document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2025-01-22 23:00:57 +08:00
Code Issues Packages Projects Releases Wiki Activity
d1565bf490
TranslateProject/sources/tech/20141009 Linux Terminal--An lsof Primer.md

251 lines
10 KiB
Markdown
Raw Normal View History

20141009-2 选题
2014-10-09 16:29:20 +08:00
Linux Terminal: An lsof Primer
================================================================================
![](http://cdn.linuxaria.com/wp-content/uploads/2011/06/tux-terminal.jpg)
Article by Daniel Miessler first posted on his [blog][1]
**lsof** is the sysadmin/[security][2] über-tool. I use it most for getting [network][3] connection related information from a system, but thats just the beginning for this powerful and too-little-known application. The tool is aptly called lsof because it “**lists openfiles**“. And remember, in UNIX just about everything (including a network socket) is a file.
Interestingly, lsof is also the Linux/Unix command with the most switches. It has so many it has to use both minuses andpluses.
usage: [-?abhlnNoOPRstUvV] [+|-c c] [+|-d s] [+D D] [+|-f[cgG]]
[-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+|-M] [-o [o]]
[-p s] [+|-r [t]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
As you can see, lsof has a truly staggering number of options. You can use it to get information about devices on your system, what a given user is touching at any given point, or even what files or network connectivity a process is using.
For me, lsof replaces both netstat and ps entirely. It has everything I get from those tools and much, much more. So lets look at some of its primary capabilities:
### Key Options ###
Its important to understand a few key things about how lsofworks. Most importantly, when youre passing options to it, the default behavior is to OR the results. So if you are pulling a list of ports with -i and also a process list with -p youre by default going to get both results.
Here are a few others like that to keep in mind:
- **default** : without options, lsof lists all open files for active processes
- **grouping** : its possible to group options, e.g. -abC, but you have to watch for which options take parameters
- **-a** : AND the results (instead of OR)
- **-l** : show the userID instead of the username in the output
- **-h** : get help
- **-t** : get process IDs only
- **-U** : get the UNIX socket address
- **-F** : the output is ready for another command, which can be formatted in various ways, e.g. -F pcfn (for process id, command name, file descriptor, and file name, with a null terminator)
#### Getting Information About the Network ####
As I said, one of my main usecases for lsof is getting information about how my system is interacting with the network. Here are some staples for getting this info:
### Show all connections with -i ###
Some like to use netstat to get network connections, but I much prefer using lsof for this. The display shows things in a format thats intuitive to me, and I like knowing that from there I can simply change my syntax and get more information using the same command.
# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
dhcpcd 6061 root 4u IPv4 4510 UDP *:bootpc
sshd 7703 root 3u IPv6 6499 TCP *:ssh (LISTEN)
sshd 7892 root 3u IPv6 6757 TCP 10.10.1.5:ssh->192.168.1.5:49901 (ESTABLISHED)
### Get only IPv6 traffic with -i 6 ###
# lsof -i 6
### Show only TCP connections (works the same for UDP) ###
You can also show only TCP or UDP connections by providing the protocol right after the -i.
# lsof -iTCP
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 7703 root 3u IPv6 6499 TCP *:ssh (LISTEN)
sshd 7892 root 3u IPv6 6757 TCP 10.10.1.5:ssh->192.168.1.5:49901 (ESTABLISHED)
### Show networking related to a given port using -i :port ###
Or you can search by port instead, which is great for figuring out whats preventing another app from binding to a given port.
# lsof -i :22
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 7703 root 3u IPv6 6499 TCP *:ssh (LISTEN)
sshd 7892 root 3u IPv6 6757 TCP 10.10.1.5:ssh->192.168.1.5:49901 (ESTABLISHED)
### Show connections to a specific host using @host ###
This is quite useful when youre looking into whether you have open connections with a given host on the network or on the internet.
# lsof -i@172.16.12.5
sshd 7892 root 3u IPv6 6757 TCP 10.10.1.5:ssh->172.16.12.5:49901 (ESTABLISHED)
### Show connections based on the host and the port using@host:port ###
You can also combine the display of host and port.
# lsof -i@172.16.12.5:22
sshd 7892 root 3u IPv6 6757 TCP 10.10.1.5:ssh->192.168.1.5:49901 (ESTABLISHED)
### Find listening ports ###
Find ports that are awaiting connections.
# lsof -i -sTCP:LISTEN
You can also do this by grepping for “LISTEN” as well.
# lsof -i | grep -i LISTEN
iTunes 400 daniel 16u IPv4 0x4575228 0t0 TCP *:daap (LISTEN)
### Find established connections ###
You can also show any connections that are already pinned up.
# lsof -i -sTCP:ESTABLISHED
You can also do this just by searching for “ESTABLISHED” in the output via grep.
# lsof -i | grep -i ESTABLISHED
firefox-b 169 daniel 49u IPv4 0t0 TCP 1.2.3.3:1863->1.2.3.4:http (ESTABLISHED)
#### User Information ####
You can also get information on various users and what theyre doing on the system, including their activity on the network, their interactions with files, etc.
