Using the lsof command on Linux to see open files

  • 2021-01-02 22:09:26
  • OfStack

Preface

We all know that under Linux "everything is a file", so it is sometimes very important to see which files are open and by whom. Here is a command that helps with this: lsof.

What files are there under Linux

Before introducing the lsof command, here is a brief list of the file types Linux has:

  • Regular files
  • Directories
  • Symbolic links
  • Block-oriented device files
  • Character-oriented device files
  • Pipes and named pipes
  • Sockets

These file types are not described in detail here.

Introduction to practical usage of the lsof command

lsof is short for "list open files". It has a lot of parameters, but we will only cover a few practical usages here (note that root permission is required in some cases).

View all files currently open

In general, typing the lsof command on its own produces so many results that it is difficult to find the information we need. Still, here is one record to show what the output looks like.


$ lsof   # one record selected for display
COMMAND PID   USER FD  TYPE DEVICE SIZE/OFF NODE NAME
vi 27940   hyb 7u REG  8,15 16384 137573 /home/hyb/.1.txt.swp

The columns displayed by lsof, from left to right, are: name of the program that opened the file, process id, user, file descriptor, file type, device, size, inode number, file name.

Let's focus for a moment on the columns that we know. This record shows that the vi program, with process id 27940, has opened the regular file (REG) .1.txt.swp in the /home/hyb directory, with file descriptor 7 in read-write mode (u); its current size is 16384 bytes.

List files that have been deleted but still take up space

In a production environment, we might run the df command and see that disk space is full, yet find it hard to locate the file that filled it. This is often because a large file was deleted while a process still has it open, so no trace of it can be found by ordinary means; the most common case is a log file. We can find such files through lsof:


$ lsof |grep deleted
Xorg 1131 root 125u REG  0,5 4 61026 /memfd:xshmfence (deleted)
Xorg 1131 root 126u REG  0,5 4 62913 /memfd:xshmfence (deleted)
Xorg 1131 root 129u REG  0,5 4 74609 /memfd:xshmfence (deleted)

You can see that the deleted files are still open, and that they are marked (deleted) in the listing. At this point you can analyze the actual situation: which files may be very large but have been deleted, so that the space is still occupied.

Restore files that have been opened but deleted

Above, we saw how to find files that have been deleted but are still open. In fact, such a file has not really disappeared. If it was deleted accidentally, we still have a way to recover it. Take the /var/log/syslog file as an example; let's delete it first (as the root user):


$ rm /var/log/syslog

Then use lsof to see which process has the file open:


$ lsof |grep syslog
rs:main 993 1119  syslog 5w REG  8,10 78419 528470 /var/log/syslog (deleted)

We can see that the process with id 993 has the file open. We know that each process has a record of its open file descriptors under /proc:


$ ls -l /proc/993/fd
lr-x------ 1 root root 64 3 month  5 18:30 0 -> /dev/null
l-wx------ 1 root root 64 3 month  5 18:30 1 -> /dev/null
l-wx------ 1 root root 64 3 month  5 18:30 2 -> /dev/null
lrwx------ 1 root root 64 3 month  5 18:30 3 -> socket:[15032]
lr-x------ 1 root root 64 3 month  5 18:30 4 -> /proc/kmsg
l-wx------ 1 root root 64 3 month  5 18:30 5 -> /var/log/syslog (deleted)
l-wx------ 1 root root 64 3 month  5 18:30 6 -> /var/log/auth.log

Here we find the deleted syslog file with file descriptor 5, and we redirect its content out:


$ cat /proc/993/fd/5 > syslog
$ ls -al /var/log/syslog
-rw-r--r-- 1 root root 78493 3 month  5 19:22 /var/log/syslog

We have restored the syslog file.
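The two steps above (finding descriptors that still point at deleted files, then copying the content back out through /proc/PID/fd) as one script. This is an added example, not code from the original article; the function names and the PROC_ROOT override are assumptions introduced here.

```shell
#!/bin/sh
# Added example: the "lsof | grep deleted" check and the /proc/PID/fd
# recovery step, done with /proc directly.
# PROC_ROOT is an assumed override so the functions can run against a test tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print "PID FD SIZE PATH" for every descriptor whose target was unlinked.
list_deleted_open() {
    for link in "$PROC_ROOT"/[0-9]*/fd/*; do
        [ -L "$link" ] || continue               # unreadable or already closed
        target=$(readlink "$link") || continue
        case "$target" in
            *" (deleted)") ;;                    # suffix the kernel appends
            *) continue ;;
        esac
        fd=${link##*/}
        pid=${link%/fd/*}; pid=${pid##*/}
        # stat -L follows the descriptor, so this is the size still held on disk
        size=$(stat -L -c %s "$link" 2>/dev/null || echo '?')
        printf '%s %s %s %s\n' "$pid" "$fd" "$size" "${target% (deleted)}"
    done
}

# Copy the still-open content of PID's descriptor FD to DEST.
# Refuses to overwrite and creates the copy readable by its owner only.
recover_fd() {
    pid=$1 fd=$2 dest=$3
    src="$PROC_ROOT/$pid/fd/$fd"
    [ -e "$dest" ] && { echo "refusing to overwrite $dest" >&2; return 1; }
    [ -r "$src" ] || { echo "cannot read $src (need root?)" >&2; return 1; }
    ( umask 077 && set -C && cat "$src" > "$dest" )
}
```

Source the file and call `list_deleted_open` as root to cover every process, then `recover_fd 993 5 ./syslog.recovered` for the case shown above. The copy is a snapshot: the process keeps writing to the deleted inode until it closes or reopens the file.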

See which processes have a given file open

Windows often refuses to delete a file and tells you that a program is using it, but not which program. We can search for the file in the associated handles under Explorer - Performance - Resource Monitor - CPU to find the program that opened the file, but the search speed is impressive.

Linux makes this easier: use the lsof command, for example, to see which programs currently have hello.c open:


$ lsof hello.c
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
tail 28731 hyb 3r REG 8,15 228 138441 hello.c

However, we find that the vi instance editing hello.c is not listed, because vi opens a temporary copy. Let's look in another way:


$ lsof |grep hello.c
tail 28906   hyb 3r REG  8,15 228 138441 /home/hyb/workspaces/c/hello.c
vi 28933   hyb 9u REG  8,15 12288 137573 /home/hyb/workspaces/c/.hello.c.swp

So we found two programs that are related to the hello.c file.

The purpose of grep here is to keep only the matching lines from the full output.

See whether files under a directory are open


$ lsof +D ./

See which files a given process has open

Usage: lsof -c process name

This is typically used to locate problems in a program, such as seeing which libraries the process is using, which files it has open, and so on. Suppose there is a hello program that prints characters in a loop:


$ lsof -c hello
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
hello 29190 hyb cwd DIR 8,15 4096 134538 /home/hyb/workspaces/c
hello 29190 hyb rtd DIR 8,10 4096 2 /
hello 29190 hyb txt REG 8,15 9816 138314 /home/hyb/workspaces/c/hello
hello 29190 hyb mem REG 8,10 1868984 939763 /lib/x86_64-linux-gnu/libc-2.23.so
hello 29190 hyb mem REG 8,10 162632 926913 /lib/x86_64-linux-gnu/ld-2.23.so
hello 29190 hyb 0u CHR 136,20 0t0 23 /dev/pts/20
hello 29190 hyb 1u CHR 136,20 0t0 23 /dev/pts/20
hello 29190 hyb 2u CHR 136,20 0t0 23 /dev/pts/20

We can see that it uses at least the /lib/x86_64-linux-gnu/libc-2.23.so and hello files.

It can also be viewed by process id, with multiple process ids separated by commas:



Of course, there is another way, using the proc file system. First find the process id of the hello process:



You can see that the process id is 29190. Check the process's file descriptor directory:



This filters out a lot of information because it lists only what the process actually has open; in this case only 0, 1 and 2, which are standard input, standard output and standard error.

Check to see if a port is occupied

When using a database or starting a web service, you will often run into port-in-use problems, so how do you check whether a port is occupied?


$ lsof -i :6379
COMMAND  PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
redis-ser 29389 hyb 6u IPv6 534612  0t0 TCP *:6379 (LISTEN)
redis-ser 29389 hyb 7u IPv4 534613  0t0 TCP *:6379 (LISTEN)

You can see here that the redis-server process (shown as redis-ser) is using port 6379.

View all TCP/UDP connections



Of course, we can also use the netstat command.



The -i parameter here can be followed by a variety of conditions:

-i 4      # ipv4 address
-i 6      # ipv6 address
-i tcp    # tcp connection
-i :3306  # port
-i @ip    # ip

So when you need to see the connections to an ip address, you can use the following:



See which files a user has open

Linux is a multi-user operating system. How do you know which files other ordinary users have open? The -u parameter can be used:



List open files excluding a process or a user

This is similar to the previous usages, except that the process id or user name is preceded by ^, for example:


lsof -p ^1    # list files opened by processes other than the one with process id 1
lsof -u ^root # list files opened by users other than root

Conclusion

Each usage above relies on a single condition. In fact, multiple conditions can be combined, for example to list the tcp socket files opened by the process with id 1:



lsof has many parameters, which can be looked up with the man command, but knowing these practical basics is enough for us.

Author of this article: Watchman
Link to this article: https://www.yanbinghu.com/2019/03/05/61180.html
Copyright notice: This article is original and copyrighted by Shouwang, and is licensed under the CC BY-NC-SA 3.0 license. Please contact me before reprinting!
