The Linux lsof Command

2018-01-29|Categories: External cmd, Linux|

lsof = LiSt Open Files

Find which processes have a given file or directory open

$ lsof /var/log/secure
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
rsyslogd 2187 root    5w   REG    8,2     2512 145935 /var/log/secure

# Do not run this on a directory that contains a large number of files; it can take a very long time
$ lsof +D /var/log
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
vmtoolsd  1564 root    3w   REG    8,2   111181 154811 /var/log/vmware-vmsvc.log
VGAuthSer 1617 root    2w   REG    8,2    80677 154814 /var/log/vmware-vgauthsvc.log.0
VGAuthSer 1617 root    3w   REG    8,2    80677 154814 /var/log/vmware-vgauthsvc.log.0
Managemen 1696 root    0w   REG    8,2 10387690 145669 /var/log/vmware-caf/pme/ma-log4cpp_rolling.log
Managemen 1696 root    1w   REG    8,2        0 154822 /var/log/vmware-caf/pme/ma-log4cpp.log
Managemen 1696 root    2w   REG    8,2        0 154822 /var/log/vmware-caf/pme/ma-log4cpp.log
auditd    2153 root    5w   REG    8,2  4850966 130938 /var/log/audit/audit.log
rsyslogd  2187 root    1w   REG    8,2   265433 145672 /var/log/messages
rsyslogd  2187 root    2w   REG    8,2    77834 130618 /var/log/cron
rsyslogd  2187 root    4w   REG    8,2    10808 130621 /var/log/boot.log
rsyslogd  2187 root    5w   REG    8,2     2512 145935 /var/log/secure
console-k 2861 root    9w   REG    8,2     1947 145428 /var/log/ConsoleKit/history

Find the listening port by process name

# The port number is in the last column
$ lsof -Pi | grep dhcpd
dhcpd      2620   dhcpd    7u  IPv4  14227      0t0  UDP *:67

# Print only the port number
$ lsof -Pi | grep dhcpd | awk -F ':' '{print $NF}'
67

Without the -P option, lsof converts port numbers to the corresponding service names:

$ lsof -i | grep dhcpd
dhcpd      2620   dhcpd    7u  IPv4  14227      0t0  UDP *:bootps

# Look up the service that corresponds to port `67/udp`
$ grep -E '\b67/udp' /etc/services
bootps          67/udp

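The -i option accepts a full Internet address (an Internet IP address specification) in the following format:

# The parts enclosed in square brackets are optional
# For the detailed rules for each part, see `man lsof | less +"/^ *-i "`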
[46][protocol][@hostname|hostaddr][:service|port]

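If everything after -i is omitted, lsof shows all network connections on the local machine.

Find the process name by listening port

The process name (COMMAND) column shows 9 characters by default; use the +c option to display more.

# The protocol name `udp` may be omitted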
$ lsof -Pi udp:67
COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dhcpd   2620 dhcpd    7u  IPv4  14227      0t0  UDP *:67

# Print only the process name
$ lsof -Pi :67 | tail -n +2 | awk '{print $1}'
dhcpd

Find process PIDs by listening port

# t = terse; print only the PIDs
$ lsof -ti :80
29544
29548
29549
29550
29551
29552
32488

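# Kill all processes listening on port 80
# (-sTCP:LISTEN limits the match to listening sockets; a bare `:80` also matches connections that merely use port 80)
$ kill -9 `lsof -ti tcp:80 -sTCP:LISTEN`

Check the usage of multiple ports

# Contiguous range (typically the privileged ports 1-1024)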
$ lsof -Pi :1-70
COMMAND    PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
sshd      2515 root    3u  IPv4   13901      0t0  TCP *:22 (LISTEN)
sshd      2515 root    4u  IPv6   13903      0t0  TCP *:22 (LISTEN)
master    2729 root   12u  IPv4   14516      0t0  TCP localhost:25 (LISTEN)
master    2729 root   13u  IPv6   14517      0t0  TCP localhost:25 (LISTEN)
dhclient 20939 root    6u  IPv4  923071      0t0  UDP *:68
sshd     68439 root    3u  IPv4 3426699      0t0  TCP localhost:22->localhost:52165 (ESTABLISHED)
sshd     68513 root    3u  IPv4 3426812      0t0  TCP localhost:22->localhost:52166 (ESTABLISHED)

# Non-contiguous ports
$ lsof -Pi :80 -Pi :3306 -Pi :9000
COMMAND   PID   USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
mysqld  29683  mysql   21u  IPv6 3990073      0t0  TCP *:3306 (LISTEN)
php-fpm 32804   root    7u  IPv4 4008990      0t0  TCP localhost:9000 (LISTEN)
php-fpm 32805 apache    0u  IPv4 4008990      0t0  TCP localhost:9000 (LISTEN)
php-fpm 32806 apache    0u  IPv4 4008990      0t0  TCP localhost:9000 (LISTEN)
httpd   39350   root    4u  IPv6 4049346      0t0  TCP *:80 (LISTEN)
httpd   39354 apache    4u  IPv6 4049346      0t0  TCP *:80 (LISTEN)
httpd   39355 apache    4u  IPv6 4049346      0t0  TCP *:80 (LISTEN)
httpd   39356 apache    4u  IPv6 4049346      0t0  TCP *:80 (LISTEN)
httpd   39357 apache    4u  IPv6 4049346      0t0  TCP *:80 (LISTEN)
httpd   39358 apache    4u  IPv6 4049346      0t0  TCP *:80 (LISTEN)
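
The `awk -F ':' '{print $NF}'` one-liner shown earlier is correct for the UDP row it was run on, but on TCP rows the NAME column carries a `(LISTEN)`/`(ESTABLISHED)` suffix and connected sockets include a remote endpoint. The following added example (not part of the original post) parses `lsof -Pi` output into a listener inventory and marks sockets bound to all interfaces; the function names and the "scope" labels are assumptions made here, and the sample rows are taken from the outputs on this page.

```shell
#!/bin/sh
# Constructed sample: rows copied from the `lsof -Pi` outputs shown on this page.
sample_lsof() {
cat <<'EOF'
COMMAND    PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
sshd      2515 root    3u  IPv4   13901      0t0  TCP *:22 (LISTEN)
sshd      2515 root    4u  IPv6   13903      0t0  TCP *:22 (LISTEN)
master    2729 root   12u  IPv4   14516      0t0  TCP localhost:25 (LISTEN)
dhclient 20939 root    6u  IPv4  923071      0t0  UDP *:68
sshd     68439 root    3u  IPv4 3426699      0t0  TCP localhost:22->localhost:52165 (ESTABLISHED)
mysqld   29683 mysql  21u  IPv6 3990073      0t0  TCP *:3306 (LISTEN)
php-fpm  32804 root    7u  IPv4 4008990      0t0  TCP localhost:9000 (LISTEN)
EOF
}

# listeners: read `lsof -Pi` output on stdin and print one line per
# listening socket: "PROTO PORT SCOPE COMMAND USER".
# TCP rows must be in state (LISTEN); UDP rows must have no remote endpoint.
listeners() {
  awk 'NR > 1 {
    proto = $8; name = $9; state = $10
    if (name ~ /->/) next                            # connected socket
    if (proto == "TCP" && state != "(LISTEN)") next  # other TCP states
    port = name; sub(/.*:/, "", port)                # text after the last colon
    addr = name; sub(/:[^:]*$/, "", addr)            # text before the last colon
    scope = (addr == "*") ? "all-interfaces" : "local:" addr
    print proto, port, scope, $1, $3
  }' | LC_ALL=C sort -u    # IPv4 and IPv6 rows of one listener collapse to one line
}

# exposed: keep only listeners bound to the wildcard address.
exposed() {
  listeners | awk '$3 == "all-interfaces"'
}

# Demo on the embedded sample; on a live host use: lsof -Pi | exposed
sample_lsof | exposed
```

Splitting on the last colon also handles bracketed IPv6 addresses in the NAME column.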

Show active connections between this machine and a given IP address

$ lsof -Pi @127.0.0.1
COMMAND     PID    USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
rpc.statd  2281 rpcuser   11u  IPv4   13115      0t0  UDP localhost:766
cupsd      2325    root    7u  IPv4   13247      0t0  TCP localhost:631 (LISTEN)
chronyd    2628  chrony    1u  IPv4   14220      0t0  UDP localhost:323
master     2729    root   12u  IPv4   14516      0t0  TCP localhost:25 (LISTEN)
php-fpm   32804    root    7u  IPv4 4008990      0t0  TCP localhost:9000 (LISTEN)
php-fpm   32805  apache    0u  IPv4 4008990      0t0  TCP localhost:9000 (LISTEN)
php-fpm   32806  apache    0u  IPv4 4008990      0t0  TCP localhost:9000 (LISTEN)

List the files opened by a given command

$ lsof -c http
COMMAND   PID   USER   FD   TYPE  DEVICE SIZE/OFF    NODE NAME
httpd   39350   root  cwd    DIR     8,2     4096       2 /
httpd   39350   root  rtd    DIR     8,2     4096       2 /
httpd   39350   root  txt    REG     8,3  2009168  260340 /app/httpd24/bin/httpd
httpd   39350   root  mem    REG     8,2   161704  432328 /lib64/ld-2.12.so
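# many lines omitted

Here the argument to -c is http, yet the results show httpd. This is because -c is not an exact match: it selects commands whose names begin with the given string.

List the files opened by a given user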

$ lsof -u mysql
COMMAND   PID  USER   FD   TYPE             DEVICE  SIZE/OFF    NODE NAME
mysqld  29683 mysql  cwd    DIR                8,2      4096  145439 /mysqldb
mysqld  29683 mysql  rtd    DIR                8,2      4096       2 /
mysqld  29683 mysql  txt    REG                8,3 123176298    1305 /app/mysql/bin/mysqld
mysqld  29683 mysql  mem    REG                8,2    161704  432328 /lib64/ld-2.12.so
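# many lines omitted

List all network connections opened by a given user

This requires the -a option, which means AND: the results must satisfy all of the given options at once. Without -a, multiple options are combined with OR.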

$ lsof -Pi -a -u root
COMMAND    PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
cupsd     2325 root    6u  IPv6   13246      0t0  TCP localhost:631 (LISTEN)
cupsd     2325 root    7u  IPv4   13247      0t0  TCP localhost:631 (LISTEN)
cupsd     2325 root    9u  IPv4   13250      0t0  UDP *:631
sshd      2515 root    3u  IPv4   13901      0t0  TCP *:22 (LISTEN)
sshd      2515 root    4u  IPv6   13903      0t0  TCP *:22 (LISTEN)
master    2729 root   12u  IPv4   14516      0t0  TCP localhost:25 (LISTEN)
master    2729 root   13u  IPv6   14517      0t0  TCP localhost:25 (LISTEN)
dhclient 20939 root    6u  IPv4  923071      0t0  UDP *:68
php-fpm  32804 root    7u  IPv4 4008990      0t0  TCP localhost:9000 (LISTEN)
httpd    39350 root    4u  IPv6 4049346      0t0  TCP *:80 (LISTEN)
sshd     68439 root    3u  IPv4 3426699      0t0  TCP localhost:22->localhost:52165 (ESTABLISHED)
sshd     68513 root    3u  IPv4 3426812      0t0  TCP localhost:22->localhost:52166 (ESTABLISHED)

There is no strict rule about where the -a option appears in the command:

$ lsof -Pi -u root -a -c sshd
COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
sshd     2515 root    3u  IPv4   13901      0t0  TCP *:22 (LISTEN)
sshd     2515 root    4u  IPv6   13903      0t0  TCP *:22 (LISTEN)
sshd    68439 root    3u  IPv4 3426699      0t0  TCP localhost:22->localhost:52165 (ESTABLISHED)
sshd    68513 root    3u  IPv4 3426812      0t0  TCP localhost:22->localhost:52166 (ESTABLISHED)
