|
Packit |
6f02de |
|
|
Packit |
6f02de |
A Quick Start for Lsof
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
1. Introduction
|
|
Packit |
6f02de |
================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Agreed, the lsof man page is dense and lsof has a plethora of
|
|
Packit |
6f02de |
options. There are examples, but the manual page format buries
|
|
Packit |
6f02de |
them at the end. How does one get started with lsof?
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
This file is an attempt to answer that question. It plunges
|
|
Packit |
6f02de |
immediately into examples of lsof use to solve problems that
|
|
Packit |
6f02de |
involve looking at the open files of Unix processes.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Contents
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
1. Introduction
|
|
Packit |
6f02de |
2. Finding Uses of a Specific Open File
|
|
Packit |
6f02de |
3. Finding Open Files Filling a File System
|
|
Packit |
6f02de |
a. Finding an Unlinked Open File
|
|
Packit |
6f02de |
4. Finding Processes Blocking Umount
|
|
Packit |
6f02de |
5. Finding Listening Sockets
|
|
Packit |
6f02de |
6. Finding a Particular Network Connection
|
|
Packit |
6f02de |
7. Identifying a Netstat Connection
|
|
Packit |
6f02de |
8. Finding Files Open to a Named Command
|
|
Packit |
6f02de |
9. Deciphering the Remote Login Trail
|
|
Packit |
6f02de |
a. The Fundamentals
|
|
Packit |
6f02de |
b. The idrlogin.perl[5] Scripts
|
|
Packit |
6f02de |
10. Watching an Ftp or Rcp Transfer
|
|
Packit |
6f02de |
11. Listing Open NFS Files
|
|
Packit |
6f02de |
12. Listing Files Open by a Specific Login
|
|
Packit |
6f02de |
a. Ignoring a Specific Login
|
|
Packit |
6f02de |
13. Listing Files Open to a Specific Process Group
|
|
Packit |
6f02de |
14. When Lsof Seems to Hang
|
|
Packit |
6f02de |
a. Kernel lstat(), readlink(), and stat() Blockages
|
|
Packit |
6f02de |
b. Problems with /dev or /devices
|
|
Packit |
6f02de |
c. Host and Service Name Lookup Hangs
|
|
Packit |
6f02de |
d. UID to Login Name Conversion Delays
|
|
Packit |
6f02de |
15. Output for Other Programs
|
|
Packit |
6f02de |
16. The Lsof Exit Code and Shell Scripts
|
|
Packit |
6f02de |
17. Strange messages in the NAME column
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Options
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
A. Selection Options
|
|
Packit |
6f02de |
B. Output Options
|
|
Packit |
6f02de |
C. Precautionary Options
|
|
Packit |
6f02de |
D. Miscellaneous Lsof Options
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
2. Finding Uses of a Specific Open File
|
|
Packit |
6f02de |
========================================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Often you're interested in knowing who is using a specific file.
|
|
Packit |
6f02de |
You know the path to it and you want lsof to tell you the processes
|
|
Packit |
6f02de |
that have open references to it.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Simple -- execute lsof and give it the path name of the file of
|
|
Packit |
6f02de |
interest -- e.g.,
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof /etc/passwd
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Caveat: this only works if lsof has permission to get the status
|
|
Packit |
6f02de |
(via stat(2)) of the file at the named path. Unless the lsof
|
|
Packit |
6f02de |
process has enough authority -- e.g., it is being run with a
|
|
Packit |
6f02de |
real User ID (UID) of root -- this AIX example won't work:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Further caveat: this use of lsof will fail if the stat(2) kernel
|
|
Packit |
6f02de |
syscall returns different file parameters -- particularly device
|
|
Packit |
6f02de |
and inode numbers -- than lsof finds in kernel node structures.
|
|
Packit |
6f02de |
This condition is rare and is usually documented in the 00FAQ
|
|
Packit |
6f02de |
file of the lsof distribution.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof /etc/security/passwd
|
|
Packit |
6f02de |
lsof: status error on /etc/security/passwd: Permission denied
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
3. Finding Open Files Filling a File System
|
|
Packit |
6f02de |
============================================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Oh! Oh! /tmp is filling and ls doesn't show that any large files
|
|
Packit |
6f02de |
are being created. Can lsof help?
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Maybe. If there's a process that is writing to a file that has
|
|
Packit |
6f02de |
been unlinked, lsof may be able to discover the process for you.
|
|
Packit |
6f02de |
You ask it to list all open files on the file system where /tmp
|
|
Packit |
6f02de |
is located.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Sometimes /tmp is a file system by itself. In that case,
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof /tmp
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
is the appropriate command. If, however, /tmp is part of another
|
|
Packit |
6f02de |
file system, typically /, then you may have to ask lsof to list
|
|
Packit |
6f02de |
all files open on the containing file system and locate the
|
|
Packit |
6f02de |
offending file and its process by inspection -- e.g.,
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof / | more
|
|
Packit |
6f02de |
or
|
|
Packit |
6f02de |
$ lsof / | grep ...
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Caveat: there must be a file open to a for the lsof search to
|
|
Packit |
6f02de |
succeed. Sometimes the kernel may cause a file reference to
|
|
Packit |
6f02de |
persist, even where there's no file open to a process. (Can you
|
|
Packit |
6f02de |
say kernel bug? Maybe.) In any event, lsof won't be able to
|
|
Packit |
6f02de |
help in this case.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
a. Finding an Unlinked Open File
|
|
Packit |
6f02de |
=================================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
A pesky variant of a file that is filling a file system is an
|
|
Packit |
6f02de |
unlinked file to which some process is still writing. When a
|
|
Packit |
6f02de |
process opens a file and then unlinks it, the file's resources
|
|
Packit |
6f02de |
remain in use by the process, but the file's directory entries
|
|
Packit |
6f02de |
are removed. Hence, even when you know the directory where the
|
|
Packit |
6f02de |
file once resided, you can't detect it with ls.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
This can be an administrative problem when the unlinked file is
|
|
Packit |
6f02de |
large, and the process that holds it open continues to write to
|
|
Packit |
6f02de |
it. Only when the process closes the file will its resources,
|
|
Packit |
6f02de |
particularly disk space, be released.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Lsof can help you find unlinked files on local disks. It has an
|
|
Packit |
6f02de |
option, +L, that will list the link counts of open files. That
|
|
Packit |
6f02de |
helps because an unlinked file on a local disk has a zero link
|
|
Packit |
6f02de |
count. Note: this is NOT true for NFS files, accessed from a
|
|
Packit |
6f02de |
remote server.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
You could use the option to list all files and look for a zero
|
|
Packit |
6f02de |
link count in the NLINK column -- e.g.,
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$lsof +L
|
|
Packit |
6f02de |
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NLINK NODE NAME
|
|
Packit |
6f02de |
...
