前言:lsof是list opened files的简写,在实际生产环境中要检查某些文件或进程的关联运行文件,也就是会显示已经被打开的文件,比如系统被黑,查找恶意文件关联运行文件,可使用lsof命令很方便查看个文件夹或进程执行调用情况,各种使用方法可参考如下
通常的输出格式为:
引用
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
[root@blog-tag-gg ~]# lsof |tail -5
lsof 28860 root mem REG 253,1 2151672 658657 /usr/lib64/libc-2.17.so
lsof 28860 root mem REG 253,1 155784 659174 /usr/lib64/libselinux.so.1
lsof 28860 root mem REG 253,1 163400 658372 /usr/lib64/ld-2.17.so
lsof 28860 root 4r FIFO 0,9 0t0 8121659 pipe
lsof 28860 root 7w FIFO 0,9 0t0 8121660 pipe
[root@blog-tag-gg ~]#
1、COMMAND:默认以9个字符长度显示的命令名称。可使用+c参数指定显示的宽度,若+c后跟的参数为零,则显示命令的全名
2、PID:进程的ID号
3、PPID:父进程的IP号,默认不显示,当使用-R参数可打开。
4、PGID:进程组的ID编号,默认也不会显示,当使用-g参数时可打开。
5、USER:命令的执行UID或系统中登陆的用户名称。默认显示为用户名,当使用-l参数时,可显示UID。
6、FD:是文件的File Descriptor number,或者如下的内容:
(这里很难翻译对应的意思,保留英文)
cwd current working directory; Lnn library references (AIX); jld jail directory (FreeBSD); ltx shared library text (code and data); Mxx hex memory-mapped type number xx. m86 DOS Merge mapped file; mem memory-mapped file; mmap memory-mapped device; pd parent directory; rtd root directory; tr kernel trace file (OpenBSD); txt program text (code and data); v86 VP/ix mapped file;
文件的File Descriptor number显示模式有:
r for read access; w for write access; u for read and write access; N for a Solaris NFS lock of unknown type r for read lock on part of the file; R for a read lock on the entire file; w for a write lock on part of the file; W for a write lock on the entire file; u for a read and write lock of any length; U for a lock of unknown type; x for an SCO OpenServer Xenix lock on part of the file; X for an SCO OpenServer Xenix lock on the entire file; space if there is no lock.
7、TYPE引用:IPv4 IPv4的包;
IPv6 使用IPv6格式的包,即使地址是IPv4的,也会显示为IPv6,而映射到IPv6的地址;
DIR 目录
LINK 链接文件
详情请看manual中更多的注释。
8、DEVICE:使用character special、block special表示的设备号
9、SIZE:文件的大小,如果不能用大小表示的,会留空。使用-s参数控制。
10、NODE:本地文件的node码,或者协议,如TCP等
11、NAME:挂载点和文件的全路径(链接会被解析为实际路径),或者连接双方的地址和端口、状态等
常用示例:
1、显示开启文件/home/server/nginx/sbin/nginx的进程
[root@blog-tag-gg ~]# lsof /home/server/nginx/sbin/nginx COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME nginx 2968 root txt REG 253,17 1299952 1049238 /home/server/nginx/sbin/nginx nginx 2969 www txt REG 253,17 1299952 1049238 /home/server/nginx/sbin/nginx nginx 2970 www txt REG 253,17 1299952 1049238 /home/server/nginx/sbin/nginx [root@blog-tag-gg ~]#
2、知道80端口现在运行什么程序
[root@blog-tag-gg ~]# lsof -i :80 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME nginx 2968 root 19u IPv4 7941333 0t0 TCP *:http (LISTEN) nginx 2969 www 19u IPv4 7941333 0t0 TCP *:http (LISTEN) AliYunDun 3460 root 22u IPv4 23850 0t0 TCP iZb0piaopr2dw1Z:46818->100.100.30.26:http (ESTABLISHED) [root@blog-tag-gg ~]#
3、显示chronyd进程现在打开的文件
4、看进程号为3242的进程打开了哪些文件[root@blog-tag-gg ~]# lsof -c chronyd COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME chronyd 2570 chrony cwd DIR 253,1 4096 2 / chronyd 2570 chrony rtd DIR 253,1 4096 2 / chronyd 2570 chrony txt REG 253,1 261024 666236 /usr/sbin/chronyd chronyd 2570 chrony mem REG 253,1 68192 659665 /usr/lib64/libbz2.so.1.0.6 chronyd 2570 chrony mem REG 253,1 11448 658380 /usr/lib64/libfreebl3.so chronyd 2570 chrony mem REG 253,1 1137024 658665 /usr/lib64/libm-2.17.so chronyd 2570 chrony mem REG 253,1 163400 658372 /usr/lib64/ld-2.17.so chronyd 2570 chrony 0u unix 0xffff8e7eba313000 0t0 19129 socket chronyd 2570 chrony 1u IPv4 19174 0t0 UDP localhost:323 chronyd 2570 chrony 2u IPv6 19175 0t0 UDP localhost:323 chronyd 2570 chrony 3u unix 0xffff8e7e76db1c00 0t0 19196 /var/run/chrony/chronyd.sock chronyd 2570 chrony 4r CHR 1,9 0t0 5339 /dev/urandom [root@blog-tag-gg ~]#
