If everything in Linux is a file, there must be more to it than just the files on your hard drive. This tutorial will show you how to use lsof to view all the other devices and processes that are treated as files.
In Linux everything is a file
The oft-quoted phrase that everything in Linux is a file is kind of true. A file is a collection of bytes. When they are read into a program or sent to a printer, they generate a byte stream. When they are written to, they accept a byte stream.
Many other system components accept or generate byte streams, such as keyboards, sockets, printers, and communication processes. Because they receive, generate, or receive and generate streams of bytes, these devices can be treated — at a very low level — as files.
This design concept simplified the implementation of the Unix operating system. This meant that a small set of handlers, tools, and APIs could be created to handle a wide variety of different resources.
The data and program files that reside on your hard drive are ordinary file system files. We can use the ls command to list them and find out some details about them.
How do we find out about all the other processes and devices that are treated as files? We use the lsof command. It lists the open files on the system. That is, it lists everything that is handled as if it were a file.
lsof command
Many of the processes or devices that lsof can report on belong to root or were started by root, so you will need to use sudo with lsof.
And since this listing is going to be very long, we're going to pipe it through less.
sudo lsof | less
Before the lsof output appears, GNOME users may see a warning message in the terminal window.
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
lsof tries to process all mounted filesystems. This warning message is raised because lsof has encountered a GNOME Virtual File System (GVFS). This is a special case of a filesystem in user space (FUSE). It acts as a bridge between GNOME, its APIs, and the kernel. No one, not even root, can access one of these filesystems other than the owner who mounted it (in this case, GNOME). You can ignore this warning.
The output from lsof is very wide.
The lsof columns
Not all columns apply to every type of open file. It is normal for some of them to be empty.
- COMMAND : The name of the command associated with the process that opened the file.
- PID : Process identification number of the process that opened the file.
- TID : Task (thread) identification number. An empty column means that this is not a task; it's a process.
- USER : The user ID or login name of the user who owns the process, or the user ID or login name of the owner of the directory in /proc where lsof finds information about the process.
- FD : Shows the file descriptor of the file. File descriptors are described below.
- TYPE : The type of node associated with the file. Node types are described below.
- DEVICE : Contains either the comma-separated device numbers for a character special, block special, regular, directory, or NFS file, or a kernel reference address that identifies the file. The base address or device name of a Linux AX.25 socket device may also be displayed.
- SIZE/OFF : Shows the size of the file or the file offset in bytes.
- NODE : Shows the node number of a local file, the inode number of an NFS file on the server host, or the Internet protocol type. It may show STR for a stream, or the IRQ or inode number of a Linux AX.25 socket device.
- NAME : Shows the name of the mount point and file system on which the file resides.
FD column
The file descriptor in the FD column can be one of many options; the man page lists them all.
An entry in the FD column can consist of three parts: a file descriptor, a mode character, and a lock character. Some common file descriptors:
- cwd : current working directory.
- err : FD information error (see NAME column).
- ltx : shared library text (code and data).
- m86 : mapped DOS Merge file.
- mem : memory-mapped file.
- mmap : memory-mapped device.
- pd : parent directory.
- rtd : root directory.
- txt : program text (code and data).
- A number representing the file descriptor.
The mode character can be one of the following:
- r : read access.
- w : write access.
- u : read and write access.
- ' ' (space) : the mode is unknown and there is no lock character.
- - (hyphen) : the mode is unknown and there is a lock character.
The lock character can be one of:
- r : read lock on part of file.
- R : Read lock on the entire file.
- w : write lock for part of the file.
- W : Write lock on the whole file.
- u : read and write lock of any length.
- U : Unknown lock type.
- ' ' (space) : no lock.
TYPE column
More than 70 entries can be displayed in the TYPE column. Some common entries you will see:
- REG : a normal file system file.
- DIR : directory.
- FIFO : first in, first out.
- CHR : character special file.
- BLK : block special file.
- INET : Internet socket.
- unix : UNIX domain socket.
See processes that have a file open
To see the processes that have opened a specific file, pass the file name as a parameter to lsof. For example, to see the processes that have the kern.log file open, use this command:
sudo lsof /var/log/kern.log
lsof responds by displaying a single process, rsyslogd, which was started by the user syslog.
View all files opened from a directory
To see the files that were opened from a directory and the processes that opened them, pass the directory to lsof as a parameter. You must use the +D (directory) option.
To see all files that are open in the /var/log/ directory, use this command:
sudo lsof +D /var/log/
lsof responds with a list of all open files in that directory.
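The FD mode character and the +D option combine into a quick check for unexpected writers to a log directory. The script below is an added example, not part of the original tutorial: it parses lsof's -F field output (a machine-readable mode not otherwise used on this page), and both the sample data and the allowlist of expected writers are constructed assumptions.

```sh
#!/bin/sh
# Added example: flag processes holding files open for writing under a directory.
# Real input would come from:  sudo lsof -F pcfan +D /var/log/
# lsof -F prefixes each output line with a field letter:
#   p = PID, c = COMMAND, f = file descriptor, a = access mode (r/w/u), n = NAME

# Constructed sample in -F format, not captured from a real system.
SAMPLE='p812
crsyslogd
f7
aw
n/var/log/kern.log
f8
aw
n/var/log/syslog
p2290
cless
f4
ar
n/var/log/auth.log
p3051
cpython3
f3
au
n/var/log/auth.log'

# Hypothetical allowlist: commands that are expected to write logs on this host.
EXPECTED_WRITERS='rsyslogd systemd-journal'

# Reads -F output on stdin. Prints "COMMAND PID FD NAME" for every descriptor
# opened with mode w or u by a command that is not in EXPECTED_WRITERS.
unexpected_writers() {
    awk -v allow="$EXPECTED_WRITERS" '
        BEGIN { n = split(allow, names, " "); for (i = 1; i <= n; i++) ok[names[i]] = 1 }
        { tag = substr($0, 1, 1); val = substr($0, 2) }
        tag == "p" { pid = val; cmd = "" }      # a new process set begins
        tag == "c" { cmd = val }
        tag == "f" { fd = val; mode = "" }      # a new file set begins
        tag == "a" { mode = val }
        tag == "n" && (mode == "w" || mode == "u") && !(cmd in ok) {
            print cmd, pid, fd mode, val
        }
    '
}

printf '%s\n' "$SAMPLE" | unexpected_writers
```

The FD value in the report (3u here) is printed in the same descriptor-plus-mode form as the FD column in the normal lsof listing.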
To see all files that have been opened from the /home directory, use the following command:
sudo lsof +D /home
The files that were opened from the /home directory are displayed. Note that with shorter descriptions in some of the columns, the whole listing is narrower.
List files opened by a process
To see the files that have been opened by a particular process, use the -c (command) option. Note that you can give lsof more than one search term at once.
sudo lsof -c ssh -c init
lsof provides a list of the files that have been opened by any of the processes named on the command line.