Linux命令 - lsof

1
2
3
4
5
lsof [ -?abChlnNOPRtUvVX ] [ -A A ] [ -c c ] [ +c c ] [ +|-d d ] [ +|-D D ] [ +|-e s ] 
        [ +|-f [cfgGn] ] [ -F [f] ] [ -g [s] ] [ -i [i] ] [ -k k ] [ +|-L [l] ] 
        [ +|-m m ] [ +|-M ] [ -o [o] ] [ -p s ] [ +|-r [t[m<fmt>]] ] [ -s [p:s] ] 
        [ -S [t] ] [ -T [t] ] [  -u  s  ]  [ +|-w ] [ -x [fl] ] [ -z [z] ] [ -Z [Z] ] 
        [ -- ] [names]

描述

显示进程打开文件信息。

选项

默认列出所有活动进程打开的所有文件。
-U显示Unix套接字,-N显示NFS文件,-u指定所属用户。

-? -h: 显示帮助。

-a: 设置选择模式为AND模式。

-A A: 

This option is available on systems configured for AFS whose AFS kernel code is implemented via dynamic modules.   It  allows
the  lsof  user to specify A as an alternate name list file where the kernel addresses of the dynamic modules might be found.
See the lsof FAQ (The FAQ section gives its location.)  for more information about dynamic modules, their  symbols,  and  how they affect lsof.

-b: 该选项避免可能阻塞的内核函数 - lstat(2), readlink(2), and stat(2).
参考 BLOCKS AND TIMEOUTSAVOIDING KERNEL BLOCKS 部分。

-c c: 选择以c字符串开头的命令所执行进程的文件。可以指定多个-c选项。它们在指定AND选项前以OR模式设置。
若c以‘^’开始,则为取反模式,即指定不以c字符串开头的命令进程。
若c以斜线‘/’开始和结束,其中的字符解释为正则表达式。正则表达式中的Shell元字符需要进行转义。结束斜线后可以跟以下字符:

  • b: 基本正则表达式
  • i: 忽略大小写
  • x: 扩展正则表达式(默认)
    先测简单参数,fail之后再测正则表达式。若指定-V选项,会产生‘‘no command found for regex:’’消息提示。

+c w: 显示命令名称的字符数,由UNIX dialect支持。默认是9。许多系统做了最大限制,Linux是15个字符。w为0时,打印最大限制字符数;w小于该列标题‘‘COMMAND’’的大小(7)时,会自动提升至该大小。

-C: 禁止内核命名缓存中的路径名称组件提供报告。参考 KERNEL NAME CACHE 部分。

+d s: 只查找指定目录下进程打开的子目录和文件(不下溯查找)。+D D选项下溯查找目录树。+d选项默认不处理软链接,可以通过指定-x-x l选项启用处理软链;默认不处理目录中的挂载点,可以通过指定-x-x f选项启用。
注意:权限相关参考系统函数stat(2).

-d s: 该选项指定一系列排除或包含的输出文件描述符。文件描述符以逗号分隔,如’cwd,1,3’,’^6,^2’。其中不能有任何空格。
若集合的所有项以’^’开始,则该列表是排除列表。若没有以’^’开头的项,则列表是包含列表。目前不支持混合列表。
文件描述符数字区间表示法,如’0-7’,’3-10’。若以’^’开头,如’^0-7’,则为排除区间,即排除所有0至7之间的文件描述符。
设置AND模式前,所有文件描述符数字以OR模式组合。

+D D: 查找目录D下所有打开实例(下溯查找)。默认不下溯软链和挂载点。参考-x-x l-x f
注意:权限相关参考系统函数stat(2)。

注意:该选项可能处理较慢,且需要较大的动态内存。原因在于它需要下溯D的整个目录树,对每个文件和目录调用stat(2),创建所有文件的列表,依照列表查找其中每一个打开的文件。谨慎使用该选项!

-D D: 该选项与lsof处理设备缓存文件功能有关。参考 DEVICE CACHE FILE 部分。
后面必须跟一个功能字符,该字符后可跟一个路径。目前支持以下功能字符:

  • ? - 报告设备缓存文件路径
  • b - 构建设备缓存文件
  • i - 忽略设备缓存文件
  • r - 读取设备缓存文件
  • u - 读取并更新设备缓存文件

后面跟路径的b、r和u有时是受限制的。

The  b,  r,  and  u functions, accompanied by a path name, are
sometimes restricted.  When these  functions  are  restricted,
they  will not appear in the description of the -D option that
accompanies -h or -?  option output.   See  the  DEVICE  CACHE
FILE section and the sections that follow it for more informa-
tion on these functions and when they’re restricted.

