lsof Cheatsheet

How to log outgoing connections by pid on linux

when you know ip addresslsof -i -P -n -r 2 | grep 8.8.8.8

when you know ip address and portlsof -i :443 -P -n -r 2 | grep 8.8.8.8

when you know ip address and port (track current datetime also)lsof -i :443 -P -n -r 2 | grep 8.8.8.8 --line-buffered |  sed "s/^/$(date) /"

run in background with track into a filelsof -i :443 -P -n -r 2 | grep 8.8.8.8 --line-buffered | unbuffer -p  sed "s/^/$(date) /" >> /var/log/lsof.log &

kill all processes with established connections by portkill -9 $(lsof -t -i :80)

How to track open files

track open files within a directorylsof +D /var/log

who open the filelsof /var/log/nginx/access.log

open files by userlsof -u www-data

open files by programlsof -c nginx

open files by pidlsof -p 1303

open files by user AND program AND directorylsof -u ubuntu -a -c dotnet -a +D /var/

lsof 4.89 parameters

 usage: [-?abhKlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-E] [+|-e s] [+|-f[gG]]
 [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s]
 [+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
Defaults in parentheses; comma-separated set (s) items; dash-separated ranges.
  -?|-h list help          -a AND selections (OR)     -b avoid kernel blocks
  -c c  cmd c ^c /c/[bix]  +c w  COMMAND width (9)    +d s  dir s files
  -d s  select by FD set   +D D  dir D tree *SLOW?*   +|-e s  exempt s *RISKY*
  -i select IPv[46] files  -K list tasKs (threads)    -l list UID numbers
  -n no host names         -N select NFS files        -o list file offset
  -O no overhead *RISKY*   -P no port names           -R list paRent PID
  -s list file size        -t terse listing           -T disable TCP/TPI info
  -U select Unix socket    -v list version info       -V verbose search
  +|-w  Warnings (+)       -X skip TCP&UDP* files     -Z Z  context [Z]
  -- end option scan
  -E display endpoint info              +E display endpoint info and files
  +f|-f  +filesystem or -file names     +|-f[gG] flaGs
  -F [f] select fields; -F? for help
  +|-L [l] list (+) suppress (-) link counts < l (0 = all; default = 0)
                                        +m [m] use|create mount supplement
  +|-M   portMap registration (-)       -o o   o 0t offset digits (8)
  -p s   exclude(^)|select PIDs         -S [t] t second stat timeout (15)
  -T qs TCP/TPI Q,St (s) info
  -g [s] exclude(^)|select and print process group IDs
  -i i   select by IPv[46] address: [46][proto][@host|addr][:svc_list|port_list]
  +|-r [t[m<fmt>]] repeat every t seconds (15);  + until no files, - forever.
       An optional suffix to t is m<fmt>; m must separate t from <fmt> and <fmt> is an strftime(3) format for the marker line.
  -s p:s  exclude(^)|select protocol (p = TCP|UDP) states by name(s).
  -u s   exclude(^)|select login|UID set s
  -x [fl] cross over +d|+D File systems or symbolic Links
  names  select named files or files on named file systems

See Also

• Nmap Cheatsheet (on this resource)