后浪笔记一零二四

https://github.com/lsof-org/lsof

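1. Using lsof in place of the ss command from iproute

lsof -nP -iTCP:<port> -sTCP:LISTEN

-n: do not resolve addresses to host names
-P: do not convert port numbers to service names
Without sudo, only programs running as the current user are shown.

2. Meaning of the fields in lsof output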

$ lsof -nP -iTCP:4000 -sTCP:LISTEN
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
VBoxNetNA 35428  hbt   28u  IPv4 0xd28b43dbbf88f80d      0t0  TCP 127.0.0.1:4000 (LISTEN)

FD: the file descriptor number of the file, or one of the following values:
cwd current working directory;
Lnn library references (AIX);
err FD information error (see NAME column);
jld jail directory (FreeBSD);
ltx shared library text (code and data);
Mxx hex memory-mapped type number xx.
m86 DOS Merge mapped file;
mem memory-mapped file;
mmap memory-mapped device;
pd parent directory;
rtd root directory;
tr kernel trace file (OpenBSD);
txt program text (code and data);
v86 VP/ix mapped file;

FD is followed by one of these characters, describing the mode under which the file is open:
r for read access;
w for write access;
u for read and write access;
space if mode unknown and no lock character follows;
`-' if mode unknown and lock character follows.

The possible lock characters are:
N for a Solaris NFS lock of unknown type;
r for read lock on part of the file;
R for a read lock on the entire file;
w for a write lock on part of the file;
W for a write lock on the entire file;
u for a read and write lock of any length;
U for a lock of unknown type;
x for an SCO OpenServer Xenix lock on part of the file;
X for an SCO OpenServer Xenix lock on the entire file;
space if there is no lock.

3. Recovering a deleted file

When a process has a file open, the file's data remains on disk for as long as the process keeps it open, even after the file is deleted. The file is invisible to everything except that process, because its directory entry has been removed. /proc is a virtual filesystem backed by memory: the files under it do not exist on disk. Suppose we accidentally deleted /var/log/messages; it can be recovered as follows:

$ # Find the process that has /var/log/messages open
$ lsof | grep /var/log/messages
syslogd 1283 root 2w REG 3,3 5381017 1773647 /var/log/messages (deleted)
$ # The output shows that PID 1283 (syslogd) has /var/log/messages open on file descriptor 2.
$ # The contents of the deleted /var/log/messages can therefore be read from /proc/1283/fd/2
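
The recovery step itself, as an added example that is not part of the original post: a POSIX shell function that finds the descriptor still pointing at the deleted file under /proc/PID/fd and copies its contents out. It assumes Linux; `recover_deleted`, `demo` and the temporary paths are names made up for illustration, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, Linux only: relies on /proc/PID/fd. All names are illustrative.

# recover_deleted PID TARGET DEST
# Copy a file that was unlinked but is still held open by PID into DEST.
# Returns 1 if PID holds no descriptor for "TARGET (deleted)".
recover_deleted() {
    pid=$1 target=$2 dest=$3
    for fd in /proc/"$pid"/fd/*; do
        # Each entry is a symlink; the kernel appends " (deleted)" to its
        # target once the file's directory entry has been removed.
        [ "$(readlink "$fd" 2>/dev/null)" = "$target (deleted)" ] || continue
        # Keep the copy private (logs can hold sensitive data) and refuse
        # to overwrite an existing DEST (set -C is noclobber).
        ( umask 077; set -C; cat "$fd" > "$dest" ) || return 1
        return 0
    done
    return 1
}

# demo: constructed stand-in for syslogd holding /var/log/messages open.
# Prints the recovered contents; returns non-zero if recovery failed.
demo() {
    dir=$(cd "$(mktemp -d)" && pwd -P) || return 1
    log=$dir/messages
    printf 'constructed log line 1\nconstructed log line 2\n' > "$log"
    exec 3>>"$log"               # open for append, like a logging daemon
    sleep 30 >/dev/null 2>&1 &   # child inherits fd 3, keeping the inode alive
    holder=$!
    exec 3>&-                    # the parent drops its own descriptor
    rm "$log"                    # the accidental delete
    rc=0
    recover_deleted "$holder" "$log" "$dir/messages.recovered" || rc=$?
    kill "$holder" 2>/dev/null || true
    wait "$holder" 2>/dev/null || true
    [ "$rc" -eq 0 ] && cat "$dir/messages.recovered"
    rm -rf "$dir"
    return "$rc"
}
```

The copy is a snapshot: the daemon keeps writing to the unlinked inode until it is restarted or told to reopen its log, so restore the file and then make the daemon reopen it.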

This article was published on 0001-01-01 and last modified on 0001-01-01.
