Linux-lsof 小鱼儿 2021-12-13 00:07 301阅读 0赞 ### Linux-lsof ### 1. lsof简介 2. 输出列 2.1 FD 文件描述符 2.2 Type 文件类型 3. 常用选项 4. 示例 4.1 manpage-Examples 5. 特别用法 5.1 恢复删除的文件 5.2 杀死某个特定用户的所有活动 5.3 找回被删除文件占用的空间 ## 1. lsof简介 ## lsof(list open files)列出当前系统打开的文件。 进程打开的文件;打开文件的进程;进程打开的端口(TCP,UDP);等... 由于Linux系统一切皆文件,所以lsof打开的文件可以是: a regular file, 常规文件 a directory, 目录 a block special file, 块特殊文件 a character special file, 字符特殊文件 an executing text reference, 执行文本参考, a library, 库文件 a stream or a network file (Internet socket, NFS file or UNIX domain socket.) 流或网络文件(网络socket,NFS文件, UNIX域socket) A specific file or all the files in a file system may be selected by path. 可用选项: $ lsof -h 详细说明: $ man lsof ## 2. 输出列 ## Lsof每次运行时动态调整输出列的大小,保证每列的最小大小。它还保证每列与其前一列至少隔开一个空格。 Lsof不会为每个进程或文件集生成所有字段,只会生成可用的字段。某些字段是互斥的: * 文件设备字符和文件主要/次要设备号; * 文件inode编号和协议名称; * 文件名和流识别; * 文件大小和偏移量。(-s/-o) 这些互斥集合中的一个或另一个成员将出现在字段输出中,但不会出现在两者中。 $ lsof |less COMMAND 命令名(默认长度为9,+c w可设置长度,arch linux最大15); PID 进程ID(-p 指定PID); TID 线程ID; TASKCMD 任务名(-K?); PPID 父进程号(仅在使用-R时显示) PGID 与进程关联的进程组号(仅在使用-g时显示) USER 用户(-u 指定用户); FD 文件描述符 (详见下表)(-d 排除或包含FD字段); TYPE 与文件关联的节点的类型 (详见下表); 当n被指定为+f时,NODE-ID(或某些方言的INODE-ADDR)包含文件节点的唯一标识符(通常是内核vnode或inode地址,但有时也是设备和节点号的串联); DEVICE 指定磁盘的名称; SIZE/OFF 文件的大小/偏移量(-s/-o); NLINK 包含指定+L时的文件链接计数; NODE 索引节点(文件在磁盘上的标识); NAME 打开文件的确切名称; ### 2.1 FD 文件描述符 ### <table> <tbody> <tr> <td align="right"><strong>FD</strong></td> <td align="left"><strong>FD是文件的文件描述符编号或:</strong></td> <td align="left"><strong> </strong></td> <td align="center"><strong>wc -l</strong></td> </tr> <tr> <td align="right">cwd</td> <td align="left">current working directory;</td> <td align="left">当前工作目录</td> <td align="right">381</td> </tr> <tr> <td align="right">txt</td> <td align="left">program text (code and data);</td> <td align="left">程序文件或共享库</td> <td align="right">381</td> </tr> <tr> <td align="right">rtd</td> <td align="left">root directory;</td> <td align="left">root目录</td> <td align="right">381</td> </tr> <tr> <td align="right">mem</td> <td align="left">memory-mapped file;</td> <td align="left">内存映射文件;</td> <td align="right">36728</td> </tr> <tr> <td align="right">mmap</td> <td align="left">memory-mapped device;</td> <td align="left">内存映射设备;</td> <td align="left"> </td> </tr> <tr> <td align="right">Lnn</td> <td align="left">library references (AIX);</td> <td align="left">库引用(AIX);</td> <td align="left"> </td> </tr> <tr> <td align="right">jld</td> <td align="left">jail directory (FreeBSD);</td> <td align="left">jail目录(FreeBSD);</td> <td align="left"> </td> </tr> <tr> <td align="right">ltx</td> <td align="left">shared library text (code and data);</td> <td align="left">共享库文本(代码和数据);</td> <td align="left"> </td> </tr> <tr> <td align="right">Mxx</td> <td align="left">hex memory-mapped type number xx.</td> <td align="left">十六进制内存映射类型号xx。</td> <td align="left"> </td> </tr> <tr> <td align="right">m86</td> <td align="left">DOS Merge mapped file;</td> <td align="left">DOS合并映射文件;</td> <td align="left"> </td> </tr> <tr> <td align="right">err</td> <td align="left">information error (see NAME column);</td> <td align="left">错误的FD信息错误;</td> <td align="left"> </td> </tr> <tr> <td align="right">pd</td> <td align="left">parent directory;</td> <td align="left">父目录;</td> <td align="left"> </td> </tr> <tr> <td align="right">tr</td> <td align="left">kernel trace file (OpenBSD);</td> <td align="left">内核跟踪文件(OpenBSD);</td> <td align="left"> </td> </tr> <tr> <td align="right">v86</td> <td align="left">VP/ix mapped file;</td> <td align="left">VP/ix映射文件;</td> <td align="left"> </td> </tr> <tr> <td align="right">DEL</td> <td align="left"> </td> <td align="left"> </td> <td align="right">3743</td> </tr> <tr> <td align="right"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> </tr> <tr> <td align="right"><strong>Mode</strong></td> <td align="left"><strong>FD后跟其中一个字符,描述文件打开的模式:</strong></td> <td align="left"> </td> <td align="left"> </td> </tr> <tr> <td align="right">u</td> <td align="left">u