The file lsof.txt contains the output of the command lsof, which is used to display the list of open file descriptors (files, pipes, sockets).
Figure 6.83. Output of the file "lsof.txt"
COMMAND   PID USER  FD   TYPE  DEVICE    SIZE    NODE NAME
[...]
sshd     6198 admin cwd  DIR     8,69    4096       2 /
sshd     6198 admin rtd  DIR     8,69    4096       2 /
sshd     6198 admin txt  REG     8,69  444313   33830 /usr/sbin/sshd
sshd     6198 admin mem  REG     8,69  113224   39572 /lib64/ld-2.3.4.so
sshd     6198 admin mem  REG     8,69   36144   39578 /lib64/libpam.so.0.77
sshd     6198 admin mem  REG     8,69   17000   39624 /lib64/libdl-2.3.4.so
sshd     6198 admin mem  REG     8,69 1565275    3019 /opt/rbt/lib/libcrypto.so.0.9.8
sshd     6198 admin mem  REG     8,69   16280   39602 /lib64/libutil-2.3.4.so
sshd     6198 admin mem  REG     8,69   77072   39560 /usr/lib64/libz.so.1.2.1.2
sshd     6198 admin mem  REG     8,69  112176   39613 /lib64/libnsl-2.3.4.so
sshd     6198 admin mem  REG     8,69   42672   39592 /lib64/libcrypt-2.3.4.so
sshd     6198 admin mem  REG     8,69   90672   39579 /lib64/libresolv-2.3.4.so
sshd     6198 admin mem  REG     8,69 1630336   39755 /lib64/tls/libc-2.3.4.so
sshd     6198 admin mem  REG     8,69   63736   39586 /lib64/libaudit.so.0.0.0
sshd     6198 admin mem  REG     8,69   58872   39582 /lib64/libnss_files-2.3.4.so
sshd     6198 admin DEL  REG      0,6         2268647 /dev/zero
sshd     6198 admin mem  REG     8,69   12888   39729 /lib64/security/pam_stack.so
sshd     6198 admin mem  REG     8,69    8864   39721 /lib64/security/pam_nologin.so
sshd     6198 admin mem  REG     8,69   20824   39706 /lib64/security/pam_limits.so
sshd     6198 admin mem  REG     8,69   53104   39727 /lib64/security/pam_console.so
sshd     6198 admin mem  REG     8,69  557176   39237 /usr/lib64/libglib-2.0.so.0.400.7
sshd     6198 admin mem  REG     8,69    4560   39731 /lib64/security/pam_deny.so
sshd     6198 admin mem  REG     8,69   12624   39743 /lib64/security/pam_env.so
sshd     6198 admin mem  REG     8,69   57662    2764 /opt/tms/lib/security/pam_radius_auth.so
sshd     6198 admin mem  REG     8,69  145059    2766 /opt/tms/lib/security/pam_unix.so
sshd     6198 admin mem  REG     8,69   10692    2767 /opt/tms/lib/security/pam_faildelay.so
sshd     6198 admin mem  REG     8,69   24632   39609 /lib64/libnss_dns-2.3.4.so
sshd     6198 admin DEL  REG      0,6         2269964 /dev/zero
sshd     6198 admin 0u   CHR      1,3            1102 /dev/null
sshd     6198 admin 1u   CHR      1,3            1102 /dev/null
sshd     6198 admin 2u   CHR      1,3            1102 /dev/null
sshd     6198 admin 3u   IPv4 2268635             TCP 10.0.1.5:ssh->10.0.1.1:40520 (ESTABLISHED)
sshd     6198 admin 4r   FIFO     0,7         2269968 pipe
sshd     6198 admin 5w   FIFO     0,7         2269968 pipe
sshd     6198 admin 7w   FIFO     0,7         2269969 pipe
sshd     6198 admin 8r   FIFO     0,7         2269970 pipe
sshd     6198 admin 10r  FIFO     0,7         2269971 pipe
[...]
sshd    11011 admin 3u   IPv4   25118             TCP *:ssh (LISTEN)
[...]
In this example, the process sshd has the process ID 6198, is running as the user admin, is running the binary located in /usr/sbin/sshd, has a couple of libraries loaded and has an ESTABLISHED TCP socket between 10.0.1.1:40520 and 10.0.1.5:22.
The process sshd with process ID 11011 has a TCP socket without an IP address (shown as *:ssh) in the LISTEN state, which means that it is waiting for new TCP sessions.
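The reading of lsof.txt described above can be automated. The following is an added example, not part of the original document: it groups the records by process ID and extracts the binary (FD txt), the mapped libraries (FD mem) and the listening and established TCP sockets. The names summarize and SAMPLE are hypothetical, the sample records are constructed from the figure, and paths are assumed to contain no spaces.

```python
import re
from collections import defaultdict

# Constructed sample: a few records in the layout of the lsof.txt figure.
SAMPLE = """\
COMMAND   PID USER  FD   TYPE  DEVICE    SIZE    NODE NAME
sshd     6198 admin txt  REG     8,69  444313   33830 /usr/sbin/sshd
sshd     6198 admin mem  REG     8,69   12888   39729 /lib64/security/pam_stack.so
sshd     6198 admin DEL  REG      0,6         2268647 /dev/zero
sshd     6198 admin 3u   IPv4 2268635             TCP 10.0.1.5:ssh->10.0.1.1:40520 (ESTABLISHED)
sshd     6198 admin 4r   FIFO     0,7         2269968 pipe
[...]
sshd    11011 admin 3u   IPv4   25118             TCP *:ssh (LISTEN)
"""

# NAME column of an Internet socket: PROTO local[->remote] [(STATE)]
SOCKET = re.compile(
    r"(?P<proto>TCP|UDP) (?P<local>\S+?)(?:->(?P<remote>\S+))?(?: \((?P<state>\w+)\))?$")

def summarize(text):
    """Group lsof records by PID: binary, mapped libraries, TCP sockets."""
    procs = defaultdict(
        lambda: {"binary": None, "libs": [], "listen": [], "established": []})
    for line in text.splitlines():
        fields = line.split()
        # Skip the header, "[...]" elision markers and blank lines.
        if len(fields) < 6 or not fields[1].isdigit():
            continue
        pid, fd, ftype = int(fields[1]), fields[3], fields[4]
        proc = procs[pid]
        # SIZE is blank on some rows, so only the first five columns are read
        # by index; the name is taken from the end (assumes no spaces in paths).
        if ftype in ("IPv4", "IPv6"):
            m = SOCKET.search(" ".join(fields[5:]))
            if m and m["state"] == "LISTEN":
                proc["listen"].append(m["local"])
            elif m and m["state"] == "ESTABLISHED":
                proc["established"].append((m["local"], m["remote"]))
        elif fd == "txt":
            proc["binary"] = fields[-1]
        elif fd == "mem":
            proc["libs"].append(fields[-1])
    return dict(procs)

if __name__ == "__main__":
    for pid, info in sorted(summarize(SAMPLE).items()):
        print(pid, info)
```

Passing the contents of lsof.txt to summarize gives one entry per process, which makes it quick to see which processes listen for connections and which peers are connected.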