Wednesday, April 10, 2013

Lsof Commands

lsof -t: Show only PIDs 

lsof -c abc: Show processes starting with abc

lsof -c /abc/: If you start and end with a slash, abc is assumed to be a regular expression. Only processes matching this pattern are displayed. lsof -c /^abc/ is equivalent to lsof -c abc.

lsof +d dir/: Show all opened instances of this directory and the files it contains (mind the prefix +!). This 
option is equivalent to lsof dir/ dir/*

lsof +D dir/: Does the same but scans the directory recursively. This may be very slow.

lsof -d: Specify a comma separated list of file descriptors (column FD) to include. If you prefix a value with ^, it will instead be excluded from view.

lsof -u user: List files opened by user user. You may pass multiple users separated by commas. 

lsof -U: Show open UNIX sockets.

lsof -i[46][protocol][@hostname|hostaddr][:service|port]:  lists all established Internet connections and listening server daemons

lsof -n: No DNS resolution, may speed up host lookups by only showing plain IP addresses instead of hostnames. This is mainly used with -i.

lsof -P: Don't resolve port names, display only plain port numbers instead of their names as defined in /etc/services. This is handy in combination with -i if something is wrong with port name resolution or if you don't know which port number a name is mapped to.

lsof -l: Display UIDs instead of login names for file users.

lsof -p: Comma separated list of PIDs to include or to exclude (again, prefix ^ excludes PIDs). If you want to see all files opened by a specific process, just run lsof -p 123 without any further parameter (of course replace 123 with the particular PID).

"show me everything running as root connected to" : lsof -a -u root -i @ 

Kill a Process : kill -9 `lsof -t -u root`

lsof -i@ : To show connections to a specific host, use @host

lsof -i@ : Show connections based on the host and the port using @host:port

lsof -c syslog-ng : See what files and network connections a command is using with –c

lsof -p 10075 : The -p switch lets you see what a given process ID has open, which is good for learning more about unknown processes

Open On Port 80 
netstat -alnp | grep ::80 Or lsof -nPi tcp:80