for read and write access;</td> <td align="left">文件处于读取/写入模式</td> <td align="right">128:5678</td> </tr> <tr> <td align="right">r</td> <td align="left">r for read access;</td> <td align="left">文件处于只读模式</td> <td align="right">78:2924</td> </tr> <tr> <td align="right">w</td> <td align="left">w for write access;</td> <td align="left">文件处于写入模式</td> <td align="right">92:2633</td> </tr> <tr> <td align="right">' ‘</td> <td align="left">space if mode unknown and no lock</td> <td align="left">未知模式,且未锁定</td> <td align="left"> </td> </tr> <tr> <td align="right">-</td> <td align="left">’-’ if mode unknown and lock</td> <td align="left">未知模式,并锁定</td> <td align="left"> </td> </tr> <tr> <td align="right"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> </tr> <tr> <td align="right"><strong>Lock</strong></td> <td align="left"><strong>模式字符后跟一个锁定字符,描述应用于文件的锁定类型:</strong></td> <td align="left"> </td> <td align="left"> </td> </tr> <tr> <td align="right">N</td> <td align="left">N for a Solaris NFS lock of unknown type;</td> <td align="left">未知类型的Solaris NFS锁;</td> <td align="left"> </td> </tr> <tr> <td align="right">r</td> <td align="left">r for read lock on part of the file;</td> <td align="left">r用于部分文件的读锁定;</td> <td align="left"> </td> </tr> <tr> <td align="right">R</td> <td align="left">R for a read lock on the entire file;</td> <td align="left">R表示整个文件的读锁定;</td> <td align="left"> </td> </tr> <tr> <td align="right">w</td> <td align="left">w for a write lock on part of the file;</td> <td align="left">w对文件的一部分进行写锁定;</td> <td align="left"> </td> </tr> <tr> <td align="right">W</td> <td align="left">W for a write lock on the entire file;</td> <td align="left">W表示整个文件的写锁定;</td> <td align="left"> </td> </tr> <tr> <td align="right">u</td> <td align="left">u for a read and write lock of any length;</td> <td align="left">u表示任何长度的读写锁;</td> <td align="left"> </td> </tr> <tr> <td align="right">U</td> <td align="left">U for a lock of unknown type;</td> <td align="left">U表示未知类型的锁;</td> <td align="left"> </td> </tr> <tr> <td align="right">x</td> <td align="left">x for an SCO OpenServer Xenix lock on part of the file;</td> <td align="left">部分文件的SCO OpenServer Xenix锁;</td> <td align="left"> </td> </tr> <tr> <td align="right">X</td> <td align="left">X for an SCO OpenServer Xenix lock on the entire file;</td> <td align="left">整个文件的SCO OpenServer Xenix锁;</td> <td align="left"> </td> </tr> <tr> <td align="right">' ‘</td> <td align="left">space if there is no lock.</td> <td align="left">空格, 没有锁。</td> <td align="left"> </td> </tr> </tbody> </table> ### 2.2 Type 文件类型 ### <table> <tbody> <tr> <td align="left"><strong>TYPE</strong></td> <td align="left"><strong>is the type of the node associated with the file</strong></td> <td align="left"><strong>TYPE是与文件关联的节点的类型</strong></td> <td align="center"><strong>wc-l</strong></td> </tr> <tr> <td align="left">BLK</td> <td align="left">for a block special file</td> <td align="left">用于块特殊文件</td> <td align="right">1</td> </tr> <tr> <td align="left">CHR</td> <td align="left">for a character special file</td> <td align="left">用于字符特殊文件</td> <td align="right">780</td> </tr> <tr> <td align="left">DIR</td> <td align="left">for a directory</td> <td align="left">用于目录</td> <td align="right">770</td> </tr> <tr> <td align="left">REG</td> <td align="left">for a regular file</td> <td align="left">用于常规文件</td> <td align="right">46350</td> </tr> <tr> <td align="left">FIFO</td> <td align="left">for a FIFO special file</td> <td align="left">用于FIFO特殊文件</td> <td align="right">903</td> </tr> <tr> <td align="left">IPv4</td> <td align="left">for an IPv4 socket</td> <td align="left">用于IPv4套接字</td> <td align="right">7</td> </tr> <tr> <td align="left">IPv6</td> <td align="left">for an open IPv6 network file - even if its address is IPv4, mapped in an IPv6 address</td> <td align="left">用于开放的IPv6网络文件 - 即使其地址是IPv4,也映射在IPv6地址中</td> <td align="right">22</td> </tr> <tr> <td align="left">sock</td> <td align="left">for