... in conjunction with '-i' filter for protocol in state -U ......... show unix domain sockets ('@' indicates abstract sock name, see unix(7)) file flags: R/W/RW ..... read/write/read-write CR ......... create AP ......... append TR ......... truncate -s protocols TCP, UDP -s states (TCP) CLOSED, IDLE, BOUND, LISTEN, ESTABLISHED, SYN_SENT, SYN_RCDV, ESTABLISHED, CLOSE_WAIT, FIN_WAIT1, CLOSING, LAST_ACK, FIN_WAIT_2, TIME_WAIT -s states (UDP) Unbound, Idle","breadcrumbs":"Resource analysis & monitor » lsof » lsof(8)","id":"186","title":"lsof(8)"},"187":{"body":"","breadcrumbs":"Resource analysis & monitor » lsof » Examples","id":"187","title":"Examples"},"188":{"body":"Show open files with file flags for process: lsof +fg -p ","breadcrumbs":"Resource analysis & monitor » lsof » File flags","id":"188","title":"File flags"},"189":{"body":"Show open tcp connections for $USER: lsof -a -u $USER -i TCP Note : -a ands the results. If -a is not given all open files matching $USER and all tcp connections are listed ( ored ).","breadcrumbs":"Resource analysis & monitor » lsof » Open TCP connections","id":"189","title":"Open TCP connections"},"19":{"body":"# default value\nbar=${foo:-some_val} # if $foo set, then bar=$foo else bar=some_val # alternate value\nbar=${foo:+bla $foo} # if $foo set, then bar=\"bla $foo\" else bar=\"\" # check param set\nbar=${foo:?msg} # if $foo set, then bar=$foo else exit and print msg # indirect\nFOO=foo\nBAR=FOO\nbar=${!BAR} # deref value of BAR -> bar=$FOO # prefix\n${foo#prefix} # remove prefix when expanding $foo\n# suffix\n${foo%suffix} # remove suffix when expanding $foo # substitute\n${foo/pattern/string} # replace pattern with string when expanding foo\n# pattern starts with\n# '/' replace all occurrences of pattern\n# '#' pattern match at beginning\n# '%' pattern match at end Note: prefix/suffix/pattern are expanded as pathnames .","breadcrumbs":"Tools » bash » Parameter","id":"19","title":"Parameter"},"190":{"body":"Show open connections 
to localhost for $USER: lsof -a -u $USER -i @localhost","breadcrumbs":"Resource analysis & monitor » lsof » Open connection to specific host","id":"190","title":"Open connection to specific host"},"191":{"body":"Show open connections to port :1234 for $USER: lsof -a -u $USER -i :1234","breadcrumbs":"Resource analysis & monitor » lsof » Open connection to specific port","id":"191","title":"Open connection to specific port"},"192":{"body":"lsof -i 4TCP -s TCP:ESTABLISHED","breadcrumbs":"Resource analysis & monitor » lsof » IPv4 TCP connections in ESTABLISHED state","id":"192","title":"IPv4 TCP connections in ESTABLISHED state"},"193":{"body":"This may help to find which processes keep devices busy when trying to unmount and the device is currently busy. # Assuming /proc is a mount point.\nlsof /proc","breadcrumbs":"Resource analysis & monitor » lsof » List open files in a mounted directory.","id":"193","title":"List open files in a mounted directory."},"194":{"body":"ss [option] [filter] [option] -p ..... Show process using socket -l ..... Show sockets in listening state -4/-6 .. Show IPv4/6 sockets -x ..... Show unix sockets -n ..... Show numeric ports (no resolve) -O ..... Oneline output per socket [filter] dport/sport PORT .... Filter for destination/source port dst/src ADDR ........ Filter for destination/source address and/or .............. Logic operator ==/!= ............... Comparison operator (EXPR) .............. Group exprs","breadcrumbs":"Resource analysis & monitor » ss » ss(8)","id":"194","title":"ss(8)"},"195":{"body":"Show all tcp IPv4 sockets connecting to port 443: ss -4 'dport 443' Show all tcp IPv4 sockets that don't connect to port 443 or connect to address 1.2.3.4. 
