lsof 小结
lsof 即 list opened files.
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME
# lsof -h
lsof 4.87
latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
usage: [-?abhKlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-f[gG]] [+|-e s]
[-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s]
[+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
Defaults in parentheses; comma-separated set (s) items; dash-separated ranges.
-?|-h list help -a AND selections (OR) -b avoid kernel blocks
-c c cmd c ^c /c/[bix] +c w COMMAND width (9) +d s dir s files
-d s select by FD set +D D dir D tree *SLOW?* +|-e s exempt s *RISKY*
-i select IPv[46] files -K list tasKs (threads) -l list UID numbers
-n no host names -N select NFS files -o list file offset
-O no overhead *RISKY* -P no port names -R list paRent PID
-s list file size -t terse listing -T disable TCP/TPI info
-U select Unix socket -v list version info -V verbose search
+|-w Warnings (+) -X skip TCP&UDP* files -Z Z context [Z]
-- end option scan
+f|-f +filesystem or -file names +|-f[gG] flaGs
-F [f] select fields; -F? for help
+|-L [l] list (+) suppress (-) link counts < l (0 = all; default = 0)
+m [m] use|create mount supplement
+|-M portMap registration (-) -o o o 0t offset digits (8)
-p s exclude(^)|select PIDs -S [t] t second stat timeout (15)
-T qs TCP/TPI Q,St (s) info
-g [s] exclude(^)|select and print process group IDs
-i i select by IPv[46] address: [46][proto][@host|addr][:svc_list|port_list]
+|-r [t[m<fmt>]] repeat every t seconds (15); + until no files, - forever.
An optional suffix to t is m<fmt>; m must separate t from <fmt> and
<fmt> is an strftime(3) format for the marker line.
-s p:s exclude(^)|select protocol (p = TCP|UDP) states by name(s).
-u s exclude(^)|select login|UID set s
-x [fl] cross over +d|+D File systems or symbolic Links
names select named files or files on named file systems
Anyone can list all files; /dev warnings disabled; kernel ID check disabled.
某用户打开的文件
# lsof -u mysql
所有网络连接
# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dhclient 766 root 6u IPv4 15480 0t0 UDP *:bootpc
dhclient 766 root 20u IPv4 15436 0t0 UDP *:25447
dhclient 766 root 21u IPv6 15437 0t0 UDP *:23892
sshd 967 root 3u IPv4 16351 0t0 TCP *:ssh (LISTEN)
sshd 967 root 4u IPv6 16360 0t0 TCP *:ssh (LISTEN)
master 1239 root 13u IPv4 17198 0t0 TCP localhost:smtp (LISTEN)
master 1239 root 14u IPv6 17199 0t0 TCP localhost:smtp (LISTEN)
mysqld 1255 mysql 10u IPv6 17347 0t0 TCP *:mysql (LISTEN)
nginx 1343 root 7u IPv4 17924 0t0 TCP *:http (LISTEN)
nginx 1343 root 8u IPv4 17925 0t0 TCP *:https (LISTEN)
nginx 1344 www 7u IPv4 17924 0t0 TCP *:http (LISTEN)
nginx 1344 www 8u IPv4 17925 0t0 TCP *:https (LISTEN)
sshd 1345 root 3u IPv4 17941 0t0 TCP .:ssh->.:50017 (ESTABLISHED)
sshd 2673 root 3u IPv4 30139 0t0 TCP .:ssh->.:51638 (ESTABLISHED)
dhclient 2876 root 6u IPv4 31713 0t0 UDP *:bootpc
dhclient 2876 root 20u IPv4 31702 0t0 UDP *:13212
dhclient 2876 root 21u IPv6 31703 0t0 UDP *:63469
某端口运行的进程
# lsof -i :443
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 1343 root 8u IPv4 17925 0t0 TCP *:https (LISTEN)