a socket of unknown domain</td> <td align="left">用于未知域的套接字</td> <td align="right">217</td> </tr> <tr> <td align="left">unix</td> <td align="left">for a UNIX domain socket</td> <td align="left">unix套接字的</td> <td align="right">2925</td> </tr> <tr> <td align="left">a_inode</td> <td align="left"> </td> <td align="left"> </td> <td align="right">1384</td> </tr> <tr> <td align="left">netlink</td> <td align="left"> </td> <td align="left"> </td> <td align="right">134</td> </tr> <tr> <td align="left">unknown</td> <td align="left"> </td> <td align="left"> </td> <td align="right">72</td> </tr> <tr> <td align="left">DEL</td> <td align="left">for a Linux map file that has been deleted</td> <td align="left">已删除的Linux映射文件的</td> <td align="left"> </td> </tr> <tr> <td align="left">LINK</td> <td align="left">for a symbolic link file</td> <td align="left">用于符号链接文件</td> <td align="left"> </td> </tr> <tr> <td align="left">MPB</td> <td align="left">for a multiplexed block file</td> <td align="left">用于多路复用块文件</td> <td align="left"> </td> </tr> <tr> <td align="left">MPC</td> <td align="left">for a multiplexed character file</td> <td align="left">用于多路复用字符文件</td> <td align="left"> </td> </tr> <tr> <td align="left">ax25</td> <td align="left">for a Linux AX.25 socket</td> <td align="left">用于Linux AX.25套接字</td> <td align="left"> </td> </tr> <tr> <td align="left">inet</td> <td align="left">for an Internet domain socket</td> <td align="left">用于Internet域套接字</td> <td align="left"> </td> </tr> <tr> <td align="left">lla</td> <td align="left">for a HP-UX link level access file</td> <td align="left">用于HP-UX链路级访问文件</td> <td align="left"> </td> </tr> <tr> <td align="left">rte</td> <td align="left">for an AF_ROUTE socket</td> <td align="left">用于AF_ROUTE套接字</td> <td align="left"> </td> </tr> <tr> <td align="left">x.25</td> <td align="left">for an HP-UX x.25 socket</td> <td align="left">用于HP-UX x.25套接字</td> <td align="left"> </td> </tr> <tr> <td align="left">DOOR</td> <td align="left">for a VDOOR file</td> <td align="left">VDOOR文件的</td> <td align="left"> </td> </tr> <tr> <td align="left">KQUEUE</td> <td align="left">for a BSD style kernel event queue file</td> <td align="left">用于BSD样式的内核事件队列文件</td> <td align="left"> </td> </tr> <tr> <td align="left">NOFD</td> <td align="left">for a Linux /proc/<PID>/fd directory that can't be opened -- the directory path appears in the NAME column, followed by an error message</td> <td align="left">对于无法打开的Linux/proc/<PID>/fd目录的“NOFD - 目录路径出现在NAME列中,后跟一条错误消息</td> <td align="left"> </td> </tr> <tr> <td align="left">PAS</td> <td align="left">for a /proc/as file</td> <td align="left">用于/proc/as文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PAXV</td> <td align="left">for a /proc/auxv file</td> <td align="left">用于/proc/auxv文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PCRE</td> <td align="left">for a /proc/cred file</td> <td align="left">用于/proc/cred文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PCTL</td> <td align="left">for a /proc control file</td> <td align="left">用于/proc控制文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PCUR</td> <td align="left">for the current /proc process</td> <td align="left">用于当前/proc过程</td> <td align="left"> </td> </tr> <tr> <td align="left">PCWD</td> <td align="left">for a /proc current working directory</td> <td align="left">用于/proc当前工作目录</td> <td align="left"> </td> </tr> <tr> <td align="left">PDIR</td> <td align="left">for a /proc directory</td> <td align="left">作为/proc目录</td> <td align="left"> </td> </tr> <tr> <td align="left">PETY</td> <td align="left">for a /proc executable type (etype)</td> <td align="left">用于/proc可执行类型(etype)</td> <td align="left"> </td> </tr> <tr> <td align="left">PFD</td> <td align="left">for a /proc file descriptor</td> <td align="left">用于/proc文件描述符</td> <td align="left"> </td> </tr> <tr> <td align="left">PFDR</td> <td align="left">for a /proc file descriptor directory</td> <td align="left">用于/proc文件描述符目录</td> <td