5、显示归属4325的进程情况[root@blog-tag-gg ~]# lsof -p 3242
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
pure-ftpd 3242 root cwd DIR 253,1 4096 2 /
pure-ftpd 3242 root rtd DIR 253,1 4096 2 /
pure-ftpd 3242 root txt REG 253,17 195832 1059708 /home/server/pure-ftpd/sbin/pure-ftpd
pure-ftpd 3242 root mem REG 253,1 61624 658675 /usr/lib64/libnss_files-2.17.so
pure-ftpd 3242 root mem REG 253,1 106075056 666749 /usr/lib/locale/locale-archive
pure-ftpd 3242 root mem REG 253,1 402384 659156 /usr/lib64/libpcre.so.1.2.0
pure-ftpd 3242 root mem REG 253,1 155784 659174 /usr/lib64/libselinux.so.1
pure-ftpd 3242 root mem REG 253,1 141968 658683 /usr/lib64/libpthread-2.17.so
.........
[root@blog-tag-gg ~]# lsof -g 4325
COMMAND PID PGID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 4325 4325 root cwd DIR 253,1 4096 2 /
sshd 4325 4325 root rtd DIR 253,1 4096 2 /
sshd 4325 4325 root txt REG 253,1 853040 665898 /usr/sbin/sshd
sshd 4325 4325 root mem REG 253,1 61624 658675 /usr/lib64/libnss_files-2.17.so
sshd 4325 4325 root mem REG 253,1 68192 659665 /usr/lib64/libbz2.so.1.0.6
sshd 4325 4325 root mem REG 253,1 100008 659676 /usr/lib64/libelf-0.172.so
sshd 4325 4325 root mem REG 253,1 19896 659137 /usr/lib64/libattr.so.1.1.0
sshd 4325 4325 root mem REG 253,1 1249576 663982 /usr/lib64/libnss3.so
sshd 4325 4325 root mem REG 253,1 164288 663992 /usr/lib64/libsmime3.so
sshd 4325 4325 root mem REG 253,1 340976 664132 /usr/lib64/libssl3.so
...........
6、依照文件夹/home/server来搜寻,但不会打开子目录,用来显示目录下被进程开启的文件
7、 打开/home/oracle文件夹以及其子目录搜寻,用来显示目录下被进程开启的文件[root@blog-tag-gg ~]# lsof +d /home/server
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld_sa 3217 root cwd DIR 253,17 4096 1049281 /home/server/mysql
BT-Task 3844 root cwd DIR 253,17 4096 1048578 /home/server/panel
BT-Panel 4215 root cwd DIR 253,17 4096 1048578 /home/server/panel
mysqld 4313 mysql cwd DIR 253,17 4096 1049282 /home/server/data
[root@blog-tag-gg ~]#
8、lsof -i 用以显示符合条件的进程情况[root@blog-tag-gg ~]# lsof +D /home/server
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
php-fpm 313 www txt REG 253,17 11906320 1060316 /home/server/php/56/sbin/php-fpm
php-fpm 314 www txt REG 253,17 11906320 1060316 /home/server/php/56/sbin/php-fpm
php-fpm 315 www txt REG 253,17 11906320 1060316 /home/server/php/56/sbin/php-fpm
php-fpm 316 www txt REG 253,17 11906320 1060316 /home/server/php/56/sbin/php-fpm
BT-Task 3844 root 1w REG 253,17 23230592 1049179 /home/server/panel/logs/task.log
BT-Task 3844 root 2w REG 253,17 23230592 1049179 /home/server/panel/logs/task.log
BT-Task 3844 root 3u REG 253,17 23230592 1049179 /home/server/panel/logs/task.log
php-fpm 32698 www txt REG 253,17 11906320 1060316 /home/server/php/56/sbin/php-fpm
php-fpm 32739 www txt REG 253,17 11906320 1060316 /home/server/php/56/sbin/php-fpm
