Pages

Friday, September 14, 2012

Resource Management : Lsof

lsof stands for 'List of Open Files’. This command is used to report all the open files and the process that currently opened them. Open files include disk files, pipes, network sockets and devices opened by all processes.

This can be very use full when we see issue which unmouting a file system. We can trace out which files are being open and can kill them to unmount.

A Basic execution of lsof gives ,

[root@vx111a test]# lsof | head
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
init 1 root cwd DIR 8,8 4096 2 /
init 1 root rtd DIR 8,8 4096 2 /
init 1 root txt REG 8,8 38652 11370583 /sbin/init
init 1 root mem REG 8,8 245376 918515 /lib/libsepol.so.1
init 1 root mem REG 8,8 129900 918498 /lib/ld-2.5.so
init 1 root mem REG 8,8 1693796 918499 /lib/libc-2.5.so
FD – Represents the file descriptor. Some of the values of FDs are,

* cwd – Current Working Directory
* txt – Text file


The out put explains most of the columns , but we FD and TYPE requires some more info

FD – Represents the file descriptor. Some of the values of FDs are,

* cwd – Current Working Directory
* txt – Text file
* mem – Memory mapped file
* mmap – Memory mapped device
* NUMBER – Represent the actual file descriptor. The character after the number i.e t;; font-size: 9.0pt; line-height: 115%; mso-bidi-font-size: 11.0pt;"> * DIR – write

TYPE – Specifies the type of the file. Some of the values of TYPEs are,

* REG – Regular File
* DIR – Directory
* FIFO – First In First Out
* CHR – Character special file

To find all the open files in the current directory

[root@vx111a test]# lsof $PWD
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
bash 4132 root cwd DIR 8,8 4096 6127709 /root/test
sleep 4159 root cwd DIR 8,8 4096 6127709 /root/test
top.sh 4226 root cwd DIR 8,8 4096 6127709 /root/test
bash 4234 root cwd DIR 8,8 4096 6127709 /root/test
vi 4258 root cwd DIR 8,8 4096 6127709 /root/test
lsof 4929 root cwd DIR 8,8 4096 6127709 /root/test

List all Process that opened a specific file

[root@vx111a test]# lsof top.sh
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
top.sh 4226 root 255r REG 8,8 40 6128296 top.sh

List opened files under a directory

If we need to find the files that are opened under a directory including the subdirectories we can use +D like

[root@vx111a test]# lsof +D $PWD
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
bash 4132 root cwd DIR 8,8 4096 6127709 /root/test
sleep 4159 root cwd DIR 8,8 4096 6127709 /root/test
bash 4161 root cwd DIR 8,8 4096 6127709 /root/test
top.sh 4226 root cwd DIR 8,8 4096 6127709 /root/test
top.sh 4226 root 255r REG 8,8 40 6128296 /root/test/top.sh

List opened files based on process names starting with

Lsof allows us to see the files that are opened by process that is starting with a specific name. This can be achieved using -c option,

Dev:vx1423:djbs001-~ $ lsof -c java | head
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 17077 root cwd DIR 253,9 4096 369127 /software/jboss/jon-server- /jbossas/bin

To find all the open files in the current File System

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
init 1 root cwd DIR 8,8 4096 2 /
init 1 root rtd DIR 8,8 4096 2 /
init 1 root txt REG 8,8 38652 11370583 /sbin/init
init 1 root mem REG 8,8 245376 918515 /lib/libsepol.so.1
migration 2 root cwd DIR 8,8 4096 2 /

List files opened by a specific user

Dev:vx1423:djbs002-~ $ lsof -u root | head
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 12698 root cwd DIR 253,7 4096 229381 /logs/jboss/ews/1.0/domains/jas
bash 12698 root rtd DIR 253,0 4096 2 /
bash 12698 root txt REG 253,0 801528 131130 /bin/bash

You can use Negation too, if you want to see all files opened by user leaving root you can use