align="left"> </td> </tr> <tr> <td align="left">PFIL</td> <td align="left">for an executable /proc file</td> <td align="left">表示可执行文件/proc文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PFPR</td> <td align="left">for a /proc FP register set</td> <td align="left">用于/proc FP寄存器组</td> <td align="left"> </td> </tr> <tr> <td align="left">PGD</td> <td align="left">for a /proc/pagedata file</td> <td align="left">用于/proc/pagedata文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PGID</td> <td align="left">for a /proc group notifier file</td> <td align="left">用于/proc组通知程序文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PIPE</td> <td align="left">for pipes</td> <td align="left">管道</td> <td align="left"> </td> </tr> <tr> <td align="left">PLC</td> <td align="left">for a /proc/lwpctl file</td> <td align="left">表示/proc/lwpctl文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PLDR</td> <td align="left">for a /proc/lpw directory</td> <td align="left">用于/proc/lpw目录</td> <td align="left"> </td> </tr> <tr> <td align="left">PLDT</td> <td align="left">for a /proc/ldt file</td> <td align="left">用于/proc/ldt文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PLPI</td> <td align="left">for a /proc/lpsinfo file</td> <td align="left">用于/proc/lpsinfo文件的</td> <td align="left"> </td> </tr> <tr> <td align="left">PLST</td> <td align="left">for a /proc/lstatus file</td> <td align="left">用于/proc/lstatus文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PLU</td> <td align="left">for a /proc/lusage file</td> <td align="left">用于/proc/lusage文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PLWG</td> <td align="left">for a /proc/gwindows file</td> <td align="left">用于/proc/gwindows文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PLWI</td> <td align="left">for a /proc/lwpsinfo file</td> <td align="left">用于/proc/lwpsinfo文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PLWS</td> <td align="left">for a /proc/lwpstatus file</td> <td align="left">用于/proc/lwpstatus文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PLWU</td> <td align="left">for a /proc/lwpusage file</td> <td align="left">用于/proc/lwpusage文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PLWX</td> <td align="left">for a /proc/xregs file</td> <td align="left">用于/proc/xregs文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PMAP</td> <td align="left">for a /proc map file (map)</td> <td align="left">用于/proc映射文件(map)</td> <td align="left"> </td> </tr> <tr> <td align="left">PMEM</td> <td align="left">for a /proc memory image file</td> <td align="left">用于/proc内存映像文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PNTF</td> <td align="left">for a /proc process notifier file</td> <td align="left">用于/proc进程通知程序文件</td> <td align="left"> </td> </tr> <tr> <td align="left">POBJ</td> <td align="left">for a /proc/object file</td> <td align="left">用于/proc/object文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PODR</td> <td align="left">for a /proc/object directory</td> <td align="left">用于/proc/object目录</td> <td align="left"> </td> </tr> <tr> <td align="left">POLP</td> <td align="left">for an old format /proc light weight process file</td> <td align="left">用于旧格式/proc轻量级处理文件</td> <td align="left"> </td> </tr> <tr> <td align="left">POPF</td> <td align="left">for an old format /proc PID file</td> <td align="left">用于旧格式/proc PID文件</td> <td align="left"> </td> </tr> <tr> <td align="left">POPG</td> <td align="left">for an old format /proc page data file</td> <td align="left">用于旧格式/proc页面数据文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PORT</td> <td align="left">for a SYSV named pipe</td> <td align="left">SYSV命名管道的</td> <td align="left"> </td> </tr> <tr> <td align="left">PREG</td> <td align="left">for a /proc register file</td> <td align="left">用于/proc寄存器文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PRMP</td> <td align="left">for a /proc/rmap file</td> <td align="left">用于/proc/rmap文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PRTD</td> <td