### Show what a given user has open using -u ###
# lsof -u daniel
-- snipped --
Dock 155 daniel txt REG 14,2 2798436 823208 /usr/lib/libicucore.A.dylib
Dock 155 daniel txt REG 14,2 1580212 823126 /usr/lib/libobjc.A.dylib
Dock 155 daniel txt REG 14,2 2934184 823498 /usr/lib/libstdc++.6.0.4.dylib
Dock 155 daniel txt REG 14,2 132008 823505 /usr/lib/libgcc_s.1.dylib
Dock 155 daniel txt REG 14,2 212160 823214 /usr/lib/libauto.dylib
-- snipped --
### Show what all users are doing except a certain user using-u ^user ###
# lsof -u ^daniel
-- snipped --
Dock 155 jim txt REG 14,2 2798436 823208 /usr/lib/libicucore.A.dylib
Dock 155 jim txt REG 14,2 1580212 823126 /usr/lib/libobjc.A.dylib
Dock 155 jim txt REG 14,2 2934184 823498 /usr/lib/libstdc++.6.0.4.dylib
Dock 155 jim txt REG 14,2 132008 823505 /usr/lib/libgcc_s.1.dylib
Dock 155 jim txt REG 14,2 212160 823214 /usr/lib/libauto.dylib
-- snipped --
### Kill everything a given user is doing ###
Its nice to be able to nuke everything being run by a given user.
# kill -9 `lsof -t -u daniel`
#### Commands and Processes ####
Its often useful to be able to see what a given program or process is up to, and with lsof you can do this by name or by process ID. Here are a few options:
### See what files and network connections a named command is using with -c ###
# lsof -c syslog-ng
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
syslog-ng 7547 root cwd DIR 3,3 4096 2 /
syslog-ng 7547 root rtd DIR 3,3 4096 2 /
syslog-ng 7547 root txt REG 3,3 113524 1064970 /usr/sbin/syslog-ng
-- snipped --
### See what a given process ID has open using -p ###
# lsof -p 10075
-- snipped --
sshd 10068 root mem REG 3,3 34808 850407 /lib/libnss_files-2.4.so
sshd 10068 root mem REG 3,3 34924 850409 /lib/libnss_nis-2.4.so
sshd 10068 root mem REG 3,3 26596 850405 /lib/libnss_compat-2.4.so
sshd 10068 root mem REG 3,3 200152 509940 /usr/lib/libssl.so.0.9.7
sshd 10068 root mem REG 3,3 46216 510014 /usr/lib/liblber-2.3
sshd 10068 root mem REG 3,3 59868 850413 /lib/libresolv-2.4.so
sshd 10068 root mem REG 3,3 1197180 850396 /lib/libc-2.4.so
sshd 10068 root mem REG 3,3 22168 850398 /lib/libcrypt-2.4.so
sshd 10068 root mem REG 3,3 72784 850404 /lib/libnsl-2.4.so
sshd 10068 root mem REG 3,3 70632 850417 /lib/libz.so.1.2.3
sshd 10068 root mem REG 3,3 9992 850416 /lib/libutil-2.4.so
-- snipped --
### The -t option returns just a PID ###
# lsof -t -c Mail
350
#### Files and Directories ####
By looking at a given file or directory you can see what all on the system is interacting with itincluding users, processes, etc.
#### Show everything interacting with a given directory ####
# lsof /var/log/messages/
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
syslog-ng 7547 root 4w REG 3,3 217309 834024 /var/log/messages
### Show everything interacting with a given file ###
# lsof /home/daniel/firewall_whitelist.txt
#### Advanced Usage ####
Similar to [tcpdump][4], the power really shows itself when you start combining queries.
### Show me everything daniel is doing connected to 1.1.1.1 ###
# lsof -u daniel -i @1.1.1.1
bkdr 1893 daniel 3u IPv6 3456 TCP 10.10.1.10:1234->1.1.1.1:31337 (ESTABLISHED)
### Using the -t and -c options together to HUP processes ###
# kill -HUP `lsof -t -c sshd`
### lsof +L1 shows you all open files that have a link count less than 1 ###
This is often (but not always) indicative of an attacker trying to hide file content by unlinking it.
# lsof +L1
(hopefully nothing)
### Show open connections with a port range ###
# lsof -i @fw.google.com:2150=2180
#### Conclusion ####
This primer just scratches the surface of lsofs functionality. For a full reference, run man lsof or check out [the online version][5]. I hope this has been useful to you, and as always,[comments and corrections are welcomed][6].
### Resources ###
- The lsof man page:[http://www.netadmintools.com/html/lsof.man.html][7]
--------------------------------------------------------------------------------
via: http://linuxaria.com/howto/linux-terminal-an-lsof-primer
作者:[Daniel Miessler][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
[a]:https://plus.google.com/101727609700016666852/posts?rel=author
[1]:http://danielmiessler.com/study/lsof/
[2]:http://linuxaria.com/tag/security
[3]:http://linuxaria.com/tag/network
[4]:http://danielmiessler.com/study/tcpdump/
[5]:http://www.netadmintools.com/html/lsof.man.html
[6]:http://danielmiessler.com/connect/
[7]:http://www.netadmintools.com/html/lsof.man.html
Reference in New Issue Copy Permalink