C.7 lsof Program
The name lsof stands for "list open files." Like tcpdump, it is a publicly available tool that is handy for debugging and has been ported to many versions of Unix.
One common use for lsof with networking is to find which process has a socket open on a specified IP address or port. netstat tells us which IP addresses and ports are in use, and the state of the TCP connections, but it does not identify the process. For example, to find out which process provides the daytime server, we execute the following:
freebsd % lsof -i TCP:daytime
COMMAND  PID  USER  FD  TYPE  DEVICE              SIZE/OFF  NODE  NAME
inetd    561  root  5u  IPv4  0xfffff8003027a260  0t0       TCP   *:daytime (LISTEN)
inetd    561  root  7u  IPv6  0xfffff800302b6720  0t0       TCP   *:daytime
This tells us the command (this service is provided by the inetd server), its PID, the owner, descriptor (5 for IPv4 and 7 for IPv6, and the u means it is open for read/write), type of socket, address of the protocol control block, size or offset of the file (not meaningful for a socket), protocol type, and name.
One common use for this program is when we start a server that binds its well-known port and get the error that the address is already in use. We then use lsof to find the process that is using the port.
Since lsof reports on open files, it cannot report on network endpoints that are not associated with an open file, namely TCP endpoints in the TIME_WAIT state.
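The following shell helper is an added example, not part of the original text. It condenses `lsof -i TCP:port` output to one line per owning process and, when lsof lists nothing after an "address already in use" failure, points at the TIME_WAIT case just described. The function names and the `-n -P` flags in the live wrapper are choices made for this example; the sample input is the daytime output shown earlier.

```shell
#!/bin/sh
# Added example: who owns a TCP port, based on `lsof -i TCP:<port>` output.

# Constructed sample input: the daytime output shown earlier in this section.
sample_lsof() {
cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
inetd 561 root 5u IPv4 0xfffff8003027a260 0t0 TCP *:daytime (LISTEN)
inetd 561 root 7u IPv6 0xfffff800302b6720 0t0 TCP *:daytime
EOF
}

# Read lsof output on stdin; print "COMMAND PID USER families" once per process.
# Column positions follow the header above: $1 COMMAND, $2 PID, $3 USER, $5 TYPE.
port_owners() {
    awk 'NR > 1 && NF >= 9 {
        key = $1 " " $2 " " $3
        if (!(key in fam)) { order[++n] = key; fam[key] = "" }
        if (index(fam[key], $5) == 0)
            fam[key] = fam[key] (fam[key] == "" ? "" : ",") $5
    }
    END { for (i = 1; i <= n; i++) print order[i], fam[order[i]] }'
}

# Interpret lsof output (stdin) after a bind failure with "address already in use".
# Returns 0 and lists the owners, or returns 1 when no open file holds the port.
explain_port() {
    owners=$(port_owners)
    if [ -n "$owners" ]; then
        printf '%s\n' "$owners"
        return 0
    fi
    echo "no open socket found; lsof cannot show TIME_WAIT endpoints, check netstat"
    return 1
}

# Live use (assumption: lsof is installed; -n and -P skip host and port name lookups).
who_has_port() {
    lsof -n -P -i TCP:"$1" 2>/dev/null | explain_port
}
```

Parsing the columns by whitespace is adequate for a quick check like this one; for scripted use, lsof's `-F` option produces field output intended for other programs to read.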
lsof is available from ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/. It was written by Vic Abell. Some vendors supply their own utility that does similar things; for example, FreeBSD supplies the fstat program. The big advantage of lsof is that it works under so many versions of Unix, so a single tool can be used across a heterogeneous environment instead of a different tool for each environment.