Qiita Teams that are logged in
You are not logged in to any team

Log in to Qiita Team
Community
OrganizationEventAdvent CalendarQiitadon (β)
Service
Qiita JobsQiita ZineQiita Blog
10
Help us understand the problem. What are the problem?

More than 3 years have passed since last update.

posted at

updated at

lsof, netstat コマンド

この記事は Linux コマンド 全部オレ Advent Calendar 2017 の2日目の記事です。

lsof

NAME
       lsof - list open files

SYNOPSIS
       lsof  [  -?abChKlnNOPRtUvVX ] [ -A A ] [ -c c ] [ +c c ] [ +|-d d ] [ +|-D D ] [ +|-e s ] [ +|-f [cfgGn] ] [ -F [f] ] [ -g [s] ] [ -i [i] ] [ -k k ] [ +|-L
       [l] ] [ +|-m m ] [ +|-M ] [ -o [o] ] [ -p s ] [ +|-r [t[m<fmt>]] ] [ -s [p:s] ] [ -S [t] ] [ -T [t] ] [ -u s ] [ +|-w ] [ -x [fl] ] [ -z [z] ] [ -Z [Z] ] [
       -- ] [names]

DESCRIPTION
       Lsof revision 4.87 lists on its standard output file information about files opened by processes for the following UNIX dialects:

            Apple Darwin 9 and Mac OS X 10.[567]
            FreeBSD 4.9 and 6.4 for x86-based systems
            FreeBSD 8.2, 9.0 and 10.0 for AMD64-based systems
            Linux 2.1.72 and above for x86-based systems
            Solaris 9, 10 and 11

       (See the DISTRIBUTION section of this manual page for information on how to obtain the latest lsof revision.)

       An open file may be a regular file, a directory, a block special file, a character special file, an executing text reference, a library, a stream or a network file (Internet socket, NFS file or UNIX domain socket.)  A specific file or all the files in a file system may be selected by path.

       Instead of a formatted display, lsof will produce output that can be parsed by other programs.  See the -F, option description, and the  OUTPUT  FOR  OTHER PROGRAMS section for more information.

       In  addition  to producing a single output list, lsof will run in repeat mode.  In repeat mode it will produce output, delay, then repeat the output operation until stopped with an interrupt or quit signal.  See the +|-r [t[m<fmt>]] option description for more information.

list open files の略。プロセスが開いているファイルディスクリプタを表示するコマンド。
ファイルディスクリプタなので、a stream or a network file (Internet socket, NFS file or UNIX domain socket.) の通り、ネットワークソケットの情報なども表示できる。

よく使いそうな使い方

ネットワークコネクションを表示する

[sinsnegumi ~]$ sudo /sbin/lsof -i -P
COMMAND      PID   USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
dhclient     810   root    6u  IPv4   14934      0t0  UDP *:68
dhclient     810   root   20u  IPv4   14903      0t0  UDP *:59116
dhclient     810   root   21u  IPv6   14904      0t0  UDP *:57007
snmpd        882   root    7u  IPv4   15827      0t0  UDP *:161
snmpd        882   root    8u  IPv4   15828      0t0  TCP localhost:199 (LISTEN)
xinetd       896   root    5u  IPv6   15598      0t0  TCP *:2105 (LISTEN)
xinetd       896   root    6u  IPv6   15599      0t0  TCP *:543 (LISTEN)
xinetd       896   root    8u  IPv6   15600      0t0  TCP *:544 (LISTEN)
chronyd     1151 chrony    1u  IPv4   17078      0t0  UDP localhost:323
sshd        1305   root    3u  IPv4   18128      0t0  TCP *:22 (LISTEN)
sshd        1305   root    4u  IPv6   18130      0t0  TCP *:22 (LISTEN)
rsyslogd    1997   root    6u  IPv4   21179      0t0  UDP *:56603
rsyslogd    1997   root    8u  IPv4   21343      0t0  UDP *:50551
rsyslogd    1997   root    9u  IPv4   21344      0t0  UDP *:56067
ds_agent    2027   root   10u  IPv6   21355      0t0  TCP *:4118 (LISTEN)
node_expo  85896   root    3u  IPv6 2211068      0t0  TCP *:9100 (LISTEN)
ruby      101960   root   12u  IPv4  827224      0t0  UDP *:33734
nginx     105456   root    6u  IPv4  971061      0t0  TCP *:80 (LISTEN)
nginx     105457  nginx    6u  IPv4  971061      0t0  TCP *:80 (LISTEN)

