Sep 25 2012
 

Here’s one that looks up which processes have a file open… well, actually, it matches a file expression rather than an exact name: “foo” would match both “/bar/foo” and “/foo/bar” (by intent), so use full paths if you’re not feeling frisky. And yes… busybox really does have that many duplicate processes with that file open….

[WPCM450 /tmp]$ ./lsof-pid-on-file.sh NVRAM_PrivateStorage00.dat
/bin/fullfw
     /flash/data0/BMC_Data/NVRAM_PrivateStorage00.dat
/bin/fullfw
     /flash/data0/BMC_Data/NVRAM_PrivateStorage00.dat
/bin/fullfw
     /flash/data0/BMC_Data/NVRAM_PrivateStorage00.dat
/bin/fullfw
     /flash/data0/BMC_Data/NVRAM_PrivateStorage00.dat
/bin/fullfw
     /flash/data0/BMC_Data/NVRAM_PrivateStorage00.dat
[...]
pid #'s that use NVRAM_PrivateStorage00.dat:  419 430 431 432 437 448 449 450 451 452 453 454 455 456 457 458 459 460 461 464 465
pid names that use NVRAM_PrivateStorage00.dat: /bin/fullfw /bin/fullfw /bin/fullfw /bin/fullfw /bin/fullfw /bin/fullfw /bin/fullfw /bin/fullfw /bin/fullfw /bin/fullfw /bin/fullfw /bin/fullfw /bin/fullfw /bin/fullfw /bin/fullfw /bin/fullfw /bin/fullfw /bin/fullfw /bin/fullfw /bin/fullfw /bin/fullfw

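Script. (The listing below is headed “find network ports being listened to by pid”; it maps sockets to pids rather than files to pids.)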

:

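#
# busybox - find network ports being listened to by pid
#
# Pairs every socket listed in /proc/net/{tcp,udp,...} with the pid(s) that
# hold its inode open under /proc/<pid>/fd, then prints "proto:port" followed
# by one "pid = command line" line per owning process.
#
# NOTE(review): nothing below filters on the socket state column, so the
# "listening" list also contains connected and closing sockets.
#
# Errors from reading /proc/<pid>/fd are discarded, so a process whose fd
# directory this user cannot read shows up as "can't find process"; run with
# enough privilege if the goal is a complete socket-to-process inventory.
#

#
# Print one "pid inode" pair per socket fd found under /proc/<pid>/fd.
#
# slooow... ls will produce lines like:
#
# [...]
# /proc/1262/fd:
# /proc/1263/fd:
#  0 lrwx------    1 root     root           64 Sep 25 15:03 3 -> socket:[4535]
# [...]
#
# The pid is only present on the directory header line, so it is remembered
# and attached to each socket line that follows it. Both patterns are
# anchored so that an unrelated link target that merely contains "fd:" or
# "socket" cannot be mistaken for a header or a socket.
#
collect_socket_owners() {
  ls -asl /proc/[0-9]*/fd 2> /dev/null | awk '
    /^\/proc\/[0-9]+\/fd:$/ { split($1, part, "/"); pid = part[3]; next }
    $NF ~ /^socket:\[[0-9]+\]$/ {
      ino = $NF
      gsub(/[^0-9]/, "", ino)
      if (pid != "") print pid, ino
    }'
}

#
# Print the pids (one per line, no duplicates) that own a socket inode.
#   $1 - "pid inode" lines as produced by collect_socket_owners
#   $2 - inode to look up
#
# The comparison is on the whole inode field; a substring match would
# attribute inode 453 to the owner of inode 4535 and report the wrong process.
#
pids_for_inode() {
  printf '%s\n' "$1" | awk -v want="$2" '$2 == want && !seen[$1]++ { print $1 }'
}

#
# Convert the port half of a /proc/net address column to decimal.
#   $1 - address column, e.g. 0100007F:0016
# Returns non-zero (and prints nothing) when the port is not plain hex, so
# nothing but hex digits ever reaches the arithmetic expansion.
#
hex_port_to_dec() {
  local hex
  hex=${1##*:}
  case "$hex" in
    '' | *[!0-9A-Fa-f]*) return 1 ;;
  esac
  echo $(( 0x$hex ))
}

#
# Print the command line of a pid on one line, or "?" if it is gone.
#   $1 - pid
# /proc/<pid>/cmdline is NUL separated; the NULs become spaces and the
# padding at either end is trimmed.
#
cmdline_of() {
  if [ -f "/proc/$1/cmdline" ]; then
    tr '\000' ' ' < "/proc/$1/cmdline" | sed -e 's/ *$//' -e 's/^ *//'
  else
    echo "?"
  fi
}

#
# list of all the stuff everyone is listening to
#
echo "collecting port data..."
all_sox=$(collect_socket_owners)

echo "machine is listening on:"

# -H keeps the "file:" prefix even if only one table matches the glob; the
# awk column numbers below depend on that prefix being field 1.
grep -H -v local_address /proc/net/?[cd]p* | awk '{print $1, $3, $11}' |
  while read -r proto port inode; do
    [ -n "$proto" ] || continue

    # "/proc/net/tcp:" -> "tcp"
    label=${proto##*net/}
    label=${label%%:*}
    printf '%s:' "$label"
    hex_port_to_dec "$port" || echo "?"

    if [ -z "$inode" ]; then
      echo "no inode found associated with port $port"
      continue
    fi

    matching_pids=$(pids_for_inode "$all_sox" "$inode")

    if [ -z "$matching_pids" ]; then
      echo "can't find process for inode $inode"
      echo
      continue
    fi

    for p in $matching_pids; do
      # The command line is chosen by the process itself, so it is printed
      # through %s and never interpreted for backslash escapes.
      printf '\t%s = %s\n' "$p" "$(cmdline_of "$p")"
    done
    echo
  done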
