List all open files linux

Linux — How to track all files accessed by a process?

Is there a way to track all file I/O for a given process? All I really need is the locations of files being read from/written to from a given process (and ideally if it was a read or write operation although that’s not as important). I can run the process and track it rather than needing to attach to an existing process which I would assume is significantly simpler. Is there any kind of wrapper utility I can run a process though that will monitor file access?

4 Answers 4

lsof :

Try doing this as a starter :

this command will list all currently open files, fd, sockets for the process with the passed process ID.

For your special needs, see what I can offer as a solution to monitor a php script :

php foo.php & _pid=$! lsof -r1 -p $_pid kill %1 # if you want to kill php script 

strace :

I recommend the use of strace . Unlike lsof , it stays running for as long as the process is running. It will print out which syscalls are being called when they are called. -e trace=file filters only for syscalls that access the filesystem:

sudo strace -f -t -e trace=file php foo.php 

or for an already running process :

sudo strace -f -t -e trace=file -p

Thanks that’s a good starting point! It works for processes already running at the moment it’s run. I’m trying to do this for a PHP script for its entire execution, tracking the files from the start of the process until it exists. Looking at the help, There’s a -r repeat option but this seems to periodically scan the files that are open by the process rather than have been opened. Essentially I want to do this: lsof -p $$ && exec php foo.php This doesn’t seem to list files that are opened by foo.php

thanks, that’s certainly providing more relevant information and showing all the php extensions being loaded, the script contains unfortunately, file.txt is not listed in the output. I can verify the file is being opened by amending the script to print the contents of file.txt but I still don’t see file.txt in the output of lsof.

To properly trace an AppImage, I needed to run strace as root but the command using my own user. This got the job done: sudo strace -fte trace=%file -u $(id -un)

Mixing your two solutions together becomes perfect: php foo.php & sudo strace -f -t -e trace=file -p $! especially for short running tasks.

Besides strace there is another option which does not substantially slow down the monitored process. Using the Liunx kernel’s fanotify (not to be confused with the more popular inotify) it is possible to monitor whole mount-points for IO-activity. With unshared mountnamespaces the mounts of a given process can be isolated fromt the rest of the system (a key technology behind docker).

An implementation of this concept can be found in shournal, which I am the author of.

$ shournal -e sh -c 'cat foo > bar' $ shournal --query --history 1 . 1 written file(s): /home/user/bar 1 read file(s): /home/user/foo 

External links are always highly appreciated as sources, but imagine this one was to become invalid — your solution would be unsalvageable for future SO users. Please consider posting code here and explaining your solution so we all can learn.

@harmonica141: That’s always the problem: what to write and what to omit. A complete, minimal example would be not much shorter than the example at the bottom at man7.org/linux/man-pages/man7/fanotify.7.html . In fact, it could be almost the same with a leading unshare( CLONE_NEWNS); . Do you think it would be helpful to include the full source here?

strace is an amazing tool but its output is a bit verbose.
If you want you can use a tool I’ve written which processes strace output and provide a CSV report of all files accessed (TCP sockets too) with the following data:
1. Filename
2. Read/Written bytes
3. Number of read/write operations
4. Number of time the file was opened

It can be run on new processes or processes already running (using /proc/fd data).
I found it useful for debugging scenarios and performance analysis.
You can find it here: iotrace

Filename, Read bytes, Written bytes, Opened, Read op, Write op /dev/pts/1,1,526512,0,1,8904 socket_127.0.0.1:47948->127.0.0.1:22,1781764,396,0,8905,11 myfile.txt,65,0,9,10,0 pipe:[3339],0,0,0,1,0 

Afterward, you can process the CSV data in Excel or other tools for sorting or other analysis required.
The downside is you need to download & compile and it isn’t always 100% accurate.

Источник

Use of “lsof” Command to Find Open Files

“lsof” stands for List Open Files. It is a Linux utility for listing down all the open files of a system. This command can be combined with different parameters to modify its output as desired. You can see the details of all of its parameters and flags by seeing the help manual of the “lsof” command.

In today’s article, you will be able to learn the correct usage of the “lsof” command for finding all the open files in Linux Mint 20.

Use of “lsof” Command to Find the Open Files in Linux Mint 20

To learn the correct usage of the “lsof” command and use it to find the open files in Linux Mint 20, you can take a look at all the examples that have been shared below.

Example 1: List All the Open Files in Linux Mint 20
To list down all the open files in Linux Mint 20, you will have to execute the following command in the terminal:

This command will display a list of all the currently opened files on your Linux Mint 20 system, as shown in the image below:

Example 2: List All the Open Files Belonging to a Particular Directory in Linux Mint 20
You can also list down all the open files belonging to a particular directory in Linux Mint 20 by specifying the name of that directory with the “lsof” command in the following manner:

Here, you have to replace the directorypath with the actual path of the directory whose open files you want to list down. For example, we have replaced it with “/var/log/”.