|
|
Packit |
6f02de |
less 25366 abe txt VREG 6,0 40960 1 76319 /usr/...
|
|
Packit |
6f02de |
...
|
|
Packit |
6f02de |
> less 25366 abe 3r VREG 6,0 17360 0 98768 / (/dev/sd0a)
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Better yet, you can specify an upper bound to the +L option, and
|
|
Packit |
6f02de |
lsof will select only files that have a link count less than the
|
|
Packit |
6f02de |
upper bound. For example:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof +L1
|
|
Packit |
6f02de |
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NLINK NODE NAME
|
|
Packit |
6f02de |
less 25366 abe 3r VREG 6,0 17360 0 98768 / (/dev/sd0a)
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
You can use lsof's -a (AND) option to narrow the link count search
|
|
Packit |
6f02de |
to a particular file system. For example, to look for zero link
|
|
Packit |
6f02de |
counts on the /home file system, use:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -a +L1 /home
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
CAUTION: lsof can't always report link counts for all file types
|
|
Packit |
6f02de |
-- e.g., it may not report them for FIFOs, pipes, or sockets.
|
|
Packit |
6f02de |
Remember also that link counts for NFS files on an NFS client
|
|
Packit |
6f02de |
host don't behave as do link counts for files on local disks.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
4. Finding Processes Blocking Umount
|
|
Packit |
6f02de |
=====================================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
When you need to unmount a file system with the umount command,
|
|
Packit |
6f02de |
you may find the operation blocked by a process that has a file
|
|
Packit |
6f02de |
open on the file systems. Lsof may be able to help you find the
|
|
Packit |
6f02de |
process. In response to:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof <file_system_name>
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Lsof will display all open files on the named file system. It
|
|
Packit |
6f02de |
will also set its exit code zero when it finds some open files
|
|
Packit |
6f02de |
and non-zero when it doesn't, making this type of lsof call
|
|
Packit |
6f02de |
useful in shell scripts. (See section 16.)
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Consult the output of the df command for file system names.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
See the caveat in the preceding section about file references
|
|
Packit |
6f02de |
that persist in the kernel without open file traces. That
|
|
Packit |
6f02de |
situation may hamper lsof's ability to help with umount, too.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
5. Finding Listening Sockets
|
|
Packit |
6f02de |
=============================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Sooner or later you may wonder if someone has installed a network
|
|
Packit |
6f02de |
server that you don't know about. Lsof can list for you all the
|
|
Packit |
6f02de |
network socket files open on your machine with:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -i
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
The -i option without further qualification lists all open Internet
|
|
Packit |
6f02de |
socket files. You can add network names or addresses, protocol
|
|
Packit |
6f02de |
names, and service names or port numbers to the -i option to
|
|
Packit |
6f02de |
refine the search. (See the next section.)
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
6. Finding a Particular Network Connection
|
|
Packit |
6f02de |
===========================================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
When you know the source or destination of a network connection
|
|
Packit |
6f02de |
whose open files and process you'd like to identify, the -i option
|
|
Packit |
6f02de |
may help.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
If, for example, you want to know what process has a connection
|
|
Packit |
6f02de |
open to or from the Internet host named aaa.bbb.ccc, you can ask
|
|
Packit |
6f02de |
lsof to search for it with:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -i@aaa.bbb.ccc
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
If you're interested in a particular protocol -- TCP or UDP --
|
|
Packit |
6f02de |
and a specific port number or service name, you can add those
|
|
Packit |
6f02de |
discriminators to the -i information:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -iTCP@aaa.bbb.ccc:ftp-data
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
If you're interested in a particular IP version -- IPv4 or IPv6
|
|
Packit |
6f02de |
-- and your UNIX dialect supports both (It does if "IPv[46]"
|
|
Packit |
6f02de |
appears in the lsof -h output.), you can add the '4' or '6'
|
|
Packit |
6f02de |
selector immediately after -i:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -i4
|
|
Packit |
6f02de |
$ lsof -i6
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
7. Identifying a Netstat Connection
|
|
Packit |
6f02de |
====================================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
How do I identify the process that has a network connection
|
|
Packit |
6f02de |
described in netstat output? For example, if netstat says:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Proto Recv-Q Send-Q Local Address Foreign Address (state)
|
|
Packit |
6f02de |
tcp 0 0 vic.1023 ipscgate.login ESTABLISHED
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
What process is connected to service name ``login'' on ipscgate?
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Use lsof's -i option:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$lsof -iTCP@ipscgate:login
|
|
Packit |
6f02de |
COMMAND PID USER FD TYPE DEVICE SIZE/OFF INODE NAME
|
|
Packit |
6f02de |
rlogin 25023 abe 3u inet 0x10144168 0t184 TCP lsof.itap.purdue.edu:1023->ipscgate.cc.purdue.edu:login
|
|
Packit |
6f02de |
...
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
There's another way. Notice the 0x10144168 in the DEVICE column
|
|
Packit |
6f02de |
of the lsof output? That's the protocol control block (PCB)
|
|
Packit |
6f02de |
address. Many netstat applications will display it when given
|
|
Packit |
6f02de |
the -A option:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ netstat -A
|
|
Packit |
6f02de |
PCB Proto Recv-Q Send-Q Local Address Foreign Address (state)
|
|
Packit |
6f02de |
10144168 tcp 0 0 vic.1023 ipscgate.login ESTABLISHED
|
|
Packit |
6f02de |
...
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Using the PCB address, lsof, and grep, you can find the process this
|
|
Packit |
6f02de |
way, too:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -i | grep 10144168
|
|
Packit |
6f02de |
rlogin 25023 abe 3u inet 0x10144168 0t184 TCP lsof.itap.purdue.edu:1023->ipscgate.cc.purdue.edu:login
|
|
Packit |
6f02de |
...
