[clug-talk] using lsof to track down and match connections and PIDs
Mark Carlson
carlsonmark at gmail.com
Thu Jan 8 12:08:58 PST 2009
On 1/8/09, Gustin Johnson <gustin at echostar.ca> wrote:
> At last night's meeting someone asked Simon and me how to track down which
> process was pinging Mandriva every 5 seconds. I was pretty sure that
> lsof was the right tool for the job, and sure enough, it looks like it is.
>
> It turns out that one of my favourite sites has even more ideas than I
> did.
>
> http://dmiessler.com/study/lsof/
>
> The short short version is that some of these might be useful:
>
> To look for the DNS request part
> lsof -iUDP
>
> Shows all connections
> lsof -i
>
> Shows connections to a given IP or an IP and a port
> lsof -i@<ip>
> lsof -i@<ip>:<port>
>
> Hth,

Awesome! lsof is a very useful tool. At first I thought it was
strange I hadn't seen this before, since I usually at least glance at
the man page of every new command I use. I must not have done it with
lsof though, since the man page is 2500 lines long on my system! Sure
enough, though, if I had looked at the EXAMPLES section at the end, I
would have seen it.

Good find!

Browsing the examples, it looks like there are quite a few other
things I hadn't thought of before:
- Finding open files on a mounted partition (lsof /dev/sda1)
- Finding open files by login name (lsof -u mark)
- Keep running lsof on a process every few seconds (lsof -c httpd -r 2)
-Mark C.
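
Added example, not part of either message: a connection that only exists for a moment every few seconds is easy to miss with a single lsof run, so this combines the `-i@<ip>` filter and the `-r` repeat mode mentioned above with lsof's field output (`-F pcn`, plus `-n -P` to skip name lookups) and counts how many samples each process appeared in. The function names, the process name `updater` and the addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `lsof -F pcn` field output on stdin and counts, per
# process, how many samples held a connection to the endpoint given as $1
# ("ip" or "ip:port"; empty means any). "m" lines separate -r samples.
conn_owners() {
    awk -v want="$1" '
        function flush(   k) { for (k in seen) hits[k]++; split("", seen) }
        /^p/ { pid = substr($0, 2); cmd = "?"; next }
        /^c/ { cmd = substr($0, 2); next }
        /^m/ { flush(); next }
        /^n/ {
            i = index($0, "->")          # only connected sockets have a peer
            if (i == 0) next
            remote = substr($0, i + 2)
            if (want != "" && remote != want && index(remote, want ":") != 1) next
            seen[pid " " cmd " " remote] = 1   # count once per sample
        }
        END { flush(); for (k in hits) print hits[k], k }
    ' | sort -k1,1nr -k2,2n
}

# Constructed sample (not a real capture): three samples from a -r run.
sample_lsof_output() {
    cat <<'EOF'
p2101
cupdater
f7
n192.0.2.10:40112->203.0.113.5:80
p3300
cssh
f3
n192.0.2.10:51514->198.51.100.7:22
m
p3300
cssh
f3
n192.0.2.10:51514->198.51.100.7:22
m
p2101
cupdater
f7
n192.0.2.10:40120->203.0.113.5:80
p3300
cssh
f3
n192.0.2.10:51514->198.51.100.7:22
m
EOF
}
```

On a live system the input would come from something like `timeout 60 lsof -nP -i@<ip> -F pcn -r 1 | conn_owners <ip>`; bounding the run with `timeout` lets awk reach its END block and print the summary. Each output line is the sample count followed by PID, command and remote endpoint.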