lsof -u ^root

List all open files by a specific processtop.sh 4226 root txt REG 8,8 735004 10780705 /bin/bash
top.sh 4226 root mem REG 8,8 129900 918498 /lib/ld-2.5.so
top.sh 4226 root cwd DIR 8,8 4096 6127709 /root/test
top.sh 4226 root rtd DIR 8,8 4096 2 /
top.sh 4226 root txt REG 8,8 735004 10780705 /bin/bash
top.sh 4226 root mem REG 8,8 129900 918498 /lib/ld-2.5.so
top.sh 4226 root mem REG 8,8 1693796 918499 /lib/libc-2.5.so
top.sh 4226 root mem REG 8,8 20668 918500 /lib/libdl-2.5.so
top.sh 4226 root mem REG 8,8 13276 918521 /lib/libtermcap.so.2.0.8
top.sh 4226 root mem REG 8,9 56479264 459245 /usr/lib/locale/locale-archive
top.sh 4226 root mem REG 8,9 25462 522496 /usr/lib/gconv/gconv-modules.cache
top.sh 4226 root 0u CHR 136,1 3 /dev/pts/1
top.sh 4226 root 1u CHR 136,1 3 /dev/pts/1
top.sh 4226 root 2u CHR 136,1 3 /dev/pts/1
top.sh 4226 root 255r REG 8,8 40 6128296 /root/test/top.sh


Kill all process that belongs to a particular user

We can use lsof to kill process that belong to a user much like,

kill -9 `lsof -t -u root`

list process id of a process which opened a specific file

[root@vx111a test]# lsof -t /var/log/messages
7390

Execute lsof in repeat mode

lsof also support Repeat mode. It will first list files based on the given parameters, and delay for specified seconds and again list files based on the given parameters. It can be interrupted by a signal.

Repeat mode can be enabled by using ‘-r’ or ‘+r’. If ‘+r’ is used then, the repeat mode will end when no open files are found. ‘-r’ will continue to list,delay,list until a interrupt is given irrespective of files are opened or not.

Each cycle output will be separated by using ‘=======’. You also also specify the time delay as ‘-r’ | ‘+r’.

lsof -u root -c java -a -r5

Finding Network Information

List all network connections

[root@vx111a test]# lsof -i (use ‘-i4′ or ‘-i6′ to list only ‘IPV4′ or ‘IPV6‘ )
rpc.statd 2382 root 3u IPv4 6100 UDP *:865
dhclient 2178 root 4u IPv4 5593 UDP *:bootpc
rpc.statd 2382 root 6u IPv4 6091 UDP *:862
rpc.statd 2382 root 7u IPv4 6110 TCP *:868 (LISTEN)
hpiod 2593 root 0u IPv4 7887 TCP localhost.localdomain:2208 (LISTEN)
-family: "Verdana","sans-serif"; font-size: 9.0pt; line-height: 115%; mso-bidi-font-size: 11.0pt;">rpc.statd 2382 root 6u IPv4 6091 UDP *:862
rpc.statd 2382 root 7u IPv4 6110 TCP *:868 (LISTEN)
hpiod 2593 root 0u IPv4 7887 TCP localhost.localdomain:2208 (LISTEN)
hpssd.py 2598 root 4u IPv4 7905 TCP localhost.localdomain:2207 (LISTEN)


List all network files in use by a specific process
localhost:root-~ $ lsof -i -a -p 17077 | head
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 17077 root 101u IPv4 728449 0t0 TCP *:9093 (LISTEN)
.
.

List processes which are listening on a particular port
[root@vx111a test]# lsof -nPi tcp:80


or

[root@vx111a test]# lsof -i :7080
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 17077 root 141u IPv4 728528 0t0 TCP *:7080 (LISTEN)

Some Examples ,


Determine if port is open or not
[root@vx111a test]#lsof -i :22


Kill a Process on the Port
[root@vx111a test]#kill -9 `lsof -t -i :port_number`

Show apps that use internet connection at the moment Or Lists all listening ports together with the PID of the associated process
[root@vx111a test]# lsof -P -i -n
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
dhclient 2178 root 4u IPv4 5593 UDP *:68
rpc.statd 2382 root 6u IPv4 630 UDP *:111
portmap 2347 rpc 4u IPv4 5931 TCP *:111 (LISTEN)
rpc.statd 2382 root 3u IPv4 6100 UDP *:865
rpc.statd 2382 root 6u IPv4 6091 UDP *:862


List all files opened by a particular command
lsof -c java

check open ports
lsof -Pni4 | grep LISTEN

Display who is accessing a device
lsof /dev/tty1

View details of network activity
lsof -i :7000-8000

List all the files that have been deleted while they were still open.
lsof | egrep "^COMMAND|deleted"
If you delete a file that is still in use by a process, that space does not get freed up (will not show up in df) until that process either closes the file on its own, or is killed.

show the working directories of running processes
lsof -bw -d cwd -a -c java

find the delete file ,which is in use
lsof -n |grep delete

Grep from Open Files
lsof | grep "stuff"

View Open File Descriptors for a Process
lsof -p | wc -l

Find The Command Line Of the Process Using Specific Port
cat /proc/$(lsof -ti:631)/cmdline

More To Come , happy learning :-)