SUSE Conversations


Finding Open Files and Network Connections



By: mlfarrell

November 30, 2007 2:12 pm


Among the many benefits of using the Linux operating system is the ability to obtain extensive information about the processes running at any given moment and the resources they consume. This article introduces two very useful Linux commands, lsof and netstat, which give you a complete list of all open files or network connections on your system along with the processes that own them.

One evident advantage of this capability is security. If, for example, a piece of spyware or other malware were sending information from your computer to the Internet, or writing it to a file on your hard disk, the socket or file would show up in the output of these commands. The caveat is that both tools read the kernel's view of processes through /proc, so a rootkit that hides processes from the kernel's interfaces, or that replaces the lsof and netstat binaries themselves, can hide from them as well; treat their output as a first check, not as proof that a system is clean.

lsof – list open files

This simple command is often run with no arguments and does just what it says: it lists every open file held by every process running at the time.

The output of lsof typically looks like this:

kain@slickbox:~> lsof
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
init 1 root cwd unknown /proc/1/cwd
init 1 root rtd unknown /proc/1/root
init 1 root txt unknown /proc/1/exe
init 1 root mem REG 8,22 509596 60081 /sbin/init
init 1 root mem REG 0,0 0 [heap]
init 1 root NOFD /proc/1/fd
kthreadd 2 root cwd unknown /proc/2/cwd
kthreadd 2 root rtd unknown /proc/2/root
kthreadd 2 root txt unknown /proc/2/exe
....

The information in the columns is mostly straightforward.

Usually lsof produces far more output than will fit in Konsole's scroll buffer, so you will generally want either to dump it to a file (lsof > lsof-output.txt) or to filter it through a pipe.

For example, to see whether the special file /dev/dsp (the sound card) is open by any process, we can filter the full listing:

kain@slickbox:~> lsof|grep dsp
game 3835 kain mem CHR 195,0 13940 /dev/dsp

We can now kill the process if we want to free up the sound card. (lsof also accepts file names as arguments: lsof /dev/dsp reports the same process without the grep, which would also match any unrelated line that happens to contain "dsp".)

kain@slickbox:~> kill -9 3835
kain@slickbox:~> killall -9 game # this also works, but kills every process named game

Reach for -9 (SIGKILL) only after a plain kill has failed: SIGKILL cannot be caught, so the program gets no chance to save its state or release its resources cleanly, and killall acts on every process with that name rather than on the single PID that lsof reported.

In addition to listing open files, lsof can list open network sockets (connections) when given the -i switch.

kain@slickbox:~> lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
kded 4140 kain 15u IPv4 15400 TCP localhost:37435 (LISTEN)
kded 4140 kain 19u IPv6 15483 TCP *:5800 (LISTEN)
kded 4140 kain 20u IPv6 15488 TCP *:5900 (LISTEN)
pidgin 4530 kain 14u IPv4 17075 TCP 192.168.1.104:54623->205.188.9.158:aol (ESTABLISHED)
pidgin 4530 kain 15u IPv4 17072 TCP 192.168.1.104:56693->205.188.5.214:aol (ESTABLISHED)
pidgin 4530 kain 16u IPv4 49002 TCP 192.168.1.104:37275->64.12.30.80:aol (ESTABLISHED)
pidgin 4530 kain 17u IPv4 17092 TCP 192.168.1.104:57145->oam-d09b.blue.aol.com:aol (ESTABLISHED)
pidgin 4530 kain 18u IPv4 50809 TCP 192.168.1.104:42839->64.12.30.92:aol (ESTABLISHED)
pidgin 4530 kain 23u IPv4 17107 TCP 192.168.1.104:43997->oam-d23c.blue.aol.com:aol (ESTABLISHED)
firefox-b 9464 kain 10u IPv4 55549 TCP 192.168.1.104:37274->mu-in-f91.google.com:http (ESTABLISHED)
firefox-b 9464 kain 44u IPv4 54630 TCP 192.168.1.104:43427->132.235.194.70:http (ESTABLISHED)
firefox-b 9464 kain 45u IPv4 54631 TCP 192.168.1.104:43428->132.235.194.70:http (ESTABLISHED)
firefox-b 9464 kain 46u IPv4 54635 TCP 192.168.1.104:49242->132.235.194.69:http

Above it can be seen that when I ran this command I was running both my instant messenger and my web browser. The NAME column contains the local and remote endpoints of the connection, each with its port number or service name, and whether the socket is listening or established. Listening sockets correspond to server processes on your box that are waiting for connections from other parties, and the address they are bound to tells you who can reach them: localhost means local processes only, while * means every interface the host has. Any listening process you cannot account for should be investigated; the two sockets above bound to *:5800 and *:5900, the conventional VNC ports, are open to the whole network and are exactly the kind of entry to verify. If a port number appears in the list of known services on the system it is shown as the service name (as http and aol are above); you can search /etc/services to see what these are. The -P and -n switches (lsof -i -P -n) suppress this conversion and the reverse DNS lookups for hostnames, which makes the output faster to produce and easier to grep.

kain@slickbox:~> cat /etc/services|grep aol
aol 5190/tcp # America-Online

To ensure that you get the full list from lsof, run it as root: as an ordinary user, lsof can only report the files and sockets of your own processes, because the /proc entries of other users' processes are not readable to you.
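
The listening-socket check described above, as an added shell example that is not part of the original article. It feeds a sample modelled on the lsof -i listing (a constructed input with ports made numeric as lsof -i -P -n prints them, not live output) through two small awk filters and reports the sockets bound to all interfaces:

```shell
# Added example (not from the original article): a triage filter for
# "lsof -i -P -n" output.  -P and -n keep ports and addresses numeric, so the
# format is stable and no DNS lookups happen while you investigate.
# Constructed sample, modelled on the article's listing; not live output.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
kded     4140 kain   15u  IPv4  15400       TCP 127.0.0.1:37435 (LISTEN)
kded     4140 kain   19u  IPv6  15483       TCP *:5800 (LISTEN)
kded     4140 kain   20u  IPv6  15488       TCP *:5900 (LISTEN)
pidgin   4530 kain   14u  IPv4  17075       TCP 192.168.1.104:54623->205.188.9.158:5190 (ESTABLISHED)
firefox-b 9464 kain  44u  IPv4  54630       TCP 192.168.1.104:43427->132.235.194.70:80 (ESTABLISHED)'

# listeners: read lsof -i -P -n output on stdin and print one line per
# TCP LISTEN socket as "COMMAND PID USER PROTO ADDRESS SCOPE".  SCOPE says who
# can reach the socket: "loopback" (local processes only), "ALL-INTERFACES"
# (bound to *, reachable from every network the host is on) or "specific".
# UDP sockets carry no state in lsof output and are not reported here.
listeners() {
    awk '
        $NF == "(LISTEN)" {
            addr  = $(NF-1)          # e.g. *:5900 or 127.0.0.1:37435
            proto = $(NF-2)          # NODE column: TCP or UDP
            if (addr ~ /^(127\.|\[::1]:|localhost:)/) scope = "loopback"
            else if (addr ~ /^\*:/)                   scope = "ALL-INTERFACES"
            else                                      scope = "specific"
            print $1, $2, $3, proto, addr, scope
        }'
}

# exposed_listeners: only the sockets that accept connections from the network.
# Every line here should map to a service you intended to run.
exposed_listeners() {
    listeners | awk '$6 == "ALL-INTERFACES"'
}

# Demo on the constructed sample.  On a live system run, as root so that
# every user's processes are visible:
#   lsof -i -P -n | exposed_listeners
printf '%s\n' "$SAMPLE_LSOF" | exposed_listeners
```

On the sample this prints the two kded sockets on *:5800 and *:5900 and nothing else; the loopback-only socket on 127.0.0.1:37435 is listed by listeners but filtered out by exposed_listeners, which is the distinction that matters when deciding what is reachable from outside.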

netstat – network statistics tool

While lsof -i is a useful way to list network connections, netstat provides an alternative, more verbose way to get information about your network.

Its output is typically much longer than that of lsof -i:

kain@slickbox:~> netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.1.104:56693 205.188.5.214:aol ESTABLISHED
tcp 0 0 192.168.1.104:55219 64.12.30.80:aol ESTABLISHED
tcp 0 0 192.168.1.104:43997 oam-d23c.blue.aol.c:aol ESTABLISHED
tcp 0 0 192.168.1.104:54623 205.188.9.158:aol ESTABLISHED
tcp 0 0 192.168.1.104:57145 oam-d09b.blue.aol.c:aol ESTABLISHED
tcp 0 0 192.168.1.104:44775 64.12.30.92:aol ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 15294 /var/run/NetworkManager/wpa_ctrl_3020-1
unix 2 [ ] DGRAM 15215 /var/run/wpa_supplicant-global
unix 3 [ ] DGRAM 15292 /var/run/wpa_supplicant/eth1
unix 2 [ ] DGRAM 3300 @/org/kernel/udev/udevd
unix 2 [ ] DGRAM 8419 /var/lib/dhcp/dev/log
....

Note that netstat also gives you the local address of each connection and the sizes of its receive and send queues (Recv-Q is data received but not yet read by the process; Send-Q is data sent but not yet acknowledged by the peer), which help you monitor activity over these connections. In addition, it lists connections made over UNIX domain sockets, a different mechanism for communicating between processes on the same Linux host.

The output of netstat can be made more similar to lsof's by adding the -A inet and --program switches. -A inet restricts the listing to the inet address family, so the UNIX domain sockets are dropped, and --program (or -p) adds the PID and name of the process owning each socket. Like lsof, netstat can only name processes it has permission to inspect, so for other users' processes --program needs root (it prints - in that column otherwise); note the root prompt below. By default netstat omits listening sockets (the heading says "w/o servers"); add -l to see only listeners, or -a to see both.

slickbox:/home/kain # netstat -A inet --program
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.1.104:56693 205.188.5.214:aol ESTABLISHED 4530/pidgin
tcp 0 0 192.168.1.104:55219 64.12.30.80:aol ESTABLISHED 4530/pidgin
tcp 0 0 192.168.1.104:43997 oam-d23c.blue.aol.c:aol ESTABLISHED 4530/pidgin
tcp 0 0 192.168.1.104:54623 205.188.9.158:aol ESTABLISHED 4530/pidgin
tcp 0 0 192.168.1.104:57145 oam-d09b.blue.aol.c:aol ESTABLISHED 4530/pidgin
tcp 0 0 192.168.1.104:44775 64.12.30.92:aol ESTABLISHED 4530/pidgin
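
The owner and queue columns discussed above, as an added shell example that is not part of the original article. The sample is constructed from the listing (ports numeric, as netstat -n prints them) with two made-up rows added: a browser connection and one whose owner netstat could not see and whose Send-Q is non-zero.

```shell
# Added example (not from the original article): summarising
# "netstat -A inet --program -n" output.  Constructed sample, not live output:
# the pidgin rows follow the article, the last two rows are made up.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.104:56693     205.188.5.214:5190      ESTABLISHED 4530/pidgin
tcp        0      0 192.168.1.104:55219     64.12.30.80:5190        ESTABLISHED 4530/pidgin
tcp        0      0 192.168.1.104:54623     205.188.9.158:5190      ESTABLISHED 4530/pidgin
tcp        0      0 192.168.1.104:43427     132.235.194.70:80       ESTABLISHED 9464/firefox-bin
tcp        0   4096 192.168.1.104:40001     203.0.113.9:443         ESTABLISHED -'

# conn_by_program: count connections per owning process.  netstat prints "-"
# in the PID/Program column when it cannot read the owner, which for another
# user's process means you are not root.  Those rows are the ones you cannot
# explain yet, so they are labelled rather than silently dropped.
conn_by_program() {
    awk '
        $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
            owner = $NF
            if (owner == "-") owner = "UNKNOWN-owner(rerun-as-root)"
            n[owner]++
        }
        END { for (o in n) print n[o], o }' | sort -rn
}

# pending_sends: TCP connections with bytes in Send-Q, i.e. data this host has
# sent that the peer has not yet acknowledged.  A queue that stays non-zero
# means the peer (or the path to it) is not draining what we send.
pending_sends() {
    awk '$1 ~ /^tcp6?$/ && $3 > 0 { print $NF, $4, "->", $5, "send-q=" $3 }'
}

# Demo on the constructed sample.  Live equivalent, as root:
#   netstat -A inet --program -n | conn_by_program
printf '%s\n' "$SAMPLE_NETSTAT" | conn_by_program
printf '%s\n' "$SAMPLE_NETSTAT" | pending_sends
```

The first function answers "which programs hold connections, and how many"; the second pulls out the one connection with unacknowledged data, which on the sample is also the one with no visible owner, the combination you would chase first.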

That's all there is to it! Both of these commands have much more capability, which can be seen by reading their manual pages (man lsof and man netstat, or man:/lsof and man:/netstat in Konqueror under KDE). netstat belongs to net-tools, which current distributions are replacing with the iproute2 tool ss; ss -tulpn gives the same overview of listening sockets and their owning processes.


Categories: Enterprise Linux, Technical Solutions

Disclaimer: As with everything else at SUSE Conversations, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up).  It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.