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
If the file is a UNIX socket and netstat reveals and adress for it,
|
|
Packit |
6f02de |
like this Solaris 11 example:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ netstat -a -f unix
|
|
Packit |
6f02de |
Active UNIX domain sockets
|
|
Packit |
6f02de |
Address Type Vnode Conn Local Addr Remote Addr
|
|
Packit |
6f02de |
ffffff0084253b68 stream-ord 0000000 0000000
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Using lsof's -U option and its output piped to a grep on the address
|
|
Packit |
6f02de |
yields:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -U | grep ffffff0084253b68
|
|
Packit |
6f02de |
squid 1638 nobody 12u unix 18,98 0t10 9437188 /devices/pseudo/tl@0:ticots->0xffffff0084253b68 stream-ord
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
8. Finding Files Open to a Named Command
|
|
Packit |
6f02de |
=========================================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
When you want to look at the files open to a particular command,
|
|
Packit |
6f02de |
you can look up the PID of the process running the command and
|
|
Packit |
6f02de |
use lsof's -p option to specify it.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -p <PID>
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
However, there's a quicker way, using lsof's -c option, provided
|
|
Packit |
6f02de |
you don't mind seeing output for every process running the named
|
|
Packit |
6f02de |
command.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -c <first_characters_of_command_name_that_interest_you>
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
The lsof -c option is useful when you want to see how many instances
|
|
Packit |
6f02de |
of a given command are executing and what their open files are.
|
|
Packit |
6f02de |
One useful example is for the sendmail command.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -c sendmail
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
9. Deciphering the Remote Login Trail
|
|
Packit |
6f02de |
======================================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
If the network connection you're interested in tracing has been
|
|
Packit |
6f02de |
initiated externally and is connected to an rlogind, sshd, or
|
|
Packit |
6f02de |
telnetd process, asking lsof to identify that process might not
|
|
Packit |
6f02de |
give a wholly satisfying answer. The report may be that the
|
|
Packit |
6f02de |
connection exists, but to a process owned by root.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
a. The Fundamentals
|
|
Packit |
6f02de |
====================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
How do you get from there to the login name really using the
|
|
Packit |
6f02de |
connection? You have to know a little about how real and pseudo
|
|
Packit |
6f02de |
ttys are paired in your system, and then use several lsof probes
|
|
Packit |
6f02de |
to identify the login.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
This example comes from a Solaris 2.4 system, named klaatu.cc.
|
|
Packit |
6f02de |
I've logged on to it via rlogin from lsof.itap. The first lsof
|
|
Packit |
6f02de |
probe,
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -i@lsof.itap
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
yields (among other things):
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
COMMAND PID USER FD TYPE DEVICE SIZE/OFF INODE NAME
|
|
Packit |
6f02de |
in.rlogin 7362 root 0u inet 0xfc0193b0 0t242 TCP klaatu.cc.purdue.edu:login->lsof.itap.purdue.edu:1023
|
|
Packit |
6f02de |
...
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
This confirms that a connection exists. A second lsof probe
|
|
Packit |
6f02de |
shows:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -p7362
|
|
Packit |
6f02de |
COMMAND PID USER FD TYPE DEVICE SIZE/OFF INODE NAME
|
|
Packit |
6f02de |
...
|
|
Packit |
6f02de |
in.rlogin 7362 root 0u inet 0xfc0193b0 0t242 TCP klaatu.cc.purdue.edu:login->lsof.itap.purdue.edu:1023
|
|
Packit |
6f02de |
...
|
|
Packit |
6f02de |
in.rlogin 7362 root 3u VCHR 23, 0 0t66 52928 /devices/pseudo/clone@0:ptmx->pckt->ptm
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
7362 is the Process ID (PID) of the in.rlogin process, discovered
|
|
Packit |
6f02de |
in the first lsof probe. (I've abbreviated the output to simplify
|
|
Packit |
6f02de |
the example.) Now comes a need to understand Solaris pseudo-ttys.
|
|
Packit |
6f02de |
The key indicator is in the DEVICE column for FD 3, the major/minor
|
|
Packit |
6f02de |
device number of 23,0. This translates to /dev/pts/0, so a third
|
|
Packit |
6f02de |
lsof probe,
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof /dev/pts/0
|
|
Packit |
6f02de |
COMMAND PID USER FD TYPE DEVICE SIZE/OFF INODE NAME
|
|
Packit |
6f02de |
ksh 7364 abe 0u VCHR 24, 0 0t2410 53410 /dev/pts/../../devices/pseudo/pts@0:0
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
shows in part that login abe has a ksh process on /dev/pts/0.
|
|
Packit |
6f02de |
(The NAME that lsof shows is not /dev/pts/0 but the full expansion
|
|
Packit |
6f02de |
of the symbolic link that lsof finds at /dev/pts/0.)
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Here's a second example, done on an HP-UX 9.01 host named ghg.ecn.
|
|
Packit |
6f02de |
Again, I've logged on to it from lsof.itap, so I start with:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -i@lsof.itap
|
|
Packit |
6f02de |
COMMAND PID USER FD TYPE DEVICE SIZE/OFF INODE NAME
|
|
Packit |
6f02de |
rlogind 10214 root 0u inet 0x041d5f00 0t1536 TCP ghg.ecn.purdue.edu:login->lsof.itap.purdue.edu:1023
|
|
Packit |
6f02de |
...
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Then,
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -p10214
|
|
Packit |
6f02de |
COMMAND PID USER FD TYPE DEVICE SIZE/OFF INODE NAME
|
|
Packit |
6f02de |
...
|
|
Packit |
6f02de |
rlogind 10214 root 0u inet 0x041d5f00 0t2005 TCP ghg.ecn.purdue.edu:login->lsof.itap.purdue.edu:1023
|
|
Packit |
6f02de |
...
|
|
Packit |
6f02de |
rlogind 10214 root 3u VCHR 16,0x000030 0t2037 24642 /dev/ptym/ptys0
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Here the key is the NAME /dev/ptym/ptys0. In HP-UX 9.01 tty and
|
|
Packit |
6f02de |
pseudo tty devices are paired with the names like /dev/ptym/ptys0
|
|
Packit |
6f02de |
and /dev/pty/ttys0, so the following lsof probe is the final step.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof /dev/pty/ttys0
|
|
Packit |
6f02de |
COMMAND PID USER FD TYPE DEVICE SIZE/OFF INODE NAME
|
|
Packit |
6f02de |
ksh 10215 abe 0u VCHR 17,0x000030 0t3399 22607 /dev/pty/ttys0
|
|
Packit |
6f02de |
...