ss -4 'dport != 443 or dst 1.2.3.4'","breadcrumbs":"Resource analysis & monitor » ss » Examples","id":"195","title":"Examples"},"196":{"body":"pidstat [opt] [interval] [count] -U [user] show username instead of UID, optionally only show for user -r memory statistics -d I/O statistics -h single line per process and no lines with average","breadcrumbs":"Resource analysis & monitor » pidstat » pidstat(1)","id":"196","title":"pidstat(1)"},"197":{"body":"pidstat -r -p [interval] [count] minor_pagefault: Happens when the page needed is already in memory but not allocated to the faulting process, in that case the kernel only has to create a new page-table entry pointing to the shared physical page (not required to load a memory page from disk). major_pagefault: Happens when the page needed is NOT in memory, the kernel has to create a new page-table entry and populate the physical page (required to load a memory page from disk).","breadcrumbs":"Resource analysis & monitor » pidstat » Page fault and memory utilization","id":"197","title":"Page fault and memory utilization"},"198":{"body":"pidstat -d -p [interval] [count]","breadcrumbs":"Resource analysis & monitor » pidstat » I/O statistics","id":"198","title":"I/O statistics"},"199":{"body":"pgrep [opts] -n only list newest matching process -u only show matching for user -l additionally list command -a additionally list command + arguments","breadcrumbs":"Resource analysis & monitor » pgrep » pgrep(1)","id":"199","title":"pgrep(1)"},"2":{"body":"","breadcrumbs":"Tools » zsh » zsh(1)","id":"2","title":"zsh(1)"},"20":{"body":"* match any string\n? match any single char\n\\\\ match backslash\n[abc] match any char of 'a' 'b' 'c'\n[a-z] match any char between 'a' - 'z'\n[^ab] negate, match all not 'a' 'b'\n[:class:] match any char in class, available: alnum,alpha,ascii,blank,cntrl,digit,graph,lower, print,punct,space,upper,word,xdigit With extglob shell option enabled it is possible to have more powerful patterns. 
In the following, pattern-list is one or more patterns separated by | char. ?(pattern-list) matches zero or one occurrence of the given patterns\n*(pattern-list) matches zero or more occurrences of the given patterns\n+(pattern-list) matches one or more occurrences of the given patterns\n@(pattern-list) matches one of the given patterns\n!(pattern-list) matches anything except one of the given patterns Note: shopt -s extglob/shopt -u extglob to enable/disable extglob option.","breadcrumbs":"Tools » bash » Pathname","id":"20","title":"Pathname"},"200":{"body":"For example attach gdb to newest zsh process from $USER. gdb -p $(pgrep -n -u $USER zsh)","breadcrumbs":"Resource analysis & monitor » pgrep » Debug newest process","id":"200","title":"Debug newest process"},"201":{"body":"pmap [opts] Dump virtual memory map of process. Compared to /proc//maps it shows the size of the mappings.\nopts: -p show full path in the mapping -x show details (eg RSS usage of each segment)","breadcrumbs":"Resource analysis & monitor » pmap » pmap(1)","id":"201","title":"pmap(1)"},"202":{"body":"pstack Dump stack for all threads of process.","breadcrumbs":"Resource analysis & monitor » pstack » pstack(1)","id":"202","title":"pstack(1)"},"203":{"body":"strace ltrace perf OProfile time","breadcrumbs":"Trace and Profile » Trace and Profile","id":"203","title":"Trace and Profile"},"204":{"body":"strace [opts] [prg] -f .......... follow child processes on fork(2) -ff ......... follow fork and separate output file per child -p .... attach to running process -s ... max string size, truncate if longer (default: 32) -e ... expression for trace filtering -o ... log output into -c .......... dump syscall statistics at the end -C .......... like -c but dump regular output as well -k .......... dump stack trace for each syscall -P ... only trace syscall accessing path -y .......... print paths for FDs -tt ......... print absolute timestamp (with us precision) -r .......... 
