lsof information - Security


Thread: lsof information

  1. lsof information

    Can anyone point me to some clearly written explanations of the output of
    lsof? Man lsof gives rather densely worded pages that presume more
    background knowledge than I have. Just dicking around here with a
    Mandriva 2006 install, and doing lsof with no parameters produced a huge
    list. I read disturbing things in there like "unknown protocol" and
    "heap: unknown file or directory".
    any clues happily taken

  2. Re: lsof information

    prodigal1 wrote:
    > Can anyone point me to some clearly written explanations of the output of
    > lsof? Man lsof gives rather densely worded pages that presume more
    > background knowledge than I have. Just dicking around here with a
    > Mandriva 2006 install, and doing lsof with no parameters produced a huge
    > list. I read disturbing things in there like "unknown protocol" and
    > "heap: unknown file or directory".
    > any clues happily taken


    For the default output, my version of lsof (4.76) on my machine
    (amd64) starts out with the following:

    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    sh 5050 klausman cwd DIR 8,5 73728 258048 /home/klausman
    sh 5050 klausman rtd DIR 8,1 4096 2 /
    sh 5050 klausman txt REG 8,1 767152 200617 /bin/bash
    sh 5050 klausman mem REG 0,0 0 [heap] (stat: No such...
    sh 5050 klausman mem REG 8,1 115690 899694 /lib64/ld-2.3.6.so
    sh 5050 klausman mem REG 8,1 378 913703 /usr/lib64/locale/en_...
    ......

    (I removed some whitespace and cut the last part of too-long
    lines)

    COMMAND is the binary name of the program that has a reference to this file.
    PID is the program id of the very same program
    USER is the user who the program runs as
    FD is a description of the meaning this file has for the program.
    For example: cwd=current working dir, rtd=root dir, txt=text
    file (binary program), mem=piece of mapped memory (this is
    the heap but also shared libraries)
    TYPE is the type of file (DIR=directory, REG=regular file, FIFO=
    fifo/pipe, unix=unix domain socket)
    DEVICE is the major and minor device number of the device the
    file is on (if applicable). The numbers correspond with the
    major and minor device numbers used for /dev. More info can be
    found in /usr/src/linux/Documentation/devices.txt
    SIZE is just that, the size of the file.
    NODE The I-Node of the file (if applicable). This is what you'd
    see if you'd run stat on the file.
    NAME The name of the file (if applicable).

    Note that on most systems, lsof only reports the files of the
    user it runs as if not running as root. Also note that it's much
    better (faster) to let lsof filter stuff using its command line
    switches than to use convoluted regexen with grep.

    HTH,
    Tobias

    --
    You don't need eyes to see, you need vision.
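    To make the column walk-through above concrete, here is an added example (not code from this thread, from Tobias, or from the lsof distribution): a small Python parser for lsof's default output that decodes the FD and TYPE codes listed above. The sample input is the lines pasted in this thread, already whitespace-collapsed by the poster, which exposes a real caveat: once the column alignment is gone, a line with only one number after DEVICE cannot tell you whether that number is SIZE or NODE (sockets and mappings lsof could not stat() print no SIZE). The parser treats such a number as NODE and flags the entry. Two facts taken from the lsof manual page rather than from the thread: the letter after a numeric FD gives the access mode (r read, w write, u read and write), and the -F option prints tagged fields for unambiguous machine parsing.

```python
"""Decode lsof default output using the column meanings explained in the thread."""
import re
from dataclasses import dataclass

# FD column: the special codes from the thread; numeric descriptors carry a
# trailing access-mode letter (r read, w write, u read+write; from lsof(8)).
FD_SPECIAL = {
    "cwd": "current working directory",
    "rtd": "root directory",
    "txt": "program text (the executable)",
    "mem": "memory-mapped file (heap, shared library, ...)",
}
FD_MODE = {"r": "read", "w": "write", "u": "read/write"}

# TYPE column codes mentioned in the thread.
TYPE_DESC = {
    "DIR": "directory", "REG": "regular file", "FIFO": "fifo/pipe",
    "unix": "unix domain socket",
    "sock": "socket whose domain/protocol lsof could not identify",
}


@dataclass
class LsofEntry:
    command: str
    pid: int
    user: str
    fd: str
    ftype: str
    device: str
    size: str        # empty when lsof printed no SIZE (sockets, unstat-able maps)
    node: str
    name: str
    ambiguous: bool  # True when SIZE/NODE had to be guessed (see parse_line)

    def describe_fd(self) -> str:
        """Human-readable meaning of the FD column."""
        if self.fd in FD_SPECIAL:
            return FD_SPECIAL[self.fd]
        m = re.fullmatch(r"(\d+)([rwu]?)", self.fd)
        if not m:
            return f"unrecognised FD code {self.fd!r}"
        num, mode = m.groups()
        return f"descriptor {num}" + (f" opened for {FD_MODE[mode]}" if mode else "")

    def describe_type(self) -> str:
        return TYPE_DESC.get(self.ftype, f"other type {self.ftype!r}")


def parse_line(line: str) -> LsofEntry:
    """Parse one whitespace-collapsed lsof line.

    With alignment lost, a single number after DEVICE may be SIZE or NODE.
    Sockets and mappings lsof could not stat() have no SIZE, so we take it
    as NODE and flag the entry.  For unambiguous output use `lsof -F`, which
    tags every field with a letter instead of relying on columns.
    """
    tokens = line.split()
    if len(tokens) < 7:
        raise ValueError(f"too few columns: {line!r}")
    command, pid, user, fd, ftype, device = tokens[:6]
    rest = tokens[6:]
    if len(rest) >= 2 and rest[0].isdigit() and rest[1].isdigit():
        size, node, name_tokens, ambiguous = rest[0], rest[1], rest[2:], False
    elif rest[0].isdigit():
        size, node, name_tokens, ambiguous = "", rest[0], rest[1:], True
    else:
        size, node, name_tokens, ambiguous = "", "", rest, True
    return LsofEntry(command, int(pid), user, fd, ftype, device,
                     size, node, " ".join(name_tokens), ambiguous)


def parse_lsof_output(text: str) -> list[LsofEntry]:
    """Parse a block of lsof default output, skipping the header line."""
    return [parse_line(ln) for ln in text.splitlines()
            if ln.strip() and not ln.startswith("COMMAND")]


def explain(entry: LsofEntry) -> str:
    """One-line plain-words explanation of an entry."""
    note = " [SIZE/NODE guessed]" if entry.ambiguous else ""
    return (f"{entry.command}[{entry.pid}] as {entry.user}: "
            f"{entry.describe_fd()} -> {entry.describe_type()} {entry.name}{note}")


# Sample input: the lines pasted in this thread (whitespace already collapsed).
SAMPLE_OUTPUT = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sh 5050 klausman cwd DIR 8,5 73728 258048 /home/klausman
sh 5050 klausman rtd DIR 8,1 4096 2 /
sh 5050 klausman txt REG 8,1 767152 200617 /bin/bash
sh 5050 klausman mem REG 0,0 0 [heap] (stat: No such...
sh 5050 klausman mem REG 8,1 115690 899694 /lib64/ld-2.3.6.so
sh 5050 klausman mem REG 8,1 378 913703 /usr/lib64/locale/en_...
udevd 935 root 6u sock 0,4 1345 can't identify protocol
"""

if __name__ == "__main__":
    for e in parse_lsof_output(SAMPLE_OUTPUT):
        print(explain(e))
```

    The udevd line from later in the thread parses to descriptor 6 opened read/write on a socket with no SIZE, node 1345, and a NAME column holding lsof's own message rather than a path; that is exactly the shape the thread asks about, and the parser keeps the message intact instead of splitting it on spaces.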

  3. Re: lsof information

    Tobias Klausmann wrote:
    thanks Tobias, that is helpful

    here's an example of a line that is getting my attention
    udevd 935 root 6u sock 0,4 1345 can't identify protocol

    I'm not happy about that, but don't fully understand enough to know
    whether this is indicative of a problem. Is this normal behaviour for lsof?
    Cheers

  4. Re: lsof information

    prodigal1 wrote:
    > Tobias Klausmann wrote:
    > thanks Tobias, that is helpful
    >
    > here's an example of a line that is getting my attention
    > udevd 935 root 6u sock 0,4 1345 can't identify protocol
    >
    > I'm not happy about that, but don't fully understand enough to know
    > whether this is indicative of a problem. Is this normal behaviour for lsof?


    This is nothing to worry about. Lsof has its limitations, some of
    them dependent on the OS. One of them is that it can't always
    identify what protocol is used on a socket (note that these
    needn't be TCP sockets).

    Regards,
    Tobias

    PS: My udevd does the same:
    udevd 546 root 4u sock 0,4 757 can't identify protocol


    --
    You don't need eyes to see, you need vision.

  5. Re: lsof information


    prodigal1 wrote:
    > Can anyone point me to some clearly written explanations of the output of
    > lsof? Man lsof gives rather densely worded pages that presume more
    > background knowledge than I have. Just dicking around here with a
    > Mandriva 2006 install, and doing lsof with no parameters produced a huge
    > list. I read disturbing things in there like "unknown protocol" and
    > "heap: unknown file or directory".
    > any clues happily taken


    Don't overlook the many other files of documentation that come with the
    lsof source distribution. In particular the 00FAQ file describes unusual
    messages that appear in the NAME column like "can't identify protocol"
    and the 00QUICKSTART file gives a good primer on using lsof with
    examples of the output that appears when using lsof for a particular
    task.

    For exact information about what appears in a specific output column,
    however, the manual page is the authority. It's a reference manual and
    carries the usual burden of reference manuals -- it requires slow and
    careful reading.

    Vic Abell, lsof author


  6. Re: lsof information

    On Mon, 27 Feb 2006 03:02:15 -0800, abe wrote:
    > the manual page is the authority. It's a reference manual and
    > carries the usual burden of reference manuals -- it requires slow and
    > careful reading.
    >
    > Vic Abell, lsof author


    word! thanks Vic,
    the deeper I dig with *nix, the more there is to dig

  7. Re: lsof information

    On Sun, 26 Feb 2006 18:03:15 +0000, Tobias Klausmann wrote:

    > This is nothing to worry about. Lsof has its limitations, some of them
    > dependent on the OS.


    thanks Tobias
    I appreciate your information.