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Here's a third example for an AIX 4.1.4 system. I've used telnet
|
|
Packit |
6f02de |
to connect to it from lsof.itap.purdue.edu. I start with:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -i@lsof.itap.purdue.edu
|
|
Packit |
6f02de |
COMMAND PID USER FD TYPE DEVICE SIZE/OFF INODE NAME
|
|
Packit |
6f02de |
...
|
|
Packit |
6f02de |
telnetd 15616 root 0u inet 0x05a93400 0t5156 TCP cloud.cc.purdue.edu:telnet->lsof.itap.purdue.edu:3369
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Then I look at the telnetd process:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -p15616
|
|
Packit |
6f02de |
COMMAND PID USER FD TYPE DEVICE SIZE/OFF INODE NAME
|
|
Packit |
6f02de |
...
|
|
Packit |
6f02de |
telnetd 15616 root 0u inet 0x05a93400 0t5641 TCP cloud.cc.purdue.edu:telnet->lsof.itap.purdue.edu:3369
|
|
Packit |
6f02de |
...
|
|
Packit |
6f02de |
telnetd 15616 root 3u VCHR 25, 0 0t5493 103 /dev/ptc/0
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Here the key is /dev/ptc/0. In AIX it's paired with /dev/pts/0.
|
|
Packit |
6f02de |
The last probe for that shows:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof /dev/pts/0
|
|
Packit |
6f02de |
COMMAND PID USER FD TYPE DEVICE SIZE/OFF INODE NAME
|
|
Packit |
6f02de |
...
|
|
Packit |
6f02de |
ksh 16642 abe 0u VCHR 26, 0 0t6461 360 /dev/pts/0
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
b. The idrlogin.perl[5] Scripts
|
|
Packit |
6f02de |
================================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
There's another, perhaps easier way, to go about the job of
|
|
Packit |
6f02de |
tracing a network connection. The lsof distribution contains
|
|
Packit |
6f02de |
two Perl scripts, idrlogin.perl (Perl 4) and idrlogin.perl5
|
|
Packit |
6f02de |
(Perl 5), that use lsof field output to display values for
|
|
Packit |
6f02de |
shells that are parented by rlogind, sshd, or telnetd, or
|
|
Packit |
6f02de |
connected directly to TCP sockets. The lsof test suite contains
|
|
Packit |
6f02de |
a C library that can be adapted for use with C programs that
|
|
Packit |
6f02de |
need to call lsof and process its field output.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
The two Perl scripts use the lsof -R option; it causes the
|
|
Packit |
6f02de |
paRent process ID (PPID) to be listed in the lsof output. The
|
|
Packit |
6f02de |
scripts identify all shell processes -- e.g., ones whose command
|
|
Packit |
6f02de |
names end in ``sh'' -- and determine if: 1) the ultimate ancestor
|
|
Packit |
6f02de |
process before a PID greater than 2 (e.g., init's PID is 1) is
|
|
Packit |
6f02de |
rlogind, sshd, or telnetd; or 2) the shell process has open
|
|
Packit |
6f02de |
TCP socket files.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Here's an example of output from idlogin.perl on a Solaris 2.4
|
|
Packit |
6f02de |
system:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
centurion: 1 = cd src/lsof4/scripts
|
|
Packit |
6f02de |
centurion: 2 = ./idrlogin.perl
|
|
Packit |
6f02de |
Login Shell PID Via PID TTY From
|
|
Packit |
6f02de |
oboyle ksh 12640 in.telnetd 12638 pts/5 opal.cc.purdue.edu
|
|
Packit |
6f02de |
icdtest ksh 15158 in.rlogind 15155 pts/6 localhost
|
|
Packit |
6f02de |
sh csh 18207 in.rlogind 18205 pts/1 babylon5.cc.purdue.edu
|
|
Packit |
6f02de |
root csh 18242 in.rlogind 18205 pts/1 babylon5.cc.purdue.edu
|
|
Packit |
6f02de |
trouble ksh 19208 in.rlogind 18205 pts/1 babylon5.cc.purdue.edu
|
|
Packit |
6f02de |
abe ksh 21334 in.rlogind 21332 pts/2 lsof.itap.purdue.edu
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
The scripts assume that its parent directory contains an
|
|
Packit |
6f02de |
executable lsof. If you decide to use one of the scripts, you
|
|
Packit |
6f02de |
may want to customize it for your local lsof and perl paths.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Note that processes executing as remote shells are also
|
|
Packit |
6f02de |
identified.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Here's another example from a UnixWare 7.1.0 system.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
tweeker: 1 = cd src/lsof4/scripts
|
|
Packit |
6f02de |
tweeker: 9 = ./idrlogin.perl
|
|
Packit |
6f02de |
Login Shell PID Via PID TTY From
|
|
Packit |
6f02de |
abe ksh 9438 in.telnetd 9436 pts/3 lsof.itap.purdue.edu
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
10. Watching an Ftp or Rcp Transfer
|
|
Packit |
6f02de |
===================================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
The nature of the Internet being one of unpredictable performance
|
|
Packit |
6f02de |
at times, occasionally you want to know if a file transfer, being
|
|
Packit |
6f02de |
done by ftp or rcp, is making any progress.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
To use lsof for watching a file transfer, you need to know the
|
|
Packit |
6f02de |
PID of the file transfer process. You can use ps to find that.
|
|
Packit |
6f02de |
Then use lsof,
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -p<PID>
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
to examine the files open to the transfer process. Usually the
|
|
Packit |
6f02de |
ftp files or interest are at file descriptors 9 and 10 or 10 and
|
|
Packit |
6f02de |
11; for rcp, 3 and 4. They describe the network socket file and
|
|
Packit |
6f02de |
the local data file.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
If you want to watch only those file descriptors as the file
|
|
Packit |
6f02de |
transfer progresses, try these lsof forms (for ftp in the example):
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -p<PID> -ad9,10 -r
|
|
Packit |
6f02de |
or
|
|
Packit |
6f02de |
$ lsof -p<PID> -ad10,11 -r
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Some options need explaining:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-p<PID> specifies that lsof is to restrict its attention
|
|
Packit |
6f02de |
to the process whose ID is <PID>. You can specify
|
|
Packit |
6f02de |
a set of PIDs by separating them with commas.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -p 1234,5678,9012
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-a specifies that lsof is to AND its tests together.
|
|
Packit |
6f02de |
The two tests that are specified are tests on the
|
|
Packit |
6f02de |
PID and tests on file descriptions (``d9,10'').
