Lsof

lsof: lists open files

Show only TCP (works the same for UDP)

lsof -iTCP =]

-i :port shows all networking related to a given port

(:code:) lsof -i :22

To show connections to a specific host, use @host

(:code:) lsof [email protected]

Show connections based on the host and the port using @host:port

(:code:) lsof [email protected]:22

Grepping for "LISTEN" shows what ports your system is waiting for connections on

(:code:) lsof -i| grep LISTEN

Grepping for "ESTABLISHED" shows current active connections

(:code:) lsof -i| grep ESTABLISHED

Show what a given user has open using -u

(:code:) lsof -u daniel

See what files and network connections a command is using with -c

(:code:) lsof -c syslog-ng

Pointing to a file shows what's interacting with that file

(:code:) lsof /var/log/messages

The -p switch lets you see what a given process ID has open, which is good for learning more about unknown processes

(:code:) lsof -p 10075

The -t option returns just a PID

(:code:) lsof -t -c Mail

Using-a allows you to combine search terms, so the query below says, "show me everything running as daniel connected to 1.1.1.1"

(:code:) lsof -a -u daniel -i @1.1.1.1

Using the -t and -c options together you can HUP processes

(:code:) kill -HUP `lsof -t -c sshd`

You can also use the -t with -u to kill everything a user has open

(:code:) kill -9 `lsof -t -u daniel`

lsof +L1 shows you all open files that have a link count less than 1, often indicative of a cracker trying to hide something

(:code:)[= lsof +L1

lsof

Kaynak: http://dmiessler.com/study/lsof/

Show all connections with -i

(:code:) lsof -i

(:code:)