-P は、well-known を自動で置換(80 -> HTTP etc)するのを抑制する。

プロセスが開いているファイルディスクリプタを表示する

[sinsengumi ~]$ sudo /sbin/lsof -p 105457 -P
COMMAND    PID  USER   FD      TYPE             DEVICE SIZE/OFF     NODE NAME
nginx   105457 nginx  cwd       DIR              253,2      281       64 /
nginx   105457 nginx  rtd       DIR              253,2      281       64 /
nginx   105457 nginx  txt       REG              253,2  1264584 25312354 /usr/sbin/nginx
nginx   105457 nginx  mem       REG              253,2   155744 25420012 /usr/lib64/libselinux.so.1
nginx   105457 nginx  mem       REG              253,2   111080 25401993 /usr/lib64/libresolv-2.17.so
nginx   105457 nginx  mem       REG              253,2    36392 17873397 /usr/nhnkrb5/lib/libkrb5support.so.0.1
nginx   105457 nginx  mem       REG              253,2   154696 17873385 /usr/nhnkrb5/lib/libk5crypto.so.3.1
nginx   105457 nginx  mem       REG              253,2    15848 25420024 /usr/lib64/libcom_err.so.2.1
nginx   105457 nginx  mem       REG              253,2   602952 17873395 /usr/nhnkrb5/lib/libkrb5.so.3.3
nginx   105457 nginx  mem       REG              253,2    11384 25377296 /usr/lib64/libfreebl3.so
nginx   105457 nginx  mem       REG              253,2  2127336 25377325 /usr/lib64/libc-2.17.so
nginx   105457 nginx  mem       REG              253,2    90664 25420015 /usr/lib64/libz.so.1.2.7
nginx   105457 nginx  mem       REG              253,2  2512448 25736459 /usr/lib64/libcrypto.so.1.0.2k
nginx   105457 nginx  mem       REG              253,2   470336 25736461 /usr/lib64/libssl.so.1.0.2k
nginx   105457 nginx  mem       REG              253,2   402384 25402043 /usr/lib64/libpcre.so.1.2.0
nginx   105457 nginx  mem       REG              253,2    41080 25377329 /usr/lib64/libcrypt-2.17.so
nginx   105457 nginx  mem       REG              253,2   144792 25401991 /usr/lib64/libpthread-2.17.so
nginx   105457 nginx  mem       REG              253,2    19776 25377331 /usr/lib64/libdl-2.17.so
nginx   105457 nginx  mem       REG              253,2   164264 25377318 /usr/lib64/ld-2.17.so
nginx   105457 nginx  mem       REG              253,2   217032 27823251 /var/db/nscd/group
nginx   105457 nginx  mem       REG              253,2   217032 27823250 /var/db/nscd/passwd
nginx   105457 nginx  mem       REG              253,2   189096 17873381 /usr/nhnkrb5/lib/libgssapi_krb5.so.2.2
nginx   105457 nginx  DEL       REG               0,10            971075 /[aio]
nginx   105457 nginx  DEL       REG                0,4            971062 /dev/zero
nginx   105457 nginx    0u      CHR                1,3      0t0     4856 /dev/null
nginx   105457 nginx    1u      CHR                1,3      0t0     4856 /dev/null
nginx   105457 nginx    2w      REG              253,2     1182 41943130 /var/log/nginx/error.log
nginx   105457 nginx    4w      REG              253,2     1182 41943130 /var/log/nginx/error.log
nginx   105457 nginx    5w      REG              253,2 44411701 41943129 /var/log/nginx/access.log
nginx   105457 nginx    6u     IPv4             971061      0t0      TCP *:80 (LISTEN)
nginx   105457 nginx    7u     unix 0xffff880028402800      0t0   971071 socket
nginx   105457 nginx    8u  a_inode                0,9        0     4852 [eventpoll]
nginx   105457 nginx    9u  a_inode                0,9        0     4852 [eventfd]
nginx   105457 nginx   10u  a_inode                0,9        0     4852 [eventfd]

[sinsengumi ~]$ sudo /sbin/lsof -p 105457 -a -i
COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx   105457 nginx    6u  IPv4 971061      0t0  TCP *:http (LISTEN)