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
d9,10 specifies that lsof is to test only file descriptors
|
|
Packit |
6f02de |
9 and 10. Note that the `-' is absent, since ``-a''
|
|
Packit |
6f02de |
is a unary option and can be followed immediately
|
|
Packit |
6f02de |
by another lsof option.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-r tells lsof to list the requested open file information,
|
|
Packit |
6f02de |
sleep for a default 15 seconds, then list the open
|
|
Packit |
6f02de |
file information again. You can specify a different
|
|
Packit |
6f02de |
time (in seconds) after -r and override the default.
|
|
Packit |
6f02de |
Lsof issues a short line of equal signs between
|
|
Packit |
6f02de |
each set of output to distinguish it.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
For an rcp transfer, the above example becomes:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -p<PID> -ad3,4 -r
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
11. Listing Open NFS Files
|
|
Packit |
6f02de |
==========================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Lsof will list all files open on remote file systems, supported
|
|
Packit |
6f02de |
by an NFS server. Just use:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -N
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Note, however, that when run on an NFS server, lsof will not list
|
|
Packit |
6f02de |
files open to the server from one of its clients. That's because
|
|
Packit |
6f02de |
lsof can only examine the processes running on the machine where
|
|
Packit |
6f02de |
it is called -- i.e., on the NFS server.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
If you run lsof on the NFS client, using the -N option, it will
|
|
Packit |
6f02de |
list files open by processes on the client that are on remote
|
|
Packit |
6f02de |
NFS file systems.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
12. Listing Files Open by a Specific Login
|
|
Packit |
6f02de |
==========================================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
If you're interested in knowing what files the processes owned
|
|
Packit |
6f02de |
by a particular login name have open, lsof can help.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -u<login>
|
|
Packit |
6f02de |
or
|
|
Packit |
6f02de |
$ lsof -u<User ID number>
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
You can specify either the login name or the UID associated with
|
|
Packit |
6f02de |
it. You can specify multiple login names and UID numbers, mixed
|
|
Packit |
6f02de |
together, by separating them with commas.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -u548,abe
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
On the subject of login names and UIDs, it's worth noting that
|
|
Packit |
6f02de |
lsof can be told to report either. By default it reports login
|
|
Packit |
6f02de |
names; the -l option switches reporting to UIDs. You might want
|
|
Packit |
6f02de |
to use -l if login name lookup is slow for some reason.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
a. Ignoring a Specific Login
|
|
Packit |
6f02de |
=============================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
The -u option can also be used to direct lsof to ignore a
|
|
Packit |
6f02de |
specific login name or UID, or a list of them. Simply prefix
|
|
Packit |
6f02de |
the login names or UIDs with a `^' character, as you might do
|
|
Packit |
6f02de |
in a regular expression. The `^' prefix is useful, for example,
|
|
Packit |
6f02de |
when you want to have lsof ignore the files open to system
|
|
Packit |
6f02de |
processes, owned by the root (UID 0) login. Try:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -u ^root
|
|
Packit |
6f02de |
or
|
|
Packit |
6f02de |
$ lsof -u ^0
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
13. Listing Files Open to a Specific Process Group
|
|
Packit |
6f02de |
==================================================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
There's a Unix collection of processes called a process group.
|
|
Packit |
6f02de |
The name indicates that the processes of the group have a common
|
|
Packit |
6f02de |
association and are grouped so that a signal sent to one (e.g.,
|
|
Packit |
6f02de |
a keyboard kill stroke) is delivered to all.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
This causes Unix to create a two element process group:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof | less
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
You can use lsof to look at the open files of all members of a
|
|
Packit |
6f02de |
process group, if you know the process group ID number. Assuming
|
|
Packit |
6f02de |
that it is 12717 for the above example, this lsof command:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -g12717 -adcwd
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
would produce on a Solaris 8 system:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -g12717 -adcwd
|
|
Packit |
6f02de |
COMMAND PID PGID USER FD TYPE DEVICE SIZE/OFF NODE NAME
|
|
Packit |
6f02de |
sshd 11369 12717 root cwd VDIR 0,2 189 1449175 /tmp (swap)
|
|
Packit |
6f02de |
sshd 12717 12717 root cwd VDIR 136,0 1024 2 /
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
The ``-g12717'' option specifies the process group ID of interest;
|
|
Packit |
6f02de |
the ``-adcwd'' option specifies that options are to be ANDed and
|
|
Packit |
6f02de |
that lsof should limit file output to information about current
|
|
Packit |
6f02de |
working directory (``cwd'') files.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
14. When Lsof Seems to Hang
|
|
Packit |
6f02de |
===========================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
On occasion when you run lsof it seems to hang and produce no
|
|
Packit |
6f02de |
output. This may result from system conditions beyond the control
|
|
Packit |
6f02de |
of lsof. Lsof has a number of options that may allow you to
|
|
Packit |
6f02de |
bypass the blockage.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
a. Kernel lstat(), readlink(), and stat() Blockages
|
|
Packit |
6f02de |
====================================================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Lsof uses the kernel (system) calls lstat(), readlink(), and
|
|
Packit |
6f02de |
stat() to locate mounted file system information. When a file
|
|
Packit |
6f02de |
system has been mounted from an NFS server and that server is
|
|
Packit |
6f02de |
temporarily unavailable, the calls lsof uses may block in the
|
|
Packit |
6f02de |
kernel.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Lsof will announce that it is being blocked with warning messages
|
|
Packit |
6f02de |
(unless they have been suppressed by the lsof builder), but
|
|
Packit |
6f02de |
only after a default waiting period of fifteen seconds has
|
|
Packit |
6f02de |
expired for each file system whose server is unavailable. If
|
|
Packit |
6f02de |
you have a number of such file systems, the total wait may be
|
|
Packit |
6f02de |
unacceptably long.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
You can do two things to shorten your suffering: 1) reduce the
|
|
Packit |
6f02de |
wait time with the -S option; or 2) tell lsof to avoid the
|
|
Packit |
6f02de |
kernel calls that might block by specifying the -b option.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -S 5
|
|
Packit |
6f02de |
or
|
|
Packit |
6f02de |
$ lsof -b
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Avoiding the kernel calls that might block may result in the
|
|
Packit |
6f02de |
lack of some information that lsof needs to know about mounted
|
|
Packit |
6f02de |
file systems. Thus, when you use -b, lsof warns that it might
|
|
Packit |
6f02de |
lack important information.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
The warnings that result from using -b (unless suppressed by
|
|
Packit |
6f02de |
the lsof builder) can themselves be annoying. You can suppress
|
|
Packit |
6f02de |
them by adding the -w option. (Of course, if you do, you won't
|
|
Packit |
6f02de |
know what warning messages lsof might have issued.)