print relative timestamp -z .......... log only successful syscalls -Z .......... log only failed syscalls -n .......... print syscall numbers -y .......... translate fds (eg file path, socket) -yy ......... translate fds with all information (eg IP) -x .......... print non-ASCII chars as hex string : trace=syscall[,syscall] .... trace only syscall listed trace=file ................. trace all syscall that take a filename as arg trace=process .............. trace process management related syscalls trace=signal ............... trace signal related syscalls signal ..................... trace signals delivered to the process","breadcrumbs":"Trace and Profile » strace » strace(1)","id":"204","title":"strace(1)"},"205":{"body":"Trace open(2) & socket(2) syscalls for a running process + child processes: strace -f -e trace=open,socket -p Trace signals delivered to a running process: strace -e signal -e 'trace=!all' -p ","breadcrumbs":"Trace and Profile » strace » Examples","id":"205","title":"Examples"},"206":{"body":"ltrace [opts] [prg] -f .......... follow child processes on fork(2) -p .... attach to running process -o ... log output into -l . show who calls into lib matched by -C .......... demangle","breadcrumbs":"Trace and Profile » ltrace » ltrace(1)","id":"206","title":"ltrace(1)"},"207":{"body":"List which program/libs call into libstdc++: ltrace -l '*libstdc++*' -C -o ltrace.log ./main","breadcrumbs":"Trace and Profile » ltrace » Example","id":"207","title":"Example"},"208":{"body":"perf list show supported hw/sw events perf stat -p .. show stats for running process -I ... show stats periodically over interval -e ... filter for events perf top -p .. show stats for running process -F ... sampling frequency -K ........ hide kernel threads perf record -p ............... record stats for running process -F ................ sampling frequency --call-graph .. 
[fp, dwarf, lbr] method how to capture backtrace fp : use frame-pointer, need to compile with -fno-omit-frame-pointer dwarf: use .cfi debug information lbr : use hardware last branch record facility -g ..................... short-hand for --call-graph fp -e ................ filter for events perf report -n .................... annotate symbols with nr of samples --stdio ............... report to stdio, if not present tui mode -g graph,0.5,caller ... show caller based call chains with value >0.5 Useful : page-faults minor-faults major-faults cpu-cycles task-clock","breadcrumbs":"Trace and Profile » perf » perf(1)","id":"208","title":"perf(1)"},"209":{"body":"","breadcrumbs":"Trace and Profile » perf » Flamegraph","id":"209","title":"Flamegraph"},"21":{"body":"Note: The trick with bash I/O redirection is to interpret from left-to-right. # stdout & stderr to file\ncommand >file 2>&1\n# equivalent\ncommand &>file # stderr to stdout & stdout to file\ncommand 2>&1 >file The article Bash One-Liners Explained, Part III: All about redirections contains some nice visualization to explain bash redirections.","breadcrumbs":"Tools » bash » I/O redirection","id":"21","title":"I/O redirection"},"210":{"body":"perf record -g -e cpu-cycles -p \nperf script | FlameGraph/stackcollapse-perf.pl | FlameGraph/flamegraph.pl > cycles-flamegraph.svg","breadcrumbs":"Trace and Profile » perf » Flamegraph with single event trace","id":"210","title":"Flamegraph with single event trace"},"211":{"body":"perf record -g -e cpu-cycles,page-faults -p \nperf script --per-event-dump\n# fold & generate as above","breadcrumbs":"Trace and Profile » perf » Flamegraph with multiple event traces","id":"211","title":"Flamegraph with multiple event traces"},"212":{"body":"operf -g -p -g ...... capture call-graph information opreport [opt] FILE show time spent per binary image -l ...... show time spent per symbol -c ...... show callgraph information (see below) -a ...... 
add column with time spent accumulated over child nodes ophelp show supported hw/sw events","breadcrumbs":"Trace and Profile » OProfile » OProfile","id":"212","title":"OProfile"},"213":{"body":"# statistics of process run\n/usr/bin/time -v ","breadcrumbs":"Trace and Profile » time » /usr/bin/time(1)","id":"213","title":"/usr/bin/time(1)"},"214":{"body":"od xxd readelf objdump nm","breadcrumbs":"Binary » Binary","id":"214","title":"Binary"},"215":{"body":"od [opts] -An don't print addr info -tx4 print hex in 4 byte chunks -ta print as named character -tc printable chars or backslash escape -w4 print 4 bytes per line -j skip bytes from (hex if start with 0x) -N dump bytes (hex if start with 0x)","breadcrumbs":"Binary » od » od(1)","id":"215","title":"od(1)"},"216":{"body":"echo -n AAAABBBB | od -An -w4 -tx4 >> 41414141 >> 42424242 echo -n '\\x7fELF\\n' | od -tx1 -ta -tc >> 0000000 7f 45 4c 46 0a # tx1 >> del E L F nl # ta >> 177 E L F \\n # tc","breadcrumbs":"Binary » od » ASCII to hex string","id":"216","title":"ASCII to hex string"},"217":{"body":"For example .rodata section from an ELF file. We can use readelf to get the offset into the file where the .rodata section starts. readelf -W -S foo >> Section Headers: >> [Nr] Name Type Address Off Size ES Flg Lk Inf Al >> ... 
