Open a cache of riches with lsof

With Great Power

Now imagine a scenario in which you've found a file in /tmp and have no idea where this potentially dangerous file has come from. To find all the processes using this file, you could run the lsof command in Listing 3.

Listing 3: Finding Processes

As requested, lsof quickly reports the results, as seen in Figure 9.

Figure 9: lsof reports that the process using a particular file has PID 14332 and that the command is named soffice.b.

Around in circles you go: by looking up what lsof knows about PID 14332,

# lsof -p 14332

you reveal a mountain of information (too much to display here) relating to the word processor LibreOffice. Therefore, it's most likely not a file to worry about but rather a temporary copy of a document being written.

Open Up and Lock Down

Now I want to look for open files. I'm running my desktop off a loop disk [1], and I can query all the open files on that (filesystem) device with:

# lsof /dev/loop0

The resulting output scrolls up my screen for a full two seconds with screeds of information. I can also request to list only Unix sockets with:

# lsof -U

Although I've already looked at a specific network port, what about querying all open network ports? Try running this simple command:

# lsof -i

With that entered, my system reports some useful security information: ports that can be closed down because they're not needed or not in use at all; full hostnames rather than just IP addresses (resolved through DNS, so I can immediately tell what my system is connecting to as I type); and which user, which PID, and which command is responsible for the process that opened each port. Figure 10 shows this concisely. If you look closely, you can also see the remote port you're connecting to. For example, the first ESTABLISHED connection shown (Figure 10, right-hand side near the bottom) is using the remote port 5228.

Figure 10: Super-succinct but significantly powerful output relating to open ports.

If that doesn't meet your needs, you can switch off DNS lookups with -n and just show port numbers without the names with -P:

# lsof -n -i -P
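The two workflows above (tracing a suspicious file back to its process, and listing what is open on the network) both become easier to script when lsof is asked for its machine-readable field output with -F, which prints one field per line with a single-letter prefix (p = PID, c = command, L = login name, f = file descriptor, n = name, T = TCP state such as TST=LISTEN). The script below is an added example, not code from the article or from the lsof project: it parses that format into rows with awk and then answers the two questions. The sample outputs embedded in it are constructed by hand to look like `lsof -F pcLfn /tmp/example.tmp` and `lsof -n -P -i -F pcLfnT`; the PID 14332 and command name soffice.b are taken from the article, everything else (paths, addresses, the sshd and firefox entries) is made up for illustration.

```shell
#!/bin/sh
# Added example: turn lsof -F field output into something scriptable.
# Field lines look like "p14332", "csoffice.b", "Lchris", "f12", "n/tmp/x",
# and for sockets "TST=LISTEN". A "p" line starts a new process, an "f" line
# starts a new open file within that process.

# stdin:  lsof -F pcLfnT output
# stdout: one tab-separated row per open file: pid cmd user fd name state
lsof_fields_to_rows() {
  awk '
    function flush() {
      if (fd != "") printf "%s\t%s\t%s\t%s\t%s\t%s\n", pid, cmd, usr, fd, name, st
      fd = ""; name = ""; st = ""
    }
    /^p/    { flush(); pid = substr($0, 2); cmd = ""; usr = ""; next }
    /^c/    { cmd = substr($0, 2); next }
    /^L/    { usr = substr($0, 2); next }
    /^f/    { flush(); fd = substr($0, 2); next }
    /^n/    { name = substr($0, 2); next }
    /^TST=/ { st = substr($0, 5); next }
    END     { flush() }
  '
}

# Who has a file open? stdin: lsof -F pcLfn <file> output; stdout: "pid cmd user"
owners_of_file() {
  lsof_fields_to_rows | awk -F'\t' '{ print $1, $2, $3 }' | sort -u
}

# Which sockets are listening? stdin: lsof -n -P -i -F pcLfnT output
# stdout: "user cmd pid local-address"
listening_sockets() {
  lsof_fields_to_rows | awk -F'\t' '$6 == "LISTEN" { print $3, $2, $1, $5 }'
}

# Constructed sample (not a real capture) of: lsof -F pcLfn /tmp/example.tmp
SAMPLE_FILE='p14332
csoffice.b
Lchris
f12
n/tmp/example.tmp'

# Constructed sample (not a real capture) of: lsof -n -P -i -F pcLfnT
SAMPLE_NET='p842
csshd
Lroot
f3
n*:22
TST=LISTEN
p2301
cfirefox
Lchris
f57
n10.0.0.5:41822->172.217.0.1:5228
TST=ESTABLISHED'

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_FILE" | owners_of_file      # 14332 soffice.b chris
printf '%s\n' "$SAMPLE_NET"  | listening_sockets   # root sshd 842 *:22
```

On a live system the same functions take real input, e.g. `lsof -F pcLfn /tmp/somefile | owners_of_file` or `lsof -n -P -i -F pcLfnT | listening_sockets`; the -n and -P flags from the article keep the name column as bare addresses and port numbers, which is what makes the output stable enough to parse. If you only want PIDs to feed into `lsof -p`, lsof's own -t option prints nothing else.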

Checking everything a remote host is doing with my machine, in the sense of all ports using any protocol, is one of my favorite lsof commands:

# lsof -i @another-chris-server.tld

Additional features just keep coming; you can mix up one host with multiple ports or, in this case, a range of ports:

# lsof -i @another-chris-server.tld:5228-6502

Also, you can gain visibility of which files are open on particular file descriptors, across every process, by passing -d a comma-separated list of descriptor numbers for more fine-grained output:

# lsof -d 111,34,67

Belly of the Beast

A little more background might increase your understanding of how lsof achieves its powerful output. According to the man page, the magical lsof procures its power from four main files.

It draws information from both the kernel virtual memory device, /dev/kmem (which isn't present on my desktop, although it appears in linux-headers) and the physical memory device, /dev/mem. According to the mem man page, "The file kmem is the same as mem, except that the kernel virtual memory rather than physical memory is accessed."

The command lsof also references the system swap file, conveniently found at /dev/swap, and a cache generated partly from a gethostname lookup.

In other words, it's a busy little utility, and although other tools can claim to harvest much of the information held within these ever-changing system files, there's certainly an argument that lsof pulls it all together the most gracefully.