align="left">for a /proc root directory</td> <td align="left">用于/proc根目录</td> <td align="left"> </td> </tr> <tr> <td align="left">PSGA</td> <td align="left">for a /proc/sigact file</td> <td align="left">用于/proc/sigact文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PSIN</td> <td align="left">for a /proc/psinfo file</td> <td align="left">用于/proc/psinfo文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PSTA</td> <td align="left">for a /proc status file</td> <td align="left">用于/proc状态文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PSXSEM</td> <td align="left">for a POSIX semaphore file</td> <td align="left">用于POSIX信号量文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PSXSHM</td> <td align="left">for a POSIX shared memory file</td> <td align="left">用于POSIX共享内存文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PTS</td> <td align="left">for a /dev/pts file</td> <td align="left">用于/dev/pts文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PUSG</td> <td align="left">for a /proc/usage file</td> <td align="left">用于/proc/usage文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PW</td> <td align="left">for a /proc/watch file</td> <td align="left">用于/proc/watch文件</td> <td align="left"> </td> </tr> <tr> <td align="left">PXMP</td> <td align="left">for a /proc/xmap file</td> <td align="left">用于/proc/xmap文件</td> <td align="left"> </td> </tr> <tr> <td align="left">SMT</td> <td align="left">for a shared memory transport file</td> <td align="left">用于共享内存传输文件</td> <td align="left"> </td> </tr> <tr> <td align="left">STSO</td> <td align="left">for a stream socket</td> <td align="left">用于流套接字</td> <td align="left"> </td> </tr> <tr> <td align="left">UNNM</td> <td align="left">for an unnamed type file</td> <td align="left">用于未命名的类型文件</td> <td align="left"> </td> </tr> <tr> <td align="left">XNAM</td> <td align="left">for an OpenServer Xenix special file of unknown type</td> <td align="left">用于未知类型的OpenServer Xenix特殊文件</td> <td align="left"> </td> </tr> <tr> <td align="left">XSEM</td> <td align="left">for an OpenServer Xenix semaphore file</td> <td align="left">用于OpenServer Xenix信号量文件</td> <td align="left"> </td> </tr> <tr> <td align="left">XSD</td> <td align="left">for an OpenServer Xenix shared data file</td> <td align="left">用于OpenServer Xenix共享数据文件</td> <td align="left"> </td> </tr> <tr> <td align="left"> </td> <td align="left">or the four type number octets if the corresponding name isn't known.</td> <td align="left">如果相应的名称未知,则为四个类型数字八位字节。</td> <td align="left"> </td> </tr> </tbody> </table> ## 3. 常用选项 ## \-a And运算 \-b \+c w command宽度 \-c command命令或程序 \+d dir目录 \-d FD列内容的筛选 \-D dir递归目录 \-p PID进程号 <table> <tbody> <tr> <td align="left"> </td> <td align="left">Defaults in parentheses; comma-separated set (s) items; dash-separated ranges.</td> <td align="left">括号中的默认值; 逗号分隔的集合项目; 短划线范围。</td> </tr> <tr> <td align="left">-?|-h</td> <td align="left">list help</td> <td align="left">列表帮助</td> </tr> <tr> <td align="left">-v</td> <td align="left">list version info</td> <td align="left">列表版本信息</td> </tr> <tr> <td align="left">-a</td> <td align="left">AND selections (OR)</td> <td align="left">AND选择(OR)</td> </tr> <tr> <td align="left">-c c</td> <td align="left">cmd c ^c /c/[bix]</td> <td align="left">cmd c ^ c / c / [bix]</td> </tr> <tr> <td align="left">+c w</td> <td align="left">COMMAND width (9)</td> <td align="left">命令宽度(9)最大15?</td> </tr> <tr> <td align="left">-d s</td> <td align="left">select by FD set</td> <td align="left">输出列表中排除或包含的文件描述符(FD)列表。<br>文件描述符在逗号分隔集合s中指定 – 例如,<br>''cwd,1,3'',''^6,^2''.(集合中不应有空格)</td> </tr> <tr> <td align="left">+d s</td> <td align="left">dir s files</td> <td align="left">dirs文件 注:不含符号链接,除非使用-x或-x l选项可包含</td> </tr> <tr> <td align="left">+D D</td> <td align="left">dir D tree *SLOW?*</td> <td align="left">dir D tree * SLOW?