php-fpm 32740 www txt REG 253,17 11906320 1060316 /home/server/php/56/sbin/php-fpm
[root@blog-tag-gg ~]#
语法:
例:lsof -i[46] [protocol][@hostname|hostaddr][:service|port]
46 --> IPv4 or IPv6
protocol --> TCP or UDP
hostname --> Internet host name
hostaddr --> IPv4位置
service --> /etc/service中的 service name (可以不只一个)
port --> 端口号 (可以不只一个)
或者:[root@blog-tag-gg ~]# lsof -i tcp@118.114.245.1:14152 -n
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 28805 root 3u IPv4 8121248 0t0 TCP 172.24.86.228:snapenetio->118.114.245.1:14152 (ESTABLISHED)
[root@blog-tag-gg ~]#
lsof -n 不将IP转换为hostname,缺省是不加上-n参数[root@blog-tag-gg ~]# lsof -i tcp@118.114.245.1:14152
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 28805 root 3u IPv4 8121248 0t0 TCP iZb0piasdfdw1Z:snapenetio->118.114.245.1:14152 (ESTABLISHED)
[root@blog-tag-gg ~]#
9、显示某用户的已经打开的文件(或该用户执行程序已经打开的文件)
或者:[root@blog-tag-gg ~]# lsof -U /home/server
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 12u unix 0xffff8e7eb926a800 0t0 13296 /run/systemd/private
systemd 1 root 16u unix 0xffff8e7eba937000 0t0 26402 /run/systemd/journal/stdout
systemd 1 root 23u unix 0xffff8e7eb91ec400 0t0 7362 /run/systemd/notify
systemd 1 root 24u unix 0xffff8e7eb91ec800 0t0 7364 /run/systemd/cgroups-agent
systemd 1 root 25u unix 0xffff8e7eb926b800 0t0 13326 /run/systemd/shutdownd
systemd 1 root 27u unix 0xffff8e7eb91edc00 0t0 7382 /run/systemd/journal/stdout
systemd 1 root 28u unix 0xffff8e7ebc233000 0t0 7385 /run/systemd/journal/socke
mysqld 4313 mysql 435u unix 0xffff8e7eb8eaa400 0t0 8247045 /tmp/mysql.sock
sshd 4325 root 1u unix 0xffff8e7eba937400 0t0 26401 socket
sshd 4325 root 2u unix 0xffff8e7eba937400 0t0 26401 socket
AliSecGua 4665 root 4u unix 0xffff8e7ebb25b800 0t0 31471 socket
sshd 28805 root 4u unix 0xffff8e7e7643c800 0t0 8121375 socket
10、 显示某进程名对应的进程ID。[root@blog-tag-gg ~]# lsof -u 0
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root cwd DIR 253,1 4096 2 /
systemd 1 root rtd DIR 253,1 4096 2 /
systemd 1 root txt REG 253,1 1616360 663311 /usr/lib/systemd/systemd
systemd 1 root mem REG 253,1 20112 659662 /usr/lib64/libuuid.so.1.3.0
systemd 1 root mem REG 253,1 265624 659668 /usr/lib64/libblkid.so.1.1.0
systemd 1 root mem REG 253,1 90248 658976 /usr/lib64/libz.so.1.2.7
systemd 1 root mem REG 253,1 157424 659661 /usr/lib64/liblzma.so.5.2.2
systemd 1 root mem REG 253,1 23968 659710 /usr/lib64/libcap-ng.so.0.0.0
systemd 1 root mem REG 253,1 19896 659137 /usr/lib64/libattr.so.1.1.0
systemd 1 root mem REG 253,1 19288 658663 /usr/lib64/libdl-2.17.so
systemd 1 root mem REG 253,1 402384 659156 /usr/lib64/libpcre.so.1.2.0
systemd 1 root mem REG 253,1 2151672 658657 /usr/lib64/libc-2.17.so
systemd 1 root mem REG 253,1 141968 658683 /usr/lib64/libpthread-2.17.so
systemd 1 root mem REG 253,1 88776 667681 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
systemd 1 root mem REG 253,1 43776 658687 /usr/lib64/librt-2.17.so
systemd 1 root mem REG 253,1 277824 659932 /usr/lib64/libmount.so.1.1.0
systemd 1 root mem REG 253,1 91848 661859 /usr/lib64/libkmod.so.2.2.10
技术小学生网站整理收集,转载请注明出处,谢谢。[root@blog-tag-gg ~]# lsof -tc nginx
2968
2969
2970
[root@blog-tag-gg ~]# lsof -tc nginx |wc -l
3
[root@blog-tag-gg ~]#
文章评论 本文章有个评论