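lsof (list open files) is a tool that lists the files currently open on the system. On Linux, everything can be represented as a file: through files you can reach not only regular data but also network connections and hardware.
Requirements: lsof reads kernel data and files of every kind, so it must be run as root to be fully effective.
Examples:
1. Find ports by process PID (-i shows all network connections)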
lsof -i | grep pid
The corresponding ps command looks up a process by PID:
ps -u --pid <pid>
2. Find the process by port
lsof -i:port
3. Show the files and network connections in use by the command abc
lsof -c abc
4. See which files the process with PID 12 has open
lsof -p 12
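5. Show the processes of user oracle that have files of type txt open (-d txt selects entries whose FD column is txt, the program text; -a ANDs the two conditions)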
[root@centos7 ~]# lsof -d txt -u oracle -a
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/42/gvfs
Output information may be incomplete.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 27822 oracle txt REG 253,0 960376 33607829 /usr/bin/bash
vim 29830 oracle txt REG 253,0 2289640 34181314 /usr/bin/vim
6. Use @host to show connections to a given host; @host:port shows connections for a given host and port
[root@centos7 ~]# lsof -i@192.168.96.22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld 20166 mysql 4u IPv6 132031 0t0 TCP centos7:opsession-prxy->db:28213 (ESTABLISHED)
mysqld 20166 mysql 84u IPv6 134344 0t0 TCP centos7:opsession-prxy->db:28587 (ESTABLISHED)
7. Show only TCP connections (UDP connections can be listed the same way)
[root@centos7 ~]# lsof -iTCP
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1091 root 3u IPv4 19736 0t0 TCP *:ssh (LISTEN)
sshd 1091 root 4u IPv6 19738 0t0 TCP *:ssh (LISTEN)
cupsd 1093 root 12u IPv6 19830 0t0 TCP localhost:ipp (LISTEN)
cupsd 1093 root 13u IPv4 19831 0t0 TCP localhost:ipp (LISTEN)
master 1211 root 13u IPv4 20159 0t0 TCP localhost:smtp (LISTEN)
master 1211 root 14u IPv6 20160 0t0 TCP localhost:smtp (LISTEN)
dnsmasq 1278 nobody 6u IPv4 20430 0t0 TCP centos7:domain (LISTEN)
mysqld 20166 mysql 4u IPv6 132031 0t0 TCP centos7:opsession-prxy->prod-db:28213 (ESTABLISHED)
mysqld 20166 mysql 32u IPv6 95691 0t0 TCP *:opsession-prxy (LISTEN)
mysqld 20166 mysql 84u IPv6 134344 0t0 TCP centos7:opsession-prxy->prod-db:28587 (ESTABLISHED)
sshd 27007 root 3u IPv4 131360 0t0 TCP centos7:ssh->192.168.97.103:61221 (ESTABLISHED)
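8. What a given user has open: lsof -u oracle
9. What everyone except a given user has open: lsof -u ^oracle
10. Kill everything a given user is doing: kill -9 $(lsof -t -u oracle), where -t prints only process IDs so the output can be passed to kill
11. Show listening ports and established connections
[root@centos7 ~]# lsof -i -sTCP:ESTABLISHED # show established connections; equivalent to netstat -tun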
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld 20166 mysql 4u IPv6 132031 0t0 TCP centos7:opsession-prxy->prod-db:28213 (ESTABLISHED)
mysqld 20166 mysql 84u IPv6 134344 0t0 TCP centos7:opsession-prxy->prod-db:28587 (ESTABLISHED)
sshd 27007 root 3u IPv4 131360 0t0 TCP centos7:ssh->192.168.97.103:61221 (ESTABLISHED)
[root@centos7 ~]# lsof -i -sTCP:LISTEN # show listening network service ports; equivalent to netstat -tunl
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1091 root 3u IPv4 19736 0t0 TCP *:ssh (LISTEN)
sshd 1091 root 4u IPv6 19738 0t0 TCP *:ssh (LISTEN)
cupsd 1093 root 12u IPv6 19830 0t0 TCP localhost:ipp (LISTEN)
cupsd 1093 root 13u IPv4 19831 0t0 TCP localhost:ipp (LISTEN)
master 1211 root 13u IPv4 20159 0t0 TCP localhost:smtp (LISTEN)
master 1211 root 14u IPv6 20160 0t0 TCP localhost:smtp (LISTEN)
dnsmasq 1278 nobody 6u IPv4 20430 0t0 TCP centos7:domain (LISTEN)
mysqld 20166 mysql 32u IPv6 95691 0t0 TCP *:opsession-prxy (LISTEN)
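An added example, not part of the original page: a shell function that takes the lsof -i -sTCP:LISTEN output above and classifies each listener by the address it is bound to (all interfaces, loopback only, or one specific address), merging the IPv4 and IPv6 rows. The names classify_listeners and sample_listeners are assumptions of this example; the sample input is the LISTEN output shown above.

```shell
#!/bin/sh
# Added example, not from the original page.
# classify_listeners reads `lsof -i -sTCP:LISTEN` output on stdin and prints
# one line per unique listener: "<scope> <command> <pid> <user> <port>".
# scope: wildcard (all interfaces), loopback, or specific (one address).
classify_listeners() {
    awk '
    $NF != "(LISTEN)" { next }            # drops header, warnings, other states
    {
        name = $(NF - 1)                  # e.g. *:ssh, localhost:ipp, [::1]:631
        port = name
        sub(/.*:/, "", port)              # keep the text after the last colon
        addr = substr(name, 1, length(name) - length(port) - 1)
        if (addr == "*") scope = "wildcard"
        else if (addr == "localhost" || addr == "[::1]" || addr ~ /^127\./) scope = "loopback"
        else scope = "specific"
        key = scope " " $1 " " $2 " " $3 " " port
        if (!(key in seen)) {             # IPv4 and IPv6 rows collapse to one
            seen[key] = 1
            print key
        }
    }'
}

# Sample input: the LISTEN rows from the lsof output shown above.
sample_listeners() {
    cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1091 root 3u IPv4 19736 0t0 TCP *:ssh (LISTEN)
sshd 1091 root 4u IPv6 19738 0t0 TCP *:ssh (LISTEN)
cupsd 1093 root 12u IPv6 19830 0t0 TCP localhost:ipp (LISTEN)
cupsd 1093 root 13u IPv4 19831 0t0 TCP localhost:ipp (LISTEN)
master 1211 root 13u IPv4 20159 0t0 TCP localhost:smtp (LISTEN)
master 1211 root 14u IPv6 20160 0t0 TCP localhost:smtp (LISTEN)
dnsmasq 1278 nobody 6u IPv4 20430 0t0 TCP centos7:domain (LISTEN)
mysqld 20166 mysql 32u IPv6 95691 0t0 TCP *:opsession-prxy (LISTEN)
EOF
}

# On a live host (as root): lsof -i -sTCP:LISTEN -P -n | classify_listeners
sample_listeners | classify_listeners
```

The wildcard rows (sshd and mysqld in this sample) are the services bound to every interface, so they are the first ones to check against the firewall rules and the list of services the host is supposed to offer.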
lsof is usually combined with netstat and ps. For example, to find information about the connections on MySQL port 3307:
[root@centos7 ~]# ps -ef | grep mysql
mysql 20166 1 0 06:50 ? 00:01:39 /usr/sbin/mysqld --daemonize
root 29631 27152 0 14:27 pts/1 00:00:00 grep --color=auto mysql
[root@centos7 ~]# ps -ef | grep 3307
root 29633 27152 0 14:27 pts/1 00:00:00 grep --color=auto 3307
[root@centos7 ~]# netstat -na | grep 3307 # find entries for port 3307
tcp6 0 0 :::3307 :::* LISTEN
tcp6 0 0 192.168.97.197:3307 192.168.96.22:28213 ESTABLISHED
tcp6 0 0 192.168.97.197:3307 192.168.96.22:28587 ESTABLISHED
[oracle@centos7 ~]$ netstat -tun # list established network connections
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 216 192.168.97.197:22 192.168.97.103:61221 ESTABLISHED
tcp6 0 0 192.168.97.197:3307 192.168.96.22:28213 ESTABLISHED
tcp6 0 0 192.168.97.197:3307 192.168.96.22:28587 ESTABLISHED
[oracle@centos7 ~]$ netstat -tunl # list listening network service ports
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp6 0 0 :::3307 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:631 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
udp 0 0 0.0.0.0:35713 0.0.0.0:*
udp 0 0 192.168.122.1:53 0.0.0.0:*
udp 0 0 0.0.0.0:67 0.0.0.0:*
udp 0 0 0.0.0.0:5353 0.0.0.0:*
[oracle@centos7 ~]$ netstat -tuna
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 52 192.168.97.197:22 192.168.97.103:61221 ESTABLISHED
tcp6 0 0 :::3307 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 ::1:631 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
tcp6 0 0 192.168.97.197:3307 192.168.96.22:28213 ESTABLISHED
tcp6 0 0 192.168.97.197:3307 192.168.96.22:28587 ESTABLISHED
udp 0 0 0.0.0.0:35713 0.0.0.0:*
udp 0 0 192.168.122.1:53 0.0.0.0:*
udp 0 0 0.0.0.0:67 0.0.0.0:*
udp 0 0 0.0.0.0:5353 0.0.0.0:*
[root@centos7 ~]# lsof -i:3307 # find the process by port
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld 20166 mysql 4u IPv6 132031 0t0 TCP centos7:opsession-prxy->db:28213 (ESTABLISHED)
mysqld 20166 mysql 32u IPv6 95691 0t0 TCP *:opsession-prxy (LISTEN)
mysqld 20166 mysql 84u IPv6 134344 0t0 TCP centos7:opsession-prxy->db:28587 (ESTABLISHED)
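Notes:
Common netstat options: -t, -u, -w and -x select TCP, UDP, RAW and UNIX socket connections respectively. With -a, sockets waiting for connections (that is, in listening mode) are shown as well.
-l shows ports that are being listened on; -n shows port numbers directly instead of translating them to service names via /etc/services; -p lists the listening program.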