Among the many benefits of using the Linux Operating system, lies the ability to obtain extensive information about the processes running at any given moment and the resources they consume. This article introduces two very useful Linux commands: lsof, and netstat which will give you a complete list of all open files or network connections on your system along with their corresponding processes.
One evident advantage this capability is security. For example, if a spyware or other malware program was sending information from your computer to the Internet or to a file on your hard disk, it would show up in the output of these commands.
lsof – list open files
This simple command often ran with no arguments, and does just what it says: lists every single open file by every program running at the time.
The output of lsof typically looks like this:
kain@slickbox:~> lsof COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME init 1 root cwd unknown /proc/1/cwd init 1 root rtd unknown /proc/1/root init 1 root txt unknown /proc/1/exe init 1 root mem REG 8,22 509596 60081 /sbin/init init 1 root mem REG 0,0 0 [heap] init 1 root NOFD /proc/1/fd kthreadd 2 root cwd unknown /proc/2/cwd kthreadd 2 root rtd unknown /proc/2/root kthreadd 2 root txt unknown /proc/2/exe ....
The information in the columns is mostly straightforward.
Usually, lsof outputs too much information to even fit in konsole’s scroll buffer. So generally you’ll want to either dump it do a disk (via lsof > lsof-output.txt) or filter it using various pipe commands.
For example, if one wants to see if the special file /dev/dsp (the sound card) is open by any processes, we run the following command:
kain@slickbox:~> lsof|grep dsp game 3835 kain mem CHR 195,0 13940 /dev/dsp
We can now kill the process if we want to free up the sound card.
kain@slickbox:~> kill -9 3835 kain@slickbox:~> killall -9 game # this also works
In addition to listing open files, lsof can list open network sockets (connections) when given the -i switch.
kain@slickbox:~> lsof -i COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME kded 4140 kain 15u IPv4 15400 TCP localhost:37435 (LISTEN) kded 4140 kain 19u IPv6 15483 TCP *:5800 (LISTEN) kded 4140 kain 20u IPv6 15488 TCP *:5900 (LISTEN) pidgin 4530 kain 14u IPv4 17075 TCP 192.168.1.104:54623->126.96.36.199:aol (ESTABLISHED) pidgin 4530 kain 15u IPv4 17072 TCP 192.168.1.104:56693->188.8.131.52:aol (ESTABLISHED) pidgin 4530 kain 16u IPv4 49002 TCP 192.168.1.104:37275->184.108.40.206:aol (ESTABLISHED) pidgin 4530 kain 17u IPv4 17092 TCP 192.168.1.104:57145->oam-d09b.blue.aol.com:aol (ESTABLISHED) pidgin 4530 kain 18u IPv4 50809 TCP 192.168.1.104:42839->220.127.116.11:aol (ESTABLISHED) pidgin 4530 kain 23u IPv4 17107 TCP 192.168.1.104:43997->oam-d23c.blue.aol.com:aol (ESTABLISHED) firefox-b 9464 kain 10u IPv4 55549 TCP 192.168.1.104:37274->mu-in-f91.google.com:http (ESTABLISHED) firefox-b 9464 kain 44u IPv4 54630 TCP 192.168.1.104:43427->18.104.22.168:http (ESTABLISHED) firefox-b 9464 kain 45u IPv4 54631 TCP 192.168.1.104:43428->22.214.171.124:http (ESTABLISHED) firefox-b 9464 kain 46u IPv4 54635 TCP 192.168.1.104:49242->126.96.36.199:http
Above, it can be seen that when I ran this command, I was running both my instant messenger software and web browser. The name column contains the addressee of the connection, its port number or service name, and whether or not the socket is listening or established. Listening sockets correspond to server processes running on your box, that are waiting for connections from other parties. Any suspicious listening processes should be thoroughly investigated for security. If a port number is in the list of known services on the system, it’ll show up as named service (as “http” and “aol” have above). You can search the file /etc/services to see what these are.
kain@slickbox:~> cat /etc/services|grep aol aol 5190/tcp # America-Online
To ensure that you get the the full list from lsof, you should run it as root.
netstat – network statistics tool
While lsof -i is a useful way to list network connections, netstat provides an alternative more verbose way to get information about your network.
netstat’s output is typically much longer than lsof -i
kain@slickbox:~> netstat Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 192.168.1.104:56693 188.8.131.52:aol ESTABLISHED tcp 0 0 192.168.1.104:55219 184.108.40.206:aol ESTABLISHED tcp 0 0 192.168.1.104:43997 oam-d23c.blue.aol.c:aol ESTABLISHED tcp 0 0 192.168.1.104:54623 220.127.116.11:aol ESTABLISHED tcp 0 0 192.168.1.104:57145 oam-d09b.blue.aol.c:aol ESTABLISHED tcp 0 0 192.168.1.104:44775 18.104.22.168:aol ESTABLISHED Active UNIX domain sockets (w/o servers) Proto RefCnt Flags Type State I-Node Path unix 2 [ ] DGRAM 15294 /var/run/NetworkManager/wpa_ctrl_3020-1 unix 2 [ ] DGRAM 15215 /var/run/wpa_supplicant-global unix 3 [ ] DGRAM 15292 /var/run/wpa_supplicant/eth1 unix 2 [ ] DGRAM 3300 @/org/kernel/udev/udevd unix 2 [ ] DGRAM 8419 /var/lib/dhcp/dev/log ....
Note that netstat also gives you the local address for each connection, and its send and receive queue sizes which helps you monitor activity over these connections. In addition to that, it lists connections made over UNIX sockets, a different mechanism for communicating between processes in Linux.
The output of netstat can be made more similar to that of lsof’s by adding the –A inet and – program switches which tell netstat to only print non-local connections and to include the processes that own them.
slickbox:/home/kain # netstat -A inet --program Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 192.168.1.104:56693 22.214.171.124:aol ESTABLISHED 4530/pidgin tcp 0 0 192.168.1.104:55219 126.96.36.199:aol ESTABLISHED 4530/pidgin tcp 0 0 192.168.1.104:43997 oam-d23c.blue.aol.c:aol ESTABLISHED 4530/pidgin tcp 0 0 192.168.1.104:54623 188.8.131.52:aol ESTABLISHED 4530/pidgin tcp 0 0 192.168.1.104:57145 oam-d09b.blue.aol.c:aol ESTABLISHED 4530/pidgin tcp 0 0 192.168.1.104:44775 184.108.40.206:aol ESTABLISHED 4530/pidgin
That’s all there is to it! Both of these commands have much more capability, which can be seen by reading their respective manual pages (man:/lsof & man:/netstat under kde)