How to Use the Linux lsof Command

If everything in Linux is a file, there has to be more to it than just files on your hard drive. This tutorial will show you how to use lsof to see all the other devices and processes that are being handled as files.

On Linux, Everything Is a File

The oft-quoted phrase that everything in Linux is a file is sort of true. A file is a collection of bytes. When they are being read into a program or sent to a printer, they appear to generate a stream of bytes. When they are being written to, they accept a stream of bytes.

Many other system components accept or generate streams of bytes, such as keyboards, socket connections, printers, and communication processes. Because they either accept, generate, or accept and generate byte streams, these devices can be handled—at a very low level—as though they were files.

This design concept simplified the implementation of the Unix operating system. It meant that a small set of handlers, tools, and APIs could be created to handle a wide range of different resources.

The data and program files that reside on your hard disk are plain old filesystem files. We can use the ls command to list them and find out some details about them.

How do we find out about all the other processes and devices that are being treated as though they were files? We use the lsof command. This lists the open files in the system. That is, it lists anything that is being handled as though it were a file.

The lsof Command

Many of the processes or devices that lsof can report on belong to root or were launched by root, so you will need to use the sudo command with lsof.

And because this listing will be very long, we are going to pipe it through less.

sudo lsof | less

Before the lsof output appears, GNOME users may see a warning message in the terminal window.

lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
Output information may be incomplete.

lsof tries to process all mounted filesystems. This warning message is raised because lsof has encountered a GNOME Virtual file system (GVFS). This is a special case of a filesystem in user space (FUSE). It acts as a bridge between GNOME, its APIs and the kernel. No one—not even root—can access one of these file systems, apart from the owner who mounted it (in this case, GNOME). You can ignore this warning.

The output from lsof is very wide.

The lsof Columns

Not all columns apply to every type of open file. It is normal for some of them to be blank.

  • Command: The name of the command associated with the process that opened the file.
  • PID: Process Identification number of the process that opened the file.
  • TID: Task (thread) Identification number. A blank column means it is not a task; it is a process.
  • User: User ID or name of the user to whom the process belongs, or the user ID or login of the person that owns the directory in /proc where lsof finds information about the process.
  • FD: Shows the file descriptor of the file. File descriptors are described below.
  • Type: Type of node associated with the file. Node types are described below.
  • Device: Contains either the device numbers, separated by commas, for a character special, block special, regular, directory or NFS file, or a kernel reference address that identifies the file. It might also show the base address or device name of a Linux AX.25 socket device.
  • Size/Off: Shows the size of the file or the file offset in bytes.
  • Node: Shows the node number of a local file, or the inode number of an NFS file in the server host, or internet protocol type. It might display STR for a stream or the IRQ or inode number of a Linux AX.25 socket device.
  • Name: Shows the name of the mount point and file system on which the file resides.

The FD Column

The file descriptor in the FD column can be one of many options; the man page lists them all.

The FD column entry can be made up of three parts: a file descriptor, a mode character, and a lock character. Some common file descriptors are:

  • cwd: Current working directory.
  • err: FD information error (see NAME column).
  • ltx: Shared library text (code and data).
  • m86: DOS Merge mapped file.
  • mem: Memory-mapped file.
  • mmap: Memory-mapped device.
  • pd: Parent directory.
  • rtd: Root directory.
  • txt: Program text (code and data).
  • A number, representing a file descriptor.

The mode character can be one of the following:

  • r: Read access.
  • w: Write access.
  • u: Read and Write access.
  • ' ': A space character, if the mode is unknown and there is no lock character.
  • '-': Mode unknown and there is a lock character.

The lock character can be one of:

  • r: Read lock on part of the file.
  • R: Read lock on the entire file.
  • w: Write lock on part of the file.
  • W: Write lock on the entire file.
  • u: Read and write lock of any length.
  • U: Unknown lock type.
  • ' ': A space character. No lock.
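
The three-part FD entry described above can be decoded mechanically, which helps when answering "who has this log file open for writing?". This is an added example, not code from the original article: the sample rows, the dbtool command and the function names parse_fd and writers are constructed, and it assumes the TID column is blank so that FD is the fourth whitespace-separated field.

```shell
#!/bin/sh
# Added example: decode the FD column. The rows below are constructed.
# Assumption: TID is blank on every row, so FD is the 4th field.
SAMPLE='COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
rsyslogd  812 syslog  cwd    DIR    8,1     4096      2 /
rsyslogd  812 syslog    7w   REG    8,1    52310 131201 /var/log/kern.log
tail     4610   mary    3r   REG    8,1    52310 131201 /var/log/kern.log
dbtool   5120   mary    5uW  REG    8,1     8192 262155 /home/mary/app.db'

# parse_fd FIELD: print "fd=<descriptor> mode=<mode> lock=<lock>".
parse_fd() {
    field=$1
    case $field in
        [0-9]*) ;;                      # numeric descriptor, decoded below
        *) echo "fd=$field mode=n/a lock=n/a"; return 0 ;;   # cwd, txt, mem
    esac
    num=${field%%[!0-9]*}               # leading digits
    rest=${field#"$num"}                # mode character, then lock character
    lockc=${rest#?}                     # what follows the first character
    modec=${rest%"$lockc"}              # the first character, possibly empty
    case $modec in
        r) mode=read ;;
        w) mode=write ;;
        u) mode=read-write ;;
        *) mode=unknown ;;              # "-" or no mode character
    esac
    case $lockc in
        r) lock=read-partial ;;
        R) lock=read-whole-file ;;
        w) lock=write-partial ;;
        W) lock=write-whole-file ;;
        u) lock=read-write ;;
        U) lock=unknown ;;
        *) lock=none ;;
    esac
    echo "fd=$num mode=$mode lock=$lock"
}

# writers PATH: "command pid" for each sample row holding PATH open for writing.
writers() {
    printf '%s\n' "$SAMPLE" | awk -v path="$1" '
        NR > 1 && $NF == path && $4 ~ /^[0-9]+[wu]/ { print $1, $2 }'
}

# Decode the FD field of every sample row.
printf '%s\n' "$SAMPLE" | awk 'NR > 1 { print $4 }' | while read -r f; do
    parse_fd "$f"
done
```

To use it on a live system, replace the constructed SAMPLE with the output of an lsof command from this article, keeping in mind that rows with a populated TID column shift the field positions.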

The TYPE Column

There are over 70 entries that might appear in the TYPE column. Some common entries you will see are:

  • REG: Regular filesystem file.
  • DIR: Directory.
  • FIFO: First In First Out.
  • CHR: Character special file.
  • BLK: Block special file.
  • INET: Internet socket.
  • unix: UNIX domain socket.

See Processes That Have Opened a File

To see the processes that have opened a certain file, provide the name of the file as a parameter to lsof. For example, to see the processes that have opened the kern.log file, use this command:

sudo lsof /var/log/kern.log

lsof responds by displaying the single process, rsyslogd, which was started by the user syslog.

See All Files Opened from a Directory

To see the files that have been opened from a directory, and the processes that opened them, pass the directory to lsof as a parameter. You must use the +D (directory) option.

To see all the files that are open in the /var/log/ directory, use this command:

sudo lsof +D /var/log/

lsof responds with a list of all the open files in that directory.

To see all the files that have been opened from the /home directory, use the following command:

sudo lsof +D /home

The files that have been opened from the /home directory are displayed. Note that with shorter descriptions in some of the columns, the whole listing is narrower.

List Files Opened By a Process

To see the files that have been opened by a particular process, use the -c (command) option. Note that you can provide more than one search term to lsof at once.

sudo lsof -c ssh -c init

lsof provides a list of the files that have been opened by either of the processes provided on the command line.

See Files Opened By a User

To limit the display to the files that have been opened by a specific user, use the -u (user) option. In this example, we’ll look at the files that have been opened by processes that are owned or launched on behalf of Mary.

sudo lsof -u mary

All of the files listed have been opened on behalf of the user Mary. This includes files that have been opened by the desktop environment, for example, or simply as a result of Mary having logged in.

Excluding Files Opened by a User

To exclude the files that have been opened by a user, use the ^ operator. Excluding users from the listing makes it easier to find the information you are interested in. You must use the -u option as before, and add the ^ character to the start of the user’s name.

sudo lsof +D /home -u ^mary

This time, the listing for the /home directory does not include any of the files that have been opened by the user Mary.

List Files Opened by a Process

To list the files that have been opened by a specific process, use the -p (process) option and provide the process ID as a parameter.

sudo lsof -p 4610

All of the files that have been opened by the process ID you provide are listed for you.

Listing Process IDs That Have Opened a File

To see the process IDs for the processes that have opened a particular file, use the -t (terse) option and provide the name of the file on the command line.

sudo lsof -t /usr/share/mime/mime.cache

The process IDs are displayed in a simple list.

Use AND and OR Searches

Let’s list the files that have been opened by user Mary, that are related to the SSH processes. We know we can provide more than one search item on the command line, so this should be easy.

sudo lsof -u mary -c ssh

Now let’s look at the output from lsof. That doesn’t look right; there are entries in the output that were started by root.

That isn’t what we expected. What happened?

When you provide multiple search terms, lsof will return any file that matches the first search term or the second search term, and so on. In other words, it performs an OR search.

To make lsof perform an AND search, use the -a (and) option. This means the only files that will be listed will be ones that match the first search term, and the second search term, and so on.

Let’s try that again and use the -a option.

sudo lsof -u mary -c ssh -a

Now every file in the listing is one that has been opened by or on behalf of Mary, and is associated with the SSH command.

Automatically Refreshing The Display

We can use the +|-r (repeat) option to put lsof into repeat mode. The repeat option can be applied in two ways, either +r or -r. We must also add the number of seconds we want lsof to wait before refreshing the display.

Using the repeat option in either format makes lsof display the results as usual, but it adds a dashed line to the bottom of the display. It waits for the number of seconds provided on the command line and then refreshes the display with a new set of results.

With the -r option this will continue until you press Ctrl+C. With the +r format, it will continue until there are no results to display, or until you press Ctrl+C.

sudo lsof -u mary -c ssh -a -r5

Note the dashed line at the bottom of the listing. This separates each new display of data when the output is refreshed.

Displaying Files Associated with Internet Connections

The -i (internet) option allows you to see the files opened by processes associated with network and internet connections.

lsof -i

All of the files opened by network and internet connections are displayed.

Displaying Files Associated with Internet Connections by Process ID

To see the files opened by internet connections that are associated with a specific process ID, add the -p option and the -a option.

Here we are looking for files opened by an internet or network connection, by a process with an ID of 606.

sudo lsof -i -a -p 606

All of the files opened by process ID 606 that are associated with internet or network connections are displayed.

Displaying Files Associated with Internet Connections and Commands

We can use the -c (command) option to look for files opened by specific processes. To look for files that have been opened by internet or network connections associated with the ssh process, use the following command:

lsof -i -a -c ssh

All of the files opened due to the ssh processes are listed in the output.

Displaying Files Associated with Internet Connections and Ports

We can make lsof report on the files that were opened by internet or network connections on a specific port. To do this, we use the : character followed by the port number.

Here we’re asking lsof to list the files that have been opened by network or internet connections using port 22.

lsof -i :22

All of the listed files were opened by processes associated with port 22 (which is the default port for SSH connections).

Displaying Files Associated with Internet Connections and Protocols

We can ask lsof to show the files that have been opened by processes associated with network and internet connections, that are using a specific protocol. We can choose from TCP, UDP, and SMTP. Let’s use the TCP protocol and see what we get.

sudo lsof -i tcp

The only files listed are those opened by processes that are using the TCP protocol.
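
The -i listings from the sections above become a repeatable host check once the listening sockets are reduced to one line each and compared against the ports you expect to be open. This is an added example, not code from the original article: the sample rows and the function names listeners and unexpected_listeners are constructed, and it assumes numeric addresses and ports (lsof's -n and -P options) and a blank TID column.

```shell
#!/bin/sh
# Added example: review `lsof -i` style output for listening TCP sockets.
# The rows below are constructed, in the layout of `sudo lsof -i -n -P`.
SAMPLE_NET='COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       606  root    3u  IPv4  21811      0t0  TCP *:22 (LISTEN)
sshd       606  root    4u  IPv6  21813      0t0  TCP *:22 (LISTEN)
sshd      4610  mary    3u  IPv4  40122      0t0  TCP 192.0.2.10:22->192.0.2.20:51234 (ESTABLISHED)
cupsd      711  root    7u  IPv4  23010      0t0  TCP 127.0.0.1:631 (LISTEN)
python3   5233  mary    3u  IPv4  51877      0t0  TCP *:8000 (LISTEN)
avahi-dae  640 avahi   12u  IPv4  20311      0t0  UDP *:5353'

# listeners: print "port command pid user address", one line per listening
# TCP socket, with the IPv4/IPv6 pair of the same process collapsed.
listeners() {
    printf '%s\n' "$SAMPLE_NET" | awk '
        NR > 1 && $8 == "TCP" && $NF == "(LISTEN)" {
            addr = $(NF - 1)
            port = addr; sub(/.*:/, "", port)        # text after the last colon
            host = addr; sub(/:[0-9]+$/, "", host)   # "*" means every interface
            key = port " " $1 " " $2
            if (!(key in seen)) { seen[key] = 1; print port, $1, $2, $3, host }
        }' | sort -n
}

# unexpected_listeners "22 631": listeners whose port is not in the allowlist.
unexpected_listeners() {
    listeners | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok)'
}

# Report anything listening on a port other than SSH (22) and CUPS (631).
unexpected_listeners "22 631"
```

An address of * in the last column means the socket accepts connections on every interface, while 127.0.0.1 is reachable only from the host itself.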

We’ve Only Scratched the Surface

That’s a good grounding in some common use cases for lsof, but there is a lot more to it than that. Just how much more can be judged by the fact that the man page is over 2,800 lines long.

The lsof command can be used to drill ever deeper into the strata of open files and pseudo-files. We’ve provided a sketch map; the atlas is in the man page.

Translated from: https://www.howtogeek.com/426031/how-to-use-the-linux-lsof-command/