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -bw
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Note: if the lsof builder suppressed warning message issuance,
|
|
Packit |
6f02de |
you don't need to use -w to suppress them. You can tell what
|
|
Packit |
6f02de |
the default state of message warning issuance is by looking at
|
|
Packit |
6f02de |
the -h (help) output. If it says ``-w enable warnings'' then
|
|
Packit |
6f02de |
warnings are disabled by default; ``-w disable warnings'', they
|
|
Packit |
6f02de |
are enabled by default.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
b. Problems with /dev or /devices
|
|
Packit |
6f02de |
==================================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Lsof scans the /dev or /devices branch of your file system to
|
|
Packit |
6f02de |
obtain information about your system's devices. (The scan isn't
|
|
Packit |
6f02de |
necessary when a device cache file exists.)
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Sometimes that scan can take a very long time, especially if
|
|
Packit |
6f02de |
you have a large number of devices, and if your kernel is
|
|
Packit |
6f02de |
relatively slow to process the stat() system call on device
|
|
Packit |
6f02de |
nodes. You can't do anything about the stat() system call
|
|
Packit |
6f02de |
speed.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
However, you can make sure that lsof is allowed to use its
|
|
Packit |
6f02de |
device cache file feature. When lsof can use a device cache
|
|
Packit |
6f02de |
file, it retains information it gleans via the stat() calls
|
|
Packit |
6f02de |
on /dev or /devices in a separate file for later, faster
|
|
Packit |
6f02de |
access.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
The device cache file feature is described in the lsof man
|
|
Packit |
6f02de |
page. See the DEVICE CACHE FILE, LSOF PERMISSIONS THAT AFFECT
|
|
Packit |
6f02de |
DEVICE CACHE FILE ACCESS, DEVICE CACHE FILE PATH FROM THE -D
|
|
Packit |
6f02de |
OPTION, DEVICE CACHE PATH FROM AN ENVIRONMENT VARIABLE,
|
|
Packit |
6f02de |
SYSTEM-WIDE DEVICE CACHE PATH, PERSONAL DEVICE CACHE PATH
|
|
Packit |
6f02de |
(DEFAULT), and MODIFIED PERSONAL DEVICE CACHE PATH sections.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
There is also a separate file in the lsof distribution, named
|
|
Packit |
6f02de |
00DCACHE, that describes the device cache file in detail,
|
|
Packit |
6f02de |
including information about possible security problems.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
One final observation: don't overlook the possibility that your
|
|
Packit |
6f02de |
/dev or /devices tree might be damaged. See if
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ ls -R /dev
|
|
Packit |
6f02de |
or
|
|
Packit |
6f02de |
$ ls -R /devices
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
completes or hangs. If it hangs, then lsof will probably hang,
|
|
Packit |
6f02de |
too, and you should try to discover why ls hangs.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
c. Host and Service Name Lookup Hangs
|
|
Packit |
6f02de |
======================================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Lsof can hang up when it tries to convert an Internet dot-form
|
|
Packit |
6f02de |
address to a host name, or a port number to a service name. Both
|
|
Packit |
6f02de |
hangs are caused by the lookup functions of your system.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
An independent check for both types of hangs can be made with
|
|
Packit |
6f02de |
the netstat program. Run it without arguments. If it hangs,
|
|
Packit |
6f02de |
then it is probably having lookup difficulties. When you run
|
|
Packit |
6f02de |
it with -n it shouldn't hang and should report network and port
|
|
Packit |
6f02de |
numbers instead of names.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Lsof has two options that serve the same purpose as netstat's
|
|
Packit |
6f02de |
-n option. The lsof -n option tells it to avoid host name
|
|
Packit |
6f02de |
lookups; and -P, service name lookups. Try those options when
|
|
Packit |
6f02de |
you suspect lsof may be hanging because of lookup problems.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -n
|
|
Packit |
6f02de |
or
|
|
Packit |
6f02de |
$ lsof -P
|
|
Packit |
6f02de |
or
|
|
Packit |
6f02de |
$ lsof -nP
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
d. UID to Login Name Conversion Delays
|
|
Packit |
6f02de |
=======================================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
By default lsof converts User IDentification (UID) numbers to
|
|
Packit |
6f02de |
login names when it produces output. That conversion process
|
|
Packit |
6f02de |
may sometimes hang because of system problems or interlocks.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
You can tell lsof to skip the lookup with the -l option; it
|
|
Packit |
6f02de |
will then report UIDs in the USER column.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -l
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
15. Output for Other Programs
|
|
Packit |
6f02de |
=============================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
The -F option allows you to specify that lsof should describe
|
|
Packit |
6f02de |
open files with a special form of output, called field output,
|
|
Packit |
6f02de |
that can be parsed easily by a subsequent program. The lsof
|
|
Packit |
6f02de |
distribution comes with sample AWK, Perl 4, and Perl 5 scripts
|
|
Packit |
6f02de |
that post-process field output. The lsof test suite has a C
|
|
Packit |
6f02de |
library that could be adapted for use by C programs that want to
|
|
Packit |
6f02de |
process lsof field output from an in-bound pipe.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
The lsof manual page describes field output in detail in its
|
|
Packit |
6f02de |
OUTPUT FOR OTHER PROGRAMS section. A quick look at a sample
|
|
Packit |
6f02de |
script in the scripts/ subdirectory of the lsof distribution will
|
|
Packit |
6f02de |
also give you an idea how field output works.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
The most important thing about field output is that it is relatively
|
|
Packit |
6f02de |
homogeneous across Unix dialects. Thus, if you write a script
|
|
Packit |
6f02de |
to post-process field output for AIX, it probably will work for
|
|
Packit |
6f02de |
HP-UX, Solaris, and Ultrix as well.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
16. The Lsof Exit Code and Shell Scripts
|
|
Packit |
6f02de |
========================================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
When lsof exits successfully it returns an exit code based on
|
|
Packit |
6f02de |
the result of its search for specified files. (If no files were
|
|
Packit |
6f02de |
specified, then the successful exit code is 0 (zero).)
