Linux command power tool: lsof

Keywords: Linux Unix server

lsof is the über-tool of system administration and security. Its name is literal: it means "list open files". One thing to remember is that in Unix, everything (including network sockets) is a file.

Interestingly, lsof is also one of the Linux/Unix commands with the most switches. It has a great many of them, and many accept both the - and the + prefix.

usage:  [-?abhlnNoOPRstUvV]  [+|-c c]  [+|-d s]  [+D D]  [+|-f[cgG]]
        [-F [f]]  [-g [s]]  [-i [i]]  [+|-L [l]]  [+|-M]  [-o [o]]
        [-p s]  [+|-r [t]]  [-S [t]]  [-T [t]]  [-u s]  [+|-w]  [-x [fl]]  [--]  [names]

As you can see, lsof has an amazing number of options. You can use it to get information about the devices on your system, find out what a given user is touching in a given location, or even see which files or network connections a process is using.

For me, lsof replaces netstat and ps entirely. It gives me everything those tools give, and much more. Let's take a look at some of its basic capabilities:

Key options

It is important to understand some key things about how lsof works. Most importantly, when you pass several options, the default behavior is to OR the results. So if you use -i to pull a port list and -p to pull a process list, by default you get both.

Here are some other things to keep in mind:

  • Default: with no options, lsof lists all open files of all active processes
  • Combination: options can be combined, such as -abc, but be careful about which options require parameters
  • -a: AND the results together (instead of OR)
  • -l: show the user ID instead of the user name in the output
  • -t: output process IDs ONLY
  • -h: get help
  • -U: select UNIX domain socket files
  • -F: format the output for use by other commands. Many layouts are possible, such as -F pcfn (for process ID, command name, file descriptor, file name, and null termination)
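The -F layout is easy to feed to other commands, but the records have to be reassembled first: the p and c lines appear once per process and apply to every f/n pair that follows. The script below is an added example, not code from the original article; it converts -F pcfn output into one "PID COMMAND FD NAME" row per open file. The sample input is constructed from the article's sshd listing, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not code from the original article): convert `lsof -F pcfn`
# output into one "PID COMMAND FD NAME" row per open file, so other tools can
# consume it without guessing at column widths.
#
# With -F, lsof prints one field per line, each prefixed with a single letter:
# p = process ID, c = command name, f = file descriptor, n = file name.
# The p and c lines appear once per process and apply to every f/n pair
# that follows them, so the parser carries them forward.

lsof_f_to_rows() {
    awk '
        /^p/ { pid = substr($0, 2); next }          # start of a new process
        /^c/ { cmd = substr($0, 2); next }          # its command name
        /^f/ { fd  = substr($0, 2); next }          # descriptor of the next file
        /^n/ { print pid, cmd, fd, substr($0, 2) }  # name completes one file record
    '
}

# Count how many rows belong to one PID in -F output read from stdin.
count_files_for_pid() {
    lsof_f_to_rows | awk -v want="$1" '$1 == want { n++ } END { print n + 0 }'
}

# Constructed sample (not captured from a real host) of what
# `lsof -i -F pcfn` would print for the two sshd processes in the article.
SAMPLE_F_OUTPUT='p7703
csshd
f3
n*:ssh
p7892
csshd
f3
n10.10.1.5:ssh->192.168.1.5:49901'

# Rows for the constructed sample; used by the demo below.
sample_rows() {
    printf '%s\n' "$SAMPLE_F_OUTPUT" | lsof_f_to_rows
}

# Demo on the sample. On a live system the pipeline would be:
#   lsof -i -F pcfn | lsof_f_to_rows
sample_rows
```

Because the parser only keys on the one-letter prefixes, it keeps working when lsof prints extra fields you did not ask for; any line whose prefix it does not know is simply ignored.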

Get network information

As I said, I mainly use lsof to get information about how the system interacts with the network. Here are some of the things you can look at:

Use -i to show all connections

Some people like to use netstat to get network connections, but I prefer lsof. The results are presented in a way that is very intuitive to me, and I can get more information from the same command just by changing the syntax.

Syntax: lsof -i[46] [protocol][@hostname|hostaddr][:service|port]

# lsof -i

COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
dhcpcd 6061 root 4u  IPv4  4510 UDP *:bootpc
sshd  7703 root 3u  IPv6  6499 TCP *:ssh  (LISTEN)
sshd  7892 root 3u  IPv6  6757 TCP 10.10.1.5:ssh->192.168.1.5:49901  (ESTABLISHED)

Use -i 6 to get only IPv6 traffic

# lsof -i 6

Show only TCP connections (and likewise for UDP)

You can show only TCP or only UDP connections by giving the protocol after -i.

# lsof -iTCP

COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
sshd  7703 root 3u  IPv6  6499 TCP *:ssh  (LISTEN)
sshd  7892 root 3u  IPv6  6757 TCP 10.10.1.5:ssh->192.168.1.5:49901  (ESTABLISHED)

Use -i :port to show network information for a specific port

You can also search by port, which is handy for finding out what is stopping another application from binding to a given port.

# lsof -i :22

COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
sshd  7703 root 3u  IPv6  6499 TCP *:ssh  (LISTEN)
sshd  7892 root 3u  IPv6  6757 TCP 10.10.1.5:ssh->192.168.1.5:49901  (ESTABLISHED)

Use @host to show connections to a specific host

This is useful for checking whether there are open connections to a particular host on the network or on the Internet.

# lsof -i@172.16.12.5

sshd  7892 root 3u  IPv6  6757 TCP 10.10.1.5:ssh->172.16.12.5:49901  (ESTABLISHED)

Use @host:port to show connections to a specific host and port

You can also combine the host and port filters.

# lsof -i@172.16.12.5:22

sshd  7892 root 3u  IPv6  6757 TCP 10.10.1.5:ssh->172.16.12.5:49901  (ESTABLISHED)

Find listening ports

Find the ports that are waiting for connections.

# lsof -i -sTCP:LISTEN

You can also grep for "LISTEN" to do the same job.

# lsof -i | grep -i LISTEN

iTunes 400 daniel 16u  IPv4  0x4575228  0t0 TCP *:daap (LISTEN)

Find established connections

You can also show only the connections that are currently connected.

# lsof -i -sTCP:ESTABLISHED

You can also do this by grepping for "ESTABLISHED".

# lsof -i | grep -i ESTABLISHED

firefox-b 169 daniel 49u  IPv4  0t0 TCP 1.2.3.3:1863->1.2.3.4:http (ESTABLISHED)
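Grepping for LISTEN or ESTABLISHED answers one question at a time. When reviewing a host, the useful summary is the set of listeners, the UDP sockets (which have no state and so never match either grep), and the number of established connections per remote address. The script below is an added example, not code from the original article; it runs that summary over constructed lsof -i output modelled on the listings above, with one extra connection from the same peer added to show the counting. Function names are the example's own.

```shell
#!/bin/sh
# Added example (not code from the original article): a small audit pass over
# the output of `lsof -i`. It pulls out listening TCP sockets, UDP sockets, and
# the number of ESTABLISHED connections per remote address, which is what you
# compare against what the host is expected to be doing.
#
# The functions read lsof output on stdin and rely only on the last two
# columns, because column positions vary between lsof versions.

# Listening TCP sockets as "COMMAND PID LOCAL-ADDRESS".
list_listeners() {
    awk '$NF == "(LISTEN)" { print $1, $2, $(NF-1) }'
}

# UDP sockets have no connection state, so lsof prints no "(...)" column for
# them; the protocol sits in the last-but-one column and the address last.
list_udp_sockets() {
    awk '$(NF-1) == "UDP" { print $1, $2, $NF }'
}

# "COUNT REMOTE-ADDRESS" for ESTABLISHED connections, busiest peer first.
# NAME looks like local:port->remote:port; keep the remote half without port.
established_per_remote() {
    awk '$NF == "(ESTABLISHED)" {
            split($(NF-1), ends, "->")
            sub(/:[^:]*$/, "", ends[2])      # drop the remote port
            count[ends[2]]++
         }
         END { for (host in count) print count[host], host }' | sort -rn
}

# Constructed sample (not captured from a real host), modelled on the
# article's own lsof -i listings plus one extra connection from the same peer.
SAMPLE_LSOF_I='COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dhcpcd    6061   root    4u  IPv4   4510      0t0  UDP *:bootpc
sshd      7703   root    3u  IPv6   6499      0t0  TCP *:ssh (LISTEN)
sshd      7892   root    3u  IPv6   6757      0t0  TCP 10.10.1.5:ssh->192.168.1.5:49901 (ESTABLISHED)
sshd      7893   root    3u  IPv6   6758      0t0  TCP 10.10.1.5:ssh->192.168.1.5:49905 (ESTABLISHED)
firefox-b  169 daniel   49u  IPv4   5001      0t0  TCP 1.2.3.3:1863->1.2.3.4:http (ESTABLISHED)'

# Demo on the sample. On a live system: lsof -i -n -P | established_per_remote
echo "listeners:";   printf '%s\n' "$SAMPLE_LSOF_I" | list_listeners
echo "udp:";         printf '%s\n' "$SAMPLE_LSOF_I" | list_udp_sockets
echo "established:"; printf '%s\n' "$SAMPLE_LSOF_I" | established_per_remote
```

On a live system run lsof with -n (and -P, which likewise keeps port numbers numeric) before piping into these functions, otherwise the remote column carries resolved names and one peer can appear under several spellings.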

User information

You can also get information about the various users and what they are doing on the system, including their network activity, file operations and so on.

Use -u to show what a specific user has open

# lsof -u daniel

-- snipped --
Dock  155 daniel  txt REG 14,2  2798436  823208  /usr/lib/libicucore.A.dylib
Dock  155 daniel  txt REG 14,2  1580212  823126  /usr/lib/libobjc.A.dylib
Dock  155 daniel  txt REG 14,2  2934184  823498  /usr/lib/libstdc++.6.0.4.dylib
Dock  155 daniel  txt REG 14,2  132008  823505  /usr/lib/libgcc_s.1.dylib
Dock  155 daniel  txt REG 14,2  212160  823214  /usr/lib/libauto.dylib
-- snipped --

Use -u ^user to show what every user except the specified one has open

# lsof -u ^daniel

-- snipped --
Dock  155 jim  txt REG 14,2  2798436  823208  /usr/lib/libicucore.A.dylib
Dock  155 jim  txt REG 14,2  1580212  823126  /usr/lib/libobjc.A.dylib
Dock  155 jim  txt REG 14,2  2934184  823498  /usr/lib/libstdc++.6.0.4.dylib
Dock  155 jim  txt REG 14,2  132008  823505  /usr/lib/libgcc_s.1.dylib
Dock  155 jim  txt REG 14,2  212160  823214  /usr/lib/libauto.dylib
-- snipped --

Kill everything a specific user is running

It is handy to be able to kill everything a given user is running.

# kill -9 `lsof -t -u daniel`

Commands and processes

It is often useful to see what a given program or process has open, and lsof lets you filter by name or by process ID. Some options are listed below:

Use -c to see the files and network connections a specific command is using

# lsof -c syslog-ng

COMMAND    PID USER   FD   TYPE     DEVICE    SIZE       NODE NAME
syslog-ng 7547 root  cwd    DIR 3,3  4096  2  /
syslog-ng 7547 root  rtd    DIR 3,3  4096  2  /
syslog-ng 7547 root  txt    REG 3,3  113524  1064970  /usr/sbin/syslog-ng
-- snipped --

Use -p to see what a specific process ID has open

# lsof -p 10075

-- snipped --
sshd  10068 root  mem    REG 3,3  34808  850407  /lib/libnss_files-2.4.so
sshd  10068 root  mem    REG 3,3  34924  850409  /lib/libnss_nis-2.4.so
sshd  10068 root  mem    REG 3,3  26596  850405  /lib/libnss_compat-2.4.so
sshd  10068 root  mem    REG 3,3  200152  509940  /usr/lib/libssl.so.0.9.7
sshd  10068 root  mem    REG 3,3  46216  510014  /usr/lib/liblber-2.3
sshd  10068 root  mem    REG 3,3  59868  850413  /lib/libresolv-2.4.so
sshd  10068 root  mem    REG 3,3  1197180  850396  /lib/libc-2.4.so
sshd  10068 root  mem    REG 3,3  22168  850398  /lib/libcrypt-2.4.so
sshd  10068 root  mem    REG 3,3  72784  850404  /lib/libnsl-2.4.so
sshd  10068 root  mem    REG 3,3  70632  850417  /lib/libz.so.1.2.3
sshd  10068 root  mem    REG 3,3  9992  850416  /lib/libutil-2.4.so
-- snipped --

The -t option returns only the PID

# lsof -t -c Mail

350

Files and directories

By looking at a specific file or directory, you can see every resource on the system that interacts with it, including users, processes and so on.

Show everything that interacts with a specific directory

# lsof /var/log/messages/

COMMAND    PID USER   FD   TYPE DEVICE   SIZE   NODE NAME
syslog-ng 7547 root 4w REG 3,3  217309  834024  /var/log/messages

Show everything that interacts with a specific file

# lsof /home/daniel/firewall_whitelist.txt

Advanced Usage

Like tcpdump, lsof shows its real power once you start combining queries.

Show everything daniel is doing while connected to 1.1.1.1

# lsof -u daniel -i @1.1.1.1

bkdr 1893 daniel 3u  IPv6  3456 TCP 10.10.1.10:1234->1.1.1.1:31337  (ESTABLISHED)

Use the -t and -c options together to send a HUP signal to processes

# kill -HUP `lsof -t -c sshd`

lsof +L1 shows all open files with a link count of less than 1

This often (but not always) indicates that an attacker is trying to hide a file's contents by deleting its directory entry while keeping it open.

# lsof +L1

(hopefully nothing)
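"Hopefully nothing" is the right expectation, but on a real host the +L1 list is rarely empty, so it is worth turning into a check that runs regularly and reports what it finds. The script below is an added example, not code from the original article; it extracts PID, command and path for each entry that Linux marks as "(deleted)" and returns a count that a monitoring job can threshold on. The sample output is constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not code from the original article): a check that can run
# from cron over `lsof +L1` output. On Linux, an unlinked file that a process
# still holds open is printed with the suffix "(deleted)" in the NAME column;
# the first function extracts PID, command and path for each such entry and
# the second returns the count for alerting.
#
# Column counts vary between entries and lsof versions, so instead of reading
# NAME by position the path is taken as the text from the first " /" on the
# line, which also keeps paths containing spaces intact.

# "PID COMMAND PATH" for every open-but-deleted file in lsof +L1 output (stdin).
deleted_open_files() {
    awk '/\(deleted\)$/ {
            i = index($0, " /")              # NAME is the first path on the line
            path = substr($0, i + 1)
            sub(/ \(deleted\)$/, "", path)   # strip the marker, keep the path
            print $2, $1, path
         }'
}

# Number of open-but-deleted files; handy as a threshold in a monitoring job.
deleted_open_count() {
    deleted_open_files | awk 'END { print NR + 0 }'
}

# Constructed sample (not captured from a real host) of `lsof +L1` output:
# a rotated log still held by a shell, a cache file held by a daemon, and an
# anonymous memfd file, which the kernel also reports as deleted.
SAMPLE_L1='COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NLINK   NODE NAME
bash    2101 daniel   3r    REG  253,0     4096     0 131073 /tmp/staging.log (deleted)
updater 2222   root   5u    REG  253,0    98304     0 262401 /var/lib/updater/cache.db (deleted)
worker  3303   root   7u    REG    0,1  2097152     0   4567 /memfd:jit-cache (deleted)'

# Demo on the sample. On a live system: lsof +L1 | deleted_open_files
printf '%s\n' "$SAMPLE_L1" | deleted_open_files
echo "count: $(printf '%s\n' "$SAMPLE_L1" | deleted_open_count)"
```

Treat the list as something to review rather than act on automatically: log rotation leaves daemons holding deleted log files for a while, and memfd-backed files always show up this way, so the interesting entries are the ones whose owning process or path you cannot explain.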

Show open connections for a port range

# lsof -i @fw.google.com:2150-2180

Conclusion

This introductory tutorial is just a glimpse of what lsof can do. For the complete reference, run man lsof or read the online version. I hope this article is useful to you; your comments and corrections are welcome.

Resources

This article was written by Daniel Miessler and was first posted on his blog.

By default lsof can only be run by root: an ordinary user can see /usr/sbin/lsof, but running it reports "permission denied".

Let me summarize the usage of the lsof command:

lsof abc.txt shows the processes that have the file abc.txt open

lsof -i :22 shows which program is using port 22

lsof -c abc shows the files that the abc process currently has open

lsof -g gid shows the processes belonging to group ID gid

lsof +d /usr/local/ shows the files in that directory that processes have open

lsof +D /usr/local/ is the same as above, but also searches the subdirectories, which takes longer

lsof -d 4 shows the processes using fd 4

lsof -i shows the processes that match the given network conditions

Syntax: lsof -i[46] [protocol][@hostname|hostaddr][:service|port]

46 --> IPv4 or IPv6

protocol --> TCP or UDP

hostname --> Internet host name

hostaddr --> IPv4 address

service --> service name from /etc/services (can be more than one)

port --> port number (can be more than one)

Examples: TCP:25 - TCP and port 25

@1.2.3.4 - Internet IPv4 host address 1.2.3.4

tcp@ohaha.ks.edu.tw:ftp - TCP protocol, host ohaha.ks.edu.tw, service name ftp

lsof -n does not convert IP addresses to host names. By default (without -n) names are resolved.

Example: lsof -i tcp@ohaha.ks.edu.tw:ftp -n

lsof -p 12 shows which files the process with process ID 12 has open

lsof +|-r [t] makes lsof repeat its output; the default refresh interval is 15 s

-r: lsof keeps running until it receives an interrupt signal

+r: lsof keeps running until no more files are displayed

Example: continuously watch the current ftp connections: lsof -i tcp@ohaha.ks.edu.tw:ftp -r

lsof -s lists the size of each open file; if a file has no size, the column is left blank

lsof -u username lists the open files of the user username

Note:
Process debugging commands: truss, strace and ltrace
A process that will not start, software that suddenly slows down, and a program's "segmentation fault" are headaches for every Unix user. Such problems can be diagnosed quickly with the three common debugging tools truss, strace and ltrace.



Author: xihuazi
Link: https://www.jianshu.com/p/a3aa6b01b2e1
Source: Jianshu
The copyright belongs to the author. For commercial reprint, please contact the author for authorization, and for non-commercial reprint, please indicate the source.

Posted by joesaddigh on Thu, 28 Oct 2021 21:29:15 -0700