The ?  function reports the read-only  and  write  paths  that
lsof can use for the device cache file, the names of any envi-
ronment variables whose values lsof will examine when  forming
the  device  cache  file path, and the format for the personal
device cache file path.  (Escape the  ‘?’  character  as  your
shell requires.)

When  available,  the b, r, and u functions may be followed by
the  device  cache  file’s  path.   The  standard  default  is
.lsof_hostname  in the home directory of the real user ID that
executes lsof, but this could have been changed when lsof  was
configured  and  compiled.   (The  output  of  the  -h  and -?
options show the current default prefix  -  e.g.,  ‘‘.lsof’’.)
The  suffix,  hostname,  is  the first component of the host’s
name returned by gethostname(2).

When available, the b function directs lsof  to  build  a  new
device cache file at the default or specified path.

The i function directs lsof to ignore the default device cache
file and obtain its information about devices via direct calls
to the kernel.

The  r  function  directs lsof to read the device cache at the
default or specified path, but prevents it from creating a new
device  cache  file  when  none  exists or the existing one is
improperly structured.  The r function, when specified without
a  path name, prevents lsof from updating an incorrect or out-
dated device cache file, or creating a new one in  its  place.
The  r function is always available when it is specified with-
out a path name argument; it may be restricted by the  permis-
sions of the lsof process.

When available, the u function directs lsof to read the device
cache file at the default or specified path, if possible,  and
to rebuild it, if necessary.  This is the default device cache
file function when no -D option has been specified.

+|-e s: 剔除已提交到可能阻塞的内核函数调用的文件系统路径。+e剔除stat(2)lstat(2)readlink(2)-e只剔除stat(2)lstat(2)。多数文件系统将两个选项分开,每个选项都可以剔除readlink(2)调用。
目前仅Linux支持该选项。

         CAUTION: this option can easily be mis-applied to  other  than
         the  file system of interest, because it uses path name rather
         than the more reliable device and inode numbers.  (Device  and
         inode  numbers  are  acquired  via  the  potentially  blocking
         stat(2) kernel call and are thus not available,  but  see  the
         +|-m  m  option as a possible alternative way to supply device
         numbers.)

         Use this option with great care and  fully  specify  the  path
         name  of  the file system to be exempted.  Consider, for exam-
         ple, that specifying ‘‘-e /’’ would exempt all  file  systems,
         since all their paths begin with a ‘/’.

         When  open  files on exempted file systems are reported, it is
         not possible to obtain all their information.  Therefore, some
         information  columns  will  be  blank, the characters ‘‘UNKN’’
         preface the values in the  TYPE  column,  and  the  applicable
         exemption  option  is  added  in parentheses to the end of the
         NAME column.  Some device number  information  might  be  made
         available via the +|-m m option.

+|-f [cfgGn]
         f by itself clarifies how path name arguments are to be inter-
         preted.  When followed by c, f, g, G, or n in any  combination
         it  specifies that the listing of kernel file structure infor-
         mation is to be enabled (‘+’) or inhibited (‘-’).

         Normally a path name argument is taken to  be  a  file  system
         name  if  it  matches  a mounted-on directory name reported by
         mount(8), or if it represents a block  device,  named  in  the
         mount  output  and  associated  with a mounted directory name.
         When +f is specified, all path name arguments will be taken to
         be  file  system names, and lsof will complain if any are not.
         This can be useful, for example, when  the  file  system  name
         (mounted-on  device)  isn’t  a block device.  This happens for
         some CD-ROM file systems.

         When -f is specified by itself, all path name  arguments  will
         be  taken  to be simple files.  Thus, for example, the ‘‘-f --
         /’’ arguments direct lsof to search for open files with a  ‘/’
         path name, not all open files in the ‘/’ (root) file system.

         Be  careful to make sure +f and -f are properly terminated and
         aren’t followed by a character (e.g., of the file or file sys-
         tem  name)  that  might be taken as a parameter.  For example,
         use ‘‘--’’ after +f and -f as in these examples.

              $ lsof +f -- /file/system/name
              $ lsof -f -- /file/name

         The  listing  of  information  from  kernel  file  structures,