* 递归列出目录下被打开的文件</td> </tr> <tr> <td align="left">-u s</td> <td align="left">exclude(^)|select login|UID set s</td> <td align="left">exclude(^)|</td> </tr> <tr> <td align="left">-i</td> <td align="left">select IPv[46] files</td> <td align="left">选择IPv[4,6]tcp,udp等文件</td> </tr> <tr> <td align="left">-n</td> <td align="left">no host names</td> <td align="left">#不将IP地址转换为hostname,预设是转换的</td> </tr> <tr> <td align="left">-P</td> <td align="left">no port names</td> <td align="left">#此参数禁止将port number转换为service name,预设为转换</td> </tr> <tr> <td align="left">-l</td> <td align="left">list UID numbers</td> <td align="left">列出UID号码, 禁止将UID转换为登录名。</td> </tr> <tr> <td align="left">-t</td> <td align="left">terse listing</td> <td align="left">简洁列表, 只输出PID</td> </tr> <tr> <td align="left">-s</td> <td align="left">list file size</td> <td align="left">列表文件大小</td> </tr> <tr> <td align="left">-o</td> <td align="left">list file offset</td> <td align="left">它会将SIZE/OFF输出列标题更改为OFFSET 偏移量</td> </tr> <tr> <td align="left">-U</td> <td align="left">select Unix socket</td> <td align="left">选择Unix套接字</td> </tr> <tr> <td align="left">+|-e s</td> <td align="left">exempt s *RISKY*</td> <td align="left">免除路径名为s的文件系统受到可能阻塞的内核函数调用。<br>+e选项免除stat(2),lstat(2)和大多数readlink(2)内核函数调用. <br>-e选项仅免除stat(2)和lstat(2)内核函数调用.<br>可以使用单独的+|-e规范指定多个文件系统,并且每个文件系统可以具有免除或不允许的readlink(2)调用.</td> </tr> <tr> <td align="left">+|-w</td> <td align="left">Warnings (+)</td> <td align="left">警告(+)</td> </tr> <tr> <td align="left">-p s</td> <td align="left">exclude(^)|select PIDs</td> <td align="left">exclude(^)|选择PID</td> </tr> <tr> <td align="left">-R</td> <td align="left">list paRent PID</td> <td align="left">列出PPID</td> </tr> <tr> <td align="left">-g [s]</td> <td align="left">exclude(^)|select and print process group IDs</td> <td align="left">exclude(^)|选择并打印进程组ID</td> </tr> <tr> <td align="left">+|-L [l]</td> <td align="left">list (+) suppress (-) link counts < l (0 = all; default = 0)</td> <td align="left">启用(+)或禁用(-)文件链接计数列表,它们可用-例如,它们不适用于套接字或大多数FIFO和管道.<br>如果指定+L且没有跟数字, 则将列出所有链接计数。<br>指定-L(默认值)时,不会列出任何链接计数。<br>当+L后跟一个数字时,只列出链接数小于该数字的文件。(没有数字可以跟随-L)</td> </tr> </tbody> </table> ## 4. 示例 ## <table> <tbody> <tr> <td align="left">COMMAND</td> <td align="left">PID</td> <td align="left">USER</td> <td align="left">FD</td> <td align="left">TYPE</td> <td align="left">DEVICE</td> <td align="left">SIZE/OFF</td> <td align="left">NODE</td> <td align="left">NAME</td> </tr> <tr> <td colspan="7" align="left"><strong>$ lsof /home/toma/Documents/IO.xls</strong></td> <td align="left"> </td> <td align="left">查找打开该文件的进程</td> </tr> <tr> <td align="left">soffice.b</td> <td align="right">20084</td> <td align="left">toma</td> <td align="left">3uW</td> <td align="left">REG</td> <td align="left">8,23</td> <td align="right">242688</td> <td align="right">1480016</td> <td align="left">/home/toma/Documents/IO.xls</td> </tr> <tr> <td colspan="7" align="left"><strong>$ lsof /home/toma/Downloads/mov/GoT.mp4</strong></td> <td align="left"> </td> <td align="left"> </td> </tr> <tr> <td align="left">Thunar</td> <td align="right">676</td> <td align="left">toma</td> <td align="left">25u</td> <td align="left">REG</td> <td align="left">8,23</td> <td align="right">11121302</td> <td align="right">1705712</td> <td align="left">/home/toma/Downloads/mov/GoT.mp4</td> </tr> <tr> <td align="left">vlc</td> <td align="right">7975</td> <td align="left">toma</td> <td align="left">22r</td> <td align="left">REG</td> <td align="left">8,23</td> <td align="right">11121302</td> <td align="right">1705712</td> <td align="left">/home/toma/Downloads/mov/GoT.mp4</td> </tr> <tr> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> </tr> <tr> <td colspan="7" align="left"><strong>$ lsof -c soffice |grep .xls</strong></td> <td align="left"> </td> <td align="left">查找该进程打开的 *.xls 文件</td> </tr> <tr> <td align="left">soffice.b</td> <td align="right">20084</td> <td align="left">toma</td> <td align="left">3uW</td> <td align="left">REG</td> <td align="left">8,23</td> <td align="right">242688</td> <td align="right">1480016</td> <td