LINUX - Spying on your system with LSOF - LSOF command list

First read lsof man page: http://linux.die.net/man/8/lsof

see what's using your stuff
-----------------------------
lsof /somemount/
lsof | grep /somemount/ | awk '{print $2}' | xargs kill
lsof | grep /somemount/ | awk '{print $2}' | xargs kill -9

what is connected to internet:
---------------------------------
lsof -P -i -n

all open files by particular process or command:
---------------------------------------
lsof -p 1061
lsof -c minidlna

spy on process with lsof
--------------------------
lsof -p 1061 -r
lsof -c minidlna -r

before starting process (keep -r and -c separate so the option parsing is not ambiguous):
lsof -r -c command >> /tmp/command.txt
then view /tmp/command.txt

spy on process:
------------------
diff <(lsof -p 1061) <(lsof -p 1061)
pid=1061; lsof -p $pid > t1; watch -n1 "lsof -p $pid > t2; diff -y t1 t2"
pid=1061; lsof -p $pid > t1; watch -n1 "lsof -p $pid > t2; diff t1 t2"
pid=1061; lsof -p $pid > t1; watch -n1 "lsof -p $pid > t2; head -n1 t1; diff t1 t2"
pname="minidlna"; lsof -c $pname > t1; watch -n1 "lsof -c $pname > t2; head -n1 t1; diff t1 t2"

what is using sound:
----------------------
lsof | grep pcm

spy on whole system - what's different from one moment:
-------------------------------------------------------
lsof > t1; watch -n1 "lsof> t2; head -n1 t1; diff t1 t2 | grep -v 'lsof\|watch'"
lsof > t1; watch -n1 "lsof> t2; head -n1 t1; diff t1 t2 | egrep -v 'lsof|watch'"

spy on whole system - what's different every moment:
------------------------------------------------------
watch "lsof > tnew; (diff tnew told | egrep -v 'lsof|watch';); cat tnew > told"

diff shows too many > and < - let's just see the new or old stuff - without grepping out watch and lsof
----------------------------------------------------------------------------------------------------
(comm needs sorted input, so each snapshot is piped through sort)
only in new - so what's in tnew:
watch "lsof | sort > tnew; comm -23 tnew told; cat tnew > told"
only in the old things - what went away:
watch "lsof | sort > tnew; comm -13 tnew told; cat tnew > told"
what's unique in both - with tabs:
watch "lsof | sort > tnew; comm -3 tnew told ; cat tnew > told"
without tabs:
watch "lsof | sort > tnew; (comm -3 tnew told | sed 's/^\t//';); cat tnew > told"

diff shows too many > and < - let's just see the new or old stuff - grepping out watch and lsof
----------------------------------------------------------------------------------------------------
(comm needs sorted input, so each snapshot is piped through sort)
only in new - so what's in tnew:
watch "lsof | sort > tnew; (comm -23 tnew told | egrep -v 'lsof|watch';); cat tnew > told"
only in the old things - what went away:
watch "lsof | sort > tnew; (comm -13 tnew told | egrep -v 'lsof|watch';); cat tnew > told"
what's unique in both - with tabs:
watch "lsof | sort > tnew; (comm -3 tnew told | egrep -v 'lsof|watch';); cat tnew > told"
without tabs:
watch "lsof | sort > tnew; (comm -3 tnew told | sed 's/^\t//' | egrep -v 'lsof|watch';); cat tnew > told"

comm lesson
-------------
comm - another way to look at it (both files must be sorted):
Show lines that only exist in file a:
comm -23 a b
Show lines that only exist in file b:
comm -13 a b
Show lines that only exist in one file or the other:
comm -3 a b | sed 's/^\t//'
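
Added example (not part of the original notes): the snapshot comparison above as a small reusable script that marks what appeared (+) and what went away (-) between two saved lsof snapshots. The helper names lsof_clean, lsof_delta and demo are hypothetical, and the snapshot lines are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original page): what appeared (+) and what went
# away (-) between two saved lsof snapshots.

# Drop the header row and the monitoring tools themselves, then sort.
# Anchoring on the COMMAND column avoids hiding unrelated lines that merely
# contain "lsof" or "watch" (for example a process named watchdog).
lsof_clean() {
    grep -Ev '^(COMMAND|lsof|watch) ' "$1" | LC_ALL=C sort -u
}

# lsof_delta OLD NEW  (hypothetical helper name)
lsof_delta() {
    _o=$(mktemp) && _n=$(mktemp) || return 1
    lsof_clean "$1" > "$_o"
    lsof_clean "$2" > "$_n"
    # comm needs sorted input: -13 = only in NEW, -23 = only in OLD.
    LC_ALL=C comm -13 "$_o" "$_n" | sed 's/^/+ /'
    LC_ALL=C comm -23 "$_o" "$_n" | sed 's/^/- /'
    rm -f "$_o" "$_n"
}

# Constructed sample snapshots in lsof's output format (not real captures).
demo() {
    _d=$(mktemp -d) || return 1
    cat > "$_d/told" <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4  18233      0t0  TCP *:22 (LISTEN)
minidlna 1061 dlna    7u  IPv4  20411      0t0  TCP *:8200 (LISTEN)
minidlna 1061 dlna    9u  IPv4  20987      0t0  TCP 192.0.2.10:8200->192.0.2.55:51514 (ESTABLISHED)
EOF
    cat > "$_d/tnew" <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
watch    2300 root  cwd    DIR    8,1     4096    2 /root
watchdog 2290 root  cwd    DIR    8,1     4096    2 /
sshd      812 root    3u  IPv4  18233      0t0  TCP *:22 (LISTEN)
minidlna 1061 dlna    7u  IPv4  20411      0t0  TCP *:8200 (LISTEN)
python3  2210 bob     3u  IPv4  23001      0t0  TCP *:8000 (LISTEN)
EOF
    lsof_delta "$_d/told" "$_d/tnew"
    rm -rf "$_d"
}
demo
```

On a live system, save a baseline with lsof -P -i -n > told, take a later snapshot into tnew, and run lsof_delta told tnew to list listeners and connections that were not there before.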


dd across internet and split
------------------------------
dd if=/dev/sda | pv -c | gzip | ssh user@backupserver "split -b 2048m -d - backup-`hostname -s`.img.gz"
