{"id":598,"date":"2012-09-25T23:10:15","date_gmt":"2012-09-25T23:10:15","guid":{"rendered":"https:\/\/trouble.org\/?p=598"},"modified":"2012-09-25T23:10:15","modified_gmt":"2012-09-25T23:10:15","slug":"lsof-lite-iiiii","status":"publish","type":"post","link":"https:\/\/trouble.org\/?p=598","title":{"rendered":"lsof lite (II\/III)"},"content":{"rendered":"

Here’s one that looks up processes that have a file open… well, actually, more like a file expression; “foo” would match “\/bar\/foo” and “\/foo\/bar” (by intent), so use full paths if you’re not feeling frisky. And yes… busybox really does have that many duplicate processes with that file open….<\/p>\n

[WPCM450 \/tmp]$ .\/lsof-pid-on-file.sh NVRAM_PrivateStorage00.dat
\n\/bin\/fullfw
\n     \/flash\/data0\/BMC_Data\/NVRAM_PrivateStorage00.dat
\n\/bin\/fullfw
\n     \/flash\/data0\/BMC_Data\/NVRAM_PrivateStorage00.dat
\n\/bin\/fullfw
\n     \/flash\/data0\/BMC_Data\/NVRAM_PrivateStorage00.dat
\n\/bin\/fullfw
\n     \/flash\/data0\/BMC_Data\/NVRAM_PrivateStorage00.dat
\n\/bin\/fullfw
\n     \/flash\/data0\/BMC_Data\/NVRAM_PrivateStorage00.dat
\n[...]
\npid #'s that use NVRAM_PrivateStorage00.dat:  419 430 431 432 437 448 449 450 451 452 453 454 455 456 457 458 459 460 461 464 465
\npid names that use NVRAM_PrivateStorage00.dat: \/bin\/fullfw \/bin\/fullfw \/bin\/fullfw \/bin\/fullfw \/bin\/fullfw \/bin\/fullfw \/bin\/fullfw \/bin\/fullfw \/bin\/fullfw \/bin\/fullfw \/bin\/fullfw \/bin\/fullfw \/bin\/fullfw \/bin\/fullfw \/bin\/fullfw \/bin\/fullfw \/bin\/fullfw \/bin\/fullfw \/bin\/fullfw \/bin\/fullfw \/bin\/fullfw<\/div><\/div>\n

