6.11. The file "lsof"

The file lsof.txt contains the output of the command lsof, which is used to display the list of open file descriptors (files, pipes, sockets).

Figure 6.83. Output of the file "lsof.txt"

COMMAND     PID   USER   FD   TYPE   DEVICE     SIZE    NODE NAME
[...]
sshd       6198  admin  cwd    DIR     8,69     4096       2 /
sshd       6198  admin  rtd    DIR     8,69     4096       2 /
sshd       6198  admin  txt    REG     8,69   444313   33830 /usr/sbin/sshd
sshd       6198  admin  mem    REG     8,69   113224   39572 /lib64/ld-2.3.4.so
sshd       6198  admin  mem    REG     8,69    36144   39578 /lib64/libpam.so.0.77
sshd       6198  admin  mem    REG     8,69    17000   39624 /lib64/libdl-2.3.4.so
sshd       6198  admin  mem    REG     8,69  1565275    3019 /opt/rbt/lib/libcrypto.so.0.9.8
sshd       6198  admin  mem    REG     8,69    16280   39602 /lib64/libutil-2.3.4.so
sshd       6198  admin  mem    REG     8,69    77072   39560 /usr/lib64/libz.so.1.2.1.2
sshd       6198  admin  mem    REG     8,69   112176   39613 /lib64/libnsl-2.3.4.so
sshd       6198  admin  mem    REG     8,69    42672   39592 /lib64/libcrypt-2.3.4.so
sshd       6198  admin  mem    REG     8,69    90672   39579 /lib64/libresolv-2.3.4.so
sshd       6198  admin  mem    REG     8,69  1630336   39755 /lib64/tls/libc-2.3.4.so
sshd       6198  admin  mem    REG     8,69    63736   39586 /lib64/libaudit.so.0.0.0
sshd       6198  admin  mem    REG     8,69    58872   39582 /lib64/libnss_files-2.3.4.so
sshd       6198  admin  DEL    REG      0,6          2268647 /dev/zero
sshd       6198  admin  mem    REG     8,69    12888   39729 /lib64/security/pam_stack.so
sshd       6198  admin  mem    REG     8,69     8864   39721 /lib64/security/pam_nologin.so
sshd       6198  admin  mem    REG     8,69    20824   39706 /lib64/security/pam_limits.so
sshd       6198  admin  mem    REG     8,69    53104   39727 /lib64/security/pam_console.so
sshd       6198  admin  mem    REG     8,69   557176   39237 /usr/lib64/libglib-2.0.so.0.400.7
sshd       6198  admin  mem    REG     8,69     4560   39731 /lib64/security/pam_deny.so
sshd       6198  admin  mem    REG     8,69    12624   39743 /lib64/security/pam_env.so
sshd       6198  admin  mem    REG     8,69    57662    2764 /opt/tms/lib/security/pam_radius_auth.so
sshd       6198  admin  mem    REG     8,69   145059    2766 /opt/tms/lib/security/pam_unix.so
sshd       6198  admin  mem    REG     8,69    10692    2767 /opt/tms/lib/security/pam_faildelay.so
sshd       6198  admin  mem    REG     8,69    24632   39609 /lib64/libnss_dns-2.3.4.so
sshd       6198  admin  DEL    REG      0,6          2269964 /dev/zero
sshd       6198  admin    0u   CHR      1,3             1102 /dev/null
sshd       6198  admin    1u   CHR      1,3             1102 /dev/null
sshd       6198  admin    2u   CHR      1,3             1102 /dev/null
sshd       6198  admin    3u  IPv4  2268635              TCP 10.0.1.5:ssh->10.0.1.1:40520 (ESTABLISHED)
sshd       6198  admin    4r  FIFO      0,7          2269968 pipe
sshd       6198  admin    5w  FIFO      0,7          2269968 pipe
sshd       6198  admin    7w  FIFO      0,7          2269969 pipe
sshd       6198  admin    8r  FIFO      0,7          2269970 pipe
sshd       6198  admin   10r  FIFO      0,7          2269971 pipe
[...]
sshd      11011  admin    3u  IPv4    25118              TCP *:ssh (LISTEN)
[...]

In this example, the process sshd has the process ID 6198, runs as the user admin, uses the binary located at /usr/sbin/sshd, has a number of libraries loaded, and has an ESTABLISHED TCP socket between 10.0.1.1:40520 and 10.0.1.5:22.

The process sshd with process ID 11011 has a TCP socket with no specific IP address (shown as *) in the LISTEN state, which means that it is waiting for new TCP sessions.
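
The reading of the listing described above can be automated when lsof.txt is long. The following is an added example, not part of the original document or the product: the function names and the sample rows are constructed for illustration, and it assumes paths contain no spaces.

```python
import re

# Constructed sample in the column layout of Figure 6.83 (not a real capture).
SAMPLE = """\
COMMAND     PID   USER   FD   TYPE   DEVICE     SIZE    NODE NAME
[...]
sshd       6198  admin  txt    REG     8,69   444313   33830 /usr/sbin/sshd
sshd       6198  admin  mem    REG     8,69    12888   39729 /lib64/security/pam_stack.so
sshd       6198  admin  DEL    REG      0,6          2268647 /dev/zero
sshd       6198  admin    3u  IPv4  2268635              TCP 10.0.1.5:ssh->10.0.1.1:40520 (ESTABLISHED)
sshd       6198  admin    4r  FIFO      0,7          2269968 pipe
sshd      11011  admin    3u  IPv4    25118              TCP *:ssh (LISTEN)
"""

# NAME column of a socket row: PROTO local[->remote] [(STATE)]
SOCKET = re.compile(r"\b(TCP|UDP)\s+(\S+?)(?:->(\S+))?(?:\s+\((\w+)\))?\s*$")

def summarize(text):
    """Return {pid: {command, user, binary, libs, sockets}} from lsof output."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[1].isdigit():
            continue  # header row, "[...]" elisions, blank lines
        # Only the first five columns are positional: SIZE may be empty,
        # so the name is taken from the end of the row instead.
        command, pid, user, fd, ftype = parts[:5]
        p = procs.setdefault(int(pid), {"command": command, "user": user,
                                        "binary": None, "libs": [], "sockets": []})
        if fd == "txt":            # program text: the running binary
            p["binary"] = parts[-1]
        elif fd == "mem":          # memory-mapped file: a loaded library
            p["libs"].append(parts[-1])
        elif ftype in ("IPv4", "IPv6"):
            m = SOCKET.search(line)
            if m:
                p["sockets"].append(m.groups())  # (proto, local, remote, state)
    return procs

def listeners(procs):
    """LISTEN sockets per PID, flagging those bound to every address (*)."""
    return [(pid, p["command"], local, local.startswith("*:"))
            for pid, p in sorted(procs.items())
            for proto, local, remote, state in p["sockets"] if state == "LISTEN"]

if __name__ == "__main__":
    procs = summarize(SAMPLE)
    for pid, p in sorted(procs.items()):
        print(pid, p["user"], p["binary"], p["sockets"])
    print(listeners(procs))
```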