If everything in Linux is a file, there must be more than just files on your hard disk. This tutorial will show you how to use lsof to view all other devices and processes that are managed as files.
On Linux, everything is a file
The often quoted phrase that everything under Linux is a file is somehow true. A file is a collection of bytes. When they are read in a program or sent to a printer, they seem to generate a stream of bytes. When they are written, they accept a stream of bytes.
Many other system components support or generate byte streams, such as keyboards, socket connections, printers, and communication processes. Because they accept, generate or accept and generate streams of bytes, these devices can be managed – at a very low level – as if it 's been files.
This design has simplified the implementation of the Unix operating system. This meant that a small set of managers, tools and API could be created to handle a wide range of different resources.
The data and program files that reside on your hard drive are old file system files. We can use the ls command to list them and find some details about them.
How do we know about all the other processes and devices handled as it's files? We use the lsof command. This lists the open files in the system. That is, it lists everything that is treated as a file.
The lsof command
Most of the processes or devices that lsof can report belong to or have been started by root. You will need to use the sudo command with lsof.
And as this list will be very long, we will make it less.
sudo lsof | less
Before the lsof output appears, GNOME users can see a warning message in the terminal window.
lsof: WARNING: impossible to stat () fuse.gvfsd-fuse file system / run / user / 1000 / gvfs
The output information may be incomplete.
lsof tries to process all mounted filesystems. This warning message is issued because lsof has encountered a problem. GNOME virtual file system (GVFS). This is a special case of file system in the user space (FUSE). It acts as a bridge between GNOME, its APIs and the kernel. Nobody – not even root – can access any of these file systems, except the owner who mounted it (in this case, GNOME). You can ignore this warning.
The output of lsof is very wide. The leftmost columns are:
The rightmost columns are:
The columns of lsof
Not all columns apply to all open file types. It is normal for some of them to be empty.
Command: The name of the command associated with the process that opened the file.
PID: Identification number of the process that opened the file.
TID: Identification number of the task (thread). An empty column means that it is not a task; it's a process.
User: The user ID or name of the user to which the process belongs, or the user ID or login ID of the person who owns the directory in / proc where lsof finds information about the process.
FD: Displays the file descriptor of the file. The file descriptors are described below.
Type: The type of node associated with the file. The types of notes are described below.
Device: Contains the device numbers, separated by commas, for a special character file, special block, normal, directory or NFS file, or a kernel reference address that identifies the file. It can also indicate the base address or device name of an AX.25 Linux socket device.
Size / Off: Specifies the size of the file or the offset of the file in bytes.
Node: Displays the node number of a local file or the inode number of an NFS file in the server's host or Internet protocol type. It can display STR for a stream or the IRQ number or inode of an AX.25 Linux socket device.
Name: Displays the name of the mount point and the file system on which the file resides.
The FD column
The file descriptor in the FD column can be one of many options; the manual page list them all.
The FD column entry can be composed of three parts: a file descriptor, a mode character, and a lock character. Some common file descriptors are:
cwd: current working directory.
err: FD information error (see NAME column).
ltx: shared library text (code and data).
m86: merged DOS merge file.
mem: file mapped in memory.
mmap: device mapped in memory.
pd: parent directory.
rtd: root directory.
txt: program text (code and data)
A number representing a file descriptor.
The fashion character can be one of the following:
r: read access.
w: write access.
u: read and write access.
'': A space character, if the mode is unknown and there is no lock character.
-: Unknown mode and there is a lock character.
The lock character can be one of the following:
r: Read lock on part of the file.
A: Lock the entire file.
w: locks part of the file.
W: Lock the entire file.
u: Read and write a lock of any length.
U: Type of unknown lock.
& # 39 ;: A character of space. No lock.
There is more than 70 entries which could appear in the TYPE column. Here are some common entries you will see:
REG: standard system file.
FIFO: first in first out.
CHR: Special character file.
BLK: Block the special file.
INET: Internet connection.
unix: UNIX domain socket
See the processes that opened a file
To see the processes that opened a certain file, provide the file name as a parameter to lsof. For example, to see the processes that opened the kern.log file, use this command:
sudo lsof /var/log/kern.log
lsof responds by displaying the unique rsyslogd process that was started by the syslog user.
See all open files from a directory
To see open files from a directory and the processes that opened them, pass the directory to lsof as a parameter. You must use the option + D (directory).
To see all open files in the / var / log / directory, use this command:
sudo lsof + D / var / log /
lsof responds with a list of all open files in this directory.
