
4.5. lsof - list open files (file monitoring)

lsof - list open files

	
The COMMAND, PID and USER columns give the process name, the process identifier (PID) and the owner's name, respectively.

FD: file descriptor; the application identifies the file through its file descriptor. Examples: cwd, txt, etc.
  (1) cwd : current working directory
      The application's current working directory. This is the directory the application was started from, unless the application itself changes it.
  (2) txt : program text (code and data)
      Files of this type are program code, such as the application binary itself or a shared library, for example the /sbin/init program.
  (3) lnn : library references (AIX)
  (4) er  : FD information error (see NAME column)
  (5) jld : jail directory (FreeBSD)
  (6) ltx : shared library text (code and data)
  (7) mxx : hex memory-mapped type number xx
  (8) m86 : DOS Merge mapped file
  (9) mem : memory-mapped file
 (10) mmap : memory-mapped device
 (11) pd  : parent directory
 (12) rtd : root directory
 (13) tr  : kernel trace file (OpenBSD)
 (14) v86 : VP/ix mapped file

 (15) 0 : standard input
 (16) 1 : standard output
 (17) 2 : standard error
     When an application starts, it has three file descriptors, 0 through 2, for standard input, standard output and the error stream respectively. For this reason, the FDs of the files that most applications open start at 3.
     For standard input, standard output and standard error, the descriptor number is normally followed by a file access mode character: r, w, u, etc.
  (1) u : the file is open in read/write mode
  (2) r : the file is open in read-only mode
  (3) w : the file is open in
  (4) space : the access mode is unknown and the file is not locked
  (5) - : the access mode is unknown and the file is locked
      The access mode character is in turn followed by the associated lock character:
  (1) N : for a Solaris NFS lock of unknown type;
  (2) r : for read lock on part of the file;
  (3) R : for a read lock on the entire file;
  (4) w : for a write lock on part of the file;
  (5) W : for a write lock on the entire file;
  (6) u : for a read and write lock of any length;
  (7) U : for a lock of unknown type;
  (8) x : for an SCO OpenServer Xenix lock on part of the file;
  (9) X : for an SCO OpenServer Xenix lock on the entire file;
  (10) space : if there is no lock.
  
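TYPE : file type. Compared with the FD column, the TYPE column is more intuitive.
     Depending on the operating system, files and directories are shown as REG and DIR (on Solaris, VREG and VDIR).
     Other possible values are CHR and BLK, for character and block devices respectively;
     or UNIX, FIFO and IPv4, for UNIX domain sockets, first-in-first-out (FIFO) queues and Internet Protocol (IP) sockets respectively.
  (1) DIR : directory
  (2) CHR : character device
  (3) BLK : block device
  (4) UNIX : UNIX domain socket
  (5) FIFO : first-in-first-out (FIFO) queue
  (6) IPv4 : Internet Protocol (IP) socket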

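Device, SIZE/OFF, Node and NAME
      These columns describe the file itself. They give, respectively:
          the name of the disk (device)
          the size of the file
          the inode (the file's identifier on disk)
          the exact name of the file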
	
		
$ sudo lsof -c lighttpd
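
The FD column rules described above (descriptor number, then access mode, then lock character), as an added example that is not part of the original page. The sample rows are constructed, and the functions decode_fd and writers are hypothetical names; it assumes process-level rows (no TID value) and file names without spaces.

```shell
#!/bin/sh
# Added example, not from the original page: decode the FD column of lsof output.

# Constructed sample of default lsof output (PIDs, users and paths are made up).
sample_lsof() {
cat <<'EOF'
COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
less     14493  root  cwd    DIR    8,2     4096       2 /root
less     14493  root  txt    REG    8,2   158240  408099 /usr/bin/less
less     14493  root    0u   CHR  136,0      0t0       3 /dev/pts/0
less     14493  root    4r   REG    8,2     2676 4466070 /etc/passwd
mysqld    2210 mysql    5uW  REG    8,2    12288  655361 /var/lib/mysql/ibdata1
rsyslogd   911  root    7w   REG    8,2   901120  131077 /var/log/messages
crond      850  root    3uW  REG    8,2        4  131090 /run/crond.pid
EOF
}

# awk helper shared by both functions: returns "kind fd mode lock".
# Special names (cwd, txt, mem, ...) carry no mode or lock, so they return "name - - -".
FD_AWK='
function decode(tok,    fd, m, l, mode, lock) {
    if (tok !~ /^[0-9]+/) return tok " - - -"
    fd = tok; sub(/[^0-9].*$/, "", fd)      # leading digits are the descriptor number
    m = substr(tok, length(fd) + 1, 1)      # access mode: r, w, u, or - (unknown)
    l = substr(tok, length(fd) + 2, 1)      # lock character, empty when there is no lock
    if (m == "r") mode = "read"
    else if (m == "w") mode = "write"
    else if (m == "u") mode = "read/write"
    else mode = "unknown"
    lock = (l == "") ? "none" : l
    return "descriptor " fd " " mode " " lock
}
'

# decode_fd TOKEN: decode a single FD column value such as 4r, 5uW or cwd.
decode_fd() {
    printf '%s\n' "$1" | awk "$FD_AWK"'{ print decode($1) }'
}

# writers: read default lsof output on stdin and print "PID COMMAND FD LOCK NAME"
# for every regular file (TYPE REG) held open for writing or for read/write.
writers() {
    awk "$FD_AWK"'
    NR > 1 && $5 == "REG" {
        split(decode($4), d, " ")
        if (d[3] ~ /write/) print $2, $1, d[2], d[4], $NF
    }'
}

# Stand-alone run on the constructed sample.
sample_lsof | writers
```

On a live system, feed it real output instead, for example `sudo lsof +D /srv/ | writers`.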
	

4.5.1. $$

neo@netkiller:~/workspace/Document$ lsof -p $$
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
zsh     4536  neo  cwd    DIR    8,6     4096     30 /home/neo/workspace/Document
zsh     4536  neo  rtd    DIR    8,1     4096      2 /
zsh     4536  neo  txt    REG    8,1   675792   6907 /bin/zsh4
zsh     4536  neo  mem    REG    8,1    68824  56594 /usr/lib/zsh/4.3.10/zsh/computil.so
zsh     4536  neo  mem    REG    8,1    41000  30570 /usr/lib/zsh/4.3.10/zsh/parameter.so
zsh     4536  neo  mem    REG    8,1    31512  53350 /usr/lib/zsh/4.3.10/zsh/zutil.so
zsh     4536  neo  mem    REG    8,1   153096  53354 /usr/lib/zsh/4.3.10/zsh/complete.so
zsh     4536  neo  mem    REG    8,1   290888  56596 /usr/lib/zsh/4.3.10/zsh/zle.so
zsh     4536  neo  mem    REG    8,1    10544  30579 /usr/lib/zsh/4.3.10/zsh/terminfo.so
zsh     4536  neo  mem    REG    8,1    51712  19594 /lib/libnss_files-2.11.1.so
zsh     4536  neo  mem    REG    8,1    43552  23798 /lib/libnss_nis-2.11.1.so
zsh     4536  neo  mem    REG    8,1    97256  15503 /lib/libnsl-2.11.1.so
zsh     4536  neo  mem    REG    8,1    35712  16431 /lib/libnss_compat-2.11.1.so
zsh     4536  neo  mem    REG    8,1    18704   1902 /lib/libattr.so.1.1.0
zsh     4536  neo  mem    REG    8,1  1568136   7583 /lib/libc-2.11.1.so
zsh     4536  neo  mem    REG    8,1   534832  11379 /lib/libm-2.11.1.so
zsh     4536  neo  mem    REG    8,1   323640   7295 /lib/libncursesw.so.5.7
zsh     4536  neo  mem    REG    8,1    14696  11378 /lib/libdl-2.11.1.so
zsh     4536  neo  mem    REG    8,1    18888   5099 /lib/libcap.so.2.17
zsh     4536  neo  mem    REG    8,1   136936   7487 /lib/ld-2.11.1.so
zsh     4536  neo  mem    REG    8,1   256324 145156 /usr/lib/locale/en_US.utf8/LC_CTYPE
zsh     4536  neo  mem    REG    8,1       54 131099 /usr/lib/locale/en_US.utf8/LC_NUMERIC
zsh     4536  neo  mem    REG    8,1     2454 145158 /usr/lib/locale/en_US.utf8/LC_TIME
zsh     4536  neo  mem    REG    8,1  1170770 145157 /usr/lib/locale/en_US.utf8/LC_COLLATE
zsh     4536  neo  mem    REG    8,1      286 145159 /usr/lib/locale/en_US.utf8/LC_MONETARY
zsh     4536  neo  mem    REG    8,1       57 145160 /usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES
zsh     4536  neo  mem    REG    8,1    26048  73711 /usr/lib/gconv/gconv-modules.cache
zsh     4536  neo  mem    REG    8,1       34 131105 /usr/lib/locale/en_US.utf8/LC_PAPER
zsh     4536  neo  mem    REG    8,1       77 131106 /usr/lib/locale/en_US.utf8/LC_NAME
zsh     4536  neo  mem    REG    8,1      155 145161 /usr/lib/locale/en_US.utf8/LC_ADDRESS
zsh     4536  neo  mem    REG    8,1       59 145162 /usr/lib/locale/en_US.utf8/LC_TELEPHONE
zsh     4536  neo  mem    REG    8,1       23 131109 /usr/lib/locale/en_US.utf8/LC_MEASUREMENT
zsh     4536  neo  mem    REG    8,1      373 145163 /usr/lib/locale/en_US.utf8/LC_IDENTIFICATION
zsh     4536  neo    0u   CHR  136,0      0t0      3 /dev/pts/0
zsh     4536  neo    1u   CHR  136,0      0t0      3 /dev/pts/0
zsh     4536  neo    2u   CHR  136,0      0t0      3 /dev/pts/0
zsh     4536  neo   10u   CHR  136,0      0t0      3 /dev/pts/0
		

4.5.2. Monitoring the file system

Who has this file open? Show the processes that have the file filename open

lsof filename
		

List the open files in a directory

# lsof /tmp/
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
seahorse- 4158  neo  cwd    DIR    8,2    53248 1310721 /tmp
		

Recurse into subdirectories and list the open files

$ sudo lsof +D /srv/
COMMAND  PID USER  FD   TYPE DEVICE SIZE/OFF    NODE NAME
match   5227 root txt    REG  252,0  1351616 1966083 /srv/match

[root@netkiller ~]# lsof +D /proc/1/
COMMAND PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
systemd   1 root    9r   REG    0,3        0 8401 /proc/1/mountinfo

		

		
See which process/command is currently using a file


Run in one window:
[root@netkiller ~]# less /etc/passwd
Run in another window:
[root@netkiller ~]# lsof /etc/passwd
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
less    14493 root    4r   REG    8,2     2676 4466070 /etc/passwd

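Recursively see which commands/programs are using the files in a directory
    With +D, all subdirectories and files under the directory are listed
Open two windows and run the following commands, one in each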
[root@netkiller ~]# less test/logs/access/2013-05-22.access
[root@netkiller ~]# less test/11
Then run in a third window:
[root@netkiller ~]# lsof +D test/
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
less    14840 root    4r   REG    8,2      252 6166856 test/11
less    14877 root    4r   REG    8,2        0 6166852 test/logs/access/2013-05-22.access
		
		
			

4.5.3. Device files

$ lsof /dev/tty1
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
bash    17187  neo    0u   CHR    4,1      0t0 1057 /dev/tty1
bash    17187  neo    1u   CHR    4,1      0t0 1057 /dev/tty1
bash    17187  neo    2u   CHR    4,1      0t0 1057 /dev/tty1
bash    17187  neo  255u   CHR    4,1      0t0 1057 /dev/tty1


		

4.5.4. Monitoring users

Show the files a user has open

# lsof -u apache |more
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
httpd   4374 apache  cwd    DIR  252,1     4096      2 /
httpd   4374 apache  rtd    DIR  252,1     4096      2 /
httpd   4374 apache  txt    REG  252,1   354816 408099 /usr/sbin/httpd
httpd   4374 apache  mem    REG  252,1     9488 408013 /usr/lib64/apr-util-1/apr_ldap-1.so
httpd   4374 apache  mem    REG  252,1    27424    907 /lib64/libnss_dns-2.12.so
httpd   4374 apache  mem    REG  252,1    65928    909 /lib64/libnss_files-2.12.so
httpd   4374 apache  mem    REG  252,1    10416 408095 /usr/lib64/httpd/modules/mod_version.so
httpd   4374 apache  mem    REG  252,1    27312 408054 /usr/lib64/httpd/modules/mod_cgi.so
httpd   4374 apache  mem    REG  252,1    22992 408061 /usr/lib64/httpd/modules/mod_disk_cache.so

[root@netkiller ~]# lsof -u www
COMMAND  PID USER   FD   TYPE             DEVICE SIZE/OFF     NODE NAME
httpd   2412  www  DEL    REG                0,4             12653 /dev/zero
httpd   2412  www  mem    REG                8,2    90784  5636110 /lib64/libgcc_s-4.4.7-20120601.so.1
		

List open files, excluding the root user

[root@netkiller neo]# lsof -u ^root |more

COMMAND     PID   TID          USER   FD      TYPE             DEVICE   SIZE/OFF      NODE NAME
dbus-daem   448                dbus  cwd       DIR              253,1       4096         2 /
dbus-daem   448                dbus  rtd       DIR              253,1       4096         2 /
dbus-daem   448                dbus  txt       REG              253,1     441256    141406 /usr/bin/dbus-daemon;56822cb8 (deleted)
dbus-daem   448                dbus  DEL       REG              253,1               146439 /usr/lib64/libnss_sss.so.2;56822cb8
dbus-daem   448                dbus  DEL       REG              253,1               151203 /usr/lib64/libnss_files-2.17.so;56822cb8
dbus-daem   448                dbus  DEL       REG              253,1               151199 /usr/lib64/libdl-2.17.so;56822cb8
dbus-daem   448                dbus  DEL       REG              253,1               133002 /usr/lib64/liblzma.so.5.0.99;56822ac0
dbus-daem   448                dbus  DEL       REG              253,1               133005 /usr/lib64/libpcre.so.1.2.0;56822ac0
dbus-daem   448                dbus  DEL       REG              253,1               132825 /usr/lib64/libc-2.17.so;56822cb8
dbus-daem   448                dbus  DEL       REG              253,1               151206 /usr/lib64/librt-2.17.so;56822cb8
dbus-daem   448                dbus  DEL       REG              253,1               132851 /usr/lib64/libpthread-2.17.so;56822cb8
dbus-daem   448                dbus  DEL       REG              253,1               133622 /usr/lib64/libcap-ng.so.0.0.0;56822cb8
dbus-daem   448                dbus  mem       REG              253,1     118792    133084 /usr/lib64/libaudit.so.1.0.0
dbus-daem   448                dbus  mem       REG              253,1     147120    133015 /usr/lib64/libselinux.so.1
dbus-daem   448                dbus  mem       REG              253,1     173288    133153 /usr/lib64/libexpat.so.1.6.0
dbus-daem   448                dbus  DEL       REG              253,1               132818 /usr/lib64/ld-2.17.so;56822cb8
dbus-daem   448                dbus    0r      CHR                1,3        0t0      1028 /dev/null
dbus-daem   448                dbus    1u     unix 0xffff880426d4c740        0t0     14381 socket
dbus-daem   448                dbus    2u     unix 0xffff880426d4c740        0t0     14381 socket
dbus-daem   448                dbus    3u     unix 0xffff880428cd7800        0t0     14082 /var/run/dbus/system_bus_socket
dbus-daem   448                dbus    4u  a_inode                0,9          0      5639 [eventpoll]
dbus-daem   448                dbus    5r  a_inode                0,9          0      5639 inotify
dbus-daem   448                dbus    6u     sock                0,6        0t0     14179 protocol: NETLINK
dbus-daem   448                dbus    7u     unix 0xffff880428cd1e00        0t0     14180 socket
dbus-daem   448                dbus    8u     unix 0xffff880428cd5640        0t0     14181 socket
dbus-daem   448                dbus    9u     unix 0xffff880037101e00        0t0   5347943 /var/run/dbus/system_bus_socket
dbus-daem   448                dbus   10u     unix 0xffff8800292ae900        0t0 626418112 /var/run/dbus/system_bus_socket
dbus-daem   448                dbus   11u     unix 0xffff880426f3cec0        0t0   5345962 socket
dbus-daem   448                dbus   12u     unix 0xffff8801f8149e00        0t0 626420423 /var/run/dbus/system_bus_socket
		

[root@netkiller ~]# lsof -u ^www 
COMMAND     PID      USER   FD      TYPE             DEVICE  SIZE/OFF       NODE NAME
init          1      root  txt       REG                8,2    150352    2228260 /sbin/init
init          1      root  mem       REG                8,2     65928    5636192 /lib64/libnss_files-2.12.so		
		

Monitoring by process group (PGID)

[root@netkiller neo]# lsof -g 0
COMMAND     PID PGID USER   FD      TYPE DEVICE SIZE/OFF NODE NAME
kthreadd      2    0 root  cwd       DIR  202,1     4096    2 /
kthreadd      2    0 root  rtd       DIR  202,1     4096    2 /
kthreadd      2    0 root  txt   unknown                      /proc/2/exe
ksoftirqd     3    0 root  cwd       DIR  202,1     4096    2 /
ksoftirqd     3    0 root  rtd       DIR  202,1     4096    2 /
ksoftirqd     3    0 root  txt   unknown                      /proc/3/exe
kworker/0     5    0 root  cwd       DIR  202,1     4096    2 /
kworker/0     5    0 root  rtd       DIR  202,1     4096    2 /
kworker/0     5    0 root  txt   unknown                      /proc/5/exe
migration     7    0 root  cwd       DIR  202,1     4096    2 /
migration     7    0 root  rtd       DIR  202,1     4096    2 /
migration     7    0 root  txt   unknown                      /proc/7/exe
		

4.5.5. Monitoring processes

List the files opened by the processes of a given program; here, the files the httpd processes currently have open

lsof -c httpd
		

Selecting several commands at once

[root@netkiller ~]# lsof -c smbd
COMMAND  PID USER   FD   TYPE             DEVICE SIZE/OFF    NODE NAME
smbd    2506 root  cwd    DIR                8,2     4096       2 /
smbd    2506 root  rtd    DIR                8,2     4096       2 /
smbd    2506 root  txt    REG                8,2 10112200 3935771 /usr/sbin/smbd

[root@netkiller ~]# lsof -c smbd -c httpd		
		

-p PID: show which files that process has open

pgrep httpd
lsof -p 1782
		

Show only the process IDs

# lsof -t -u apache
4374
4375
4376
4377
4378
4379
4380

List the files opened by a given process ID

[root@netkiller ~]# lsof -p 2374
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
httpd   2374 root  cwd    DIR    8,2     4096       2 /
httpd   2374 root  rtd    DIR    8,2     4096       2 /
httpd   2374 root  txt    REG    8,2  1772950 4985314 /usr/local/apache/bin/httpd
httpd   2374 root  DEL    REG    0,4            12653 /dev/zero
httpd   2374 root  mem    REG    8,2    90784 5636110 /lib64/libgcc_s-4.4.7-20120601.so.1	
		

Monitor several process IDs

[root@netkiller neo]# lsof -p 20535,26359,31462 | more
COMMAND   PID    USER   FD   TYPE             DEVICE   SIZE/OFF      NODE NAME
nginx   20535    root  cwd    DIR              253,1       4096         2 /
nginx   20535    root  rtd    DIR              253,1       4096         2 /
nginx   20535    root  txt    REG              253,1    1066704    142069 /usr/sbin/nginx
nginx   20535    root  DEL    REG                0,4            686393039 /dev/zero
nginx   20535    root  mem    REG              253,1      61928    162109 /usr/lib64/libnss_files-2.17.so
nginx   20535    root  mem    REG              253,1     153192    151546 /usr/lib64/liblzma.so.5.0.99
nginx   20535    root  mem    REG              253,1     147120    133015 /usr/lib64/libselinux.so.1
nginx   20535    root  mem    REG              253,1     110808    162113 /usr/lib64/libresolv-2.17.so
nginx   20535    root  mem    REG              253,1      15688    134676 /usr/lib64/libkeyutils.so.1.5
nginx   20535    root  mem    REG              253,1      62720    158030 /usr/lib64/libkrb5support.so.0.1
nginx   20535    root  mem    REG              253,1     202576    137049 /usr/lib64/libk5crypto.so.3.1
nginx   20535    root  mem    REG              253,1      15840    133029 /usr/lib64/libcom_err.so.2.1
nginx   20535    root  mem    REG              253,1     950496    137059 /usr/lib64/libkrb5.so.3.3
nginx   20535    root  mem    REG              253,1     316528    151679 /usr/lib64/libgssapi_krb5.so.2.2
nginx   20535    root  mem    REG              253,1      11376    151527 /usr/lib64/libfreebl3.so
nginx   20535    root  mem    REG              253,1    2112384    132823 /usr/lib64/libc-2.17.so
nginx   20535    root  mem    REG              253,1      90632    133017 /usr/lib64/libz.so.1.2.7
nginx   20535    root  mem    REG              253,1    2016880    132882 /usr/lib64/libcrypto.so.1.0.1e
nginx   20535    root  mem    REG              253,1     449904    137215 /usr/lib64/libssl.so.1.0.1e
nginx   20535    root  mem    REG              253,1     398264    160788 /usr/lib64/libpcre.so.1.2.0
nginx   20535    root  mem    REG              253,1      40816    151198 /usr/lib64/libcrypt-2.17.so
nginx   20535    root  mem    REG              253,1     142304    132849 /usr/lib64/libpthread-2.17.so
nginx   20535    root  mem    REG              253,1      19520    162101 /usr/lib64/libdl-2.17.so
nginx   20535    root  mem    REG              253,1     164440    132816 /usr/lib64/ld-2.17.so
nginx   20535    root  DEL    REG                0,4            686393042 /dev/zero
nginx   20535    root    0u   CHR                1,3        0t0      1028 /dev/null
nginx   20535    root    1u   CHR                1,3        0t0      1028 /dev/null
		
		

Exclude 1 and 4, show 2, 3 and 5

[root@netkiller neo]# lsof -p ^1,2,3,^4,5
COMMAND   PID USER   FD      TYPE DEVICE SIZE/OFF NODE NAME
kthreadd    2 root  cwd       DIR  253,1     4096    2 /
kthreadd    2 root  rtd       DIR  253,1     4096    2 /
kthreadd    2 root  txt   unknown                      /proc/2/exe
ksoftirqd   3 root  cwd       DIR  253,1     4096    2 /
ksoftirqd   3 root  rtd       DIR  253,1     4096    2 /
ksoftirqd   3 root  txt   unknown                      /proc/3/exe
kworker/0   5 root  cwd       DIR  253,1     4096    2 /
kworker/0   5 root  rtd       DIR  253,1     4096    2 /
kworker/0   5 root  txt   unknown                      /proc/5/exe
			
		

4.5.6. Monitoring the network

List all network connections

[root@netkiller neo]# lsof -i
COMMAND     PID          USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
php-fpm    2274           www    0u  IPv4  96056019      0t0  TCP localhost:cslistener (LISTEN)
php-fpm    2274           www    4u  IPv4 688391009      0t0  TCP localhost:43483->localhost:27017 (ESTABLISHED)
python3    4384        zabbix    6u  IPv4 688769849      0t0  TCP iZ623qr3xctZ:zabbix-agent->10.26.6.18:50666 (ESTABLISHED)
python3    4385        zabbix    6u  IPv4 688769848      0t0  TCP iZ623qr3xctZ:zabbix-agent->10.26.6.18:50668 (ESTABLISHED)
redis-ser  5170         redis    4u  IPv4   5690059      0t0  TCP localhost:6379 (LISTEN)
php-fpm    8277           www    0u  IPv4  96056019      0t0  TCP localhost:cslistener (LISTEN)
php-fpm    8277           www    4u  IPv4 688149893      0t0  TCP localhost:60933->localhost:27017 (ESTABLISHED)
php-fpm    8543           www    0u  IPv4  96056019      0t0  TCP localhost:cslistener (LISTEN)
beam.smp   9703      rabbitmq    8u  IPv4 626401894      0t0  TCP *:25672 (LISTEN)
beam.smp   9703      rabbitmq    9u  IPv4 626401896      0t0  TCP localhost:42821->localhost:epmd (ESTABLISHED)
beam.smp   9703      rabbitmq   17u  IPv6 626403609      0t0  TCP *:amqp (LISTEN)
beam.smp   9703      rabbitmq   18u  IPv4 626402643      0t0  TCP *:15672 (LISTEN)
beam.smp   9703      rabbitmq   20u  IPv6 685257290      0t0  TCP localhost:amqp->localhost:57692 (ESTABLISHED)
sshd      11227          root    3u  IPv4 626404210      0t0  TCP *:ssh (LISTEN)
ntpd      11646           ntp   16u  IPv4 626409506      0t0  UDP *:ntp 
ntpd      11646           ntp   17u  IPv6 626406239      0t0  UDP *:ntp 
ntpd      11646           ntp   18u  IPv4 626406244      0t0  UDP localhost:ntp 
ntpd      11646           ntp   19u  IPv4 626406245      0t0  UDP iZ623qr3xctZ:ntp 
ntpd      11646           ntp   20u  IPv4 626406246      0t0  UDP iZ623qr3xctZ:ntp 


List all network connections/ports


[root@netkiller ~]# lsof -i 
COMMAND     PID   USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
portreser  1698   root    5u  IPv4    10656      0t0  UDP *:ldaps 
snmpd      1993   root    7u  IPv4    12071      0t0  UDP *:snmp 
snmpd      1993   root    9u  IPv4    12073      0t0  TCP localhost:smux (LISTEN)
sshd       2005   root    3u  IPv4    12109      0t0  TCP *:ssh (LISTEN)
	
			

Which program is running on port 22?

lsof -i :22
			

Who is connected to the port

# lsof -i -a -c ssh
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    2843 root    3r  IPv4  27960      0t0  TCP 192.168.6.9:ssh->192.168.6.30:55363 (ESTABLISHED)
sshd    3003 root    3u  IPv4  28864      0t0  TCP *:ssh (LISTEN)
sshd    3003 root    4u  IPv6  28866      0t0  TCP *:ssh (LISTEN)
			

$ lsof -i -a -c nginx
COMMAND   PID USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
nginx   26222  www    8w  IPv4 557827648      0t0  TCP 42.121.14.230:http->110.240.206.67:63482 (ESTABLISHED)
nginx   26222  www    9u  IPv4 557817283      0t0  TCP 42.121.14.230:http->27.106.154.202:18972 (ESTABLISHED)
nginx   26222  www   10u  IPv4 496452301      0t0  TCP *:http (LISTEN)
nginx   26222  www   17u  IPv4 557826020      0t0  TCP 42.121.14.230:http->210.177.78.33:62297 (ESTABLISHED)
nginx   26222  www   18u  IPv4 557827745      0t0  TCP 42.121.14.230:http->115.214.39.230:50628 (ESTABLISHED)
nginx   26222  www   19u  IPv4 557826475      0t0  TCP 42.121.14.230:http->183.160.124.225:57143 (ESTABLISHED)
nginx   26222  www   20u  IPv4 557827670      0t0  TCP 42.121.14.230:http->125.88.77.30:8956 (ESTABLISHED)
nginx   26222  www   21u  IPv4 557826122      0t0  TCP 42.121.14.230:http->116.24.229.173:rfid-rp1 (ESTABLISHED)
nginx   26222  www   22u  IPv4 557826127      0t0  TCP 42.121.14.230:http->119.137.141.76:21508 (ESTABLISHED)
nginx   26222  www   23u  IPv4 557826476      0t0  TCP 42.121.14.230:http->183.160.124.225:57144 (ESTABLISHED)
nginx   26222  www   24u  IPv4 557821930      0t0  TCP 42.121.14.230:http->210.21.127.136:52309 (ESTABLISHED)
nginx   26222  www   25u  IPv4 557826477      0t0  TCP 42.121.14.230:http->183.160.124.225:57145 (ESTABLISHED)
nginx   26222  www   26u  IPv4 557827693      0t0  TCP 42.121.14.230:http->111.227.215.135:18628 (ESTABLISHED)
			

Monitor network connections by process ID

$ lsof -i -a -p 26222
COMMAND   PID USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
nginx   26222  www    8w  IPv4 557827648      0t0  TCP 42.121.14.230:http->110.240.206.67:63482 (ESTABLISHED)
nginx   26222  www    9u  IPv4 557817283      0t0  TCP 42.121.14.230:http->27.106.154.202:18972 (ESTABLISHED)
nginx   26222  www   10u  IPv4 496452301      0t0  TCP *:http (LISTEN)
nginx   26222  www   21u  IPv4 557826122      0t0  TCP 42.121.14.230:http->116.24.229.173:rfid-rp1 (ESTABLISHED)
nginx   26222  www   26u  IPv4 557827693      0t0  TCP 42.121.14.230:http->111.227.215.135:18628 (ESTABLISHED)
nginx   26222  www   31u  IPv4 557798349      0t0  TCP 42.121.14.230:http->213.92.156.27.broad.fz.fj.dynamic.163data.com.cn:novation (ESTABLISHED)
nginx   26222  www   33u  IPv4 557807306      0t0  TCP 42.121.14.230:http->182.139.49.102:news (ESTABLISHED)
nginx   26222  www   38u  IPv4 557825270      0t0  TCP 42.121.14.230:http->122.71.50.188:43694 (ESTABLISHED)
nginx   26222  www   40u  IPv4 557817907      0t0  TCP 42.121.14.230:http->120.28.127.54:62009 (ESTABLISHED)
nginx   26222  www   41u  IPv4 557800691      0t0  TCP 42.121.14.230:http->27.190.185.75:60475 (ESTABLISHED)
			

UDP monitoring

# lsof -i udp;
COMMAND    PID     USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
rpcbind   2431      rpc    6u  IPv4    12483      0t0  UDP *:sunrpc
rpcbind   2431      rpc    7u  IPv4    12487      0t0  UDP *:kink
rpcbind   2431      rpc    9u  IPv6    12490      0t0  UDP *:sunrpc
rpcbind   2431      rpc   10u  IPv6    12492      0t0  UDP *:kink
avahi-dae 2549    avahi   13u  IPv4    12781      0t0  UDP *:mdns
avahi-dae 2549    avahi   14u  IPv4    12782      0t0  UDP *:45747
rpc.statd 2570  rpcuser    5u  IPv4    13011      0t0  UDP *:asia
rpc.statd 2570  rpcuser    8u  IPv4    13015      0t0  UDP *:55218
rpc.statd 2570  rpcuser   10u  IPv6    13023      0t0  UDP *:51236
openvpn   2594   nobody    5u  IPv4    13060      0t0  UDP *:openvpn
cupsd     2661     root    9u  IPv4    13379      0t0  UDP *:ipp
ntpd      2832      ntp   16u  IPv4    14050      0t0  UDP *:ntp
ntpd      2832      ntp   17u  IPv6    14051      0t0  UDP *:ntp
ntpd      2832      ntp   18u  IPv6    14055      0t0  UDP localhost:ntp
ntpd      2832      ntp   19u  IPv6    14056      0t0  UDP [fe80::225:90ff:fe35:906c]:ntp
ntpd      2832      ntp   20u  IPv4    14057      0t0  UDP localhost:ntp
ntpd      2832      ntp   21u  IPv4    14058      0t0  UDP manager.repo:ntp
ntpd      2832      ntp   22u  IPv4    14059      0t0  UDP 10.8.0.1:ntp
ntpd      2832      ntp   24u  IPv4    15922      0t0  UDP 192.168.122.1:ntp
ntpd      2832      ntp   25u  IPv6    27224      0t0  UDP [fe80::fc54:ff:fe94:b3c2]:ntp
ntpd      2832      ntp   26u  IPv6    27225      0t0  UDP [fe80::fc54:ff:fe54:c9d2]:ntp
ntpd      2832      ntp   27u  IPv6    27948      0t0  UDP [fe80::fc54:ff:fe4e:a846]:ntp
ntpd      2832      ntp   28u  IPv6    28197      0t0  UDP [fe80::fc54:ff:fe19:c00e]:ntp
ntpd      2832      ntp   29u  IPv6 99178415      0t0  UDP [fe80::fc54:ff:fe5a:ace]:ntp
ntpd      2832      ntp   30u  IPv6 99179648      0t0  UDP [fe80::fc54:ff:fe68:54a0]:ntp
ntpd      2832      ntp   31u  IPv6 99180801      0t0  UDP [fe80::fc54:ff:fed6:3593]:ntp
postmaste 3391 postgres    9u  IPv6    15004      0t0  UDP localhost:56631->localhost:56631
postmaste 3395 postgres    9u  IPv6    15004      0t0  UDP localhost:56631->localhost:56631
postmaste 3396 postgres    9u  IPv6    15004      0t0  UDP localhost:56631->localhost:56631
postmaste 3397 postgres    9u  IPv6    15004      0t0  UDP localhost:56631->localhost:56631
postmaste 3398 postgres    9u  IPv6    15004      0t0  UDP localhost:56631->localhost:56631
postmaste 3399 postgres    9u  IPv6    15004      0t0  UDP localhost:56631->localhost:56631
dnsmasq   3647   nobody    5u  IPv4    15671      0t0  UDP *:bootps
dnsmasq   3647   nobody    7u  IPv4    15680      0t0  UDP 192.168.122.1:domain
			

TCP monitoring

lsof -i tcp;
			

A specific TCP/UDP port: monitor UDP port 123

[root@netkiller neo]# lsof -i udp:123
COMMAND   PID USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
ntpd    11646  ntp   16u  IPv4 626409506      0t0  UDP *:ntp 
ntpd    11646  ntp   17u  IPv6 626406239      0t0  UDP *:ntp 
ntpd    11646  ntp   18u  IPv4 626406244      0t0  UDP localhost:ntp 
ntpd    11646  ntp   19u  IPv4 626406245      0t0  UDP iZ623qr3xctZ:ntp 
ntpd    11646  ntp   20u  IPv4 626406246      0t0  UDP iZ623qr3xctZ:ntp 		

Find the process that is using a port, for example port 22
[root@netkiller ~]# lsof -i :22

[root@netkiller ~]# lsof -i udp:53	
			

List all TCP and UDP network connections

[root@netkiller ~]# lsof -i tcp -i udp
			

List the active connections of the nginx user

[root@netkiller neo]# lsof  -a -u nginx -i
COMMAND   PID  USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
nginx   20536 nginx   19u  IPv4 686393040      0t0  TCP *:http (LISTEN)
nginx   20536 nginx   20u  IPv4 686393041      0t0  TCP *:https (LISTEN)
nginx   20536 nginx   42u  IPv4 688774445      0t0  TCP iZ623qr3xctZ:http->112.224.19.79:32751 (ESTABLISHED)
nginx   20536 nginx   49u  IPv4 688774400      0t0  TCP iZ623qr3xctZ:http->117.156.4.113:58212 (ESTABLISHED)
nginx   20536 nginx   52u  IPv4 688774494      0t0  TCP iZ623qr3xctZ:http->112.224.19.79:32753 (ESTABLISHED)
nginx   20536 nginx   53u  IPv4 688774495      0t0  TCP iZ623qr3xctZ:http->112.224.19.79:32752 (ESTABLISHED)
nginx   20536 nginx   54u  IPv4 688774555      0t0  TCP iZ623qr3xctZ:http->113.128.232.89:37529 (ESTABLISHED)
nginx   20536 nginx   55u  IPv4 688774497      0t0  TCP iZ623qr3xctZ:http->112.224.19.79:32754 (ESTABLISHED)
nginx   20536 nginx   56u  IPv4 688774556      0t0  TCP iZ623qr3xctZ:http->113.128.232.89:37530 (ESTABLISHED)
nginx   20536 nginx   58u  IPv4 688774500      0t0  TCP iZ623qr3xctZ:http->112.224.19.79:32755 (ESTABLISHED)
nginx   20536 nginx   60u  IPv4 688778242      0t0  TCP iZ623qr3xctZ:http->113.128.232.89:37532 (ESTABLISHED)
nginx   20536 nginx   61u  IPv4 688774559      0t0  TCP iZ623qr3xctZ:http->113.128.232.89:37528 (ESTABLISHED)
nginx   20536 nginx   64u  IPv4 688774562      0t0  TCP iZ623qr3xctZ:http->113.128.232.89:37531 (ESTABLISHED)
nginx   20537 nginx   19u  IPv4 686393040      0t0  TCP *:http (LISTEN)
nginx   20537 nginx   20u  IPv4 686393041      0t0  TCP *:https (LISTEN)
nginx   20538 nginx   19u  IPv4 686393040      0t0  TCP *:http (LISTEN)
nginx   20538 nginx   20u  IPv4 686393041      0t0  TCP *:https (LISTEN)
nginx   20539 nginx   18u  IPv4 688777804      0t0  TCP iZ623qr3xctZ:http->39.187.213.246:49624 (ESTABLISHED)
nginx   20539 nginx   19u  IPv4 686393040      0t0  TCP *:http (LISTEN)
nginx   20539 nginx   20u  IPv4 686393041      0t0  TCP *:https (LISTEN)			
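
A way to turn the `lsof -i` listings in this section into a short exposure report, as an added example that is not part of the original page. The sample rows are constructed in the layout of `lsof -i -n -P` (numeric hosts and ports) with documentation addresses, and the function names wildcard_listeners and established_peers are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page: summarise lsof -i output.

# Constructed sample in the layout of `lsof -i -n -P`; addresses are documentation ranges.
sample_lsof_i() {
cat <<'EOF'
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       1105  root    3u  IPv4  20101      0t0  TCP *:22 (LISTEN)
sshd       1105  root    4u  IPv6  20103      0t0  TCP *:22 (LISTEN)
redis-ser  5170 redis    4u  IPv4  20200      0t0  TCP 127.0.0.1:6379 (LISTEN)
nginx     20536 nginx   19u  IPv4  20300      0t0  TCP *:80 (LISTEN)
nginx     20537 nginx   19u  IPv4  20300      0t0  TCP *:80 (LISTEN)
nginx     20536 nginx   42u  IPv4  20401      0t0  TCP 192.0.2.10:80->198.51.100.7:32751 (ESTABLISHED)
nginx     20536 nginx   52u  IPv4  20402      0t0  TCP 192.0.2.10:80->198.51.100.7:32753 (ESTABLISHED)
nginx     20536 nginx   54u  IPv4  20403      0t0  TCP 192.0.2.10:80->203.0.113.89:37529 (ESTABLISHED)
ntpd      11646   ntp   16u  IPv4  20500      0t0  UDP *:123
ntpd      11646   ntp   18u  IPv4  20501      0t0  UDP 127.0.0.1:123
ntpd      11646   ntp   19u  IPv6  20502      0t0  UDP [fe80::1]:123
EOF
}

# wildcard_listeners: print "PROTO PORT COMMAND USER" for every socket bound to
# all interfaces (*), i.e. TCP sockets in LISTEN state and unconnected UDP sockets.
# Fields are read from the end of the line, so a missing SIZE/OFF value or an
# extra TID column does not shift them.
wildcard_listeners() {
    awk 'NR > 1 {
        state = ""; name = $NF
        if ($NF ~ /^\(.*\)$/) { state = $NF; name = $(NF - 1) }
        proto = (state == "") ? $(NF - 1) : $(NF - 2)
        if (name ~ /->/) next                        # connected socket, not a listener
        if (proto == "TCP" && state != "(LISTEN)") next
        port = name; sub(/^.*:/, "", port)           # text after the last colon
        host = substr(name, 1, length(name) - length(port) - 1)
        if (host == "*") print proto, port, $1, $3
    }' | LC_ALL=C sort -u
}

# established_peers: print "COUNT REMOTE_HOST" for ESTABLISHED connections,
# busiest remote host first.
established_peers() {
    awk 'NR > 1 && $NF == "(ESTABLISHED)" {
        name = $(NF - 1)
        n = index(name, "->"); if (n == 0) next
        remote = substr(name, n + 2)
        sub(/:[^:]*$/, "", remote)                   # drop the remote port
        count[remote]++
    }
    END { for (r in count) print count[r], r }' | LC_ALL=C sort -k1,1nr -k2,2
}

# Stand-alone run on the constructed sample.
echo "Listening on all interfaces:"; sample_lsof_i | wildcard_listeners
echo "Established connections per remote host:"; sample_lsof_i | established_peers
```

Services that show up under wildcard_listeners but only need local clients (as redis and php-fpm do on localhost in the listings above) are candidates for binding to a specific address.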
			

4.5.7. Advanced lsof usage

Combining options

# lsof -a -c bash -u root
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
bash    1394 root  cwd    DIR    8,2     4096 4849665 /root
bash    1394 root  rtd    DIR    8,2     4096       2 /
bash    1394 root  txt    REG    8,2   938768 3671557 /bin/bash
bash    1394 root  mem    REG    8,2   156872 3014902 /lib64/ld-2.12.so
bash    1394 root  mem    REG    8,2  1922152 3014903 /lib64/libc-2.12.so
bash    1394 root  mem    REG    8,2    22536 3014911 /lib64/libdl-2.12.so
bash    1394 root  mem    REG    8,2   138280 3018719 /lib64/libtinfo.so.5.7
bash    1394 root  mem    REG    8,2    65928 3017998 /lib64/libnss_files-2.12.so
bash    1394 root  mem    REG    8,2    26060 2632051 /usr/lib64/gconv/gconv-modules.cache
bash    1394 root  mem    REG    8,2 99158576 2648204 /usr/lib/locale/locale-archive
bash    1394 root    0u   CHR  136,7      0t0      10 /dev/pts/7
bash    1394 root    1u   CHR  136,7      0t0      10 /dev/pts/7
bash    1394 root    2u   CHR  136,7      0t0      10 /dev/pts/7
bash    1394 root  255u   CHR  136,7      0t0      10 /dev/pts/7
			

Refresh every 5 seconds

# lsof -c init -a -r5
			
List all active network ports of the www user
[root@netkiller ~]# lsof -a -u www -i

List all IPv4 network files opened by sshd processes
[root@netkiller ~]# lsof -i 4 -c sshd  -a

List all TCP and IPv4 network files opened by the root user
[root@netkiller ~]# lsof -i 4 -i tcp  -u root -a					
			

4.5.8. Listing files by file descriptor

lsof -d  fd_type

[root@netkiller ~]# lsof -d 2
COMMAND     PID      USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
init          1      root    2u   CHR    1,3      0t0    3794 /dev/null

List files by file descriptor range
[root@netkiller ~]# lsof -d 2-4 
COMMAND     PID      USER   FD   TYPE             DEVICE  SIZE/OFF       NODE NAME
init          1      root    2u   CHR                1,3       0t0       3794 /dev/null

List the files whose COMMAND column matches the string "httpd" and whose file descriptor type is txt
[root@netkiller ~]# lsof -c httpd -a -d txt
COMMAND  PID USER  FD   TYPE DEVICE SIZE/OFF    NODE NAME
httpd   2374 root txt    REG    8,2  1772950 4985314 /usr/local/apache/bin/httpd