Checking On Open Files and Sockets with lsof

Have you ever tried to umount a filesystem, only to find that some process was still using it?

[root@host]# umount /mnt
umount: /mnt: device is busy 

To quickly hunt down what processes are still using /mnt, try the lsof tool:

[root@host]# lsof /mnt
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
bash 30951 rob cwd DIR 7,0 1024 2 /mnt 

Ah, apparently rob is cd'd to /mnt (since his bash process has it set as its cwd). lsof will list all open files, directories, libraries, sockets, and devices associated with a particular process. In the above example, we specified a mount point and had lsof show us the associated processes. To do the reverse (show files associated with a PID), use the -p switch:

[root@host]# lsof -p 30563

If you'd rather specify the process by name, use -c:

[root@host]# lsof -c syslogd 

You can also specify special devices on the command line. For example, let's see what the user on pts/0 is up to:

[root@host]# lsof /dev/pts/0

If you need to specify multiple switches, they are ORed with each other by default. To require all switches (that is, to AND them) include the -a flag on each switch you want to AND. For example, to see all of the open files associated with vi processes that rob is running, try this:

[root@host]# lsof -u rob -ac vi 

If you'd like to examine open sockets and their associated processes (like a netstat -p), try the -i switch:

[root@host]# lsof -i -n
COMMAND     PID     USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
sshd        302  kivanov    3u  IPv4 2726435534      0t0  TCP 11.12.99.18:ssh->11.6.60.134:56727 (ESTABLISHED)
puppetmas   946   puppet    7u  IPv4 2707586260      0t0  TCP *:8140 (LISTEN)
snmpd      1118     snmp    8u  IPv4       4053      0t0  UDP *:snmp

[root@host]# lsof -i TCP:443
COMMAND   PID     USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
apache2  4364     root    4u  IPv4 1700297415      0t0  TCP *:https (LISTEN)
python   8766 www-data    5u  IPv4 1991759475      0t0  TCP 11.11.99.43:56247->11.13.65.159:https (ESTABLISHED)
apache2 15045 www-data    4u  IPv4 1700297415      0t0  TCP *:https (LISTEN)
python  16524 www-data    5u  IPv4 1865357034      0t0  TCP 11.11.99.44:42225->11.13.65.152:https (CLOSE_WAIT)
python  16524 www-data    6u  IPv4 1865357436      0t0  TCP 11.11.99.44:47789->11.7.124.31:https (CLOSE_WAIT)
python  16524 www-data    7u  IPv4 1865357514      0t0  TCP 11.11.99.44:57493->11.9.152.111:https (ESTABLISHED)
apache2 22970 www-data    4u  IPv4 1700297415      0t0  TCP *:https (LISTEN)

Note that you must be root to run lsof for many functions, including retrieving open socket information. lsof is a complex and very flexible tool, giving you as much (or as little) detail as you need about what files are in use by every running process on your system.

No comments:

Post a Comment