C.7 lsof Program

The name lsof stands for "list open files." Like tcpdump, it is a publicly available tool that is handy for debugging and has been ported to many versions of Unix.

One common use for lsof with networking is to find which process has a socket open on a specified IP address or port. netstat tells us which IP addresses and ports are in use, and the state of the TCP connections, but it does not identify the process. For example, to find out which process provides the daytime server, we execute the following:

    freebsd % lsof -i TCP:daytime
    COMMAND PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
    inetd   561 root    5u  IPv4 0xfffff8003027a260      0t0  TCP *:daytime (LISTEN)
    inetd   561 root    7u  IPv6 0xfffff800302b6720      0t0  TCP *:daytime

This tells us the command (this service is provided by the inetd server), its PID, the owner, descriptor (5 for IPv4 and 7 for IPv6, and the u means it is open for read/write), type of socket, address of the protocol control block, size or offset of the file (not meaningful for a socket), protocol type, and name.

One common use for this program is when we start a server that binds its well-known port and get the error that the address is already in use. We then use lsof to find the process that is using the port.

Since lsof reports on open files, it cannot report on network endpoints that are not associated with an open file: TCP endpoints in the TIME_WAIT state.
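The following shell function is an added example, not part of the original text. It condenses lsof -i column output to one line per owning process, which is the answer wanted when a bind fails with "address already in use". The name port_owners and the output format are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original text.
# port_owners (hypothetical name): read `lsof -i` column output on stdin and
# print one line per owning process, merging its IPv4 and IPv6 descriptors.
port_owners() {
    out=$(awk '
        $1 == "COMMAND" { next }                 # skip the header row
        NF >= 9 {
            pid = $2
            if (!(pid in cmd)) {                 # first row seen for this PID
                order[++n] = pid; cmd[pid] = $1; user[pid] = $3
            }
            fd = $4
            sub(/[^0-9]+$/, "", fd)              # "5u" -> "5": drop the access mode
            sock = $5 ":fd" fd ":" $9            # TYPE, descriptor, NAME
            if (NF >= 10) sock = sock $10        # TCP state such as (LISTEN)
            if (pid in socks) socks[pid] = socks[pid] "," sock
            else socks[pid] = sock
        }
        END {
            for (i = 1; i <= n; i++) {
                pid = order[i]
                printf "pid=%s command=%s user=%s sockets=%s\n", pid, cmd[pid], user[pid], socks[pid]
            }
        }
    ')
    if [ -z "$out" ]; then
        # lsof only sees endpoints tied to an open file, so an empty result does
        # not prove the port is free: a TIME_WAIT endpoint can still hold it.
        echo "no owning process found; check netstat for TIME_WAIT endpoints" >&2
        return 1
    fi
    printf '%s\n' "$out"
}

# Sample input: the lsof rows shown in the text above.
SAMPLE='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
inetd 561 root 5u IPv4 0xfffff8003027a260 0t0 TCP *:daytime (LISTEN)
inetd 561 root 7u IPv6 0xfffff800302b6720 0t0 TCP *:daytime'

printf '%s\n' "$SAMPLE" | port_owners
# Live use: lsof -i TCP:daytime | port_owners
```

A non-zero exit status means lsof listed no process for the port, which is the case to follow up with netstat.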