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
If lsof was asked to search for specific files, including any
|
|
Packit |
6f02de |
files on specified file systems, it returns an exit code of 0
|
|
Packit |
6f02de |
(zero) if it found all the specified files and at least one file
|
|
Packit |
6f02de |
on each specified file system. Otherwise it returns a 1 (one).
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
If lsof detects an error and makes an unsuccessful exit, it
|
|
Packit |
6f02de |
returns an exit code of 1 (one).
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
You can use the exit code in a shell script to search for files
|
|
Packit |
6f02de |
on a file system and take action based on the result -- e.g.,
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
#!/bin/sh
|
|
Packit |
6f02de |
lsof <file_system_name> > /dev/null 2>&1
|
|
Packit |
6f02de |
if test $? -eq 0
|
|
Packit |
6f02de |
then
|
|
Packit |
6f02de |
echo "<file_system_name> has some users."
|
|
Packit |
6f02de |
else
|
|
Packit |
6f02de |
echo "<file_system_name> may have no users."
|
|
Packit |
6f02de |
fi
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
17. Strange messages in the NAME column
|
|
Packit |
6f02de |
=======================================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
When lsof encounters problems analyzing a particular file, it may
|
|
Packit |
6f02de |
put a message in the file's NAME column. Many of those messages
|
|
Packit |
6f02de |
are explained in the 00FAQ file of the lsof distribution.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
So consult 00FAQ first if you encounter a NAME column message you
|
|
Packit |
6f02de |
don't understand. (00FAQ is a possible source of information
|
|
Packit |
6f02de |
about other unfamiliar things in lsof output, too.)
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
If you can't find help in 00FAQ, you can use grep to look in the
|
|
Packit |
6f02de |
lsof source files for the message -- e.g.,
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ cd .../lsof_4.76_src
|
|
Packit |
6f02de |
$ grep "can't identify protocol" *.[ch]
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
The code associated with the message will usually make clear the
|
|
Packit |
6f02de |
reason for the message.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
If you have an lsof source tree that has been processed by the
|
|
Packit |
6f02de |
lsof Configure script, you need grep only there. If, however,
|
|
Packit |
6f02de |
your source tree hasn't been processed by Configure, you may
|
|
Packit |
6f02de |
have to look in the top-level lsof source directory and in the
|
|
Packit |
6f02de |
dialects sub-directory for the UNIX dialect you are using - e.g.,
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ cd .../lsof_4.76_src
|
|
Packit |
6f02de |
$ grep "can't identify protocol" *.[ch]
|
|
Packit |
6f02de |
$ cd dialects/Linux
|
|
Packit |
6f02de |
$ grep "can't identify protocol" *.[ch]
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
In rare cases you may have to look in the lsof library, too --
|
|
Packit |
6f02de |
e.g.,
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ cd .../lsof_4.76_src
|
|
Packit |
6f02de |
$ grep "can't identify protocol" *.[ch]
|
|
Packit |
6f02de |
$ cd dialects/Linux
|
|
Packit |
6f02de |
$ grep "can't identify protocol" *.[ch]
|
|
Packit |
6f02de |
$ cd ../../lib
|
|
Packit |
6f02de |
$ grep "can't identify protocol" *.[ch]
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Options
|
|
Packit |
6f02de |
=======
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
The following appendices describe the lsof options in detail.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
A. Selection Options
|
|
Packit |
6f02de |
====================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Lsof has a rich set of options for selecting the files to be
|
|
Packit |
6f02de |
displayed. These include:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-a tells lsof to AND the set of selection options that
|
|
Packit |
6f02de |
are specified. Normally lsof ORs them.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
For example, if you specify the -p<PID> and -u<UID>
|
|
Packit |
6f02de |
options, lsof will display all files for the
|
|
Packit |
6f02de |
specified PID or for the specified UID.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
By adding -a, you specify that the listed files
|
|
Packit |
6f02de |
should be limited to PIDs owned by the specified
|
|
Packit |
6f02de |
UIDs -- i.e., they match the PIDs *and* the UIDs.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -p1234 -au 5678
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-c specifies that lsof should list files belonging
|
|
Packit |
6f02de |
to processes having the associated command name.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Hint: if you want to select files based on more than
|
|
Packit |
6f02de |
one command name, use multiple -c<name> specifications.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -clsof -cksh
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-d tells lsof to select by the associated file descriptor
|
|
Packit |
6f02de |
(FD) set. An FD set is a comma-separated list of
|
|
Packit |
6f02de |
numbers and the names lsof normally displays in
|
|
Packit |
6f02de |
its FD column: cwd, Lnn, ltx, <number>, etc. See
|
|
Packit |
6f02de |
the OUTPUT section of the lsof man page for the
|
|
Packit |
6f02de |
complete list of possible file descriptors. Example:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -dcwd,0,1,2
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-g tells lsof to select by the associated process
|
|
Packit |
6f02de |
group ID (PGID) set. The PGID set is a comma-separated
|
|
Packit |
6f02de |
list of PGID numbers. When -g is specified, it also
|
|
Packit |
6f02de |
enables the display of PGID numbers.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Note: when -g isn't followed by a PGID set, it
|
|
Packit |
6f02de |
simply selects the listing of PGID for all processes.
