An lsof Primer

Source: http://danielmiessler.com/study/lsof/ (danielmiessler.com, retrieved 10/29/2014)

Contents: Key Options | Getting Information About the Network | User Information | Commands and Processes | Files and Directories | Advanced Usage

lsof is the sysadmin/security über-tool. I use it most for getting network-connection-related information from a system, but that's just the beginning for this powerful and too-little-known application. The tool is aptly called lsof because it lists open files. And remember, in UNIX just about everything (including a network socket) is a file.

Interestingly, lsof is also one of the Linux/Unix commands with the most switches. It has so many that it has to use both minuses and pluses:
usage: [-?abhlnNoOPRstUvV] [+|-c c] [+|-d s] [+D D] [+|-f[cgG]]
[-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+|-M] [-o [o]]
[-p s] [+|-r [t]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
As you can see, lsof has a truly staggering number of options. You can use it to get information about devices on your system, what a given user is touching at any given point, or even what files or network connectivity a process is using.

For me, lsof replaces both netstat and ps for most day-to-day work. It has nearly everything I get from those tools and much, much more. So let's look at some of its primary capabilities:
Key Options

It's important to understand a few key things about how lsof works. Most importantly, when you pass it more than one selection option, the default behavior is to OR the results. So if you are pulling the network files with -i and also one process's files with -p, by default you're going to get the union of both sets; add -a to get only the files that match every option you gave.

Here are a few others like that to keep in mind:

default: without options, lsof lists all open files for all active processes
grouping: it's possible to group options, e.g. -abC, but you have to watch for which options take parameters
-a: AND the selection options together (instead of OR)
-l: show the user ID instead of the user name in the output
-n: don't resolve IP addresses to host names (faster, and avoids generating reverse DNS lookups during an investigation)
-P: don't resolve port numbers to service names
-h: get help
-t: terse output, process IDs only (made for feeding to kill or xargs)
-U: select UNIX domain socket files
-F: machine-readable output, one field per line prefixed with an identifying letter, e.g. -F pcfn for process ID, command name, file descriptor, and file name; add a 0 to the list (-F pcfn0) to get NUL field terminators instead of newlines
Getting Information About the Network

As I said, one of my main use cases for lsof is getting information about how my system is interacting with the network. Here are some staples for getting this info:

Show all connections with -i

Some like to use netstat to get network connections, but I much prefer using lsof for this. The display shows things in a format that's intuitive to me, and I like knowing that from there I can simply change my syntax and get more information using the same command.
# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
-- snipped --
Get only IPv6 traffic with -i 6

# lsof -i 6
Show only TCP connections (works the same for UDP)

You can also show only TCP or UDP connections by providing the protocol right after the -i.

# lsof -i TCP
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 7703 root 3u IPv6 6499 TCP *:ssh (LISTEN)
sshd 7892 root 3u IPv6 6757 TCP 10.10.1.5:ssh->192.168.1.5:49901 (ESTABLISHED)
Show networking related to a given port using -i :port

Or you can search by port instead, which is great for figuring out what's preventing another app from binding to a given port.

# lsof -i :22
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 7703 root 3u IPv6 6499 TCP *:ssh (LISTEN)
sshd 7892 root 3u IPv6 6757 TCP 10.10.1.5:ssh->192.168.1.5:49901 (ESTABLISHED)
Show connections to a specific host using @host

This is quite useful when you're looking into whether you have open connections with a given host on the network or on the internet.

# lsof -i @172.16.12.5
sshd 7892 root 3u IPv6 6757 TCP 10.10.1.5:ssh->172.16.12.5:49901 (ESTABLISHED)
Show connections based on the host and the port using @host:port

You can also combine the host and the port in one selector.

# lsof -i @172.16.12.5:22
sshd 7892 root 3u IPv6 6757 TCP 10.10.1.5:ssh->172.16.12.5:49901 (ESTABLISHED)
Find listening ports

Find ports that are awaiting connections.

# lsof -i -sTCP:LISTEN

You can also do this by grepping for LISTEN.

# lsof -i | grep -i LISTEN
iTunes 400 daniel
Find established connections

You can also show any connections that are already pinned up.

# lsof -i -sTCP:ESTABLISHED

You can also do this just by searching for ESTABLISHED in the output via grep.

# lsof -i | grep -i ESTABLISHED
firefox-b 169 daniel 49u IPv4 0t0 TCP 1.2.3.3:1863->1.2.3.4:http (ESTABLISHED)
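The -F field output described under Key Options, together with the port and LISTEN queries above, is what you want when lsof feeds a script rather than a human. What follows is an added example and not code from the original post: it parses a constructed sample of `lsof -nP -i -F pcfn` output (the PIDs and addresses are made up to mirror the rows shown above) into tab-separated rows and pulls out the PIDs that are listening on a given port. -n and -P keep addresses and ports numeric, so the name field is stable to match against and no DNS lookups are triggered.

```sh
#!/bin/sh
# Added example (not from the original post): turn `lsof -nP -i -F pcfn`
# output into tab-separated rows and pull listener PIDs out of them.
# -F emits one field per line tagged with a letter: p=PID, c=command,
# f=file descriptor, n=name. p and c appear once per process, f/n per file.

# Constructed sample of what `lsof -nP -i -F pcfn` prints; PIDs and addresses
# are made up to mirror the rows shown earlier in the post, not real output.
sample_lsof_f() {
  cat <<'EOF'
p7703
csshd
f3
n*:22
p7892
csshd
f3
n10.10.1.5:22->192.168.1.5:49901
p169
cfirefox-b
f49
n1.2.3.3:1863->1.2.3.4:80
EOF
}

# Read -F pcfn records on stdin, print: PID <TAB> COMMAND <TAB> FD <TAB> NAME
lsof_fields_to_rows() {
  awk '
    /^p/ { pid = substr($0, 2); cmd = ""; next }
    /^c/ { cmd = substr($0, 2); next }
    /^f/ { fd  = substr($0, 2); next }
    /^n/ { printf "%s\t%s\t%s\t%s\n", pid, cmd, fd, substr($0, 2) }
  '
}

# From those rows, print the PIDs bound to local port $1 with no peer address,
# i.e. listening sockets. A name containing "->" is a connected socket.
pids_listening_on() {
  awk -F '\t' -v port="$1" '
    $4 !~ /->/ && $4 ~ (":" port "$") { print $1 }
  ' | sort -u
}

# Stand-alone run on the constructed sample. On a live system replace
# sample_lsof_f with:  lsof -nP -i -F pcfn
sample_lsof_f | lsof_fields_to_rows
echo "listening on 22: $(sample_lsof_f | lsof_fields_to_rows | pids_listening_on 22)"
```

The same row format works for the -u, -c and -p queries later in the post; only the selection options passed to lsof change, the parser does not.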
User Information

You can also get information on various users and what they're doing on the system, including their activity on the network, their interactions with files, etc.

Show what a given user has open using -u

# lsof -u daniel
-- snipped --
Dock 155 daniel txt REG 14,2 2798436 823208 /usr/lib/libicucore.A.dylib
Dock 155 daniel txt REG 14,2 1580212 823126 /usr/lib/libobjc.A.dylib
Dock 155 daniel txt REG 14,2 2934184 823498 /usr/lib/libstdc++.6.0.4.dylib
Dock 155 daniel txt REG 14,2 132008 823505 /usr/lib/libgcc_s.1.dylib
Dock 155 daniel txt REG 14,2 212160 823214 /usr/lib/libauto.dylib
-- snipped --
Show what all users are doing except a certain user using -u ^user

# lsof -u ^daniel
-- snipped --
Dock 155 jim txt REG 14,2 2798436 823208 /usr/lib/libicucore.A.dylib
Dock 155 jim txt REG 14,2 1580212 823126 /usr/lib/libobjc.A.dylib
Dock 155 jim txt REG 14,2 2934184 823498 /usr/lib/libstdc++.6.0.4.dylib
Dock 155 jim txt REG 14,2 132008 823505 /usr/lib/libgcc_s.1.dylib
Dock 155 jim txt REG 14,2 212160 823214 /usr/lib/libauto.dylib
-- snipped --
Kill everything a given user is doing

It's nice to be able to nuke everything being run by a given user.

# kill -9 `lsof -t -u daniel`

lsof -u selects by the owner of the process, so for a logged-in user this is effectively all of their processes. If the list comes back empty, kill complains about missing arguments, so in a script prefer lsof -t -u daniel | xargs -r kill -9 (-r is GNU xargs; BSD xargs skips empty input by default).
Commands and Processes

It's often useful to be able to see what a given program or process is up to, and with lsof you can do this by name or by process ID. Here are a few options:

See what files and network connections a named command is using with -c

Note that -c matches the beginning of the command name, so -c ssh also picks up sshd; wrap the argument in slashes (-c /^sshd$/) for a regular expression match.

# lsof -c syslog-ng
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
syslog-ng 7547 root cwd DIR 3,3 4096 2 /
syslog-ng 7547 root rtd DIR 3,3 4096 2 /
syslog-ng 7547 root txt REG 3,3 113524 1064970 /usr/sbin/syslog-ng
-- snipped --
See what a given process ID has open using -p

# lsof -p 10068
-- snipped --
sshd 10068 root mem REG
sshd 10068 root mem REG
sshd 10068 root mem REG
sshd 10068 root mem REG
sshd 10068 root mem REG
sshd 10068 root mem REG
sshd 10068 root mem REG
sshd 10068 root mem REG
sshd 10068 root mem REG
sshd 10068 root mem REG
sshd 10068 root mem REG
-- snipped --
The -t option returns just a PID

# lsof -t -c Mail
350
Files and Directories

By looking at a given file or directory you can see what all on the system is interacting with it, including users, processes, etc.

Show everything interacting with a given directory

Naming a directory on its own only matches processes that hold that directory itself open (as their cwd, for example). To include everything beneath it, use +D, which walks the tree (and can be slow on a large one):

# lsof +D /var/log
COMMAND PID USER
syslog-ng 7547 root

Show everything interacting with a given file

# lsof /home/daniel/firewall_whitelist.txt
Advanced Usage

Similar to tcpdump, the power really shows itself when you start combining queries.

Show me everything daniel is doing connected to 1.1.1.1

Remember that selection options are ORed by default, so -a is needed here; without it you get everything daniel has open plus every connection to 1.1.1.1 from any user.

# lsof -a -u daniel -i @1.1.1.1
bkdr
Using the -t and -c options together to HUP processes

# kill -HUP `lsof -t -c sshd`

Because -c matches on the command-name prefix, this signals every process whose name begins with sshd, the listener and the per-connection children alike; narrow it (with -a and -u, or by PID) if that is not what you want.
lsof +L1 shows you all open files that have a link count less than 1

This is often (but not always) indicative of an attacker trying to hide file content by unlinking it. Binaries and libraries replaced by a package upgrade while still running, and programs that deliberately unlink their temp files, show up here too, so read the output with that in mind.

# lsof +L1
(hopefully nothing)
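Following up on +L1: on Linux the data of an unlinked file that a process still holds open stays reachable through /proc/PID/fd/N (or /proc/PID/exe for a running binary that was deleted from disk), so the first response step is to list what is unlinked and plan the copies. This is an added example, not code from the original post. It parses a constructed `lsof +L1` listing (made-up PIDs and paths, including a harmless nginx temp file to show the "not always an attacker" case) and prints the cp commands an analyst would review; /tmp/recovered is a hypothetical destination. Column positions follow the default lsof layout (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NLINK NODE NAME); for anything fully automated, the -F field output is more robust than splitting columns.

```sh
#!/bin/sh
# Added example (not from the original post): find unlinked-but-open files in
# `lsof +L1` output and build the /proc paths that still reach their contents.

# Constructed sample of `lsof +L1` output on Linux. PIDs, paths and sizes are
# made up; "bkdr" echoes the post's example and nginx is a benign case.
sample_lsof_L1() {
  cat <<'EOF'
COMMAND   PID USER FD  TYPE DEVICE SIZE/OFF NLINK   NODE NAME
bkdr     4242 root  3w REG    8,1    20480     0 131084 /tmp/.x/log (deleted)
bkdr     4242 root txt REG    8,1   876544     0 131077 /tmp/.x/bkdr (deleted)
nginx    1183 www   7u REG    8,1     4096     0 262201 /var/lib/nginx/tmp/client (deleted)
EOF
}

# Print PID <TAB> FD <TAB> NAME for every row whose link count (column 8) is 0.
# NAME may contain spaces, e.g. the "(deleted)" marker, so columns 10..NF are
# joined back together.
unlinked_open_files() {
  awk '
    NR == 1 { next }
    $8 == 0 {
      name = $10
      for (i = 11; i <= NF; i++) name = name " " $i
      printf "%s\t%s\t%s\n", $2, $4, name
    }
  '
}

# Map a (PID, FD) pair to the /proc handle that still gives access to the data:
# a descriptor like 3w or 7u becomes /proc/PID/fd/3, the txt mapping (the
# executable itself) becomes /proc/PID/exe, and anything else (mem, cwd, ...)
# has no recoverable handle here and is skipped with a non-zero status.
proc_handle() {
  pid=$1
  fd=$2
  case $fd in
    txt)    echo "/proc/$pid/exe" ;;
    [0-9]*) echo "/proc/$pid/fd/$(printf '%s' "$fd" | sed 's/[^0-9].*$//')" ;;
    *)      return 1 ;;
  esac
}

# Emit copy commands for review rather than running them: an analyst decides
# which of these are worth preserving. /tmp/recovered is a hypothetical target.
recovery_plan() {
  unlinked_open_files | while IFS="$(printf '\t')" read -r pid fd name; do
    if handle=$(proc_handle "$pid" "$fd"); then
      printf 'cp %s /tmp/recovered/%s-%s   # %s\n' "$handle" "$pid" "$fd" "$name"
    fi
  done
}

# Stand-alone run on the constructed sample. Live: lsof +L1 | recovery_plan
sample_lsof_L1 | recovery_plan
```

Copy the handles before touching the process: once it exits, the inode is gone. The nginx row is the reminder that +L1 is a lead, not a verdict.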
Show open connections with a port range

Port ranges are written with a hyphen.

# lsof -i @fw.google.com:2150-2180
Conclusion

This primer just scratches the surface of lsof's functionality. For a full reference, run man lsof or check out the online version. I hope this has been useful to you, and as always, comments and corrections are welcomed.

Resources

The lsof man page: http://www.netadmintools.com/html/lsof.man.html
1 Comment
Joe Baloney, 2 months ago: Nice list of commands, though on my machine "lsof -u <user> -i @<addr>" just combines the two; scrolling up to the top of your tutorial, I added the referenced "-a" option and it did as expected.