When a file is in use by a process, it is possible to delete the file - OR at least it may appear that is the case. The filename is no longer visible via the ls command, but it is there until the process using it exits.
For example, let's say Sysadmin1 runs a sniffer process in the background to capture and save packets to a file. The capture file starts growing bigger over time. Instead of killing the process, he/she simply deletes the capture file, thinking this will recover the disk space. It doesn't. Believing everything is well, Sysadmin1 goes home.
Now Sysadmin2 shows up and notices the box is running out of disk space. Naturally, the admin wants to figure out what’s rapidly consuming disk space. The easiest way for the SysAd to locate the growing file is to use the lsof command.
Another instance the lsof would be helpful is when a filesystem refuses to unmount due to open files.
Here are a few practical examples of using the lsof command.
To list all the open files on the var filesystem:
# lsof +D /var
To list all open files in your current directory only:
# lsof +d .
To list all open Internet files:
# lsof -i
To list all files currently open by user joe:
# lsof -u joe
To list all files open by syslog-ng (this is a great quick way to find
logs!):
# lsof -c syslog-ng
To list all files open by pid:
# lsof -p PID
Note: There are additional parameters you can add to the command to narrow the listing to include or exclude types of files and much more!
# lsof -help
Post provided by Mary M. Chaddock
2 comments:
# lsof +L1
For finding files that have a link count less than 1 (ie the file was removed but the process keeps on writing away).
For those times when du and df don't match up.
It's also good for determining who using a device.
lsof /dev/cdrom
List sockets related to port 80
lsof -i :80
Post a Comment