To see all open files from the / home directory, use the following command:
sudo lsof + D / home
Files opened from the / home directory are displayed. Note that with shorter descriptions in some columns, the entire list is narrower.
List of files opened by a process
To see the files opened by a particular process, use the -c (command) option. Note that you can provide multiple search terms at lsof at a time.
sudo lsof -c ssh -c init
lsof provides a list of open files by one of the processes provided on the command line.
See files opened by a user
To limit the display to files opened by a specific user, use the -u (user) option. In this example, we will examine files opened by processes owned or run on behalf of Mary.
sudo lsof -u mary
All files listed have been opened on behalf of the user Mary. This includes files that have been opened by the desktop environment, for example, or simply as a result of Mary's connection.
Excluding files opened by a user
To exclude files opened by a user, use the ^ operator. The exclusion of users from the list makes it easy to find information that interests you. You must use the -u option as before and add the ^ character to the beginning of the user name.
sudo lsof + D / home -u ^ mary
This time, the / home directory listing does not include any files opened by the user Mary.
List of fields opened by a process
To list the files opened by a specific process, use the -p (process) option and specify the process ID as a parameter.
sudo lsof – p 4610
All files opened by the process ID that you provided are listed for you.
List of process IDs that opened a file
To view process IDs for processes that have opened a particular file, use the -t (terse) option and specify the file name on the command line.
sudo lsof -t /usr/share/mime/mime.cache
The process IDs are displayed in a simple list.
Use AND and OR searches
List the files opened by the user Mary, related to SSH processes. We know we can provide several search items on the command line. It should be simple.
sudo lsof -u mary -c ssh
Now let's see the result of lsof. This does not seem correct; there are entries in the output that have been started by root.
This is not what we expected. What happened?
When you provide multiple search terms, lsof returns any file that matches the first search term or second search term, and so on. In other words, he does a search OR.
For lsof to perform an AND search, use the -a (and) option. This means that the only files listed will be those that match the first search term, the second search term, and so on.
Let's try again and use the -a option.
sudo lsof -u mary -c ssh -a
From now on, each file in the list is a file opened by or on behalf of Mary and associated with the SSH command.
Automatic refresh of the display
We can use the option + | -r (repeat) to put lsof into repeat mode. The repeat option can be applied in two ways: + r or -r. We also need to add the number of seconds we want lsof to wait before refreshing the display.
Using the repeat option in one or the other format allows lsof to display the results as usual, but adds a dotted line to the bottom of the screen. It waits for the number of seconds indicated on the command line, then refreshes the display with a new set of results.
With the -r option, this will continue until you press Ctrl + C. With the + r format, this will continue until you have done so. more results to display or until you press Ctrl + C.
sudo lsof -u mary -c ssh -a -r5
Note the dotted line at the bottom of the list. This separates each new data display when the output is refreshed.
Viewing files associated with Internet connections
The -i (Internet) option allows you to see files open by processes associated with network and Internet connections.
All files opened by network and Internet connections are displayed.
View files associated with Internet connections by process ID
To see the files opened by Internet connections associated with a specific process ID, add the -p and -a options.
Here we are looking for open files over an Internet or network connection, through a process with an ID of 606.
sudo lsof -i -a -p 606
All files opened by process ID 606 associated with Internet or network connections are displayed.
Viewing files associated with Internet connections and commands
We can use the -c (command) option to search for open files by specific processes. To find open files over Internet or network connections associated with the ssh process, use the following command:
lsof -i -a -c ssh
All open files because of the ssh processes are listed in the output.
Viewing files associated with Internet connections and ports
We can report on open files over the Internet or through network connections on a specific port. To do this, we use the character: followed by the port number.
Here we ask lsof to list files opened by network or Internet connections using port 22.
lsof -i: 22
All the files listed have been opened by the processes associated with port 22 (which is the default port for SSH connections).
Viewing files associated with Internet connections and protocols
We can ask lsof to show open files by processes associated with network and Internet connections, using a specific protocol. We can choose between TCP, UDP and SMTP. Let's use TCP and see what we get.
sudo lsof -i tcp
The only files listed are those opened by processes using the TCP protocol.
We did not touch the surface
It's a good foundation in some common use cases for LSOF, but it's much more than that. How much more can be judged by the fact that the manual page is over 2800 lines.
The lsof command can be used to further explore open file and pseudo-file strata. We provided a sketch map; the atlas is in the manual page.