
10/29/2014

An lsof Primer

Key Options
Getting Information About the Network
User Information
Commands and Processes
Files and Directories
Advanced
lsof is the sysadmin/security über-tool. I use it most for getting network connection related information from a system, but that's just the beginning for this powerful and too little known application. The tool is aptly called lsof because it lists open files. And remember, in UNIX just about everything (including a network socket) is a file.

http://danielmiessler.com/study/lsof/

lsof has one of the largest option sets of any Linux/Unix command. It has so many that it has to use both minuses and pluses:

usage: [-?abhlnNoOPRstUvV] [+|-c c] [+|-d s] [+D D] [+|-f[cgG]]
[-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+|-M] [-o [o]]
[-p s] [+|-r [t]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]

As you can see, lsof has a truly staggering number of options. You can use it to get information about devices on your system, what a given user is touching at any given point, or even what files or network connectivity a process is using.

For me, lsof replaces both netstat and ps entirely. It has everything I get from those tools and much, much more. So let's look at some of its primary capabilities:

Key Options

It's important to understand a few key things about how lsof works. Most importantly, when you're passing options to it, the default behavior is to OR the results. So if you are pulling a list of ports with -i and also a process list with -p, you're by default going to get both results: every network file on the system plus every file that process has open, not just that process's network files. Add -a when you want the intersection.

Here are a few others like that to keep in mind:

default: without options, lsof lists all open files for active processes
grouping: it's possible to group options, e.g. -abC, but you have to watch for which options take parameters
-a: AND the results (instead of OR)
-l: show the user ID instead of the username in the output
-h: get help
-t: get process IDs only (terse output, one PID per line, ready to feed to kill)
-n and -P: don't resolve addresses to hostnames or ports to service names; this is faster, keeps the output stable across hosts, and avoids sending DNS queries from a box you are investigating
-U: select UNIX domain sockets
-F: machine-readable output for another command, one field per line with a one-letter prefix, selected by field letters, e.g. -F pcfn (for process id, command name, file descriptor, and file name); add the 0 field identifier (e.g. -F pcfn0) to terminate fields with NUL instead of newline
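Two of the options above, -a and -F, matter most when lsof is driven from a script. The following shell functions are an added example, not code from the original post: lsof_fields turns "lsof -F pcfn" output into tab-separated rows (one awk pass over the letter-prefixed fields rather than splitting the human-readable columns, whose NAME field may contain spaces), and user_net_files applies -a so that -u and -i are intersected instead of ORed. The function names are my own, and the sample -F output at the bottom is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example (not code from the post): consume lsof -F output from a script.
# With -F, lsof prints one field per line, prefixed by a letter:
#   p = PID, c = command name, f = file descriptor, n = name (path or endpoint)
# A 'p' line starts a new process; each of its files starts with an 'f' line.

# stdin: output of "lsof -F pcfn"; stdout: TSV rows "pid<TAB>cmd<TAB>fd<TAB>name".
lsof_fields() {
    awk '
        /^p/ { pid = substr($0, 2); cmd = ""; next }
        /^c/ { cmd = substr($0, 2); next }
        /^f/ { fd  = substr($0, 2); next }
        /^n/ { printf "%s\t%s\t%s\t%s\n", pid, cmd, fd, substr($0, 2) }
    '
}

# Network files held by one user. The -a is essential: without it lsof ORs
# the selectors and returns every file of the user plus every network file
# of every process. -n and -P keep addresses and ports numeric, which is
# faster and avoids DNS lookups from the box you are investigating.
user_net_files() {
    lsof -a -nP -u "$1" -i -F pcfn | lsof_fields
}

# Constructed sample of "lsof -F pcfn" output (not a real capture), used to
# exercise the parser without needing root or a live system.
SAMPLE_F='p7892
csshd
f3
n10.10.1.5:22->192.168.1.5:49901
f4
n/var/log/auth.log
p169
cfirefox
f49
n1.2.3.3:1863->1.2.3.4:80'

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_F" | lsof_fields ;;   # parse the sample
    --user) user_net_files "${2:?user name}" ;;          # query a live host
esac
```

Run it with --demo to see the parser on the sample, or with --user daniel on a real host (as root, or you only see your own processes). The same awk works unchanged for any other field set you ask -F for, as long as n stays the last field per file.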

Getting Information About the Network

As I said, one of my main use cases for lsof is getting information about how my system is interacting with the network. Here are some staples for getting this info:

Show all connections with -i

Some like to use netstat to get network connections, but I much prefer using lsof for this. The display shows things in a format that's intuitive to me, and I like knowing that from there I can simply change my syntax and get more information using the same command.

# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
dhcpcd 6061 root 4u IPv4 4510 UDP *:bootpc
sshd 7703 root 3u IPv6 6499 TCP *:ssh (LISTEN)
sshd 7892 root 3u IPv6 6757 TCP 10.10.1.5:ssh->192.168.1.5:49901 (ESTABLISHED)

Get only IPv6 traffic with -i 6

# lsof -i 6

Show only TCP connections (works the same for UDP)

You can also show only TCP or UDP connections by providing the protocol right after the -i.

# lsof -i TCP
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 7703 root 3u IPv6 6499 TCP *:ssh (LISTEN)
sshd 7892 root 3u IPv6 6757 TCP 10.10.1.5:ssh->192.168.1.5:49901 (ESTABLISHED)

Show networking related to a given port using -i :port

Or you can search by port instead, which is great for figuring out what's preventing another app from binding to a given port.

# lsof -i :22
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 7703 root 3u IPv6 6499 TCP *:ssh (LISTEN)
sshd 7892 root 3u IPv6 6757 TCP 10.10.1.5:ssh->192.168.1.5:49901 (ESTABLISHED)

Show connections to a specific host using @host

This is quite useful when you're looking into whether you have open connections with a given host on the network or on the internet.

# lsof -i @172.16.12.5
sshd 7892 root 3u IPv6 6757 TCP 10.10.1.5:ssh->172.16.12.5:49901 (ESTABLISHED)

Show connections based on the host and the port using @host:port

You can also combine the host and the port in one selector.

# lsof -i @172.16.12.5:22
sshd 7892 root 3u IPv6 6757 TCP 10.10.1.5:ssh->172.16.12.5:49901 (ESTABLISHED)

Find listening ports

Find ports that are awaiting connections.

# lsof -i -sTCP:LISTEN

You can also do this by grepping for LISTEN, though the -s filter is the precise form: grep will also match any command name or path that happens to contain the string.

# lsof -i | grep -i LISTEN
iTunes 400 daniel 16u IPv4 0x4575228 0t0 TCP *:daap (LISTEN)

Find established connections

You can also show any connections that are already established.

# lsof -i -sTCP:ESTABLISHED

You can also do this just by searching for ESTABLISHED in the output via grep.

# lsof -i | grep -i ESTABLISHED
firefox-b 169 daniel 49u IPv4 0t0 TCP 1.2.3.3:1863->1.2.3.4:http (ESTABLISHED)
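A direct use of -sTCP:LISTEN is a listening-socket audit: anything bound that is not on your list of expected ports deserves a look. The script below is an added example, not code from the original post. Its awk parses the columnar output of "lsof -nP -iTCP -sTCP:LISTEN", where -n and -P keep the NAME column numeric and stable ("*:22 (LISTEN)" instead of "*:ssh (LISTEN)", whose service name depends on /etc/services). The function names, the allowlist and the sample output (including the made-up bkdr process) are my own construction.

```shell
#!/bin/sh
# Added example (not code from the post): flag listening TCP sockets that are
# not on an allowlist of expected ports. Input is the columnar output of
#   lsof -nP -iTCP -sTCP:LISTEN
# -n/-P matter here: with name resolution on, NAME reads "*:ssh (LISTEN)" and
# the port becomes a service name that differs from host to host.

# stdin: lsof output; stdout: "command pid addr:port" for each listener.
# "(LISTEN)" is always the last token and the endpoint the one before it.
listen_sockets() {
    awk '$NF == "(LISTEN)" { print $1, $2, $(NF - 1) }'
}

# $1: space-separated allowlist of ports. Prints listeners not on the list.
# The port is whatever follows the last ':' so "[::]:22" and "*:22" both work.
unexpected_listeners() {
    allow=" $1 "
    listen_sockets | while read -r cmd pid endpoint; do
        port=${endpoint##*:}
        case "$allow" in
            *" $port "*) ;;                       # expected
            *) echo "$cmd $pid $endpoint" ;;      # not on the allowlist
        esac
    done
}

# Constructed sample in the same layout lsof -nP prints (not a real capture).
SAMPLE_LISTEN='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 7703 root 3u IPv4 6499 0t0 TCP *:22 (LISTEN)
sshd 7703 root 4u IPv6 6500 0t0 TCP [::]:22 (LISTEN)
cupsd 812 root 6u IPv4 9120 0t0 TCP 127.0.0.1:631 (LISTEN)
bkdr 1893 daniel 3u IPv4 3456 0t0 TCP *:31337 (LISTEN)'

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_LISTEN" | unexpected_listeners "22 631" ;;
    --live) lsof -nP -iTCP -sTCP:LISTEN | unexpected_listeners "${2:-22}" ;;
esac
```

With --demo the only line printed is the bkdr listener on 31337; with --live "22 80 443" it runs against the real host and prints whatever else is bound. Run it as root, since lsof only shows you other users' sockets when it can read their process information.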

User Information

You can also get information on various users and what they're doing on the system, including their activity on the network, their interactions with files, etc.

Show what a given user has open using -u

# lsof -u daniel
-- snipped --
Dock 155 daniel txt REG 14,2 2798436 823208 /usr/lib/libicucore.A.dylib
Dock 155 daniel txt REG 14,2 1580212 823126 /usr/lib/libobjc.A.dylib
Dock 155 daniel txt REG 14,2 2934184 823498 /usr/lib/libstdc++.6.0.4.dylib
Dock 155 daniel txt REG 14,2 132008 823505 /usr/lib/libgcc_s.1.dylib
Dock 155 daniel txt REG 14,2 212160 823214 /usr/lib/libauto.dylib
-- snipped --

-u also takes numeric UIDs and a comma-separated list, e.g. -u 0,daniel.

Show what all users are doing except a certain user using -u ^user

# lsof -u ^daniel
-- snipped --
Dock 155 jim txt REG 14,2 2798436 823208 /usr/lib/libicucore.A.dylib
Dock 155 jim txt REG 14,2 1580212 823126 /usr/lib/libobjc.A.dylib
Dock 155 jim txt REG 14,2 2934184 823498 /usr/lib/libstdc++.6.0.4.dylib
Dock 155 jim txt REG 14,2 132008 823505 /usr/lib/libgcc_s.1.dylib
Dock 155 jim txt REG 14,2 212160 823214 /usr/lib/libauto.dylib
-- snipped --

Quote the ^ if your shell treats it specially (zsh with extendedglob does).

Kill everything a given user is doing

It's nice to be able to nuke everything being run by a given user. -t prints one PID per line, which is exactly the form kill wants:

# kill -9 `lsof -t -u daniel`

Two cautions. SIGKILL gives the processes no chance to flush or clean up, so send a plain TERM first and reserve -9 for whatever survives. And this selects every process the user owns, including the shell you are typing in if you happen to be that user, so check the name twice.

Commands and Processes

It's often useful to be able to see what a given program or process is up to, and with lsof you can do this by name or by process ID. Here are a few options:

See what files and network connections a named command is using with -c

# lsof -c syslog-ng
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
syslog-ng 7547 root cwd DIR 3,3 4096 2 /
syslog-ng 7547 root rtd DIR 3,3 4096 2 /
syslog-ng 7547 root txt REG 3,3 113524 1064970 /usr/sbin/syslog-ng
-- snipped --

Note that -c matches the beginning of the command name, so -c ssh selects ssh, sshd and ssh-agent alike. Wrap the argument in slashes (-c /^sshd$/) for a regular expression when you need an exact match.

See what a given process ID has open using -p

# lsof -p 10068
-- snipped --
sshd 10068 root mem REG 3,3 34808 850407 /lib/libnss_files-2.4.so
sshd 10068 root mem REG 3,3 34924 850409 /lib/libnss_nis-2.4.so
sshd 10068 root mem REG 3,3 26596 850405 /lib/libnss_compat-2.4.so
sshd 10068 root mem REG 3,3 200152 509940 /usr/lib/libssl.so.0.9.7
sshd 10068 root mem REG 3,3 46216 510014 /usr/lib/liblber-2.3
sshd 10068 root mem REG 3,3 59868 850413 /lib/libresolv-2.4.so
sshd 10068 root mem REG 3,3 1197180 850396 /lib/libc-2.4.so
sshd 10068 root mem REG 3,3 22168 850398 /lib/libcrypt-2.4.so
sshd 10068 root mem REG 3,3 72784 850404 /lib/libnsl-2.4.so
sshd 10068 root mem REG 3,3 70632 850417 /lib/libz.so.1.2.3
sshd 10068 root mem REG 3,3 9992 850416 /lib/libutil-2.4.so
-- snipped --

The mem and txt rows are the libraries and the executable the process has mapped, which is a quick way to see exactly which libssl a running daemon is actually using rather than the one you think is installed.

The -t option returns just a PID

# lsof -t -c Mail
350

Files and Directories

By looking at a given file or directory you can see what all on the system is interacting with it, including users, processes, etc.

Show everything interacting with a given directory

Naming a directory by itself only matches processes that hold that directory open (as their cwd, for instance). +D walks the tree and matches every file under it, so it is the form you want for "who has anything open under /var/log". Be aware that +D on a large tree is slow, since lsof has to stat everything beneath it.

# lsof +D /var/log
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
syslog-ng 7547 root 4w REG 3,3 217309 834024 /var/log/messages

Show everything interacting with a given file

# lsof /home/daniel/firewall_whitelist.txt

Advanced Usage

Similar to tcpdump, the power really shows itself when you start combining queries.

Show me everything daniel is doing connected to 1.1.1.1

Remember the -a: without it the two selectors are ORed and you get every file daniel has open plus every connection to 1.1.1.1 from anyone.

# lsof -a -u daniel -i @1.1.1.1
bkdr 1893 daniel 3u IPv6 3456 TCP 10.10.1.10:1234->1.1.1.1:31337 (ESTABLISHED)

Using the -t and -c options together to HUP processes

# kill -HUP `lsof -t -c sshd`

lsof +L1 shows you all open files that have a link count less than 1

A link count of 0 means the file has been unlinked from every directory while a process still holds it open. This is often (but not always) indicative of an attacker trying to hide file content by unlinking it. Package upgrades that replace a library while a running process still maps the old copy leave the same signature, so look at which process holds the file and what it is before drawing conclusions.

# lsof +L1
(hopefully nothing)
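What to do with a +L1 hit on Linux, as an added example that is not code from the original post: the awk below pulls the NLINK == 0 rows out of "lsof -nP +L1" output (+L adds a NLINK column between SIZE/OFF and NODE), and proc_path maps each hit to the /proc entry that still serves the unlinked content, so you can copy the bytes out before the process exits and they are gone for good. The function names and the sample output (a shell running from an unlinked binary, its unlinked log, and a process whose cwd was removed) are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the post): triage unlinked-but-open files.
# "lsof +L1" lists files whose link count is below 1, i.e. unlinked while a
# process still holds them open: a classic way to keep a payload or a log off
# the filesystem. On Linux the bytes stay reachable through /proc until the
# last descriptor closes, so capture them before killing anything.
# +L adds a NLINK column: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NLINK NODE NAME

# stdin: "lsof -nP +L1" output; stdout: "pid fd name" for every NLINK == 0 row.
# NAME is rebuilt from field 10 onward because it may contain spaces
# (on Linux lsof appends " (deleted)" to the path).
unlinked_open_files() {
    awk 'NR > 1 && $8 == 0 {
        name = $10
        for (i = 11; i <= NF; i++) name = name " " $i
        print $2, $4, name
    }'
}

# Map a pid/FD pair to the procfs path that still serves the content:
# a numeric FD such as "3w" -> /proc/PID/fd/3, the executable (txt) ->
# /proc/PID/exe. cwd, rtd and mem mappings have no such handle, so fail.
proc_path() {
    case "$2" in
        [0-9]*) echo "/proc/$1/fd/${2%%[!0-9]*}" ;;
        txt)    echo "/proc/$1/exe" ;;
        *)      return 1 ;;
    esac
}

# Copy every recoverable hit into directory $1 as PID_FD (Linux only).
recover_unlinked() {
    unlinked_open_files | while read -r pid fd name; do
        if src=$(proc_path "$pid" "$fd"); then
            dst="$1/${pid}_${fd}"
            if cp "$src" "$dst" 2>/dev/null; then
                echo "saved $name -> $dst"
            fi
        fi
    done
}

# Constructed sample (not a real capture): a binary running from an unlinked
# path, its unlinked log, and a process whose working directory was removed.
SAMPLE_L1='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NLINK NODE NAME
bash 1893 daniel txt REG 8,1 1113504 0 262145 /tmp/.x/bash (deleted)
bash 1893 daniel 3w REG 8,1 4096 0 262146 /tmp/.x/log (deleted)
nginx 700 www-data cwd DIR 8,1 4096 0 10 /var/www/old (deleted)'

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_L1" | unlinked_open_files ;;
    --live) lsof -nP +L1 | recover_unlinked "${2:?destination directory}" ;;
esac
```

--demo lists the three sample hits; --live /root/evidence runs lsof for real and copies whatever it can reach. The recovered executable (/proc/PID/exe) is usually what you want to hash and submit for analysis, and the whole thing has to happen before anyone kills the process, which is the reason this example deliberately does no killing.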

Show open connections with a port range

The range syntax is low-high with a hyphen:

# lsof -i @fw.google.com:2150-2180

Conclusion

This primer just scratches the surface of lsof's functionality. For a full reference, run man lsof or check out the online version. I hope this has been useful to you, and as always, comments and corrections are welcomed.

Resources

The lsof man page: http://www.netadmintools.com/html/lsof.man.html

1 Comment

Joe Baloney, 2 months ago:

Nice list of commands, though on my machine "lsof -u <user> -i @<addr>" just combines the two; scrolling up to the top of your tutorial I added the referenced "-a" option and it did as expected.

WHAT'STHIS?

ALSOONDANIELMIESSLER.COM

WhyImGettingtheiPhone6Plus

BetterNamesfortheInternetofThings

4comments2monthsago

2commentsamonthago

ErikBruchezMyownthoughtsonwhyI

SteveSteinerIagreewithyoursentiment.I

ordereda6Plus
http://blog.bruchez.name/2014/...

thinkthereneedstobe2names.Onefor
developersand

MyPredictionsonEbola'sSpread
Through2016

TrickleDownisaLie
3commentsamonthago

2comments18daysago

LukeBreuerFunfact:trickledownisanti

CarlMIthinkyouoverestimatethespeedat

whichavaccinewillbecreatedandthatyou
VASTLYoverestimate

Subscribe

AddDisqustoyoursite

Jesus:Thenthemotherofthesonsof
Zebedeecameuptohimwithher

Privacy

Search
http://danielmiessler.com/study/lsof/

7/8

10/29/2014

Searchthiswebsite

An lsof Primer

Search

::SubscribeviaRSS
::FollowonTwitter
::ConnectonGithub
GetEmailUpdates
Enteryouremailaddress
Subscribe

MostPopular
AvimTutorial
AtcpdumpPrimer
Uncommon*NixCommands
FromScreentoTmux
ChangingOpinions
RelatedPosts
1. AfindTutorialandPrimer
2. AUnixandLinuxPermissionsPrimer
3. AtarPrimer
4. AtcpdumpPrimer
5. AnNMAPPrimer
6. AgitPrimer
RecentPosts
Walgreens>CVSandRiteAid
IslamandtheSwastika
ChipandPinCreditCardTechnologyExplained
PlacesThatAcceptApplePay
Producersvs.Nurturers
TheGOPsProblem
Discovered
AlsoconsiderexploringmydiscoveredfeedalivecollectionofeverythingIfindinterestingonline.*
Syndication|Sitemap
PoweredbyStackusingSetup
danielmiessler|19992014|Share|PrivacyPolicy

http://danielmiessler.com/study/lsof/

8/8

Vous aimerez peut-être aussi