|
|
Packit |
6f02de |
Examples:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -g
|
|
Packit |
6f02de |
$ lsof -g1234,5678
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-i tells lsof to display Internet socket files. If no
|
|
Packit |
6f02de |
protocol/address/port specification follows -i,
|
|
Packit |
6f02de |
lsof lists all Internet socket files.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
If a specification follows -i, lsof lists only the
|
|
Packit |
6f02de |
socket files whose Internet addresses match the
|
|
Packit |
6f02de |
specification.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Hint: multiple addresses may be specified with
|
|
Packit |
6f02de |
multiple -i options. Examples:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -iTCP
|
|
Packit |
6f02de |
$ lsof -i@lsof.itap.purdue.edu:sendmail
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-N selects the listing of files mounted on NFS devices.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-U selects the listing of socket files in the Unix
|
|
Packit |
6f02de |
domain.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
B. Output Options
|
|
Packit |
6f02de |
==================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Lsof has these options to control its output format:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-F produce output that can be parsed by a subsequent
|
|
Packit |
6f02de |
program.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-g print process group (PGID) IDs.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-l list UID numbers instead of login names.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-n list network numbers instead of host names.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-o always list file offset.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-P list port numbers instead of port service names.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-s always list file size.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
C. Precautionary Options
|
|
Packit |
6f02de |
=========================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Lsof uses system functions that can block or take a long time,
|
|
Packit |
6f02de |
depending on the health of the Unix dialect supporting it. These
|
|
Packit |
6f02de |
include:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-b directs lsof to avoid system functions -- e.g.,
|
|
Packit |
6f02de |
lstat(2), readlink(2), stat(2) -- that might block
|
|
Packit |
6f02de |
in the kernel. See the BLOCKS AND TIMEOUTS
|
|
Packit |
6f02de |
section of the lsof man page.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
You might want to use this option when you have
|
|
Packit |
6f02de |
a mount from an NFS server that is not responding.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-C tells lsof to ignore the kernel's name cache. As
|
|
Packit |
6f02de |
a precaution this option will have little effect on
|
|
Packit |
6f02de |
lsof performance, but might be useful if the kernel's
|
|
Packit |
6f02de |
name cache is scrambled. (I've never seen that
|
|
Packit |
6f02de |
happen.)
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-D might be used to direct lsof to ignore an existing
|
|
Packit |
6f02de |
device cache file and generate a new one from /dev
|
|
Packit |
6f02de |
(and /devices). This might be useful if you have
|
|
Packit |
6f02de |
doubts about the integrity of an existing device
|
|
Packit |
6f02de |
cache file.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-l tells lsof to list UID numbers instead of login
|
|
Packit |
6f02de |
names -- this is useful when UID to login name
|
|
Packit |
6f02de |
conversion is slow or inoperative.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-n tells lsof to avoid converting Internet addresses
|
|
Packit |
6f02de |
to host numbers. This might be useful when your
|
|
Packit |
6f02de |
host name lookup (e.g., DNS) is inoperative.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-O tells lsof to avoid its strategy of forking to
|
|
Packit |
6f02de |
perform potentially blocking kernel operations.
|
|
Packit |
6f02de |
While the forking allows lsof to detect that a
|
|
Packit |
6f02de |
block has occurred (and possibly break it), the
|
|
Packit |
6f02de |
fork operation is a costly one. Use the -O option
|
|
Packit |
6f02de |
with care, lest your lsof be blocked.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-P directs lsof to list port numbers instead of trying
|
|
Packit |
6f02de |
to convert them to port service names. This might
|
|
Packit |
6f02de |
be useful if port to service name lookups (e.g.,
|
|
Packit |
6f02de |
via NIS) are slow or failing.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-S can be used to change the lstat/readlink/stat
|
|
Packit |
6f02de |
timeout interval that governs how long lsof waits
|
|
Packit |
6f02de |
for response from the kernel. This might be useful
|
|
Packit |
6f02de |
when an NFS server is slow or unresponsive. When
|
|
Packit |
6f02de |
lsof times out of a kernel function, it may have
|
|
Packit |
6f02de |
less information to display. Example:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -S2
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-w tells lsof to avoid issuing warning messages, if
|
|
Packit |
6f02de |
they are enabled by default, or enable them if they
|
|
Packit |
6f02de |
are disabled by default. Check the -h (help) output
|
|
Packit |
6f02de |
to determine their status. If it says ``-w enable
|
|
Packit |
6f02de |
warnings'', then warning messages are disabled by
|
|
Packit |
6f02de |
default; ``-w disable warnings'', they are enabled
|
|
Packit |
6f02de |
by default.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
This may be a useful option, for example, when you
|
|
Packit |
6f02de |
specify -b, if warning messages are enabled, because
|
|
Packit |
6f02de |
it will suppress the warning messages lsof issues
|
|
Packit |
6f02de |
about avoiding functions that might block in the
|
|
Packit |
6f02de |
kernel.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
D. Miscellaneous Lsof Options
|
|
Packit |
6f02de |
==============================
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
There are some lsof options that are hard to classify, including:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-? these options select help output.
|
|
Packit |
6f02de |
-h
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-F selects field output. Field output is a mode where
|
|
Packit |
6f02de |
lsof produces output that can be parsed easily by
|
|
Packit |
6f02de |
subsequent programs -- e.g., AWK or Perl scripts.
|
|
Packit |
6f02de |
See ``15. Output for Other Programs'' for more
|
|
Packit |
6f02de |
information.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-k specifies an alternate kernel symbol file -- i.e.,
|
|
Packit |
6f02de |
where nlist() will get its information. Example:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -k/usr/crash/vmunix.1
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-m specifies an alternate kernel memory file from
|
|
Packit |
6f02de |
which lsof will read kernel structures in place
|
|
Packit |
6f02de |
of /dev/kmem or kvm_read(). Example:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -m/usr/crash/vmcore.n
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-r tells lsof to repeat its scan every 15 seconds (the
|
|
Packit |
6f02de |
default when no associated value is specified). A
|
|
Packit |
6f02de |
repeat time, different from the default, can follow
|
|
Packit |
6f02de |
-r. Example:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -r30
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-v displays information about the building of the
|
|
Packit |
6f02de |
lsof executable.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
-- The double minus sign option may be used to
|
|
Packit |
6f02de |
signal the end of options. It's particularly useful
|
|
Packit |
6f02de |
when arguments to the last option are optional and
|
|
Packit |
6f02de |
you want to supply a file path that could be confused
|
|
Packit |
6f02de |
for arguments to the last option. Example:
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
$ lsof -g -- 1
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Where `1' is a file path, not PGID ID 1.
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
|
|
Packit |
6f02de |
Vic Abell <abe@purdue.edu>
|
|
Packit |
6f02de |
October 13, 2014
|