C.7 lsof Program
The name lsof stands for "list open
files." Like tcpdump, it is a publicly available tool that
is handy for debugging and has been ported to many versions of
Unix.
One common use for lsof with networking
is to find which process has a socket open on a specified IP
address or port. netstat tells us which IP addresses and
ports are in use, and the state of the TCP connections, but it does
not identify the process. For example, to find out which process
provides the daytime server, we execute the following:
freebsd % lsof -i TCP:daytime
COMMAND PID USER FD   TYPE DEVICE             SIZE/OFF NODE NAME
inetd   561 root 5u   IPv4 0xfffff8003027a260 0t0      TCP  *:daytime (LISTEN)
inetd   561 root 7u   IPv6 0xfffff800302b6720 0t0      TCP  *:daytime
This tells us the command (this service is
provided by the inetd server), its PID, the owner,
descriptor (5 for IPv4 and 7 for IPv6, and the u means it
is open for read/write), type of socket, address of the protocol
control block, size or offset of the file (not meaningful for a
socket), protocol type, and name.
One common use for this program is when we start
a server that binds its well-known port and get the error that the
address is already in use. We then use lsof to find the
process that is using the port.
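The column layout described above can be parsed to answer "who holds this port" from a script. This is an added example, not code from the book: the function names are hypothetical, the sample is the lsof output shown above, and it assumes every column is populated and command names contain no whitespace.

```python
import re
import shutil
import subprocess

# Sample copied from the lsof run shown above, so the parser runs offline.
SAMPLE = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
inetd 561 root 5u IPv4 0xfffff8003027a260 0t0 TCP *:daytime (LISTEN)
inetd 561 root 7u IPv6 0xfffff800302b6720 0t0 TCP *:daytime
"""

MODES = {"r": "read", "w": "write", "u": "read/write"}

def parse_lsof(text):
    """Turn `lsof -i` column output into one dict per open socket."""
    records = []
    for line in text.splitlines():
        fields = line.strip().split(None, 8)  # NAME is last, may hold a space
        if len(fields) < 9 or fields[0] == "COMMAND":
            continue                          # header or short line
        command, pid, user, fd, sock_type, device, _size, proto, name = fields
        fd_match = re.match(r"(\d+)([rwu])?", fd)
        if fd_match is None:                  # cwd, txt, ...: not a descriptor
            continue
        endpoint, _, state = name.partition(" (")
        records.append({
            "command": command, "pid": int(pid), "user": user,
            "fd": int(fd_match.group(1)),
            "mode": MODES.get(fd_match.group(2), "unknown"),
            "type": sock_type, "pcb": device, "proto": proto,
            "endpoint": endpoint, "state": state.rstrip(")") or None,
        })
    return records

def owners(records):
    """Collapse socket records to the distinct (pid, command, user) owners."""
    return sorted({(r["pid"], r["command"], r["user"]) for r in records})

def who_has(spec):
    """Run lsof for a spec such as 'TCP:daytime'; needs lsof on PATH."""
    if shutil.which("lsof") is None:
        raise RuntimeError("lsof not installed")
    out = subprocess.run(["lsof", "-i", spec], capture_output=True, text=True)
    return owners(parse_lsof(out.stdout))

if __name__ == "__main__":
    for pid, command, user in owners(parse_lsof(SAMPLE)):
        print(f"PID {pid} ({command}, user {user}) holds the daytime port")
```

Both descriptors collapse to a single owner here, since inetd holds the IPv4 and IPv6 sockets in one process.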
Since lsof reports on open files, it
cannot report on network endpoints that are not associated with an
open file: TCP endpoints in the TIME_WAIT state.
ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/ is the
location for this program. It was written by Vic Abell.
Some vendors supply their own utility that does
similar things. For example, FreeBSD supplies the fstat
program. The advantage of lsof is that it works under so
many versions of Unix, and using a single tool in a heterogeneous
environment, instead of a different tool for each environment, is a
big advantage.