linux 上的 lsof 和 netstat 有什么区别？

Question

I encounted a problem today:

When I started HDP docker container, an error occured:

listen tcp 0.0.0.0:8086: bind: address already in use

According to error message, I know that port 8086 was already in use, so I tried some commands to determine which program was using port 8086. lsof -i:8086 lsof -i tcp:8086 lsof | grep 8086 lsof -i:8086 lsof -i tcp:8086 lsof | grep 8086

But all of commands above make no outputs!

I felt really confused about that, after some searching on google, I tried another command: netstat -pna | grep 8086 netstat -pna | grep 8086

I got correct output from this command.

I know some differences between lsof and netstat , but I really do not know why I cannot get any output from lsof -i:8086 ?.

Here are some differences between two commands I searched from google:

netstat(net statistic) is connection based,it shows NW connections (udp/tcp ports), routing tables, interface, multi-cast membership, etc.

lsof(list of open files) is application based, this is kind of like netstat + ps, there you can see all accessed ports, NW connections, etc. but lsof includes stuff like my local emacs window terminal session (tty dev/pts/n) which is not part of netstat

Answer 1

I faced a similar issue today. The solution was to run the lsof command with sudo privileges.

sudo lsof -i:8086 

should print the desired output.

Answer 2

LSOF: List of Open Files. It lists all the open files belonging to all active processes.

Examples:

sudo lsof -n -i
sudo lsof -n -i4
sudo lsof -n -i :80 

• -n inhibits the conversion of network numbers to host names for network files. Inhibiting conversion may make lsof run faster. It is also useful when host
  lookup is not working properly
• -i selects the listing of files any of whose Internet address matches the address specified in i. If no address is specified, this option selects the listing of all Internet and x.25 (HP-UX) network files. If -i4 or -i6 is specified with no following address, only files of the indicated IP version, IPv4 or IPv6, are displayed.

NETSTAT: It is a tool to get the network statistics. By default, netstat displays a list of open sockets. If you don't specify any address families, then the active sockets of all configured address families will be printed.

Displays the kernel routing tables:

netstat -r 

Display all listening and established connection for both TCP and UDP with PID data:

netstat -plunt

Additionally, You have another command line tool to use which is SS.

SS: It is used to dump socket statistics. It allows showing information similar to netstat. It can display more TCP and state information than other tools.

-plunt gives data for the TCP and UDP connections which are established and listening with process information:

sudo ss -plunt

Answer 3

You should be root to get proper answers to your lsof questions. Your command is fine, assuming something really is listening on that port.

Answer 4

As you already mentioned, lsof is a very useful command which is used to list files opened by a specific process, while netstat is a tool for monitoring network connections.

You should be able to find the PID of the process listening on port 8086 with netstat :

netstat -tunlp |grep :8086

and then use lsof to list the files used by the process:

lsof -p PID