align="left">/home/toma/Documents/IO.xls</td> </tr> <tr> <td colspan="7" align="left"><strong>$ lsof -c vlc |grep .mp4</strong></td> <td align="left"> </td> <td align="left">查找该进程打开的 *.mp4 文件</td> </tr> <tr> <td align="left">vlc</td> <td align="right">7975</td> <td align="left">toma</td> <td align="left">23r</td> <td align="left">REG</td> <td align="left">8,23</td> <td align="right">11121302</td> <td align="right">1705712</td> <td align="left">/home/toma/Downloads/mov/GoT.mp4</td> </tr> <tr> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> </tr> <tr> <td colspan="7" align="left"><strong>$ lsof /bin/bash</strong></td> <td align="left"> </td> <td align="left">查看谁正在使用某个文件,也就是说查找某个文件相关的进程</td> </tr> <tr> <td align="left">sh</td> <td align="right">528</td> <td align="left">toma</td> <td align="left">txt</td> <td align="left">REG</td> <td align="left">8,22</td> <td align="right">903464</td> <td align="right">1315133</td> <td align="left">/usr/bin/bash</td> </tr> <tr> <td colspan="7" align="left"><strong>$ lsof /usr/bin/fish</strong></td> <td align="left"> </td> <td align="left"> </td> </tr> <tr> <td align="left">fish</td> <td align="right">738</td> <td align="left">toma</td> <td align="left">txt</td> <td align="left">REG</td> <td align="left">8,22</td> <td align="right">1587184</td> <td align="right">1365002</td> <td align="left">/usr/bin/fish</td> </tr> <tr> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> </tr> <tr> <td colspan="7" align="left"><strong>$ lsof /usr/lib/libreoffice/program/soffice.bin</strong></td> <td align="left"> </td> <td align="left"> </td> </tr> <tr> <td align="left">soffice.b</td> <td align="right">22284</td> <td align="left">toma</td> <td align="left">txt</td> <td align="left">REG</td> <td align="left">8,22</td> <td align="right">14112</td> <td align="right">1456879</td> <td align="left">/usr/lib/libreoffice/program/soffice.bin</td> </tr> <tr> <td colspan="7" align="left"><strong>$ lsof -c soffice.b |grep office.bin</strong></td> <td align="left"> </td> <td align="left"> </td> </tr> <tr> <td align="left">soffice.b</td> <td align="right">22284</td> <td align="left">toma</td> <td align="left">txt</td> <td align="left">REG</td> <td align="left">8,22</td> <td align="right">14112</td> <td align="right">1456879</td> <td align="left">/usr/lib/libreoffice/program/soffice.bin</td> </tr> <tr> <td colspan="7" align="left"><strong>$ lsof -c soffice |grep office.bin</strong></td> <td align="left"> </td> <td align="left"> </td> </tr> <tr> <td align="left">soffice.b</td> <td align="right">22284</td> <td align="left">toma</td> <td align="left">txt</td> <td align="left">REG</td> <td align="left">8,22</td> <td align="right">14112</td> <td align="right">1456879</td> <td align="left">/usr/lib/libreoffice/program/soffice.bin</td> </tr> <tr> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> <td align="left"> </td> </tr> <tr> <td colspan="7" align="left"><strong>$ lsof /dev/sda10</strong></td> <td align="left"> </td> <td align="left"><strong>列出 /dev/sda10 设备上打开的所有文件</strong></td> </tr> <tr> <td align="left">vlc</td> <td align="right">29350</td> <td align="left">toma</td> <td align="left">21r</td> <td align="left">REG</td> <td align="left">8,10</td> <td align="right">8500479</td> <td align="right">9728</td> <td align="left">/run/media/toma/TjOe/TDDownload/FROZEN2.mp4</td> </tr> </tbody> </table> ### 4.1 manpage-Examples ### For a more extensive set of examples, documented more fully, see the 00QUICKSTART file of the lsof distribution. 有关更全面的示例,请参阅lsof发行版的00QUICKSTART文件。 