Tuesday, 20 January 2009

Command: LSOF

Today's command is the UNIX/Linux command "lsof", or "list open files".

In a *NIX system, the "open files" include:

  • disk files,
  • pipes,
  • network sockets,
  • hardware and devices, and
  • all processes running on the system.
*NIX treats all devices and almost everything else in the system as a file.

By default, that is, if you run "lsof" without any additional parameters, the command displays all files opened by any process on the system.

You can select a directory, volume or single file to see who is using it. For example, the following command displays who is using the "/etc/passwd" file:
  • lsof /etc/passwd

To display only the process IDs (PIDs) of the processes that are using the named binary, you could use:

  • lsof -t `which named`

To display all of the files opened by processes belonging to a user called john, you could use:

  • lsof -u john

To display the files opened by the process with PID 541:

  • lsof -p 541

If you want to list all open Internet sockets, or just those on port 53 (DNS), you could use the following commands respectively:

  • lsof -i
  • lsof -i :53

To drill down and display the processes using a UDP connection to or from a DNS server at the host ns.nameserver.com (using the default port of 53 UDP) we could use:

The command "lsof" is a valuable testing, audit, incident response and forensic utility. Make sure that you know the options associated with this command.

An Open File Search
In *NIX, even a single open file will (usually) stop a user from unmounting a filesystem. Running "lsof" as the superuser (root) to display the open files on a mounted volume lets you check whether the volume can be unmounted. For instance, the following command displays the open files on the volume "/export/home":

# lsof /export/home
bob 1541 user 3u VREG 14,6 4096 6542 /export/home/file.tmp
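As an added example (not from the original post), the following Python parses the machine-readable output that lsof emits with its -F option, so the two checks above (which processes hold a socket on port 53, and which open files would block unmounting /export/home) can be scripted in an audit or incident-response run. The sample output is constructed; it assumes lsof was run as `lsof -nP -F pcLftn`, which are documented lsof flags (-n/-P suppress host and port name lookups, -F selects the field tags).

```python
import re
# Constructed sample of `lsof -nP -F pcLftn` output: one field per line, the
# first character is the field tag, and each 'p' line starts a new process.
SAMPLE = """\
p1234
cnamed
Lbind
f20
tIPv4
n*:53
f21
tIPv4
n10.0.0.5:53->10.0.0.9:40123
p2202
cbash
Lbob
f3
tREG
n/export/home/file.tmp
"""
TAGS = {"c": "command", "L": "login", "t": "type", "n": "name"}

def parse_lsof_f(text):
    """One dict per open file, carrying the owning process's pid/command/login."""
    records, proc, cur = [], {}, None
    for line in filter(None, text.splitlines()):
        tag, value = line[0], line[1:]
        if tag == "p":                 # 'p' opens a new process set
            proc, cur = {"pid": int(value)}, None
        elif tag == "f":               # 'f' opens a new file set in that process
            cur = dict(proc, fd=value)
            records.append(cur)
        elif cur is None:              # c/L seen before any f: process-level field
            proc[TAGS.get(tag, tag)] = value
        else:                          # t/n: file-level field
            cur[TAGS.get(tag, tag)] = value
    return records

def local_port(name):  # '10.0.0.5:53->10.0.0.9:40123' -> 53; None for non-sockets
    m = re.search(r":(\d+)$", name.split("->", 1)[0])
    return int(m.group(1)) if m else None

def processes_on_port(records, port):  # (pid, command) bound to a local port
    return sorted({(r["pid"], r["command"]) for r in records
                   if r.get("type", "").startswith("IPv") and local_port(r["name"]) == port})

def files_under(records, mountpoint):  # anything listed here makes umount fail (busy)
    prefix = mountpoint.rstrip("/") + "/"
    return [(r["pid"], r["login"], r["fd"], r["name"]) for r in records
            if r.get("name") == mountpoint or r.get("name", "").startswith(prefix)]
```

On a live host, feed the same functions the text of `subprocess.run(["lsof", "-nP", "-F", "pcLftn"], capture_output=True, text=True).stdout` instead of SAMPLE.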