nginx 1344 www 8u IPv4 17925 0t0 TCP *:https (LISTEN)
某协议运行的进程
# lsof -i UDP
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dhclient 766 root 6u IPv4 15480 0t0 UDP *:bootpc
dhclient 766 root 20u IPv4 15436 0t0 UDP *:25447
dhclient 766 root 21u IPv6 15437 0t0 UDP *:23892
dhclient 2876 root 6u IPv4 31713 0t0 UDP *:bootpc
dhclient 2876 root 20u IPv4 31702 0t0 UDP *:13212
dhclient 2876 root 21u IPv6 31703 0t0 UDP *:63469
# lsof -i TCP:3306
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld 1255 mysql 10u IPv6 17347 0t0 TCP *:mysql (LISTEN)
# lsof -i TCP:1-1024
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 967 root 3u IPv4 16351 0t0 TCP *:ssh (LISTEN)
sshd 967 root 4u IPv6 16360 0t0 TCP *:ssh (LISTEN)
master 1239 root 13u IPv4 17198 0t0 TCP localhost:smtp (LISTEN)
master 1239 root 14u IPv6 17199 0t0 TCP localhost:smtp (LISTEN)
nginx 1343 root 7u IPv4 17924 0t0 TCP *:http (LISTEN)
nginx 1343 root 8u IPv4 17925 0t0 TCP *:https (LISTEN)
nginx 1344 www 7u IPv4 17924 0t0 TCP *:http (LISTEN)
nginx 1344 www 8u IPv4 17925 0t0 TCP *:https (LISTEN)
sshd 1345 root 3u IPv4 17941 0t0 TCP .:ssh->.:50017 (ESTABLISHED)
sshd 2673 root 3u IPv4 30139 0t0 TCP .:ssh->.:51638 (ESTABLISHED)
不显示hostname, 不显示portname
# lsof -Pan -i TCP:22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 967 root 3u IPv4 16351 0t0 TCP *:22 (LISTEN)
sshd 967 root 4u IPv6 16360 0t0 TCP *:22 (LISTEN)
sshd 1345 root 3u IPv4 17941 0t0 TCP 192.168.56.101:22->192.168.56.1:50017 (ESTABLISHED)
sshd 2673 root 3u IPv4 30139 0t0 TCP 192.168.56.101:22->192.168.56.1:51638 (ESTABLISHED)
指定IPv4 IPv6
# lsof -i 6
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dhclient 766 root 21u IPv6 15437 0t0 UDP *:23892
sshd 967 root 4u IPv6 16360 0t0 TCP *:ssh (LISTEN)
master 1239 root 14u IPv6 17199 0t0 TCP localhost:smtp (LISTEN)
mysqld 1255 mysql 10u IPv6 17347 0t0 TCP *:mysql (LISTEN)
dhclient 2876 root 21u IPv6 31703 0t0 UDP *:63469
筛选排除
# lsof -i 6 -u^root
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld 1255 mysql 10u IPv6 17347 0t0 TCP *:mysql (LISTEN)
筛选某PID
# lsof -p 995
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld_sa 995 mysql cwd DIR 253,0 244 64 /
mysqld_sa 995 mysql rtd DIR 253,0 244 64 /
mysqld_sa 995 mysql txt REG 253,0 960472 12584134 /usr/bin/bash
mysqld_sa 995 mysql mem REG 253,0 106070960 245898 /usr/lib/locale/locale-archive
mysqld_sa 995 mysql mem REG 253,0 2127336 223984 /usr/lib64/libc-2.17.so
mysqld_sa 995 mysql mem REG 253,0 19776 223990 /usr/lib64/libdl-2.17.so
mysqld_sa 995 mysql mem REG 253,0 174520 245927 /usr/lib64/libtinfo.so.5.9
mysqld_sa 995 mysql mem REG 253,0 164264 223977 /usr/lib64/ld-2.17.so
mysqld_sa 995 mysql mem REG 253,0 26254 8489107 /usr/lib64/gconv/gconv-modules.cache
mysqld_sa 995 mysql 0r CHR 1,3 0t0 4856 /dev/null
mysqld_sa 995 mysql 1u unix 0xffff88003d620400 0t0 16649 socket
mysqld_sa 995 mysql 2u unix 0xffff88003d620400 0t0 16649 socket
mysqld_sa 995 mysql 255r REG 253,0 27288 12831550 /usr/bin/mysqld_safe
简洁输出PID
# lsof -u mysql -t
995
1255
杀死某用户的所有进程
# kill -9 `lsof -u mysql -t`