To list all open Internet, x.25 (HP-UX), and UNIX domain files, use: 要列出所有打开的Internet,x.25(HP-UX)和UNIX域文件,请使用: $ lsof -i -U To list all open IPv4 network files in use by the process whose PID is 1234, use: 要列出PID为1234的进程正在使用的所有打开的IPv4网络文件,请使用: $ lsof -i 4 -a -p 1234 Presuming the UNIX dialect supports IPv6, to list only open IPv6 network files, use: 假设UNIX方言支持IPv6,要仅列出打开的IPv6网络文件,请使用: $ lsof -i 6 To list all files using any protocol on ports 513, 514, or 515 of host wonderland.cc.purdue.edu, use: 要在主机wonderland.cc.purdue.edu的端口513,514或515上使用任何协议列出所有文件,请使用: $ lsof -i @wonderland.cc.purdue.edu:513-515 To list all files using any protocol on any port of mace.cc.purdue.edu (cc.purdue.edu is the default domain), use: 要在mace.cc.purdue.edu的任何端口上使用任何协议列出所有文件(cc.purdue.edu是默认域),请使用: $ lsof -i @mace To list all open files for login name ''abe'', or user ID 1234, or process 456, or process 123, or process 789, use: 要列出登录名“abe”,或用户ID 1234,或流程456,流程123或流程789的所有打开文件,请使用: $ lsof -p 456,123,789 -u 1234,abe To send a SIGHUP to the processes that have /u/abe/bar open, use: 要将SIGHUP发送到打开/ u / abe / bar的进程,请使用: $ kill -HUP 'lsof -t /u/abe/bar' To find any open file, including an open UNIX domain socket file, with the name /dev/log, use: 要查找任何打开的文件,包括名为/ dev / log的打开的UNIX域套接字文件,请使用: $ lsof /dev/log To find processes with open files on the NFS file system named /nfs/mount/point whose server is inaccessible, and presuming your mount table supplies the device number for /nfs/mount/point, use: 要在名为/ nfs / mount / point且服务器不可访问的NFS文件系统上查找具有打开文件的进程,并假设您的挂载表提供/ nfs / mount / point的设备编号,请使用: $ lsof -b /nfs/mount/point To do the preceding search with warning messages suppressed, use: 要在禁用警告消息的情况下执行上述搜索,请使用: $ lsof -bw /nfs/mount/point To ignore the device cache file, use: 要忽略设备缓存文件,请使用: $ lsof -Di To obtain PID and command name field output for each process, file descriptor, file device number, and file inode number for each file of each process, use: 要为每个进程获取PID和命令名称字段输出,文件描述符,文件设备编号和每个进程的每个文件的文件inode编号,请使用: $ lsof -FpcfDi To list the files at descriptors 1 and 3 of every process running the lsof command for login ID ''abe'' every 10 seconds, use: 要列出每10秒执行登录ID“abe”的lsof命令的每个进程的描述符1和3的文件,请使用: $ lsof -c lsof -a -d 1 -d 3 -u abe -r10 To list the current working directory of processes running a command that is exactly four characters long and has an 'o' or 'O' in character three, use this regular expression form of the -c c option: 要列出运行命令的进程的当前工作目录,该命令长度正好为四个字符且在字符3中具有“o”或“O”,请使用-c c选项的此正则表达式形式: $ lsof -c /^..o.$/i -a -d cwd To find an IP version 4 socket file by its associated numeric dot-form address, use: 要通过其关联的数字点形式地址查找IP版本4套接字文件,请使用: $ lsof -i@128.210.15.17 To find an IP version 6 socket file (when the UNIX dialect supports IPv6) by its associated numeric colon-form address, use: 要通过关联的数字冒号形式地址查找IP版本6套接字文件(当UNIX方言支持IPv6时),请使用: $ lsof -i@\[0:1:2:3:4:5:6:7\] To find an IP version 6 socket file (when the UNIX dialect supports IPv6) by an associated numeric colon-form address that has a run of zeroes in it - e.g., the loop-back address - use: 要通过关联的数字冒号形式地址查找IP版本6套接字文件(当UNIX方言支持IPv6时),其中包含一连串的零 - 例如,回送地址 - 使用: $ lsof -i@\[::1\] To obtain a repeat mode marker line that contains the current time, use: 要获得包含当前时间的重复模式标记线,请使用: $ lsof -rm====%T==== To add spaces to the previous marker line, use: 要向前一个标记行添加空格,请使用: $ lsof -r "m==== %T ====" ## 5. 特别用法 ## ### 5.1 恢复删除的文件 ### 对于许多应用程序,尤其是日志文件和数据库,这种恢复删除文件的方法非常有用。 $ lsof |grep .mp4 播放视频文件中... FROZEN2.mp4 vlc 30573 toma 20r REG 8,10 8500479 9728 /run/media/toma/TjOe/TDDownload/FROZEN2.mp4 $ lsof |grep .mp4 放入回收站后 显示如下: 从回收站恢复即可 vlc 30573 toma 20r REG 8,10 8500479 9728 /run/media/toma/TjOe/.Trash-1001/files/FROZEN2.mp4 $ lsof |grep .mp4 直接删除(shift + delete),显示如下,后面多了(deleted)标记 vlc 30573 toma 20r REG 8,10 8500479 9728 /run/media/toma/TjOe/TDDownload/FROZEN2.mp4 (deleted) $ ls -l /proc/30573/fd/20 列出pid信息,/proc/30573/fd/20 链接到已删除文件。 lr-x------ 1 /proc/30573/fd/20 -> '/run/media/toma/TjOe/TDDownload/FROZEN2.mp4 (deleted)' $ cat /proc/30573/fd/20 > /home/toma/te.mp4 使用查看命令打开并 重定向到新文件即可 $ ls -l /home/toma/te.mp4 列出恢复的新文件 \-rwxrwxrwx 1 toma 8500479 te.mp4 ### 5.2 杀死某个特定用户的所有活动 ### \# kill -9 \`lsof -t -u named\` 对于服务器或多用户共用的环境比较有用。 ### 5.3 找回被删除文件占用的空间 ### 找到仍被打开,但已被删除的文件 $ lsof | grep deleted 查看后关闭相应程序或杀死进程即可 $ ps -ef | grep pid $ sudo kill -9 pid 转载于:https://www.cnblogs.com/sztom/p/11070309.html
还没有评论,来说两句吧...