Linux which process is downloading

Find which program caused a core dump file

I’ve been going through intense program/package installation recently, so I can’t tell for sure which of the newly installed programs (or old programs) caused the appearance of a core file in my home folder. It’s a server, so I better find out any possible sources of instability on the machine.

3 Answers

You can simply use the file program to identify them:

# file /var/core/core
/var/core/core: ELF 64-bit MSB core file SPARCV9 Version 1, from 'crs_stat.bin'

Sometimes I have had core files that for whatever reason «file» cannot identify — in those cases, the fact that the last line of the output of strings on the corefile often contains the path to the executable can help. e.g. «strings /path/to/corefile | tail -n 1» often works, or look at the last few lines.

@jsegal: Good find, but I needed strings core | grep ^/ | tail -1 when find told me: too many program header sections.

Often using the file program on the core file will show the errant executable, as explained by @Benj in the accepted answer (code from Benj’s answer):

# file /var/core/core
/var/core/core: ELF 64-bit MSB core file SPARCV9 Version 1, from 'crs_stat.bin'

However, sometimes you may get a complaint about «too many program header sections»:

core.some-lib.nnnn.nnnn: ELF 64-bit LSB core file x86-64, version 1 (SYSV), too many program header sections (1850) 

In this case, you can try some alternatives:

  • Tail the last several strings of the corefile (the app was about 25 back for me):
    strings core.some-lib.nnnn.nnnn | tail -50
  • Use gdb itself:
    gdb -c core.some-lib.nnnn.nnnn
    This will often tell you something like this:
    Core was generated by ‘/usr/local/bin/some-executable’


Find the Process That is Using a File in Linux

You may find that you cannot unmount a share even though, to your knowledge, no one is accessing it. This is typically seen when working with shares. The error you are likely to see is «the file is busy», and the same notice can appear when attempting to access a file. It indicates that a process on the system has the file open for reading or writing. When this happens, we want to figure out which process is using the file.

This tutorial shows how to identify the process that is using a file.

Note − Linux commands are case-sensitive.

Commands to find the process

There are a few commands that can assist us in locating processes that work with files, so we’ll start there. These commands collect information from the Linux kernel since it manages programs and file systems, among other things.


fuser command

The Linux command fuser determines which process is using a specific file, directory, or socket. It also reports the type of access and the user who owns that process.

fuser can also be run in verbose mode with the -v option, which produces additional output so the user can see what fuser is doing. Run fuser with the -v option:

Output

                     USER        PID ACCESS COMMAND
/run/sripts.txt:     student   64589 ..c..  less

The -k flag of the fuser command can also be used to kill processes running on particular ports.

Output

To verify that the process has been killed, we check the “scripts.txt” file again:

Output

none of the processes are using scripts.txt

Again, I’ve encountered instances where some deleted processes continue to lock files until their parent process, or an application connected to that process, has finished running. You might need to use extra options, such as those in the example below, to view certain files.

lsof command

The lsof command stands for «list open files», but it can serve other purposes as well. It is often said that everything in Linux is a file. That is true in many ways, so a tool that lists open files is genuinely helpful.

To find out who is using any files on a file system, use the lsof command. Running lsof on a Linux filesystem produces the following result, which shows the owner and process details for every process using the file.

Output

COMMAND    PID   USER     FD  TYPE  DEVICE  SIZE/OFF  NODE  NAME
systemd    1480  student  0r  CHR   1,3     0t0       6     /dev/run/files
sh         1501  student  0r  CHR   1,3     0t0       6     /dev/run/files
sh         1501  student  1w  CHR   1,3     0t0       6     /dev/run/files
dbus-daem  1530  student  0u  CHR   1,3     0t0       6     /dev/run/files
Xfce4-seb  1603  student  0r  CHR   1,3     0t0       6     /dev/run/files
xfce4-ses  1603  student  1w  CHR   1,3     0t0       6     /dev/run/files
at-spi-b   1604  student  0r  CHR   1,3     0t        6     /dev/run/files
dbus-daem  1609  student  0u  CHR   1,3     0t0       6     /dev/run/files

Run the following command to list the files opened by a specific user:

Output

COMMAND  PID   USER     FD   TYPE  DEVICE  SIZE/OFF  NODE     NAME
systemd  1480  student  cwd  DIR   8,3     4096      2        /
systemd  1480  student  rtd  DIR   8,3     4096      2        /
systemd  1480  student  txt  REG   8,3     1595792   3147496

Conclusion

In this tutorial, we learned some examples of how to monitor in-use ports and directories on a Linux system using the fuser and lsof commands. These commands can be especially helpful if you’re attempting to identify any unknown programs that might be active on your system. I hope you find these examples of the commands useful.


How to figure out a download or upload is in process on a linux system

I’ve written an anomaly detection program that recognizes abnormal traffic on a system, but it sometimes detects normal download or upload traffic as abnormal. Is there any way to check whether a download or upload is in progress, to reduce these false positives?


@Pogrindis: I’ve used the knn algorithm on data that contains 3 parameters: cpu, (network traffic) transmitted bytes and received bytes.

@Mjina And what is your definition of abnormal traffic? Could you identify the procID at runtime of the download / upload process?

@Pogrindis: I use knn as a machine learning method, so it is trained with normal data and abnormal data and is then expected to detect the abnormal. The problem is that downloads and uploads are sometimes so fast that they resemble an attack like DoS, which raises the traffic rates. Your second question is just what I’m looking for: how to identify the process which is downloading/uploading?!

1 Answer

The best answer I can think of, and it will require some input from you in order to work with the data, is nethogs!

Install nethogs (should be in repo)

And it will work like this:

nethogs
nethogs eth1
nethogs [option] eth0 eth1
nethogs [option] eth0 eth1 ppp0
sudo /usr/sbin/nethogs eth0

You will end up with something like this:

Nethogs output

With this you will be able to identify the procID which is using the most upload and download.

You can also identify all of the NICs and see them listed as one with identifying network controller:

The next step is where I’m not sure. You might need to create some parser of the info, set up a cron job and feed it into your abnormal traffic analyzer.

Sorry it’s not a complete solution, but it’s the only idea I have right now!
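
One way to write the parser step that the answer leaves open, as an added example that is not part of the original answer: it reduces nethogs trace-mode output (nethogs -t) to the processes whose peak rate reached a threshold, so the anomaly detector can attribute a traffic spike to a PID. The record layout program/pid/uid, TAB, sent, TAB, received is an assumption, and the function names and sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: summarise nethogs trace output per process.
# Assumed record layout (tab-separated): <program path>/<pid>/<uid> <sent> <recv>
# Marker lines such as "Refreshing:" and blank lines are skipped.

# top_talkers THRESHOLD  (reads trace text on stdin)
# Prints "pid uid peak_sent peak_recv program" for every process whose peak
# send or receive rate reached THRESHOLD, busiest receiver first.
top_talkers() {
    awk -F '\t' -v limit="$1" '
        NF == 3 && $1 ~ /\/[0-9]+\/[0-9]+$/ {
            n = split($1, part, "/")
            pid = part[n - 1]; uid = part[n]
            # The program path contains slashes itself: strip only the two trailing fields.
            prog = $1; sub(/\/[0-9]+\/[0-9]+$/, "", prog)
            if (pid + 0 == 0) next        # "unknown TCP/0/0": traffic with no owning process
            name[pid] = prog; owner[pid] = uid
            if ($2 + 0 > sent[pid]) sent[pid] = $2 + 0
            if ($3 + 0 > recv[pid]) recv[pid] = $3 + 0
        }
        END {
            for (pid in name)
                if (sent[pid] >= limit || recv[pid] >= limit)
                    printf "%s %s %.1f %.1f %s\n", pid, owner[pid], sent[pid], recv[pid], name[pid]
        }' | sort -k4,4nr
}

# Constructed sample of two refresh cycles (not real capture data).
sample_trace() {
    printf 'Refreshing:\n'
    printf '/usr/bin/wget/4121/1000\t12.4\t2890.7\n'
    printf '/usr/sbin/sshd/913/0\t1.2\t0.8\n'
    printf 'unknown TCP/0/0\t0\t0\n'
    printf '\nRefreshing:\n'
    printf '/usr/bin/wget/4121/1000\t15.0\t3104.2\n'
    printf '/usr/sbin/sshd/913/0\t0.4\t0.3\n'
}

# For live use, feed the function a bounded capture of trace output,
# for example one written by the cron job the answer suggests.
sample_trace | top_talkers 500
```

A PID that shows up here can then be checked against an allow-list of known downloaders before the detector raises an alert.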


3 Ways to Find Out Which Process Listening on a Particular Port

A port is a logical entity that represents an endpoint of communication and is associated with a given process or service in an operating system. In previous articles, we explained how to find out the list of all open ports in Linux and how to check if remote ports are reachable using the Netcat command.

In this short guide, we will show different ways of finding the process/service listening on a particular port in Linux.

1. Using netstat Command

netstat (network statistics) command is used to display information concerning network connections, routing tables, interface stats, and beyond. It is available on all Unix-like operating systems including Linux and also on Windows OS.

In case you do not have it installed by default, use the following command to install it.

$ sudo apt-get install net-tools    [On Debian/Ubuntu & Mint]
$ sudo dnf install net-tools        [On CentOS/RHEL/Fedora and Rocky Linux/AlmaLinux]
$ pacman -S netstat-nat             [On Arch Linux]
$ emerge sys-apps/net-tools         [On Gentoo]
$ sudo dnf install net-tools        [On Fedora]
$ sudo zypper install net-tools     [On openSUSE]

Once installed, you can use it with the grep command to find the process or service listening on a particular port in Linux as follows (specify the port).

Check Port Using netstat Command

The flags in the above command:

  • l – tells netstat to only show listening sockets.
  • t – tells it to display tcp connections.
  • n – instructs it to show numerical addresses.
  • p – enables showing of the process ID and the process name.
  • grep -w – shows matching of exact string (:80).

Note: The netstat command is deprecated and replaced by the modern ss command in Linux.


2. Using lsof Command

lsof command (List Open Files) is used to list all open files on a Linux system.

To install it on your system, type the command below.

$ sudo apt-get install lsof     [On Debian, Ubuntu and Mint]
$ sudo yum install lsof         [On RHEL/CentOS/Fedora and Rocky Linux/AlmaLinux]
$ sudo emerge -a sys-apps/lsof  [On Gentoo Linux]
$ sudo pacman -S lsof           [On Arch Linux]
$ sudo zypper install lsof      [On OpenSUSE]

To find the process/service listening on a particular port, type (specify the port).

Find Port Using lsof Command

3. Using fuser Command

fuser command shows the PIDs of processes using the specified files or file systems in Linux.

You can install it as follows:

$ sudo apt-get install psmisc     [On Debian, Ubuntu and Mint]
$ sudo yum install psmisc         [On RHEL/CentOS/Fedora and Rocky Linux/AlmaLinux]
$ sudo emerge -a sys-apps/psmisc  [On Gentoo Linux]
$ sudo pacman -S psmisc           [On Arch Linux]
$ sudo zypper install psmisc      [On OpenSUSE]

You can find the process/service listening on a particular port by running the command below (specify the port).

Then find the process name from the PID number with the ps command, like so.

$ ps -p 2053 -o comm=
$ ps -p 2381 -o comm=

Find Port and Process ID in Linux


That’s all! If you know of any other ways of finding the process/service listening on a particular port in Linux, let us know via the comment form below.


How to find out which process is using a file in Linux?

You can use the fuser command, which is part of the psmisc package, like:

You will receive a list of processes using the file.

You can use different flags with it, in order to receive a more detailed output.

You can find more info in the fuser’s Wikipedia article, or in the man pages.

@khris, it might be that not all fuser implementations are the same, or work the same way. Even if -i is defined in POSIX, the particular implementation you are using does not necessarily have the same options as the ones described in the Wikipedia article. For example, I’m using AIX right now, and the fuser available in this system does not have the -i option either.

For some reason, neither fuser nor lsof were working for me on a virtualbox guest. This answer saved me.

@jim’s answer is correct — fuser is what you want.

Additionally (or alternately), you can use lsof to get more information including the username, in case you need permission (without having to run an additional command) to kill the process. (Though of course, if killing the process is what you want, fuser can do that with its -k option. You can have fuser use other signals with the -s option — check the man page for details.)

For example, with a tail -F /etc/passwd running in one window:

ghoti@pc:~$ lsof | grep passwd
tail 12470 ghoti 3r REG 251,0 2037 51515911 /etc/passwd

Note that you can also use lsof to find out what processes are using particular sockets. An excellent tool to have in your arsenal.
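
The lookups that netstat -p, lsof and fuser perform, both for a listening port (the port section above) and for an open file (this section), can be done from /proc alone, which helps on hosts where those tools are missing or fail. This is an added example, not code from any of the answers or articles on this page; the function names and the constructed /proc-like tree are illustrative, and only IPv4 TCP (/proc/net/tcp) is covered.

```sh
#!/bin/sh
# Added example: resolve "who holds this file or port" from /proc alone.
# PROC_ROOT is a parameter so the functions can run against a constructed tree.

# holders PROC_ROOT TARGET -> "pid fd" for each descriptor whose link target
# equals TARGET, a path ("/etc/passwd") or a socket ("socket:[31337]").
holders() {
    for fd in "$1"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        [ "$(readlink "$fd")" = "$2" ] || continue
        pid=${fd#"$1"/}; pid=${pid%%/*}
        echo "$pid ${fd##*/}"
    done
}

# listen_inodes PROC_ROOT PORT -> socket inodes of IPv4 TCP sockets in LISTEN
# state (st column 0A) on PORT; the port is stored as four hex digits.
listen_inodes() {
    hex=$(printf '%04X' "$2")
    awk -v p="$hex" 'NR > 1 && $4 == "0A" {
        split($2, a, ":"); if (toupper(a[2]) == p) print $10 }' "$1/net/tcp"
}

# port_holders PROC_ROOT PORT -> "pid fd" of whoever owns the listening socket.
port_holders() {
    for inode in $(listen_inodes "$1" "$2"); do
        holders "$1" "socket:[$inode]"
    done
}

# Constructed tree: pid 2053 listens on :80, pid 12470 has /etc/passwd open.
make_sample_proc() {
    root=$(mktemp -d)
    mkdir -p "$root/net" "$root/2053/fd" "$root/12470/fd"
    {
        echo '  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode'
        echo '   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31337 1'
        echo '   1: 0100007F:A1B2 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 40001 1'
    } > "$root/net/tcp"
    ln -s 'socket:[31337]' "$root/2053/fd/6"
    ln -s /etc/passwd "$root/12470/fd/3"
    echo "$root"
}

# Demo on the constructed tree; on a live host pass /proc (as root, to read other users' fd links).
demo=$(make_sample_proc)
port_holders "$demo" 80
holders "$demo" /etc/passwd
rm -rf "$demo"
```

The second row of the sample table is an established client connection whose remote port is 80; it is not reported because only the local port of sockets in LISTEN state is matched.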