AND 条件にしたい場合は -a を付ける必要がある。

特定のファイルを開いているプロセスを特定する

[sinsengumi ~]$ sudo /sbin/lsof /var/log/nginx/access.log
COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
tail     57244  root    3r   REG  253,2 44411701 41943129 /var/log/nginx/access.log
ruby    101960  root   16r   REG  253,2 44411701 41943129 /var/log/nginx/access.log
nginx   105456  root    5w   REG  253,2 44411701 41943129 /var/log/nginx/access.log
nginx   105457 nginx    5w   REG  253,2 44411701 41943129 /var/log/nginx/access.log

nginx 以外に tail, ruby(fluentd)が開いていることがわかる。3r とか 16r とかなので読み取り専用で開いている。

参考

netstat

NAME
       netstat - Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships

SYNOPSIS
       netstat  [address_family_options]  [--tcp|-t] [--udp|-u] [--udplite|-U] [--sctp|-S] [--raw|-w] [--listening|-l] [--all|-a] [--numeric|-n] [--numeric-hosts]
       [--numeric-ports] [--numeric-users] [--symbolic|-N] [--extend|-e[--extend|-e]] [--timers|-o] [--program|-p]  [--verbose|-v]  [--continuous|-c]  [--wide|-W]
       [delay]

       netstat    {--route|-r}    [address_family_options]    [--extend|-e[--extend|-e]]   [--verbose|-v]   [--numeric|-n]   [--numeric-hosts]   [--numeric-ports]
       [--numeric-users] [--continuous|-c] [delay]

       netstat {--interfaces|-I|-i} [--all|-a] [--extend|-e] [--verbose|-v] [--program|-p] [--numeric|-n]  [--numeric-hosts]  [--numeric-ports]  [--numeric-users]
       [--continuous|-c] [delay]

       netstat {--groups|-g} [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c] [delay]

       netstat {--masquerade|-M} [--extend|-e] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c] [delay]

       netstat {--statistics|-s} [--tcp|-t] [--udp|-u] [--udplite|-U] [--sctp|-S] [--raw|-w] [delay]

       netstat {--version|-V}

       netstat {--help|-h}

       address_family_options:

       [-4|--inet]  [-6|--inet6]  [--protocol={inet,inet6,unix,ipx,ax25,netrom,ddp,  ...  }  ] [--unix|-x] [--inet|--ip|--tcpip] [--ax25] [--x25] [--rose] [--ash]
       [--ipx] [--netrom] [--ddp|--appletalk] [--econet|--ec]

NOTES
       This program is obsolete.  Replacement for netstat is ss.  Replacement for netstat -r is ip route.  Replacement for netstat -i is ip -s link.   Replacement
       for netstat -g is ip maddr.

DESCRIPTION
       Netstat prints information about the Linux networking subsystem.  The type of information printed is controlled by the first argument, as follows:

   (none)
       By default, netstat displays a list of open sockets.  If you don't specify any address families, then the active sockets of all configured address families will be printed.

ネットワークコネクションの情報を表示する。
ちなみに、このコマンドは /proc/net/* にある情報を整形して表示しているとのこと。

よく使いそうな使い方

すべてのネットワークコネクションを表示する。

[sinsengumi ~]$ sudo netstat -apn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      105456/nginx: maste
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1305/sshd
tcp        0      0 127.0.0.1:199           0.0.0.0:*               LISTEN      882/snmpd
tcp        0    312 10.127.122.252:2105     10.128.218.44:34469     ESTABLISHED 53367/klogind
tcp        0      0 10.127.122.252:60690    10.114.14.155:80        TIME_WAIT   -
tcp        1      0 10.127.122.252:60512    10.114.14.155:80        CLOSE_WAIT  2071/ds_agent
tcp        0      0 10.127.122.252:33998    10.118.203.103:80       TIME_WAIT   -
tcp        0      0 10.127.122.252:41386    10.32.128.149:9972      TIME_WAIT   -
tcp        0      0 10.127.122.252:35286    10.128.215.195:18000    ESTABLISHED 1653/./box
tcp        0      0 10.127.122.252:2105     10.128.218.44:45677     ESTABLISHED 57178/klogind
tcp        1      0 10.127.122.252:38400    203.104.134.7:80        CLOSE_WAIT  2071/ds_agent
tcp        0      0 10.127.122.252:44732    10.128.215.194:18000    ESTABLISHED 1653/./box
tcp        0      0 10.127.122.252:41666    10.22.31.21:9972        TIME_WAIT   -
tcp        0      0 10.127.122.252:60688    10.114.14.155:80        TIME_WAIT   -
tcp        0      0 10.127.122.252:40554    10.128.215.193:18000    ESTABLISHED 1653/./box
tcp6       0      0 :::9100                 :::*                    LISTEN      85896/node_exporter
tcp6       0      0 :::4118                 :::*                    LISTEN      2027/ds_agent
tcp6       0      0 :::22                   :::*                    LISTEN      1305/sshd
tcp6       0      0 :::2105                 :::*                    LISTEN      896/xinetd
tcp6       0      0 :::543                  :::*                    LISTEN      896/xinetd
tcp6       0      0 :::544                  :::*                    LISTEN      896/xinetd
tcp6       0      0 10.127.122.252:9100     10.127.118.220:40658    ESTABLISHED 85896/node_exporter
udp        0      0 0.0.0.0:59116           0.0.0.0:*                           810/dhclient
udp        0      0 0.0.0.0:56067           0.0.0.0:*                           1997/rsyslogd
udp        0      0 0.0.0.0:33734           0.0.0.0:*                           101960/ruby
udp        0      0 0.0.0.0:68              0.0.0.0:*                           810/dhclient
udp        0      0 0.0.0.0:161             0.0.0.0:*                           882/snmpd
udp        0      0 0.0.0.0:56603           0.0.0.0:*                           1997/rsyslogd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           1151/chronyd
udp        0      0 0.0.0.0:50551           0.0.0.0:*                           1997/rsyslogd
udp6       0      0 :::57007                :::*                                810/dhclient
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  2      [ ]         DGRAM                    6912     1/systemd            /run/systemd/notify
unix  2      [ ]         DGRAM                    6914     1/systemd            /run/systemd/cgroups-agent
unix  2      [ ACC ]     STREAM     LISTENING     6922     1/systemd            /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     11021    1/systemd            /run/systemd/private
  • -a: すべて
  • -p: プロセス ID とプラグラム名を表示
  • -n: well-known を自動で置換(80 -> HTTP etc)するのを抑制

