lsof
This subchapter looks at lsof, a UNIX (and Linux) command.
lsof lists open files, which includes devices, directories, pipes, nodes, sockets, and anything else that UNIX treats as a file.
basic use
Type lsof all by itself to get a list of all open files belonging to all active processes. The list was huge when creating this example, so I have edited it to highlight some of the things listed.
$ lsof
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
loginwind 24 admin cwd DIR 14,8 1564 2 /
loginwind 24 admin txt REG 14,8 946736 1076582 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow
loginwind 24 admin 0r CHR 3,2 0t0 35264644 /dev/null
loginwind 24 admin 1 PIPE 0x224f3f0 16384
loginwind 24 admin 2 PIPE 0x224f3f0 16384
loginwind 24 admin 3u unix 0x27766e8 0t0 ->0x224cdd0
launchd 68 admin 3u KQUEUE count=0, state=0x1
launchd 68 admin 5u systm 0x25f1264 0t0 [1:1:0]
launchd 68 admin 15 PIPE 0x224f6ac 16384
launchd 68 admin 19r DIR 14,8 1122 248 /Library/Preferences
AirPort 84 admin cwd DIR 14,8 1564 2 /
AirPort 84 admin txt REG 14,8 573072 3265433 /System/Library/CoreServices/AirPort Base Station Agent.app/Contents/MacOS/AirPort Base Station Agent
Spotlight 88 admin cwd DIR 14,8 1564 2 /
Spotlight 88 admin txt REG 14,8 708848 1067264 /System/Library/CoreServices/Spotlight.app/Contents/MacOS/Spotlight
UserEvent 89 admin cwd DIR 14,8 1564 2 /
Dock 90 admin cwd DIR 14,8 1564 2 /
Dock 90 admin txt REG 14,8 2384752 1046722 /System/Library/CoreServices/Dock.app/Contents/MacOS/Dock
Dock 90 admin 4u KQUEUE count=0, state=0x2
ATSServer 91 admin cwd DIR 14,8 1564 2 /
ATSServer 91 admin txt REG 14,8 5787888 1131290 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/Support/ATSServer
pboard 92 admin cwd DIR 14,8 1564 2 /
SystemUIS 94 admin cwd DIR 14,8 1564 2 /
Finder 96 admin cwd DIR 14,8 1564 2 /
iTunesHel 115 admin cwd DIR 14,8 1564 2 /
Tex-Edit 146 admin cwd DIR 14,8 1564 2 /
Tex-Edit 146 admin txt REG 14,8 367168 1045618 /System/Library/CoreServices/Encodings/libTraditionalChineseConverter.dylib
firefox-b 149 admin cwd DIR 14,8 1564 2 /
firefox-b 576 admin 56u IPv4 0x4984e64 0t0 TCP 192.168.0.108:60388->173.194.57.119:http (ESTABLISHED)
The default is one file per line. The FD column gives the file descriptor and the TYPE column gives the file type. The other columns should make sense.
Some of the common FD values are:
- cwd = Current Working Directory
- mem = memory mapped file
- mmap = memory mapped device
- rtd = root directory
- txt = text file
- NUMBER = file descriptor. The character after the number indicates the mode in which the file is opened. r = read, w = write, and u = both read and write. This may be followed by lock information.
Some of the common TYPE values are:
- BLK = block special file
- CHR = character special file
- DIR = directory
- FIFO = First In First Out special file
- IPv4 = IPv4 socket
- IPv6 = IPv6 socket
- LINK = symbolic link file
- PIPE = pipe
- REG = regular file
- unix = UNIX domain socket
find which process opened a file
You can get information on which processes opened a specific file by giving the filename as an argument.
$ lsof /System/Library/Fonts/Helvetica.dfont
loginwind 24 admin txt REG 14,8 2402112 10720 /System/Library/Fonts/Helvetica.dfont
ATSServer 90 admin txt REG 14,8 2402112 10720 /System/Library/Fonts/Helvetica.dfont
Tex-Edit 123 admin txt REG 14,8 2402112 10720 /System/Library/Fonts/Helvetica.dfont
firefox-b 576 admin txt REG 14,8 2402112 10720 /System/Library/Fonts/Helvetica.dfont
find any open file by name
To find any open file, including an open UNIX domain socket file, with the name /dev/log, type lsof /dev/log. (from the man pages)
$ lsof /dev/log
list opened files in directory
To list all the processes that have opened files in a particular directory, use the +d option.
$ lsof +d /u/abe/foo/
To list all the processes that have opened files in a particular directory and all of its child directories (subdirectories), use the +D option. lsof will recurse through all subdirectories.
$ lsof +D /var/
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
loginwind 24 admin txt REG 14,8 149168128 1137272 /private/var/db/dyld/dyld_shared_cache_ppc
loginwind 24 admin 4u REG 14,8 2512 3589022 /private/var/run/utmpx
launchd 64 admin txt REG 14,8 149168128 1137272 /private/var/db/dyld/dyld_shared_cache_ppc
< listing continues >
list open directory
To list the process that has /u/abe/foo open, type lsof /u/abe/foo. (from the man pages)
$ lsof /u/abe/foo
list by process names
To list all open files by process names starting with particular strings, use the -c option, followed by the process name. You can give multiple -c switches on a single command line.
Note that this option does not look for an exact match, but any process that includes the character string as a substring of the process name. So, sh would find ssh and sh.
$ lsof -c Terminal
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
Terminal 168 admin cwd DIR 14,8 918 547359 /Users/admin
Terminal 168 admin txt REG 14,8 10244512 1048543 /usr/share/icu/icudt36b.dat
Terminal 168 admin 0r CHR 3,2 0t0 35027076 /dev/null
Terminal 168 admin 1 PIPE 0x22374b4 16384
Terminal 168 admin 2 PIPE 0x22374b4 16384
< listing continues >
list by particular login names
To list all of the files opened by a specific user, type the -u option.
$ lsof -u jill
To list all of the files opened by several specific users, use a comma delimited list.
$ lsof -u jack,jill
To list all of the files opened by every user other than a specific user, use the ^ character. You can use a comma delimited list.
$ lsof -u ^jack,jill
list by particular process
To list all of the files opened by a particular process, type the -p option.
$ lsof -p 1234
list particular login names, user IDs or process numbers
To list all open files for any and all of: login name abe, or user ID 1234, or process 456, or process 123, or process 789, type lsof -p 456,123,789 -u 1234,abe. (from the man pages)
$ lsof -p 456,123,789 -u 1234,abe
list by mount point
Sometimes when you attempt to unmount a device or directory, the system will warn you with the Device or resource Busy error.
You can list all of the processes using a mount point and then kill those processes so that you can unmount the device or directory.
$ lsof /home
An equivalent option is:
$ lsof +D /home/
list by device
To list all open files on device /dev/hd4, type lsof /dev/hd4. (from the man pages)
$ lsof /dev/hd4
kill process
To kill the process that has /u/abe/foo open (by sending the signal SIGHUP), type kill -HUP `lsof -t /u/abe/foo`. (from the man pages)
$ kill -HUP `lsof -t /u/abe/foo`
Notice that those are back ticks.
You can also kill all processes that belong to a specific user by using the -t option to output only the process ID and pass that result on to kill.
$ kill -9 `lsof -t -u jill`
AND/OR
lsof defaults to logical OR of all options. The following example (from the man pages) will list all of the files open from all three listed processes and from both users.
$ lsof -p 456,123,789 -u 1234,abe
Use the -a option to perform a logical AND on the user names, processes, etc. Note that you either OR the entire line or AND the entire line. You cannot mix AND and OR together in a single lsof command. The ^ negations on login name or user ID, process ID, or process group ID options are evaluated prior to other selection criteria and therefore don't get included in AND or OR for lsof. Although the -a is legal in any position, placing it between a pair of items does not cause just those two items to be ANDed; the entire line is still ANDed.
The following AND example will produce a listing of only UNIX socket files that belong to processes owned by the user foo.
$ lsof -a -U -ufoo
timed listings
You can gather information at specific time intervals. To list the files at descriptors 1 and 3 of every process running the lsof command for login abe every 10 seconds, type lsof -c lsof -a -d 1 -d 3 -u abe -r10. (from the man pages)
$ lsof -c lsof -a -d 1 -d 3 -u abe -r10
Use the +r or -r options for timed repeats. The +r switch will stop when no open files that meet the selected criteria are open. The -r will continue until interrupted by a signal. The number after the r is the time in seconds for each delay.
Between each cycle, lsof will print a sequence of equal signs ( ======= ).
=======
internet connections
Because UNIX and Linux (and Mac OS X) treat internet connections as files, you can use the -i switch to view all of your open internet connections.
$ lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
SystemUIS 93 admin 10u IPv4 0x2152f48 0t0 UDP *:*
firefox-b 127 admin 75u IPv4 0x43c5270 0t0 TCP 192.168.0.108:49816->63.141.192.121:http (CLOSE_WAIT)
Fetch 294 admin 23u IPv4 0x27ffe64 0t0 TCP 192.168.0.108:50539->reliant.websitewelcome.com:ftp (ESTABLISHED)
Fetch 294 admin 24u IPv4 0x2d2be64 0t0 TCP 192.168.0.108:50541->reliant.websitewelcome.com:36975 (LAST_ACK)
Fetch 294 admin 25u IPv4 0x444a66c 0t0 TCP 192.168.0.108:50542->reliant.websitewelcome.com:22271 (TIME_WAIT)
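When reviewing what a host is talking to, the per-process view is usually what matters. The following added example (not part of the original page) reduces lsof -i output to one row per connected TCP socket and a per-process count; the function names are hypothetical and the sample input is the listing above.

```shell
# Sample input: the rows from the `lsof -i` listing above.
sample_lsof_i() {
    cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
SystemUIS 93 admin 10u IPv4 0x2152f48 0t0 UDP *:*
firefox-b 127 admin 75u IPv4 0x43c5270 0t0 TCP 192.168.0.108:49816->63.141.192.121:http (CLOSE_WAIT)
Fetch 294 admin 23u IPv4 0x27ffe64 0t0 TCP 192.168.0.108:50539->reliant.websitewelcome.com:ftp (ESTABLISHED)
Fetch 294 admin 24u IPv4 0x2d2be64 0t0 TCP 192.168.0.108:50541->reliant.websitewelcome.com:36975 (LAST_ACK)
Fetch 294 admin 25u IPv4 0x444a66c 0t0 TCP 192.168.0.108:50542->reliant.websitewelcome.com:22271 (TIME_WAIT)
EOF
}

# One row per connected TCP socket: COMMAND, PID, remote endpoint, state.
# Rows without "->" (UDP, listening sockets) have no peer and are skipped.
tcp_peers() {
    awk '$8 == "TCP" && $9 ~ /->/ {
        split($9, ends, "->")               # ends[1] = local, ends[2] = remote
        state = $10; gsub(/[()]/, "", state)
        printf "%s\t%s\t%s\t%s\n", $1, $2, ends[2], state
    }'
}

# Per process: COMMAND, PID, total TCP sockets, sockets in ESTABLISHED.
tcp_summary() {
    tcp_peers | awk -F '\t' '
        { key = $1 "\t" $2; total[key]++; if ($4 == "ESTABLISHED") est[key]++ }
        END { for (k in total) printf "%s\t%d\t%d\n", k, total[k], est[k] }
    ' | LC_ALL=C sort
}

sample_lsof_i | tcp_summary
```

On a live system, pipe the output of lsof -i into tcp_summary in place of the sample.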
internet files
To list all open Internet, x.25 (HP-UX), and UNIX domain files, type lsof -i -U. (from the man pages)
$ lsof -i -U
IPv4 network files by PID
To list all open IPv4 network files in use by the process whose PID is 1234, type lsof -i 4 -a -p 1234. (from the man pages)
$ lsof -i 4 -a -p 1234
IPv6 files
To list all open IPv6 network files (assuming your UNIX system supports IPv6), type lsof -i 6. (from the man pages)
$ lsof -i 6
list by port
List all of the processes that are listening to a particular port by using colon ( : ) followed by the port number(s).
$ lsof -i:21
To list all files using any protocol on ports 513, 514, or 515 of host wonderland.cc.purdue.edu, type lsof -i @wonderland.cc.purdue.edu:513-515. (from the man pages)
$ lsof -i @wonderland.cc.purdue.edu:513-515
list TCP or UDP connections
List all of the TCP connections:
$ lsof -i tcp
List all of the UDP connections:
$ lsof -i udp
list from default domain
Assuming a default domain of cc.purdue.edu, list all files using any protocol on any port of mace.cc.purdue.edu, type lsof -i @mace. (from the man pages)
$ lsof -i @mace
Network File System (NFS)
List all of the Network File System (NFS) files by using the -N switch.
$ lsof -N
To find processes with open files on the NFS file system named /nfs/mount/point whose server is inaccessible (assuming your mount table supplies the device number for /nfs/mount/point), type lsof -b /nfs/mount/point. (from the man pages)
$ lsof -b /nfs/mount/point
To do the preceding search with warning messages suppressed, type lsof -bw /nfs/mount/point. (from the man pages)
$ lsof -bw /nfs/mount/point
ignore device cache file
To ignore the device cache file, type lsof -Di. (from the man pages)
$ lsof -Di
obtain specific multiple info on each file
You can combine flags to gather specific information. To obtain the PID and command name field for each process, file descriptor, file device number, and file inode number for each file of each process, type lsof -FpcfDi. (from the man pages)
$ lsof -FpcfDi
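The -F output puts one field on each line, prefixed by its field letter, with a p line starting each process and an f line starting each file. The following added example (not part of the original page) folds that stream back into one row per open file; the function names are hypothetical and the sample input is constructed.

```shell
# Constructed sample of `lsof -FpcfDi` output (values are illustrative).
sample_lsof_fields() {
    cat <<'EOF'
p24
cloginwindow
fcwd
D0xe000008
i2
f1
p68
claunchd
f19
D0xe000008
i248
EOF
}

# Turn lsof -F field output into one tab-separated row per open file:
# PID, COMMAND, FD, DEVICE, INODE ("-" when lsof did not report the field,
# as happens for pipes, which have no device or inode line).
lsof_fields_to_rows() {
    awk '
        function emit() {
            if (have_file)
                printf "%s\t%s\t%s\t%s\t%s\n", pid, cmd, fd, dev, ino
            have_file = 0; fd = "-"; dev = "-"; ino = "-"
        }
        { tag = substr($0, 1, 1); val = substr($0, 2) }
        tag == "p" { emit(); pid = val; cmd = "-"; next }   # new process set
        tag == "c" { cmd = val; next }
        tag == "f" { emit(); fd = val; have_file = 1; next } # new file set
        tag == "D" { dev = val; next }
        tag == "i" { ino = val; next }
        END { emit() }
    '
}

sample_lsof_fields | lsof_fields_to_rows
```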
using regular expressions
To list the current working directory of processes running a command that is exactly four characters long and has an upper or lower case O or o in character position three, type lsof -c /^..o.$/i -a -d cwd. (from the man pages)
$ lsof -c /^..o.$/i -a -d cwd
socket files
To find an IP version 4 socket file by its associated numeric dot-form address, type lsof -i@128.210.15.17. (from the man pages)
$ lsof -i@128.210.15.17
To find an IP version 6 socket file by its associated numeric colon-form address, type lsof -i@[0:1:2:3:4:5:6:7]. (from the man pages)
$ lsof -i@[0:1:2:3:4:5:6:7]
To find an IP version 6 socket file by its associated numeric colon-form address that has a run of zeros in it (such as the loop-back address), type lsof -i@[::1]. (from the man pages)
$ lsof -i@[::1]