$ sudo lsof -c lighttpd
誰打開了該檔案?顯示打開檔案 filename 的進程(非 root 用戶通常看不到其他用戶進程的完整資訊,需要完整結果時請加 sudo)
lsof filename
列出某個目錄下被打開的檔案(直接給目錄名只匹配該目錄本身;+D 會遞迴掃描整個目錄樹,目錄很大時較慢;+d 只看第一層)
# lsof /tmp/
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
seahorse- 4158 neo cwd DIR 8,2 53248 1310721 /tmp
$ sudo lsof +D /srv/
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
match 5227 root txt REG 252,0 1351616 1966083 /srv/match
$ lsof /dev/tty1
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 17187 neo 0u CHR 4,1 0t0 1057 /dev/tty1
bash 17187 neo 1u CHR 4,1 0t0 1057 /dev/tty1
bash 17187 neo 2u CHR 4,1 0t0 1057 /dev/tty1
bash 17187 neo 255u CHR 4,1 0t0 1057 /dev/tty1
顯示指定用戶打開的檔案
# lsof -u apache |more COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME httpd 4374 apache cwd DIR 252,1 4096 2 / httpd 4374 apache rtd DIR 252,1 4096 2 / httpd 4374 apache txt REG 252,1 354816 408099 /usr/sbin/httpd httpd 4374 apache mem REG 252,1 9488 408013 /usr/lib64/apr-util-1/apr_ldap-1.so httpd 4374 apache mem REG 252,1 27424 907 /lib64/libnss_dns-2.12.so httpd 4374 apache mem REG 252,1 65928 909 /lib64/libnss_files-2.12.so httpd 4374 apache mem REG 252,1 10416 408095 /usr/lib64/httpd/modules/mod_version.so httpd 4374 apache mem REG 252,1 27312 408054 /usr/lib64/httpd/modules/mod_cgi.so httpd 4374 apache mem REG 252,1 22992 408061 /usr/lib64/httpd/modules/mod_disk_cache.so
什麼程序運行在22連接埠上
lsof -i :22
誰在連接該服務?查看 ssh 相關進程的網絡連接(-c ssh 匹配以 ssh 開頭的命令名,因此也包含 sshd;-a 表示各條件取交集)
# lsof -i -a -c ssh
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 2843 root 3r IPv4 27960 0t0 TCP 192.168.6.9:ssh->192.168.6.30:55363 (ESTABLISHED)
sshd 3003 root 3u IPv4 28864 0t0 TCP *:ssh (LISTEN)
sshd 3003 root 4u IPv6 28866 0t0 TCP *:ssh (LISTEN)
$ lsof -i -a -c nginx COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME nginx 26222 www 8w IPv4 557827648 0t0 TCP 42.121.14.230:http->110.240.206.67:63482 (ESTABLISHED) nginx 26222 www 9u IPv4 557817283 0t0 TCP 42.121.14.230:http->27.106.154.202:18972 (ESTABLISHED) nginx 26222 www 10u IPv4 496452301 0t0 TCP *:http (LISTEN) nginx 26222 www 17u IPv4 557826020 0t0 TCP 42.121.14.230:http->210.177.78.33:62297 (ESTABLISHED) nginx 26222 www 18u IPv4 557827745 0t0 TCP 42.121.14.230:http->115.214.39.230:50628 (ESTABLISHED) nginx 26222 www 19u IPv4 557826475 0t0 TCP 42.121.14.230:http->183.160.124.225:57143 (ESTABLISHED) nginx 26222 www 20u IPv4 557827670 0t0 TCP 42.121.14.230:http->125.88.77.30:8956 (ESTABLISHED) nginx 26222 www 21u IPv4 557826122 0t0 TCP 42.121.14.230:http->116.24.229.173:rfid-rp1 (ESTABLISHED) nginx 26222 www 22u IPv4 557826127 0t0 TCP 42.121.14.230:http->119.137.141.76:21508 (ESTABLISHED) nginx 26222 www 23u IPv4 557826476 0t0 TCP 42.121.14.230:http->183.160.124.225:57144 (ESTABLISHED) nginx 26222 www 24u IPv4 557821930 0t0 TCP 42.121.14.230:http->210.21.127.136:52309 (ESTABLISHED) nginx 26222 www 25u IPv4 557826477 0t0 TCP 42.121.14.230:http->183.160.124.225:57145 (ESTABLISHED) nginx 26222 www 26u IPv4 557827693 0t0 TCP 42.121.14.230:http->111.227.215.135:18628 (ESTABLISHED)
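通過進程ID監控網絡連接(輸出中的 rfid-rp1、news、novation 等只是 lsof 依 /etc/services 把對端連接埠號轉成的名稱,並不代表對方真的在用該服務;排查時建議加 -n -P,直接顯示 IP 與連接埠號,同時避免 DNS 反查)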
$ lsof -i -a -p 26222 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME nginx 26222 www 8w IPv4 557827648 0t0 TCP 42.121.14.230:http->110.240.206.67:63482 (ESTABLISHED) nginx 26222 www 9u IPv4 557817283 0t0 TCP 42.121.14.230:http->27.106.154.202:18972 (ESTABLISHED) nginx 26222 www 10u IPv4 496452301 0t0 TCP *:http (LISTEN) nginx 26222 www 21u IPv4 557826122 0t0 TCP 42.121.14.230:http->116.24.229.173:rfid-rp1 (ESTABLISHED) nginx 26222 www 26u IPv4 557827693 0t0 TCP 42.121.14.230:http->111.227.215.135:18628 (ESTABLISHED) nginx 26222 www 31u IPv4 557798349 0t0 TCP 42.121.14.230:http->213.92.156.27.broad.fz.fj.dynamic.163data.com.cn:novation (ESTABLISHED) nginx 26222 www 33u IPv4 557807306 0t0 TCP 42.121.14.230:http->182.139.49.102:news (ESTABLISHED) nginx 26222 www 38u IPv4 557825270 0t0 TCP 42.121.14.230:http->122.71.50.188:43694 (ESTABLISHED) nginx 26222 www 40u IPv4 557817907 0t0 TCP 42.121.14.230:http->120.28.127.54:62009 (ESTABLISHED) nginx 26222 www 41u IPv4 557800691 0t0 TCP 42.121.14.230:http->27.190.185.75:60475 (ESTABLISHED)
UDP 監控
# lsof -i udp; COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rpcbind 2431 rpc 6u IPv4 12483 0t0 UDP *:sunrpc rpcbind 2431 rpc 7u IPv4 12487 0t0 UDP *:kink rpcbind 2431 rpc 9u IPv6 12490 0t0 UDP *:sunrpc rpcbind 2431 rpc 10u IPv6 12492 0t0 UDP *:kink avahi-dae 2549 avahi 13u IPv4 12781 0t0 UDP *:mdns avahi-dae 2549 avahi 14u IPv4 12782 0t0 UDP *:45747 rpc.statd 2570 rpcuser 5u IPv4 13011 0t0 UDP *:asia rpc.statd 2570 rpcuser 8u IPv4 13015 0t0 UDP *:55218 rpc.statd 2570 rpcuser 10u IPv6 13023 0t0 UDP *:51236 openvpn 2594 nobody 5u IPv4 13060 0t0 UDP *:openvpn cupsd 2661 root 9u IPv4 13379 0t0 UDP *:ipp ntpd 2832 ntp 16u IPv4 14050 0t0 UDP *:ntp ntpd 2832 ntp 17u IPv6 14051 0t0 UDP *:ntp ntpd 2832 ntp 18u IPv6 14055 0t0 UDP localhost:ntp ntpd 2832 ntp 19u IPv6 14056 0t0 UDP [fe80::225:90ff:fe35:906c]:ntp ntpd 2832 ntp 20u IPv4 14057 0t0 UDP localhost:ntp ntpd 2832 ntp 21u IPv4 14058 0t0 UDP manager.repo:ntp ntpd 2832 ntp 22u IPv4 14059 0t0 UDP 10.8.0.1:ntp ntpd 2832 ntp 24u IPv4 15922 0t0 UDP 192.168.122.1:ntp ntpd 2832 ntp 25u IPv6 27224 0t0 UDP [fe80::fc54:ff:fe94:b3c2]:ntp ntpd 2832 ntp 26u IPv6 27225 0t0 UDP [fe80::fc54:ff:fe54:c9d2]:ntp ntpd 2832 ntp 27u IPv6 27948 0t0 UDP [fe80::fc54:ff:fe4e:a846]:ntp ntpd 2832 ntp 28u IPv6 28197 0t0 UDP [fe80::fc54:ff:fe19:c00e]:ntp ntpd 2832 ntp 29u IPv6 99178415 0t0 UDP [fe80::fc54:ff:fe5a:ace]:ntp ntpd 2832 ntp 30u IPv6 99179648 0t0 UDP [fe80::fc54:ff:fe68:54a0]:ntp ntpd 2832 ntp 31u IPv6 99180801 0t0 UDP [fe80::fc54:ff:fed6:3593]:ntp postmaste 3391 postgres 9u IPv6 15004 0t0 UDP localhost:56631->localhost:56631 postmaste 3395 postgres 9u IPv6 15004 0t0 UDP localhost:56631->localhost:56631 postmaste 3396 postgres 9u IPv6 15004 0t0 UDP localhost:56631->localhost:56631 postmaste 3397 postgres 9u IPv6 15004 0t0 UDP localhost:56631->localhost:56631 postmaste 3398 postgres 9u IPv6 15004 0t0 UDP localhost:56631->localhost:56631 postmaste 3399 postgres 9u IPv6 15004 0t0 UDP localhost:56631->localhost:56631 dnsmasq 3647 nobody 
5u IPv4 15671 0t0 UDP *:bootps dnsmasq 3647 nobody 7u IPv4 15680 0t0 UDP 192.168.122.1:domain
TCP 監控(只想看監聽中的連接埠時,可用 lsof -nP -iTCP -sTCP:LISTEN)
lsof -i tcp;
顯示httpd進程現在打開的檔案
lsof -c httpd
-p 進程ID, 顯示該進程打開了哪些檔案
pgrep httpd
lsof -p 1782
只顯示進程ID(-t 只輸出 PID,便於交給其他命令處理)
# lsof -t -u apache
4374
4375
4376
4377
4378
4379
4380
組合參數(-a 表示各條件取交集;不加 -a 時,多個條件是「或」的關係)
# lsof -a -c bash -u root COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME bash 1394 root cwd DIR 8,2 4096 4849665 /root bash 1394 root rtd DIR 8,2 4096 2 / bash 1394 root txt REG 8,2 938768 3671557 /bin/bash bash 1394 root mem REG 8,2 156872 3014902 /lib64/ld-2.12.so bash 1394 root mem REG 8,2 1922152 3014903 /lib64/libc-2.12.so bash 1394 root mem REG 8,2 22536 3014911 /lib64/libdl-2.12.so bash 1394 root mem REG 8,2 138280 3018719 /lib64/libtinfo.so.5.7 bash 1394 root mem REG 8,2 65928 3017998 /lib64/libnss_files-2.12.so bash 1394 root mem REG 8,2 26060 2632051 /usr/lib64/gconv/gconv-modules.cache bash 1394 root mem REG 8,2 99158576 2648204 /usr/lib/locale/locale-archive bash 1394 root 0u CHR 136,7 0t0 10 /dev/pts/7 bash 1394 root 1u CHR 136,7 0t0 10 /dev/pts/7 bash 1394 root 2u CHR 136,7 0t0 10 /dev/pts/7 bash 1394 root 255u CHR 136,7 0t0 10 /dev/pts/7
每隔5秒刷新一次
# lsof -c init -a -r5