This command will display a list of all the open files that belong to the “/var/log/” directory, as shown in the image below:

Example 3: List All the Open Files Belonging to a Particular User in Linux Mint 20
If you want to list down all the open files belonging to a particular user in Linux Mint 20, then you can do so by executing the “lsof” command in the following manner:

Here, you have to replace the username with the name of the user whose open files you want to list down. For example, we have replaced it with “kbuzdar”.

This command will display a list of all the open files that belong to the specified user, as shown in the image below:

Example 4: List All the Open Files Belonging to a Particular Internet Protocol in Linux Mint 20
You can also try to list down all the open files belonging to a particular Internet protocol in Linux Mint 20 by executing the “lsof” command in the following manner:

You can also replace “6” with “4” if you want to list down all the open files belonging to IPv4.

This command will display a list of all the open files belonging to the IPv6 protocol, as shown in the image below:

Example 5: List All the Open Files Belonging to a Particular File System in Linux Mint 20
If you want to list down all the open files belonging to a particular file system in Linux Mint 20, then you can do so by tweaking the “lsof” command in the following manner:

Here, you can replace “/proc” with any other file system of your choice as well.

This command will display a list of all the open files belonging to the “/proc” file system, as shown in the image below:

Conclusion

By going through all the examples that have been shown to you in this article, you will be able to learn the correct usage of the “lsof” command for finding all the open files in Linux Mint 20.

About the author

Karim Buzdar

Karim Buzdar holds a degree in telecommunication engineering and holds several sysadmin certifications. As an IT engineer and technical author, he writes for various web sites. He blogs at LinuxWays.

Источник

How to use the Linux ‘lsof’ command to list open files

Linux “open files” FAQ: Can you share some examples of how to show open files on a Linux system — i.e., how to use the lsof command?

Linux lsof command background

The Linux lsof command lists information about files that are open by processes running on the system. The lsof command is an acronym for, “list of open files.” In this article I’ll share some lsof command examples.

I assume you’re logged in as root

One other note: In these examples I’ll assume that you’re logged in as the Unix/Linux root user. If not, you’re lsof command output may be significantly limited. If you’re logged in as a non-root user, either su to root, or use sudo to run these commands.

Basic Linux lsof command examples

Typing the lsof command by itself lists all open files belonging to all active processes on the system:

On my current macOS system, which has been running for a long time, this shows a lot of open files, 1,582 to be specific:

$ lsof | wc -l 1582

Note that I didn’t have to be logged in as the root user to see this information on my Mac system.

Adding the head command to lsof shows what some of this output looks like:

$ lsof | head COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME loginwind 32 Al cwd DIR 14,2 1564 2 / loginwind 32 Al txt REG 14,2 1754096 243026930 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow loginwind 32 Al txt REG 14,2 113744 3190067 /System/Library/LoginPlugins/FSDisconnect.loginPlugin/Contents/MacOS/FSDisconnect loginwind 32 Al txt REG 14,2 425504 117920371 /System/Library/LoginPlugins/DisplayServices.loginPlugin/Contents/MacOS/DisplayServices loginwind 32 Al txt REG 14,2 3144 3161654 /System/Library/ColorSync/Profiles/sRGB Profile.icc loginwind 32 Al txt REG 14,2 96704 242998403 /System/Library/PrivateFrameworks/MachineSettings.framework/Versions/A/MachineSettings loginwind 32 Al txt REG 14,2 51288 251253153 /private/var/folders/h5/h59HESVvEmG+3I4Q8lOAxE+++TI/-Caches-/mds/mdsDirectory.db loginwind 32 Al txt REG 14,2 724688 117923285 /System/Library/LoginPlugins/BezelServices.loginPlugin/Contents/MacOS/BezelServices loginwind 32 Al txt REG 14,2 329376 117923166 /System/Library/Extensions/IOHIDFamily.kext/Contents/PlugIns/IOHIDLib.plugin/Contents/MacOS/IOHIDLib

Common lsof options

As mentioned, these details go on for 1,582 lines, so it helps to have some way to weed through that output, whether that involves using the grep command, or some of the lsof options shown below.

This command lists all open files belonging to PID (process ID) 11925 :

$ lsof -p 11925 

This command lists all open files belonging to processes owned by the user named «al»:

This command lists files that are open in the directory specified, but it does not descend into sub-directories:

$ lsof +d '/Users/al' 

The next command lists files that are open in the directory specified, and also descends into sub-directories. Beware: this can take a very long time to run for large directory structures:

$ lsof +D '/Users/al' 

Summary: Linux lsof examples

I hope these Linux lsof command examples have been helpful. As you can see, the lsof command can be used to generate a list of open files on your Unix and Linux system with a variety of different command line options for different circumstances.

For more information on the lsof command, please see the «Related» block on this page, follow this link to lsof command search results on this website, or leave a note in the Comments section below.

Источник