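How to Use the lsof Command
This article explains in detail how to use the lsof command. The editor finds it quite practical and is sharing it here for reference, in the hope that you get something out of it.
lsof is the uber tool of system administration and security. The name fits, because it stands for "list open files". One thing to keep in mind: in Unix everything, network sockets included, is a file.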
1, List all open files with the lsof command
# lsof
This is a very long list, covering open files and network connections.
The output contains many columns, such as PID, USER, FD and TYPE.
FD - File descriptor
The FD column contains values such as:
cwd - Current working directory
txt - Text file
mem - Memory mapped file
mmap - Memory mapped device
Number - It represents the actual file descriptor. For example, 0u, 1w and 3r
r means read, w means write, and u means read and write.
TYPE is the file type, for example:
REG - Regular file
DIR - Directory
CHR - Character special file
FIFO - First in first out
2, List the files opened by a given user
# lsof -u user_name
Example:
# lsof -u crybit
COMMAND   PID   USER   FD TYPE  DEVICE SIZE/OFF       NODE NAME
sshd    29609 crybit  cwd  DIR 144,233     4096  117711421 /
sshd    29609 crybit  rtd  DIR 144,233     4096  117711421 /
sshd    29609 crybit  txt  REG 144,233   409488  119020186 /usr/sbin/sshd
sshd    29609 crybit  mem  REG 144,241          2443001619 (deleted)/dev/zero (stat: No such file or directory)
sshd    29609 crybit  mem  REG    8,37           119021850 /lib64/libnss_dns-2.5.so (path dev=144,233)
sshd    29609 crybit  mem  REG    8,37           119021984 /lib64/security/pam_succeed_if.so (path dev=144,233)
sshd    29609 crybit  mem  REG    8,37           119022000 /lib64/security/pam_limits.so (path dev=144,233)
sshd    29609 crybit  mem  REG    8,37           119021960 /lib64/security/pam_keyinit.so (path dev=144,233)
sshd    29609 crybit  mem  REG    8,37           119021972 /lib64/security/pam_cracklib.so (path dev=144,233)
sshd    29609 crybit  mem  REG    8,37           119021987 /lib64/security/pam_nologin.so (path dev=144,233)
sshd    29609 crybit  mem  REG    8,37           119021988 /lib64/security/pam_deny.so (path dev=144,233)
sshd    29609 crybit  mem  REG    8,37           119019223 /usr/lib64/libcrack.so.2.8.0 (path dev=144,233)
..........
3, List the processes running on a given port
# lsof -i :port_number
Example:
# lsof -i :22
COMMAND     PID USER     FD TYPE     DEVICE SIZE/OFF NODE NAME
sshd        769 root     3u IPv6 2281738844      0t0  TCP *:ssh (LISTEN)
sshd        769 root     4u IPv4 2281738846      0t0  TCP *:ssh (LISTEN)
# lsof -i :3306
COMMAND     PID USER     FD TYPE     DEVICE SIZE/OFF NODE NAME
mysqld    11106 mysql   10u IPv4 2340975114      0t0  TCP *:mysql (LISTEN)
4, List only open files that use IPv4
# lsof -i4    (for IPv4)
Example:
# lsof -i4
COMMAND     PID USER     FD TYPE     DEVICE SIZE/OFF NODE NAME
sshd        769 root     4u IPv4 2281738846      0t0  TCP *:ssh (LISTEN)
named      8362 named   20u IPv4 2334751017      0t0  TCP localhost.localdomain:domain (LISTEN)
named      8362 named   21u IPv4 2334751019      0t0  TCP crybit.com:domain (LISTEN)
named      8362 named   22u IPv4 2334751021      0t0  TCP localhost.localdomain:rndc (LISTEN)
named      8362 named  512u IPv4 2334751016      0t0  UDP localhost.localdomain:domain
named      8362 named  513u IPv4 2334751018      0t0  UDP crybit.com:domain
tcpserver  9975 root     3u IPv4 2335487959      0t0  TCP *:pop3 (LISTEN)
tcpserver  9978 root     3u IPv4 2335487967      0t0  TCP *:pop3s (LISTEN)
tcpserver  9983 root     3u IPv4 2335487997      0t0  TCP *:imap (LISTEN)
tcpserver  9987 root     3u IPv4 2335488014      0t0  TCP *:imaps (LISTEN)
xinetd    10413 root     5u IPv4 2336070983      0t0  TCP *:ftp (LISTEN)
xinetd    10413 root     6u IPv4 2336070984      0t0  TCP *:smtp (LISTEN)
mysqld    11106 mysql   10u IPv4 2340975114      0t0  TCP *:mysql (LISTEN)
# lsof -i6
Example:
# lsof -i6
COMMAND     PID USER     FD TYPE     DEVICE SIZE/OFF NODE NAME
sshd        769 root     3u IPv6 2281738844      0t0  TCP *:ssh (LISTEN)
named      8362 named   23u IPv6 2334751024      0t0  TCP localhost.localdomain:rndc (LISTEN)
httpd     29241 root     4u IPv6 2439777206      0t0  TCP *:http (LISTEN)
httpd     29241 root     6u IPv6 2439777211      0t0  TCP *:https (LISTEN)
httpd     29243 apache   4u IPv6 2439777206      0t0  TCP *:http (LISTEN)
httpd     29243 apache   6u IPv6 2439777211      0t0  TCP *:https (LISTEN)
httpd     29244 apache   4u IPv6 2439777206      0t0  TCP *:http (LISTEN)
httpd     29244 apache   6u IPv6 2439777211      0t0  TCP *:https (LISTEN)
httpd     29245 apache   4u IPv6 2439777206      0t0  TCP *:http (LISTEN)
httpd     29245 apache   6u IPv6 2439777211      0t0  TCP *:https (LISTEN)
httpd     29246 apache   4u IPv6 2439777206      0t0  TCP *:http (LISTEN)
5, List all processes on ports in the range 1-1024
# lsof -i :1-1024
Example:
# lsof -i :1-1024
COMMAND     PID USER     FD TYPE     DEVICE SIZE/OFF NODE NAME
sshd        769 root     3u IPv6 2281738844      0t0  TCP *:ssh (LISTEN)
sshd        769 root     4u IPv4 2281738846      0t0  TCP *:ssh (LISTEN)
named      8362 named   20u IPv4 2334751017      0t0  TCP localhost.localdomain:domain (LISTEN)
named      8362 named   21u IPv4 2334751019      0t0  TCP crybit.com:domain (LISTEN)
named      8362 named   22u IPv4 2334751021      0t0  TCP localhost.localdomain:rndc (LISTEN)
named      8362 named   23u IPv6 2334751024      0t0  TCP localhost.localdomain:rndc (LISTEN)
tcpserver  9975 root     3u IPv4 2335487959      0t0  TCP *:pop3 (LISTEN)
tcpserver  9978 root     3u IPv4 2335487967      0t0  TCP *:pop3s (LISTEN)
tcpserver  9983 root     3u IPv4 2335487997      0t0  TCP *:imap (LISTEN)
tcpserver  9987 root     3u IPv4 2335488014      0t0  TCP *:imaps (LISTEN)
xinetd    10413 root     5u IPv4 2336070983      0t0  TCP *:ftp (LISTEN)
xinetd    10413 root     6u IPv4 2336070984      0t0  TCP *:smtp (LISTEN)
httpd     29241 root     4u IPv6 2439777206      0t0  TCP *:http (LISTEN)
httpd     29241 root     6u IPv6 2439777211      0t0  TCP *:https (LISTEN)
httpd     29243 apache   4u IPv6 2439777206      0t0  TCP *:http (LISTEN)
........
6, List open files by process ID
# lsof -p PID
Example:
# lsof -p 11106
COMMAND   PID  USER   FD TYPE  DEVICE SIZE/OFF      NODE NAME
mysqld  11106 mysql  cwd  DIR 144,233     4096 119025114 /var/lib/mysql
mysqld  11106 mysql  rtd  DIR 144,233     4096 117711421 /
mysqld  11106 mysql  txt  REG 144,233  9484782 119025094 /usr/libexec/mysqld
mysqld  11106 mysql  mem  REG    8,37          119025094 /usr/libexec/mysqld (path dev=144,233)
mysqld  11106 mysql  mem  REG    8,37          119021850 /lib64/libnss_dns-2.5.so (path dev=144,233)
mysqld  11106 mysql  mem  REG    8,37          119021830 /lib64/libnss_files-2.5.so (path dev=144,233)
mysqld  11106 mysql  mem  REG    8,37          119021841 /lib64/libsepol.so.1 (path dev=144,233)
mysqld  11106 mysql  mem  REG    8,37          119021801 /lib64/libselinux.so.1 (path dev=144,233)
mysqld  11106 mysql  mem  REG    8,37          119021785 /lib64/libresolv-2.5.so (path dev=144,233)
mysqld  11106 mysql  mem  REG    8,37          119021920 /lib64/libkeyutils-1.2.so (path dev=144,233)
mysqld  11106 mysql  mem  REG    8,37          119017006 /usr/lib64/libkrb5support.so.0.1 (path dev=144,233)
........
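7, Kill all active processes of a given user
# kill -9 `lsof -t -u username`
The -t option makes lsof print only PIDs, which is what kill expects (killall takes process names, not PIDs).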
8, List the open files under a directory
# lsof +D path_of_the_directory
Example:
# lsof +D /var/log/
COMMAND  PID USER   FD TYPE  DEVICE SIZE/OFF      NODE NAME
syslogd 9729 root   1w  REG 144,233        0 119019158 /var/log/kernel
syslogd 9729 root   2w  REG 144,233   350722 119021699 /var/log/messages
syslogd 9729 root   3w  REG 144,233   591577 119019159 /var/log/secure
syslogd 9729 root   4w  REG 144,233   591577 119019159 /var/log/secure
9, List open files by process name
# lsof -c process_name
Example:
# lsof -c ssh
COMMAND PID USER   FD TYPE DEVICE SIZE/OFF    NODE NAME
sshd    483 root  cwd  DIR    8,9     4096       2 /
sshd    483 root  rtd  DIR    8,9     4096       2 /
sshd    483 root  txt  REG    8,9   523488 1193409 /usr/sbin/sshd
10, List all network connections
# lsof -i
This command lists all listening and established network connections.
Example:
# lsof -i
COMMAND     PID USER     FD TYPE     DEVICE SIZE/OFF NODE NAME
sshd        769 root     3u IPv6 2281738844      0t0  TCP *:ssh (LISTEN)
sshd        769 root     4u IPv4 2281738846      0t0  TCP *:ssh (LISTEN)
named      8362 named   20u IPv4 2334751017      0t0  TCP localhost.localdomain:domain (LISTEN)
named      8362 named   21u IPv4 2334751019      0t0  TCP crybit.com:domain (LISTEN)
named      8362 named   22u IPv4 2334751021      0t0  TCP localhost.localdomain:rndc (LISTEN)
named      8362 named   23u IPv6 2334751024      0t0  TCP localhost.localdomain:rndc (LISTEN)
named      8362 named  512u IPv4 2334751016      0t0  UDP localhost.localdomain:domain
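Added example (not part of the original article): for scripted audits of the listeners shown in sections 3, 5 and 10, lsof's -F option emits one field per line instead of columns. The script below parses that format and reports which listeners are bound to all interfaces; the function names and the embedded sample input are constructed for illustration.

```shell
# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN -F pcLn` output.
# PIDs and commands mirror the article's examples; the addresses are made up.
sample_lsof_fields() {
cat <<'EOF'
p769
csshd
Lroot
f3
n*:22
f4
n*:22
p8362
cnamed
Lnamed
f20
n127.0.0.1:53
p11106
cmysqld
Lmysql
f10
n*:3306
EOF
}

# Read -F records on stdin; print "scope port command pid user" per listener.
# scope: all-interfaces (wildcard bind), loopback, or specific (one address).
list_listeners() {
  awk '
    /^p/ { pid  = substr($0, 2); next }
    /^c/ { cmd  = substr($0, 2); next }
    /^L/ { user = substr($0, 2); next }
    /^n/ {
      name = substr($0, 2)
      port = name; sub(/.*:/, "", port)        # text after the last colon
      host = name; sub(/:[^:]*$/, "", host)    # text before the last colon
      scope = "specific"
      if (host == "*") scope = "all-interfaces"
      else if (host == "127.0.0.1" || host == "[::1]") scope = "loopback"
      print scope, port, cmd, pid, user
    }
  ' | sort -u
}

# Listeners bound to every interface: review these first for unintended exposure.
exposed_listeners() {
  list_listeners | awk '$1 == "all-interfaces"'
}
# On a live host: lsof -nP -iTCP -sTCP:LISTEN -F pcLn | exposed_listeners
sample_lsof_fields | exposed_listeners
```

The -n and -P options stop lsof from resolving host names and port names, so the parser sees numeric addresses and ports; sort -u collapses the IPv4 and IPv6 sockets of one service into a single line.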
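That is all for this article on how to use the lsof command. We hope the content above is of some help and lets you learn more; if you found the article useful, please share it so more people can see it.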