This program is obsolete

ss コマンドを使えとのこと。

[sinsnegumi ~]$ sudo /sbin/ss -anpt
State       Recv-Q Send-Q                                      Local Address:Port                                                     Peer Address:Port
LISTEN      0      511                                                     *:80                                                                  *:*                   users:(("nginx",pid=105457,fd=6),("nginx",pid=105456,fd=6))
LISTEN      0      128                                                     *:22                                                                  *:*                   users:(("sshd",pid=1305,fd=3))
LISTEN      0      128                                             127.0.0.1:199                                                                 *:*                   users:(("snmpd",pid=882,fd=8))
ESTAB       0      248                                        10.127.122.252:2105                                                    10.128.218.44:37863               users:(("klogind",pid=63186,fd=2),("klogind",pid=63186,fd=1),("klogind",pid=63186,fd=0))
CLOSE-WAIT  1      0                                          10.127.122.252:39448                                                   203.104.134.7:80                  users:(("ds_am",pid=2071,fd=13))
ESTAB       0      0                                          10.127.122.252:35286                                                  10.128.215.195:18000               users:(("box",pid=1653,fd=7))
ESTAB       0      0                                          10.127.122.252:44732                                                  10.128.215.194:18000               users:(("box",pid=1653,fd=8))
CLOSE-WAIT  1      0                                          10.127.122.252:32768                                                   10.114.14.155:80                  users:(("ds_am",pid=2071,fd=15))
TIME-WAIT   0      0                                          10.127.122.252:34888                                                  10.118.203.103:80
ESTAB       0      0                                          10.127.122.252:40554                                                  10.128.215.193:18000               users:(("box",pid=1653,fd=9))
LISTEN      0      4096                                                   :::9100                                                               :::*                   users:(("node_exporter",pid=85896,fd=3))
LISTEN      0      5                                                      :::4118                                                               :::*                   users:(("ds_agent",pid=2027,fd=10))
LISTEN      0      128                                                    :::22                                                                 :::*                   users:(("sshd",pid=1305,fd=4))
LISTEN      0      64                                                     :::2105                                                               :::*                   users:(("xinetd",pid=896,fd=5))
LISTEN      0      64                                                     :::543                                                                :::*                   users:(("xinetd",pid=896,fd=6))
LISTEN      0      64                                                     :::544                                                                :::*                   users:(("xinetd",pid=896,fd=8))
ESTAB       0      0                                   ::ffff:10.127.122.252:9100                                            ::ffff:10.127.118.220:40658               users:(("node_exporter",pid=85896,fd=5))

参考

Why not register and get more from Qiita?
  1. We will deliver articles that match you
    By following users and tags, you can catch up information on technical fields that you are interested in as a whole
  2. you can read useful information later efficiently
    By "stocking" the articles you like, you can search right away
10
Help us understand the problem. What are the problem?