Lsof: Difference between revisions
No edit summary |
|||
(6 intermediate revisions by the same user not shown) | |||
Line 5: | Line 5: | ||
=Overview= | =Overview= | ||
< | <code>lsof</code> lists information about files opened by processes, on both Linux and Mac. <code>lsof</code> provides information about: | ||
* regular files | * regular files | ||
* directories | * directories | ||
Line 15: | Line 15: | ||
* network files (Internet socket, NFS file or UNIX domain socket) | * network files (Internet socket, NFS file or UNIX domain socket) | ||
In absence of any options, < | In absence of any options, <code>lsof</code> lists all open files by all processes. | ||
To list open files by a specific process, use the process' PID as follows: | To list open files by a specific process, use the process' PID as follows: | ||
Line 23: | Line 23: | ||
</pre> | </pre> | ||
The output of <tt>lsof</tt> includes ''all'' information that can be obtained by listing the [[ | The output of <tt>lsof</tt> includes ''all'' information that can be obtained by listing the [[Linux_File_and_File_Descriptor_Information#Used_File_Descriptors_per_Process|/proc/<pid>/fd]] directory, and also other files that have a special significance for the process and are not associated with file descriptors, such as the current working directory, the root directory, memory mapped files, etc. | ||
The output is similar to: | The output is similar to: | ||
Line 42: | Line 42: | ||
[...] | [...] | ||
</pre> | </pre> | ||
=Parser= | |||
{{External|https://github.com/NovaOrdis/playground/blob/master/main/src/main/java/io/novaordis/playground/FDAndLsofAnalysis.java}} | |||
=File Descriptor Information= | =File Descriptor Information= | ||
Line 82: | Line 86: | ||
* '''txt''' program text (code and data) | * '''txt''' program text (code and data) | ||
* '''v86''' VP/ix mapped file | * '''v86''' VP/ix mapped file | ||
=Use Cases= | |||
==Finding out what processes are listening and on what sockets== | |||
===Mac=== | |||
lsof -nP -i4TCP:$PORT | grep LISTEN |
Latest revision as of 06:36, 2 June 2021
Internal
Overview
lsof
lists information about files opened by processes, on both Linux and Mac. lsof
provides information about:
- regular files
- directories
- block special files
- character special files
- executing text references
- libraries
- streams
- network files (Internet socket, NFS file or UNIX domain socket)
In absence of any options, lsof
lists all open files by all processes.
To list open files by a specific process, use the process' PID as follows:
lsof -p <pid>
The output of lsof includes all information that can be obtained by listing the /proc/<pid>/fd directory, and also other files that have a special significance for the process and are not associated with file descriptors, such as the current working directory, the root directory, memory mapped files, etc.
The output is similar to:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME java 10016 vagrant cwd DIR 252,2 4096 2621584 /home/test java 10016 vagrant rtd DIR 252,0 4096 2 / java 10016 vagrant txt REG 252,2 7734 2885001 /opt/java/x64/jre1.8.0_51/bin/java java 10016 vagrant mem REG 252,0 161704 1310723 /lib64/ld-2.12.so [...] java 10016 vagrant 0r CHR 1,3 0t0 26 /dev/null java 10016 vagrant 1u CHR 136,0 0t0 3 /dev/pts/0 (deleted) java 10016 vagrant 2u CHR 136,0 0t0 3 /dev/pts/0 (deleted) java 10016 vagrant 3w REG 252,2 48759 2753619 /home/test/gc.log.0.current java 10016 vagrant 4r REG 252,2 65944582 2884909 /opt/java/x64/jre1.8.0_51/lib/rt.jar java 10016 vagrant 5u IPv4 39331 0t0 TCP *:msgsrvr (LISTEN) [...]
Parser
File Descriptor Information
The command provides file descriptor information by default, as the fourth field "FD". The FD column contents constitutes a single field for parsing in post-processing scripts.
The FD column content starts with the file descriptor number, followed by several characters, usually one, describing the mode under which the file is open. If the FD does not start with a file descriptor number, it is one of the special entries described below.
- 'r' for read access
- 'w' for write access
- 'u' for read and write access
- space if mode is unknown and no lock character follows
- ‘-’ if mode unknown and lock character follows
The mode character is followed by one of these lock characters, describing the type of lock applied to the file:
- 'r' for read lock on part of the file
- 'R' for a read lock on the entire file
- 'w' for a write lock on part of the file
- 'W' for a write lock on the entire file
- 'u' for a read and write lock of any length
- 'U' for a lock of unknown type
- space if there is no lock
Special Entries
Special entries do not start with a file descriptor number and marked as such:
- cwd current working directory
- err FD information error (see NAME column)
- jld" jail directory (FreeBSD)
- ltx shared library text (code and data)
- Mxx hex memory-mapped type number xx
- m86 DOS Merge mapped file
- mem memory-mapped file
- mmap memory-mapped device
- pd parent directory
- rtd root directory
- tr kernel trace file (OpenBSD)
- txt program text (code and data)
- v86 VP/ix mapped file
Use Cases
Finding out what processes are listening and on what sockets
Mac
lsof -nP -i4TCP:$PORT | grep LISTEN