Open a cache of riches with lsof
With Great Power
Now imagine a scenario in which you've found a file in /tmp and have no idea where this potentially dangerous file has come from. To find all the processes using this file, you could run the lsof command in Listing 3.
Listing 3
Finding Processes
As requested, lsof quickly reports the results, as seen in Figure 9.
Around in circles you go: By looking up what lsof knows about PID 14332:
# lsof -p 14332
you reveal a mountain of information (too much to display) relating to the word processor LibreOffice. Therefore, it's most likely not a file to be worried about but instead a temporary copy of a document being written.
Open Up and Lock Down
Now I want to look for open files. I'm running my desktop off a loop disk [1], and I can query all the open files on that (filesystem) device with:
# lsof /dev/loop0
The resulting output scrolls up my screen for a full two seconds with screeds of information. I can also request to list only Unix sockets with:
# lsof -U
Although I've already looked at a specific network port, what about querying all open network ports? Try running this simple command:
# lsof -i
With that entered, my system reports some useful security issues (ports that can be closed down because they're not needed or not in use at all), as well as full hostnames rather than just IP addresses (resolved through DNS, so I can immediately tell what my system is connecting to as I type), and the user, PID, and command responsible for opening each port. Figure 10 shows this concisely. You can also see the port that you're connecting to if you look closely. For example, the first ESTABLISHED connection shown (Figure 10, right-hand side near the bottom) is using the remote port 5228.
If that doesn't meet your needs, you can switch off DNS lookups with -n and just show port numbers without the names with -P:
# lsof -n -i -P
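To turn that listing into a repeatable check for ports that can be closed down, the following added example (not part of the original article) filters lsof -n -P -i output for listening sockets whose port is not on an allowlist. The function names, the allowlist, and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag TCP listeners whose port is not on an allowlist.
# Input is the output of `lsof -n -P -i`; the allowlist is site-specific.

# Constructed sample rows in the column layout lsof -n -P -i prints.
sample_lsof() {
cat <<'EOF'
COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       812  root    3u  IPv4  18273      0t0  TCP *:22 (LISTEN)
cupsd      950  root    7u  IPv6  20111      0t0  TCP [::1]:631 (LISTEN)
python3   3301  chris   4u  IPv4  45102      0t0  TCP *:8000 (LISTEN)
chrome    4211  chris  89u  IPv4  99321      0t0  TCP 192.0.2.20:51234->198.51.100.7:5228 (ESTABLISHED)
avahi-dae  701  avahi  12u  IPv4  17000      0t0  UDP *:5353
EOF
}

# Usage: unexpected_listeners "22 631" < lsof-output
# Prints "port command pid user" for each LISTEN socket not in the allowlist.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                # skip the header row
        $NF != "(LISTEN)" { next }      # keep only listening TCP sockets
        {
            port = $(NF - 1)            # NAME column, e.g. *:22 or [::1]:631
            sub(/^.*:/, "", port)       # text after the last colon is the port
            if (!(port in ok)) print port, $1, $2, $3
        }
    '
}

# On a live system: lsof -n -P -i | unexpected_listeners "22 631"
sample_lsof | unexpected_listeners "22 631"
```

Because -n and -P keep the NAME column numeric, the port can be cut from it reliably even when the address is IPv6.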
One of my favorite lsof commands checks everything a remote host is doing, in the sense of all ports using any protocol:
# lsof -i @another-chris-server.tld
Additional features just keep coming; you can mix up one host with multiple ports or, in this case, a range of ports:
# lsof -i @another-chris-server.tld:5228-6502
Also, you can gain visibility of which files use which file descriptors for every process,
# lsof -d 111,34,67
or simply comma-separate a list of descriptors for a more fine-grained output.
Belly of the Beast
A little more background might increase your understanding of how lsof achieves its powerful output. According to the man page, the magical lsof procures its power from four main files.
It draws information from both the kernel virtual memory device, /dev/kmem (which isn't present on my desktop, although it appears in linux-headers) and the physical memory device, /dev/mem. According to the mem man page, "The file kmem is the same as mem, except that the kernel virtual memory rather than physical memory is accessed."
The command lsof also references the system swap file, conveniently found at /dev/swap, and a cache generated partly from a gethostname lookup.
In other words, it's a busy little utility, and whereas other tools can claim to harvest much of the information held within these ever-changing system files, there's certainly an argument that lsof pulls it all together the most gracefully.