Today's command is the UNIX/Linux command "lsof", or "list open files".
In a *NIX system, the "open files" include:
- disk files,
- network sockets,
- hardware and devices, and
- all processes running on the system.
By default, that is, if you run "lsof" without any additional parameters, the command will display all the files opened by any processes on the system.
You can select a directory, volume or single file to see who is using it. For example, the following command will display who is using the "/etc/passwd" file:
- lsof /etc/passwd
In order to display the process IDs that are utilising the named binary, and only the PIDs, you could use:
- lsof -t `which named`
In order to display all of the files opened by processes belonging to a user called john, you could use:
- lsof -u john
To display the files opened by the process with PID 541:
- lsof -p 541
If you wanted to list any open internet protocol sockets or just those related to DNS (on port 53 that is) you could use the following commands respectively:
- lsof -i
- lsof -i :53
To drill down and display the processes that are using a UDP connection to or from a DNS server at the host ns.nameserver.com (using the default port of 53 UDP) we could use:
The command "lsof" is a valuable testing, audit, incident response and forensic utility. Make sure that you know the options associated with this command.
An Open File Search
In *NIX, even a solitary open file will (usually) stop a user from unmounting a filesystem. Running "lsof" as the superuser (root) in order to display the open files for a mounted volume will allow you to check if the volume can be dismounted. For instance, the following command displays the open files for the volume "/export/home":
# lsof /export/home
bob 1541 user 3u VREG 14,6 4096 6542 /export/home/file.tmp