LSOF command

Contents

  • lsof command
    • Reference
    • Notes on lsof version
    • Special recommendations
    • lsof usage
    • lsof application examples

lsof command

Written by Zak Zhu

Reference

  • Niaoge Private Kitchen (http://cn.linux.vbird.org/linux_basic/0440processcontrol_4.php#proc)
  • 10 examples of dead wood/translation-lsof in Linux (http://kumu-linux.github.io/blog/2013/04/08/lsof/)
  • Different sky Detailed explanation of w/lsof command (http://blog.itpub.net/31397003/viewspace-2147485/)
  • Linux Tools Quick Tutorial–Tool Reference—3.lsof Everything is a file (https://linuxtools-rst.readthedocs.io/zh_CN/latest/tool/lsof.html)
  • yexiaobai/Use lsof to handle file recovery, handle and space release issues (http://www.voidcn.com/article/p-ggdoqzkj-a.html)
  • The pit of lsof under Aliwolf/centos7 (https://www.iyunv.com/thread-383054-1-1.html)
  • petergz/[Linux] wrong usage scenarios of lsof and the correct way to check the number of open files (https://www.jianshu.com/p/407c2baef92e)
  • teddy.sun/About file-max and file-nr (http://www.opstool.com/article/166)
  • Narad Shrestha/10 lsof Command Examples in Linux (https://www.tecmint.com/10-lsof-command-examples-in-linux/)

lsof version note

The default version of lsof in CentOS 6 is 4.82.

The default version of lsof in CentOS 7 is 4.87.

The difference between the above two versions is shown in the figure below:

As you can see from the figure above, if you use the lsof | wc -l command in CentOS 7 to count the total number of open file descriptors, the result will obviously be too large!


Special recommendations

So in order to avoid the above problem, it is recommended to use the following commands to view the FDs:

  1. Count the total number of open file descriptors on the system

    cat /proc/sys/fs/file-nr | awk '{print $1-$2}'

    1380        180         65536
    |           |           |_ Max no. of file descriptors allowed on the system
    |           |              (consistent with file-max)
    |           |
    |           |__ Total free allocated file descriptors
    |
    |__ Total allocated file descriptors

    To compute the number of file descriptors currently being used:
    1380-180 = 1200

  2. Count the total number of open file descriptors of a process

    # Plain ls is used here: ls -l would add a "total" line to the count
    ls /proc/<PID>/fd | wc -l

  3. Check which processes use the most FDs

    Run the pnofile.sh script:

    #!/bin/bash
    # pnofile.sh: print the number of open FDs per process, largest first.
    # The loop is piped straight into sort, so no temporary file in /tmp is needed.
    # Processes that have exited or cannot be read are counted as 0.
    for pid_path in /proc/[0-9]*
    do
        pnofile=$(ls "${pid_path}/fd" 2>/dev/null | wc -l)
        echo "${pnofile} ${pid_path}"
    done | sort -rn


lsof Usage

lsof (list open files) is a tool for listing the files currently open on the system. In the Linux environment, everything exists in the form of a file. Through files you can access not only regular data but also network connections and hardware. For Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) sockets, for example, the system allocates a file descriptor to the application in the background, and that descriptor provides a lot of information about the application itself.

Below I use version 4.87 of lsof to demonstrate the usage:

1. List all Open Files with lsof Command

lsof

FD stands for file descriptor. Some of the values you may see are:

  • cwd # current working directory
  • rtd # root directory
  • txt # program text (code and data)
  • mem # memory-mapped file

Also in the FD column, a value such as 1u is the actual file descriptor number followed by its mode, one of u, r or w:

  • r # for read access
  • w # for write access
  • u # for read and write access

TYPE is the type of the file. Some of the values are:

  • DIR # Directory
  • REG # Regular file
  • CHR # Character special file
  • FIFO # First In First Out

2. List User Specific Opened Files

lsof -u root

3. Find Processes running on Specific Port

lsof -i TCP:22

4. List Open Files of TCP Port ranges 1-1024

lsof -i TCP:1-1024

5. Exclude User with '^' Character

lsof -i -u ^root

6. Search by PID

lsof -p 1

7. Kill all Activity of Particular User

kill -9 $(lsof -t -u zak)

lsof application example

1. Recovering deleted files

When a Linux computer is compromised, it is common for log files to be deleted to cover up the traces of the attacker. Administrative mistakes may also lead to accidental deletion of important files, such as deleting the active transaction log of a database while cleaning up old logs. Sometimes these files can be restored with lsof.

When a process opens a file, the file still exists on the disk for as long as the process keeps it open, even if it is deleted. This means that the process does not know that the file has been deleted, and it can still read and write through the file descriptor it was given when the file was opened. The file is not visible to anything except this process, because its directory entry has been removed.

The /proc directory contains files that reflect the state of the kernel and the process tree. /proc is a virtual file system held in memory, so these files and directories do not exist on the disk; when we read and write them, we are actually working with information in memory. Most of the information related to lsof is stored in directories named after the PID of each process; for example, /proc/1234 contains information about the process with PID 1234. The files in each process directory let an application inspect the process's memory space, its list of file descriptors, the symbolic links pointing to files on the disk, and other system information. The lsof program uses this information and other information about the internal state of the kernel to produce its output, which is how lsof can display a process's file descriptors and the related file names. In other words, we can reach a file's contents through the file descriptor of the process that has it open.

When a file on the system is accidentally deleted, as long as some process is still accessing the file at that moment, we can find it with lsof and restore its content from the /proc directory.

Next, let’s do an experiment:

  • Simulate a file being deleted while a process on the system is still accessing it.

    # 1
    echo "hello" > /tmp/test
    # 2
    less /tmp/test
    # At this time, in another terminal, John deletes the file
    # 3
    rm /tmp/test

  • Restore the Deleted file

    1. Find the PID and FD of the file using lsof

      lsof | grep "deleted" | grep "/tmp/test"

    2. Under the /proc directory, find the FD of the process using the file

      cat /proc/32189/fd/4

    3. Restore the file

      cat /proc/32189/fd/4 > /tmp/test

2. df and du show very different results

Today, a colleague said that the /tmp file system was full, but when du counted all the files in the directory, the total was very small. On hearing this, my first thought was that a large file had been deleted but was still held open by another program, so its space could not be released. I logged in to the server and used lsof to take a look, and that turned out to be the case. The specific troubleshooting process is as follows:

df -h
# The following is the output of the command
Filesystem  Size  Used  Avail  Use%  Mounted on
/dev/sda5   8.7G  7.9G  407M   96%   /tmp

lsof | grep "deleted" | grep "/tmp" | sort -nr -k 7,7
# The following is the output of the command
netstat_2  13571  peien.htg  1w  REG  8,5  8321143673  54  /tmp/netstat.log (deleted)
...

The second column of the lsof output above is the PID, and the third column from the end is the space occupied.

You can see that the file /tmp/netstat.log (deleted) occupies more than 7 gigabytes of space. Although it has been deleted, a process still has it open.

Then, use the PID to see which program is holding this file:

ps -ef | grep "13571" | grep -v "grep"
# The following is the output of the command
51717  13571      1  0  2011  ?  00:15:00  /bin/bash /tmp/netstat_20110829.sh
51717  21456  13571  0  09:40 ?  00:00:00  sleep 10

After the process is killed, the space is released:

kill -9 13571
df -h
# The following is the output of the command
Filesystem  Size  Used  Avail  Use%  Mounted on
/dev/sda5   8.7G  56M   8.2G   1%    /tmp
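The recovery steps in example 1 and the df/du case in example 2 both start by finding deleted files that a process still holds open. The following is an added example, not part of the original article: it reads the /proc/PID/fd links directly instead of parsing lsof output, so each descriptor is listed once. The function names list_deleted_open and recover_deleted are hypothetical.

```bash
#!/bin/bash
# Added example: function names are illustrative, not from lsof or the article.

# list_deleted_open [PROC_ROOT]
# Print "PID FD SIZE_BYTES PATH" for each descriptor whose file was unlinked
# but is still held open by a process.
list_deleted_open() {
    local proc_root fd_link target pid fd size suffix
    proc_root="${1:-/proc}"
    suffix=' (deleted)'          # the kernel appends this to unlinked paths
    for fd_link in "$proc_root"/[0-9]*/fd/*; do
        # readlink fails for processes that exited or that we may not inspect
        target=$(readlink "$fd_link" 2>/dev/null) || continue
        case "$target" in
            /*"$suffix") ;;
            *) continue ;;
        esac
        pid=${fd_link#"$proc_root"/}
        pid=${pid%%/*}
        fd=${fd_link##*/}
        # -L follows the /proc link to the inode, which still holds the data
        size=$(stat -L -c %s "$fd_link" 2>/dev/null) || size=0
        printf '%s %s %s %s\n' "$pid" "$fd" "$size" "${target%"$suffix"}"
    done
}

# recover_deleted PID FD DEST
# Copy the data of a deleted-but-open file to DEST. The owning process is left
# running, and an existing DEST is never overwritten.
recover_deleted() {
    local src dest
    src="/proc/$1/fd/$2"
    dest="$3"
    if [ -e "$dest" ]; then
        echo "refusing to overwrite $dest" >&2
        return 1
    fi
    case "$(readlink "$src" 2>/dev/null)" in
        /*" (deleted)") cp -- "$src" "$dest" ;;
        *) echo "$src is not a deleted file" >&2; return 1 ;;
    esac
}
```

Run it as root to see every process. Sorting the output numerically on the third column puts the largest space holders first, and on a compromised host recover_deleted should write to a separate evidence location rather than back to the original path.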

3. Resolving a file system that cannot be unmounted

  • Simulate a file system that cannot be unmounted

    # 1
    mount /dev/sr0 /mnt/cdrom
    # 2
    less /mnt/cdrom/GPL
    # While a file in the file system is open, unmounting the file system will fail
    # 3
    umount /dev/sr0

  • Solutions

    1. Use lsof to find the processes using files in the file system

      lsof | grep "/mnt/cdrom"

    2. Kill the process that is using the file in the file system

      kill -9 10506

    3. Unmount the file system successfully

      umount /dev/sr0
