’re curious about what a particular application, or process, has open. To find out, use:
lsof -p 17265
The only problem with specifying the PID as above is that an application may have dozens of processes running. If you want to see the open files of every process belonging to a given application, you can specify the first few characters of the process name, and lsof will list all those whose command name matches. Evolution seems a likely candidate for this type of lsof query, so give it a try with this:
lsof -c evol
Of course, that may result in the dreaded “too much information” condition. If so, use the -a logical operator to AND it with files on a particular device.
If you’re paranoid, you might want to know who is connected to your machine on a range of ports. Providing you know your IP address, you can find out like this:
lsof -i @192.168.0.101:1-1024
Note that you may need to be logged in as root, or use sudo, for some of lsof’s functions.
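Both lsof -Pni (the listing Trojan Scan relies on) and lsof -i @addr:ports print one line per socket, so a short script can reduce that output to the lines worth a second look: listeners on ports you did not expect, and which process holds each outbound connection. The following is an added example, not code from the column or from Trojan Scan; the lsof output it parses is constructed, and the port allow list is an assumption.

```shell
#!/bin/sh
# Added example, not from the column or Trojan Scan: reduce `lsof -Pni`
# output to the lines a defender wants to look at. The lsof lines below
# are constructed, and the port allow list is an assumption.

SAMPLE_LSOF_PNI='COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd        812     root    3u  IPv4   9912      0t0  TCP *:22 (LISTEN)
cupsd       901     root    7u  IPv4  10233      0t0  TCP 127.0.0.1:631 (LISTEN)
evolution 17265 warthawg   14u  IPv4  20441      0t0  TCP 192.168.0.101:40312->10.0.0.5:993 (ESTABLISHED)
nc        23011 warthawg    3u  IPv4  31002      0t0  TCP *:4444 (LISTEN)
ntpd        777      ntp   16u  IPv4   9600      0t0  UDP *:123'

# unexpected_listeners ALLOWED_PORTS LSOF_OUTPUT
# Prints "COMMAND PID USER ADDR" for every TCP listener whose port is not
# in the space-separated allow list. Because -P was used, the NAME column
# holds numeric ports, so the text after the last ':' is the port.
unexpected_listeners() {
    printf '%s\n' "$2" | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF == "(LISTEN)" {
            port = $(NF-1); sub(/.*:/, "", port)
            if (!(port in ok)) print $1, $2, $3, $(NF-1)
        }'
}

# established_peers LSOF_OUTPUT
# Prints "COMMAND PID USER -> REMOTE" for every established TCP connection;
# the remote endpoint is the part of NAME after "->".
established_peers() {
    printf '%s\n' "$1" | awk '
        $NF == "(ESTABLISHED)" {
            split($(NF-1), ep, "->"); print $1, $2, $3, "->", ep[2]
        }'
}

# Stand-alone run over the constructed sample; on a live system replace
# SAMPLE_LSOF_PNI with "$(lsof -Pni)" (may need root, as the column notes).
unexpected_listeners "22 631 123" "$SAMPLE_LSOF_PNI"
established_peers "$SAMPLE_LSOF_PNI"
```

Over the sample, the first call reports only the nc listener on port 4444 and the second reports the evolution connection to 10.0.0.5:993.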
That wraps up your introduction to lsof in all its glory, but there is much more to learn. I refer you to the man pages, but only after you’ve perused the lsof -h output and the 00QUICKSTART file noted above. If you’re an lsof expert, please feel free to add your favorite usage in comments.