How to use Isof command on Linux
If everything in Linux is a file, you'll have more than just the file on your hard drive. This article will show you how to use the lsof command to see all other devices and processes processed as a file.
If everything in Linux is a file, you'll have more than just the file on your hard drive. This article will show you how to use the lsof command to see all other devices and processes processed as a file.
- Basic Linux commands everyone needs to know
- 7 commands to manipulate the most basic files and folders everyone must know
- Search for files and directories in Linux using the command line interface
On Linux, everything is a file
Identifying everything on Linux is a fairly correct file. A file is a collection of bytes. When read in a program or sent to the printer, they create a byte stream. And when written, they accept a byte stream.
Many other system components accept or create byte streams such as keyboards, printers, and communication processes. Because they both accept and create byte streams, these devices can be processed as if they were a very low file.
The concept simplifies the deployment of Linux operating systems. That means a processor of tools, APIs can be created to handle a variety of different resources.
Data and program files on the hard drive are old system files. You can use the ls command to list and find information about them.
So how do we find all other processes and devices that are considered files? Let the lsof command handle that. This command will list open files on the system and anything processed as a file.
Lsof command
We need to use the sudo command with the lsof command because many processes or devices belong to root or are started by root.
The lsof command list is very long, so you should use the less command to shorten it.
sudo lsof | less
When running lsoft command on GNOME, users will receive a warning in the terminal window.
lsof: WARNING: can't stat () fuse.gvfsd-fuse file system / run / user / 1000 / gvfs
Kết quả thông tin có thể trongcomplete.
Lsoft tries to handle all file systems. This warning appears because lsof encountered the GNOME Virtual file system (GVFS) system. This is a special case of the file system in user space (FUSE). It acts as a bridge between GNOME, API and kernel. No one, even root users, can access these file systems except the one who mounts it (in this case, GNOME). You can ignore this warning.
The output of lsof is very long and numerous. You can see the leftmost columns in the picture below:
The far right column:
Columns in lsof command
Here are the full columns of lsoft command. Open files may not be full of columns, some will be empty.
- Command : The name of the command related to the file opening process.
- PID: Process identification code of the file opening process.
- TID : Task identification code (thread). If you see an empty column, it is not a task but a process.
- User : ID or user name belongs to the process or user ID, login information of the owner of the directory in / proc which lsoft found information about the process.
- FD : Displays the file description.
- Type : Type of button associated with the file.
- Device : Contains the number of devices separated by commas for a special character, special file, regular file, directory or NFS file, the kernel reference address determines the file. In addition, it displays the base address or device name of the Linux device AX.25 socket.
- Size / Off : Displays the file size or distance to the beginning of the file (file offset) in bytes.
- Node : Displays the number of nodes of the local file or the inode number of the NFS file in the host or Internet protocol type. It can display STR for a thread or inode number, IRQ for Linux device AX.25 socket.
- Name : Displays the name of the mount point and the file system with the files on it.
Column FD
Section column FD can be made up of three components: file descriptor, node character and lock character. Some common file descriptions are:
- cwd : Current working directory.
- err : FD information error (see column NAME).
- ltx : Shared library text (code and data).
- m86 : DOS Merge mapping file.
- mem : Memory mapping file.
- mmap : Memory mapping device.
- pd : Parent folder.
- rtd : root directory.
- txt : Program text (code and data).
Node character:
- r : Read access.
- w : Access recording.
- u : Read and write access.
- '' : A space character, if no mode is specified, there is no key character.
- - : Unknown mode and has a lock character.
Key characters:
- r : Lock read on part of the file.
- R : Reading lock on the whole file.
- w : Lock written on part of the file.
- W : Record lock on the entire file.
- u : Read and write keys of any length.
- U : Unknown key type.
- '' : A space character. No lock.
Column TYPE
More than 70 items may appear in the TYPE column. Some common items you will see are:
- REG : Regular file system.
- DIR : Folder.
- FIFO : First In First Out.
- CHR : Special character file.
- BLK : File is specially blocked.
- INET : Internet socket
- unix : Socket UNIX domain name
View file opening processes
To see the process of opening a certain file, you need to provide the file name as a parameter for lsof. For example, to see the process of opening the kern.log file, use the following command:
sudo lsof /var/log/kern.log
Lsof returns by displaying a single process, rsyslogd is started by the syslog user.
View all files opened from the library
To see files opened from a library and the process of opening them, provide the directory name for lsof as a parameter. You must use the + D option.
