Lsof

From NovaOrdis Knowledge Base
Jump to navigation Jump to search

Internal

Overview

lsof lists information about files opened by processes, on both Linux and Mac. lsof provides information about:

  • regular files
  • directories
  • block special files
  • character special files
  • executing text references
  • libraries
  • streams
  • network files (Internet socket, NFS file or UNIX domain socket)

In absence of any options, lsof lists all open files by all processes.

To list open files by a specific process, use the process' PID as follows: 

lsof -p <pid>

The output of lsof includes all information that can be obtained by listing the /proc/<pid>/fd directory, and also other files that have a special significance for the process and are not associated with file descriptors, such as the current working directory, the root directory, memory mapped files, etc.

The output is similar to: 

COMMAND   PID    USER   FD   TYPE             DEVICE SIZE/OFF    NODE NAME
java    10016 vagrant  cwd    DIR              252,2     4096 2621584 /home/test
java    10016 vagrant  rtd    DIR              252,0     4096       2 /
java    10016 vagrant  txt    REG              252,2     7734 2885001 /opt/java/x64/jre1.8.0_51/bin/java
java    10016 vagrant  mem    REG              252,0   161704 1310723 /lib64/ld-2.12.so
[...]
java    10016 vagrant    0r   CHR                1,3      0t0      26 /dev/null
java    10016 vagrant    1u   CHR              136,0      0t0       3 /dev/pts/0 (deleted)
java    10016 vagrant    2u   CHR              136,0      0t0       3 /dev/pts/0 (deleted)
java    10016 vagrant    3w   REG              252,2    48759 2753619 /home/test/gc.log.0.current
java    10016 vagrant    4r   REG              252,2 65944582 2884909 /opt/java/x64/jre1.8.0_51/lib/rt.jar
java    10016 vagrant    5u  IPv4              39331      0t0     TCP *:msgsrvr (LISTEN)
[...]

Parser

https://github.com/NovaOrdis/playground/blob/master/main/src/main/java/io/novaordis/playground/FDAndLsofAnalysis.java

File Descriptor Information

The command provides file descriptor information by default, as the fourth field "FD". The FD column contents constitutes a single field for parsing in post-processing scripts.

The FD column content starts with the file descriptor number, followed by several characters, usually one, describing the mode under which the file is open. If the FD does not start with a file descriptor number, it is one of the special entries described below.

  • 'r' for read access
  • 'w' for write access
  • 'u' for read and write access
  • space if mode is unknown and no lock character follows
  • ‘-’ if mode unknown and lock character follows

The mode character is followed by one of these lock characters, describing the type of lock applied to the file:

  • 'r' for read lock on part of the file
  • 'R' for a read lock on the entire file
  • 'w' for a write lock on part of the file
  • 'W' for a write lock on the entire file
  • 'u' for a read and write lock of any length
  • 'U' for a lock of unknown type
  • space if there is no lock

Special Entries

Special entries do not start with a file descriptor number and marked as such:

  • cwd current working directory
  • err FD information error (see NAME column)
  • jld" jail directory (FreeBSD)
  • ltx shared library text (code and data)
  • Mxx hex memory-mapped type number xx
  • m86 DOS Merge mapped file
  • mem memory-mapped file
  • mmap memory-mapped device
  • pd parent directory
  • rtd root directory
  • tr kernel trace file (OpenBSD)
  • txt program text (code and data)
  • v86 VP/ix mapped file

Use Cases

Finding out what processes are listening and on what sockets

Mac

lsof -nP -i4TCP:$PORT | grep LISTEN
Retrieved from "https://kb.novaordis.com/index.php?title=Lsof&oldid=78487"