>> [15] .rodata PROGBITS 00000000004009c0 0009c0 000030 00 A 0 0 16 With the offset of -j 0x0009c0 we can dump -N 0x30 bytes from the beginning of the .rodata section as follows: od -j 0x0009c0 -N 0x30 -tx4 -w4 foo >> 0004700 00020001 >> 0004704 00000000 >> * >> 0004740 00000001 >> 0004744 00000002 >> 0004750 00000003 >> 0004754 00000004 Note : Numbers starting with 0x will be interpreted as hex by od.","breadcrumbs":"Binary » od » Extract parts of file","id":"217","title":"Extract parts of file"},"218":{"body":"xxd [opts] -p dump continuous hexdump -r convert hexdump into binary ('revert') -e dump as little endian mode -i output as C array","breadcrumbs":"Binary » xxd » xxd(1)","id":"218","title":"xxd(1)"},"219":{"body":"echo -n 'aabb' | xxd -p >> 61616262","breadcrumbs":"Binary » xxd » ASCII to hex stream","id":"219","title":"ASCII to hex stream"},"22":{"body":"j>&i Duplicate fd i to fd j, making j a copy of i. See dup2(2) . Example: command 2>&1 >file duplicate fd 1 to fd 2, effectively redirecting stderr to stdout redirect stdout to file","breadcrumbs":"Tools » bash » Explanation","id":"22","title":"Explanation"},"220":{"body":"echo -n '61616262' | xxd -p -r >> aabb","breadcrumbs":"Binary » xxd » Hex to binary stream","id":"220","title":"Hex to binary stream"},"221":{"body":"echo -n '\\x7fELF' | xxd -p | xxd -p -r | file -p - >> ELF","breadcrumbs":"Binary » xxd » ASCII to binary","id":"221","title":"ASCII to binary"},"222":{"body":"xxd -i <(echo -n '\\x7fELF') >> unsigned char _proc_self_fd_11[] = { >> 0x7f, 0x45, 0x4c, 0x46 >> }; >> unsigned int _proc_self_fd_11_len = 4;","breadcrumbs":"Binary » xxd » ASCII to C array (hex encoded)","id":"222","title":"ASCII to C array (hex encoded)"},"223":{"body":"readelf [opts] -W|--wide wide output, dont break output at 80 chars -h print ELF header -S print section headers -l print program headers + segment mapping -d print .dynamic section (dynamic link information) --syms print symbol tables (.symtab .dynsym) --dyn-syms 
print dynamic symbol table (exported symbols for dynamic linker) -r print relocation sections (.rel.*, .rela.*)","breadcrumbs":"Binary » readelf » readelf(1)","id":"223","title":"readelf(1)"},"224":{"body":"objdump [opts] -M intel use intel syntax -d disassemble text section -D disassemble all sections -S mix disassembly with source code -C demangle -j display info for section --[no-]show-raw-insn [don't] show object code next to disassembly","breadcrumbs":"Binary » objdump » objdump(1)","id":"224","title":"objdump(1)"},"225":{"body":"For example .plt section: objdump -j .plt -d ","breadcrumbs":"Binary » objdump » Disassemble section","id":"225","title":"Disassemble section"},"226":{"body":"This can be helpful for example as a cheap analysis tool when toying with JIT generating code. We could just write the binary code buffer to a file and disassemble with objdump. To re-create that case, we just assemble and link some ELF file and then create a raw binary of the text section with objcopy. # file: test.s\n.section .text, \"ax\" .global _start\n_start: xor %rax, %rax mov $0x8, %rax\n1: cmp $0, %rax je 2f dec %rax jmp 1b\n2: # x86-64 exit(2) syscall mov $0, %rdi mov $60, %rax syscall # Assemble & link.\nas -o test.o test.s\nld -o test test.o\n# ELF -> binary (only take .text section).\nobjcopy -O binary --only-section .text test test-bin # Disassemble raw binary.\nobjdump -D -b binary -m i386:x86-64 test-bin","breadcrumbs":"Binary » objdump » Example: disassemble raw binary","id":"226","title":"Example: disassemble raw binary"},"227":{"body":"nm [opts]