Lsof: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
 
(22 intermediate revisions by the same user not shown)
Line 5: Line 5:
=Overview=
=Overview=


<tt>lsof</tt> lists information about files opened by processes. <tt>lsof</tt> provides information about:
<code>lsof</code> lists information about files opened by processes, on both Linux and Mac. <code>lsof</code> provides information about:
* regular files
* regular files
* directories
* directories
Line 14: Line 14:
* streams
* streams
* network files (Internet socket, NFS file or UNIX domain socket)
* network files (Internet socket, NFS file or UNIX domain socket)
In absence of any options, <code>lsof</code> lists all open files by all processes.
To list open files by a specific process, use the process' PID as follows:


<pre>
<pre>
lsof -p <pid>
lsof -p <pid>
</pre>
</pre>
The output of <tt>lsof</tt> includes ''all'' information that can be obtained by listing the [[Linux_File_and_File_Descriptor_Information#Used_File_Descriptors_per_Process|/proc/<pid>/fd]] directory, and also other files that have a special significance for the process and are not associated with file descriptors, such as the current working directory, the root directory, memory mapped files, etc.
The output is similar to:
<pre>
COMMAND  PID    USER  FD  TYPE            DEVICE SIZE/OFF    NODE NAME
java    10016 vagrant  cwd    DIR              252,2    4096 2621584 /home/test
java    10016 vagrant  rtd    DIR              252,0    4096      2 /
java    10016 vagrant  txt    REG              252,2    7734 2885001 /opt/java/x64/jre1.8.0_51/bin/java
java    10016 vagrant  mem    REG              252,0  161704 1310723 /lib64/ld-2.12.so
[...]
java    10016 vagrant    0r  CHR                1,3      0t0      26 /dev/null
java    10016 vagrant    1u  CHR              136,0      0t0      3 /dev/pts/0 (deleted)
java    10016 vagrant    2u  CHR              136,0      0t0      3 /dev/pts/0 (deleted)
java    10016 vagrant    3w  REG              252,2    48759 2753619 /home/test/gc.log.0.current
java    10016 vagrant    4r  REG              252,2 65944582 2884909 /opt/java/x64/jre1.8.0_51/lib/rt.jar
java    10016 vagrant    5u  IPv4              39331      0t0    TCP *:msgsrvr (LISTEN)
[...]
</pre>
=Parser=
{{External|https://github.com/NovaOrdis/playground/blob/master/main/src/main/java/io/novaordis/playground/FDAndLsofAnalysis.java}}
=File Descriptor Information=
The command provides file descriptor information by default, as the fourth field "FD". The FD column contents constitutes a single field for parsing in post-processing scripts.
The FD column content starts with the file descriptor number, followed by several characters, usually one, describing the mode under which the file is open. If the FD does not start with a file descriptor number, it is one of the [[#Special_Entries|special entries]] described below.
* 'r' for read access
* 'w' for write access
* 'u' for read and write access
* space if mode is unknown and no lock character follows
* ‘-’ if mode unknown and lock character follows
The mode character is followed by one of these lock characters, describing the type of lock applied to the file:
* 'r' for read lock on part of the file
* 'R' for a read lock on the entire file
* 'w' for a write lock on part of the file
* 'W' for a write lock on the entire file
* 'u' for a read and write lock of any length
* 'U' for a lock of unknown type
* space if there is no lock
==Special Entries==
Special entries do not start with a file descriptor number and marked as such:
* '''cwd''' current working directory
* '''err''' FD information error (see NAME column)
* '''jld" jail directory (FreeBSD)
* '''ltx''' shared library text (code and data)
* '''Mxx''' hex memory-mapped type number xx
* '''m86''' DOS Merge mapped file
* <span id="memory_mapped_file></span>'''mem''' memory-mapped file
* '''mmap''' memory-mapped device
* '''pd''' parent directory
* '''rtd''' root directory
* '''tr''' kernel trace file (OpenBSD)
* '''txt''' program text (code and data)
* '''v86''' VP/ix mapped file
=Use Cases=
==Finding out what processes are listening and on what sockets==
===Mac===
lsof -nP -i4TCP:$PORT | grep LISTEN

Latest revision as of 06:36, 2 June 2021

Internal

Overview

lsof lists information about files opened by processes, on both Linux and Mac. lsof provides information about:

  • regular files
  • directories
  • block special files
  • character special files
  • executing text references
  • libraries
  • streams
  • network files (Internet socket, NFS file or UNIX domain socket)

In absence of any options, lsof lists all open files by all processes.

To list open files by a specific process, use the process' PID as follows:

lsof -p <pid>

The output of lsof includes all information that can be obtained by listing the /proc/<pid>/fd directory, and also other files that have a special significance for the process and are not associated with file descriptors, such as the current working directory, the root directory, memory mapped files, etc.

The output is similar to:

COMMAND   PID    USER   FD   TYPE             DEVICE SIZE/OFF    NODE NAME
java    10016 vagrant  cwd    DIR              252,2     4096 2621584 /home/test
java    10016 vagrant  rtd    DIR              252,0     4096       2 /
java    10016 vagrant  txt    REG              252,2     7734 2885001 /opt/java/x64/jre1.8.0_51/bin/java
java    10016 vagrant  mem    REG              252,0   161704 1310723 /lib64/ld-2.12.so
[...]
java    10016 vagrant    0r   CHR                1,3      0t0      26 /dev/null
java    10016 vagrant    1u   CHR              136,0      0t0       3 /dev/pts/0 (deleted)
java    10016 vagrant    2u   CHR              136,0      0t0       3 /dev/pts/0 (deleted)
java    10016 vagrant    3w   REG              252,2    48759 2753619 /home/test/gc.log.0.current
java    10016 vagrant    4r   REG              252,2 65944582 2884909 /opt/java/x64/jre1.8.0_51/lib/rt.jar
java    10016 vagrant    5u  IPv4              39331      0t0     TCP *:msgsrvr (LISTEN)
[...]

Parser

https://github.com/NovaOrdis/playground/blob/master/main/src/main/java/io/novaordis/playground/FDAndLsofAnalysis.java

File Descriptor Information

The command provides file descriptor information by default, as the fourth field "FD". The FD column contents constitutes a single field for parsing in post-processing scripts.

The FD column content starts with the file descriptor number, followed by several characters, usually one, describing the mode under which the file is open. If the FD does not start with a file descriptor number, it is one of the special entries described below.

  • 'r' for read access
  • 'w' for write access
  • 'u' for read and write access
  • space if mode is unknown and no lock character follows
  • ‘-’ if mode unknown and lock character follows

The mode character is followed by one of these lock characters, describing the type of lock applied to the file:

  • 'r' for read lock on part of the file
  • 'R' for a read lock on the entire file
  • 'w' for a write lock on part of the file
  • 'W' for a write lock on the entire file
  • 'u' for a read and write lock of any length
  • 'U' for a lock of unknown type
  • space if there is no lock

Special Entries

Special entries do not start with a file descriptor number and marked as such:

  • cwd current working directory
  • err FD information error (see NAME column)
  • jld" jail directory (FreeBSD)
  • ltx shared library text (code and data)
  • Mxx hex memory-mapped type number xx
  • m86 DOS Merge mapped file
  • mem memory-mapped file
  • mmap memory-mapped device
  • pd parent directory
  • rtd root directory
  • tr kernel trace file (OpenBSD)
  • txt program text (code and data)
  • v86 VP/ix mapped file

Use Cases

Finding out what processes are listening and on what sockets

Mac

lsof -nP -i4TCP:$PORT | grep LISTEN