Script.<\/p>\n

:
\n
\n#<\/span>
\n# busybox - find network ports being listened to by pid<\/span>
\n#<\/span>
\n
\nfd<\/span>="\/proc\/*\/fd"<\/span>
\n
\n#<\/span>
\n# list of all the stuff everyone is listening to<\/span>
\n#<\/span>
\necho<\/span> "collecting port data..."<\/span>
\n
\n# slooow... jumping through more hoops than michael jordon.. ls will produce lines like:<\/span>
\n#<\/span>
\n# [...]<\/span>
\n# \/proc\/1261\/fd:<\/span>
\n# \/proc\/1262\/fd:<\/span>
\n# \/proc\/1263\/fd:<\/span>
\n#  0 lrwx------    1 root     root           64 Sep 25 15:03 3 -> socket:[4535]<\/span>
\n# [...]<\/span>
\n#<\/span>
\n# this will have matching pairs of pid's & inodes of sockets<\/span>
\n#<\/span>
\n# grab the line before the match as the pid, since ls won't say what is going on<\/span>
\n# and find won't work on this<\/span>
\n#<\/span>
\nall_sox<\/span>=`<\/span>ls<\/span> -asl<\/span> \/<\/span>proc\/<\/span>[<\/span>0<\/span>-9<\/span>]<\/span>*\/<\/span>fd 2<\/span>><\/span> \/<\/span>dev\/<\/span>null |<\/span> egrep<\/span> 'socket:|fd'<\/span> |<\/span>  awk<\/span> '{ if (\/fd:\/) { split($1,fd,"\/"); } if (\/socket\/) print fd[3], $NF ; }'<\/span> |<\/span> sed<\/span> -e<\/span> 's\/socket:\\[\/\/'<\/span> -e<\/span> 's\/\\]\/\/'<\/span>`<\/span>
\n
\necho<\/span> "machine is listening on:"<\/span>
\ngrep<\/span> -v<\/span> local_address \/<\/span>proc\/<\/span>net\/<\/span>?[<\/span>cd<\/span>]<\/span>p*<\/span> |<\/span> awk<\/span> '{print $1, $3, $11}'<\/span> |<\/span> while<\/span> read<\/span> proto port inode ; do<\/span>
\n   if<\/span> [<\/span> "X$proto<\/span>"<\/span> !<\/span>= "X"<\/span> ]<\/span> ; then<\/span>
\n   
\n     # echo "$proto, $port, $inode"<\/span>
\n   
\n     echo<\/span> -n<\/span> $proto<\/span> |<\/span> sed<\/span> -e<\/span> 's@^.*net\/@@'<\/span> -e<\/span> 's\/:\/\/'<\/span>
\n     echo<\/span> -n<\/span> ":"<\/span>
\n     
\n     #<\/span>
\n     # more busybox hoop jumping... sometimes like ice skating with roller skates<\/span>
\n     #<\/span>
\n     # the amazing sed+ stuff courtesy of http:\/\/stackoverflow.com\/questions\/3675012\/hex-to-dec-con<\/span>
\n     #<\/span>
\n     echo<\/span> $port<\/span> |<\/span> awk<\/span> -F: '{print $2}'<\/span> |<\/span> sed<\/span> 's,\\(..\\)\\(..\\)\\(..\\)\\(..\\),\\4\\3\\2\\1,g'<\/span> |<\/span> (<\/span>read<\/span> hex; echo<\/span> $(<\/span>(<\/span> 0x${hex}<\/span> )<\/span>)<\/span>)<\/span>
\n 
\n     if<\/span> [<\/span> "X$inode<\/span>"<\/span> !<\/span>= "X"<\/span> ]<\/span> ; then<\/span>
\n
\n        pid<\/span>=`<\/span>echo<\/span> "$all_sox<\/span>"<\/span> |<\/span> grep<\/span> " $inode<\/span>"<\/span>`<\/span>
\n
\n# fd=`ls -asl \/proc\/[0-9]*\/fd 2> \/dev\/null | egrep 'socket:\\[4535\\]|fd' |  awk '{ if (\/fd:\/) { split($1,fd,"\/"); } if (\/socket\/) print "FD: ", fd[3]; }'`<\/span>
\n
\n        if<\/span> [<\/span> "X$pid<\/span>"<\/span> == "X"<\/span> ]<\/span> ; then<\/span>
\n           echo<\/span> can\\'<\/span>t find<\/span> process for<\/span> inode $inode<\/span>
\n           echo<\/span>
\n        else<\/span>
\n           matching_pids<\/span>=`<\/span>echo<\/span> "$pid<\/span>"<\/span> |<\/span> awk<\/span> '{ pids=sprintf("%s %s", pids, $1);} END { print pids }'<\/span>`<\/span>
\n 
\n           # echo "MATCHING: $matching_pids"<\/span>
\n   
\n           for<\/span> p in<\/span> $matching_pids<\/span> ; do<\/span>
\n              if<\/span> [<\/span> -f<\/span> \/<\/span>proc\/<\/span>$p<\/span>\/<\/span>cmdline ]<\/span> ; then<\/span>
\n                 name<\/span>=`<\/span>sed<\/span> -e<\/span> 's\/\\o000\/ \/g'<\/span> -e<\/span> 's\/ *$\/\/'<\/span> -e<\/span> 's\/^ *\/\/'<\/span> \/<\/span>proc\/<\/span>$p<\/span>\/<\/span>cmdline`<\/span>
\n              else<\/span>
\n                       name<\/span>="?"<\/span>
\n              fi<\/span>
\n              echo<\/span> -e<\/span> "\\\\t<\/span>$p<\/span> = $name<\/span>"<\/span>
\n           done<\/span>
\n         echo<\/span>
\n         fi<\/span>
\n      else<\/span>
\n         echo<\/span> "no inode found associated with port $port<\/span>"<\/span>
\n      fi<\/span>
\n   fi<\/span>
\n
\n   done<\/span><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"

Here’s one that looks up processes that have a file open… well, actually, more like a file expression; “foo” would match “\/bar\/foo” and “\/foo\/bar” (by intent), so use full paths if you’re not feeling frisky. And yes… busybox really does have that many duplicate processes with that file open…. [WPCM450 \/tmp]$ .\/lsof-pid-on-file.sh NVRAM_PrivateStorage00.dat \/bin\/fullfw   […]<\/p>\n","protected":false},"author":44,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[31,154,4,6],"tags":[158,157,334,155,156],"class_list":["post-598","post","type-post","status-publish","format-standard","hentry","category-code","category-ipmi-2","category-security","category-tech","tag-bmc","tag-busybox","tag-hack","tag-lsof","tag-shell"],"_links":{"self":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/598","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=598"}],"version-history":[{"count":3,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/598\/revisions"}],"predecessor-version":[{"id":617,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/598\/revisions\/617"}],"wp:attachment":[{"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=598"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=598"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=598"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}