传输层工具总结 —— netstat、ss、lsof

发表于 更新于

lsof

https://linux.die.net/man/8/lsof

-n

This option inhibits the conversion of network numbers to host names for network files.

-P

This option inhibits the conversion of port numbers to port names for network files.

-a
This option causes list selection options to be ANDed, as described above.

-p s

This option excludes or selects the listing of files for the processes whose optional process IDentification (PID) numbers are in the comma-separated set s - e.g., ‘’123’’ or ‘’123,^456’’. (There should be no spaces in the set.)

PID numbers that begin with ‘^‘ (negation) represent exclusions.

-i [46][protocol][@hostname|hostaddr][:service|port]

where:

  • 46 specifies the IP version, IPv4 or IPv6 that applies to the following address. ‘6‘ may be be specified only if the UNIX dialect supports IPv6. If neither ‘4‘ nor ‘6‘ is specified, the following address applies to all IP versions.
  • protocol is a protocol name - TCP, UDP
  • hostname is an Internet host name. Unless a specific IP version is specified, open network files associated with host names of all versions will be selected.
  • hostaddr is a numeric Internet IPv4 address in dot form; or an IPv6 numeric address in colon form, enclosed in brackets, if the UNIX dialect supports IPv6. When an IP version is selected, only its numeric addresses may be specified.
  • service is an /etc/services name - e.g., smtp or a list of them.
  • port is a port number, or a list of them.

Here are some sample addresses:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
-i6 - IPv6 only

-iTCP:25 - TCP and port 25

-i@1.2.3.4 - Internet IPv4 host address 1.2.3.4

-i@[3ffe:1ebc::1]:1234 - Internet IPv6 host address 3ffe:1ebc::1, port 1234

-iUDP:who - UDP who service port

-iTCP@lsof.itap:513 - TCP, port 513 and host name lsof.itap

-iTCP@foo:1-10,smtp,99 - TCP, ports 1 through 10, service name smtp, port 99, host name foo

-iTCP@bar:1-smtp - TCP, ports 1 through smtp, host bar

-i:time - either TCP, UDP or UDPLITE time service port

-s [p:s]

When followed by a protocol name (p), either TCP or UDP, a colon (‘:’) and a comma-separated protocol state name list, the option causes open TCP and UDP files to be

  • excluded if their state name(s) are in the list (s) preceded by a ‘^’;

or

  • included if their state name(s) are not preceded by a ‘^’.

For example, to list only network files with TCP state LISTEN, use:

1
-iTCP -sTCP:LISTEN

State names vary with UNIX dialects, so it’s not possible to provide a complete list. Some common TCP state names are: CLOSED, IDLE, BOUND, LISTEN, ESTABLISHED, SYN_SENT, SYN_RCDV, ESTABLISHED, CLOSE_WAIT, FIN_WAIT1, CLOSING, LAST_ACK, FIN_WAIT_2, and TIME_WAIT.

例子

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# 按端口号查询(端口占用)
$ lsof -i:端口号

# 查看某个进程的 open files,等价于 /proc/PID/fd/
$ lsof -p PID

# 按 TCP + 端口号 + PID 查询
$ lsof -nP -iTCP:端口号 -a -p PID

# 按 TCP (LISTEN) + PID 查询
$ lsof -nP -iTCP -sTCP:LISTEN -a -p PID
COMMAND  PID    USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
java    6276    dev   36u  IPv4 1097042515      0t0  TCP *:8720 (LISTEN)
java    6276    dev  150u  IPv4 1097044387      0t0  TCP *:8171 (LISTEN)
java    6276    dev  187u  IPv4 1097042576      0t0  TCP *:58077 (LISTEN)
java    6276    dev  202u  IPv4 1097042587      0t0  TCP *:8062 (LISTEN)

参考

https://linux.die.net/man/8/lsof