To view all open files in / var / log directory / use the following command:
lsof returns a list of all open files in that directory.
To view all files opened from the / home directory, use the following command:
sudo lsof + D / home
You will see all the files opened in the / home directory. With short descriptions in some columns, the entire list will be narrowed.
List files that are opened by a specific process
To view files opened by a specific process, use the -c option. Note, you can provide multiple search terms for lsoft at the same time.
sudo lsof -c ssh -c init
Lsoft provides a list of files opened by processes in the command line.
View open user files
To limit the display of files opened by specific users, you should use the -u option. In this example, we will find the files opened by the process of ownership or launch instead of Mary users.
sudo lsof -u mary
All files opened by Mary users will be listed. It includes files opened in the desktop environment or simply the result of Mary logging into the system.
Exclude files opened by users
To exclude files opened by users, use the ^ operator to exclude users from the list. This will help you find information more easily. You must use the -u option and add the ^ character to the username.
sudo lsof + D / home -u ^ mary
You will see a list of / home directories without any files opened by Mary users.
List the file due to the open process according to the process ID
To list the file due to the open process, use the -p option and provide the process ID as the parameter.
sudo lsof - p 4610
All files opened by the process ID you provide are listed in the image below.
List file open process ID
To view the process ID for a specific file, use the -t option and provide the file name for the command line.
sudo lsof -t /usr/share/mime/mime.cache
The process ID is displayed in a simple list.
Use AND and OR search
As mentioned above, you can use multiple search terms in the command line. For example, to find files opened by Mary users and related to the SSH process use the following command:
sudo lsof -u mary -c ssh
Below is the output of the above command, something is not right here because there are output items that start with root.
When providing multiple lsoft search terms, it will return any file that matches the first, second, third search term, etc. In other words, it does an OR search.
To make lsoft perform an AND search, use the -a option. That means only files matching the first and second conditions are listed.
sudo lsof -u mary -c ssh -a
Now, all files in the list are opened by or on behalf of Mary and are related to the SSH command.
Automatically refresh results
We can use the + | -r option to put lsof into repeat mode. You can use the repeat option in two ways + r or -r . You need to add the number of seconds you want lsof to wait before refreshing the result.
Use the repeat option with one of the two formats that lsoft displays as normal, but it adds a broken line to the bottom of the screen. It will wait for the number of seconds you provided in the command line and then refresh the screen with a new set of results.
With the -r option it will continue to repeat the process, want to stop, press Ctrl
+ C
With the + r format, it will continue until no results are displayed or press Ctrl
+ C
sudo lsof -u mary -c ssh -a -r5
Note, the dashed line at the end of the data split list is displayed when the output is refreshed.
Display files related to Internet connection.
The -i option allows you to view files opened by network related processes and the Internet.
lsof -i
All files are opened due to internet connection and the network is displayed.
Displays the file associated with the Internet connection by the process ID
To view files opened by a process related to an Internet connection using a specific process ID, add the -p option and -a option.
We will find the files related to the Internet connection or the network opened by the 606 process ID.
sudo lsof -i -a -p 606
All files opened by the ID 606 process associated with the Internet and the network are displayed.
Display files associated with commands and Internet connection
We can use the -c (command) option to search for files opened by specific processes. To find files opened with processes related to Internet connection or networks associated with the ssh process, use the following command:
lsof -i -a -c ssh
All files are opened because the ssh process is listed.
Display files related to Internet connection and ports
Lsoft can report files opened by Internet connection and network on specific port. To do that, use the character : following the port number.
Below lsoft lists the files opened by network connection or Internet using port 22.
lsof -i: 22
All files are opened by the process related to port 22 (this is the default port for SSH connection).
Display files related to Internet connection and protocol
You can request lsof to display the file opened by the process related to network and Internet connection, using specific protocol. You can choose from TCP, UDP and SMTP. Here we find the file using TCP protocol.
- The difference between TCP and UDP protocols
sudo lsof -i tcp
This is the output that is opened by processes using TCP protocol.
Here are some ways to use lsoft command you can use to search files on Linux.
I wish you all success!
You should read it
- Instructions for using find command in Linux
- How to find a specific word in a file on Linux
- 20+ essential Linux security commands
- The Cat command in Linux
- Tail command in Linux
- How to use the which command in Linux
- Search for files and directories in Linux using the command line interface
- How to find and open files with Command Prompt
- Basic Linux commands everyone needs to know
- How to use cURL command in Linux
- How to find the MAC address using the command line in Linux
- How to use the Install command to copy files in Linux