lsof stands for "list open files." In the context of UNIX-like systems, an "open file" may refer to a regular file, directory, network connection, or more. lsof is a powerful tool on Linux systems that displays open files and the processes that are currently using them.
Note: In UNIX and Linux operating systems, many entities are treated as files. This includes not just regular files, but also devices, sockets, named pipes (FIFOs), shared libraries utilized by a program, and even network socket connections.
lsof is especially useful for system administrators and developers to:
- Identify which processes are using a specific file or port, especially when a port conflict occurs.
- Find files that have been deleted but are still held open by processes and therefore still consume disk space.
- Troubleshoot issues like "port is already in use" errors.
- Monitor network activity and open network connections.
- Investigate file access and potential security breaches.
Syntax
This is the basic syntax of lsof:
lsof [option] [names]
- option: These are flags that modify the behavior of the lsof command.
- names: This can refer to filenames, PIDs (Process IDs), user names, or even network files (IPv4, IPv6). Depending on the context and provided options, lsof will list open files that match these names.
Using lsof without sudo (superuser privileges) will show you open files related to processes that the executing user has permission to view. However, many processes, especially system processes, run under different users or system accounts. To see all open files on the system, including those owned by other users and system services, you would typically need to use sudo to run lsof with root (superuser) privileges.
lsof output
When you run the lsof command without any arguments, it will list all open files on the system. The default output columns of lsof represent various attributes of these open files. Here's a breakdown of what each column typically represents:
- COMMAND: The name of the command (process) that has the file open.
- PID: Process ID of the command that has the file open.
- USER: The user who owns the process/command.
- FD: File descriptor associated with the file. Some common values seen in this column include:
  - cwd: Current working directory
  - txt: Text file (usually this indicates an executable program or script)
  - mem: Memory-mapped file
  - rtd: Root directory
  - jld: Jail directory (primarily seen in FreeBSD)
  - tr: Kernel trace file (primarily seen in Solaris)
  - DEL: A file that has been deleted but is still held open by a process
  - ERR: Error indicator (typically followed by an error message in the NAME column)
  - Numeric values: Actual file descriptors (e.g., 0u, 1w, 2r). The appended letter represents the mode in which the file is opened: r for read, w for write, u for read and write.
- TYPE: Type of the node associated with the file. Common types include:
  - REG: Regular file
  - DIR: Directory
  - CHR: Character special file
  - BLK: Block special file
  - FIFO: First In First Out (named pipe)
  - SOCK: Socket
  - IPv4 and IPv6: Network files.
- DEVICE: Device numbers. For disk files, this column will typically display the device number and the file system's inode number.
- SIZE/OFF: For regular files, this is the file size. For network endpoints, it's the offset into the file or sometimes the inode number.
- NODE: The inode number of the file or directory.
- NAME: The name of the file or the path to the file. For network connections, this column will show the local and remote IP addresses and ports, separated by "->".
The default output is long. Execute sudo lsof | less to scroll through the output.
Listing Files by Process
If you already know the Process ID of the application or service, you can use the -p option followed by the PID to list all open files associated with that process.
For example, to check which files are opened by the process with PID 11:
lsof -p 11
You may also pass multiple PIDs as arguments separated by a comma.
Instead of using the PID, you can specify a process by its command name using the -c option. For example, to view all the files opened by the network process:
lsof -c network
Note: To determine which process is using a particular file in Linux, the fuser command can be employed. By executing the command "fuser filename," a list of processes utilizing the file will be displayed. You may also use other tools like ps, pgrep, or top to find the PID first.
Tip: When you use the -R option, lsof includes an additional column labeled PPID in its output, showing the Parent Process ID for each listed process. This can be quite useful when you want to identify not just which processes have certain files open, but also the parent processes that spawned those processes.
Listing Network Files
Network Files
List All Network Files:
lsof -i
Filter by Protocol
For TCP connections:
lsof -i tcp
For UDP connections:
lsof -i udp
For IPv4 network connection files:
sudo lsof -i 4
Replace 4 with 6 for IPv6 files.
Filter by Port Number
For a specific port, say port 631:
lsof -i :631
We can also list multiple port numbers, such as lsof -i :22,443
Or, specify a TCP port range along with the network protocol, such as lsof -i TCP:1-44653.
Filter by Network Status
To list all listening sockets:
lsof -i | grep LISTEN
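Going one step beyond the grep filter, the following added example (not part of the original page) uses the column layout described earlier to report only TCP listeners bound to the wildcard address, which are reachable on every interface. It assumes the input comes from lsof -i -P -n, so addresses and ports are numeric; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `lsof -i -P -n` output (not captured from a real host).
sample_lsof() {
cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4  21345      0t0  TCP *:22 (LISTEN)
sshd      812 root    4u  IPv6  21347      0t0  TCP *:22 (LISTEN)
cupsd     934 root    7u  IPv4  25110      0t0  TCP 127.0.0.1:631 (LISTEN)
python3  4410 tom     5u  IPv4  88231      0t0  TCP *:8000 (LISTEN)
sshd     5120 root    4u  IPv4  90112      0t0  TCP 10.0.0.5:22->10.0.0.9:51522 (ESTABLISHED)
avahi     701 avahi  12u  IPv4  19002      0t0  UDP *:5353
EOF
}

# Print "USER COMMAND PID PORT" once per TCP listener bound to the wildcard
# address ("*:port"). Loopback listeners, established connections and UDP
# sockets are skipped. The IPv4 and IPv6 sockets of one daemon on the same
# port collapse into a single line.
exposed_listeners() {
  awk 'NR > 1 && $8 == "TCP" && $NF == "(LISTEN)" && $9 ~ /^\*:/ {
         port = $9
         sub(/^\*:/, "", port)            # keep only the port number
         key = $3 " " $1 " " $2 " " port  # USER COMMAND PID PORT
         if (!(key in seen)) { seen[key] = 1; print key }
       }'
}

# On a live system: sudo lsof -i -P -n | exposed_listeners
sample_lsof | exposed_listeners
```

A listener owned by an ordinary user account, such as the python3 entry in the sample, is usually the line worth a second look.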
List Files Opened by a Specific User
To list files opened by a specific user using lsof, you can use the -u option followed by the username. For instance, if you want to see all the files opened by the user named "tom", you would use the following command:
lsof -u tom
This will display a list of all open files (including network connections, regular files, directories, etc.) associated with the user "tom".
If you want to exclude the files opened by a specific user, you can prefix the username with the ^ character:
lsof -u ^tom
This command will list open files for all users except "tom".
Finding Processes Using a Specific File or Directory
Finding Processes Using a Specific File
If you have a specific file in mind and want to find out which processes are currently using it, you can simply use lsof followed by the file's path.
For example, if you want to see which processes are accessing the file /var/log/syslog, you would use:
lsof /var/log/syslog
Finding Processes Using a Specific Directory
If you want to find out which processes are accessing a specific directory and possibly its contents, you can use:
lsof +D /var/log
Here the +D option tells lsof to recursively check all files within the directory, so it might take some time for directories with many files or subdirectories.
Display open unlinked files
Sometimes there are open files that are unlinked (i.e., they've been deleted but are still held open by some process); they consume disk space but aren't visible in directory listings. To find those open files, use the lsof command with the +L1 option. The +L1 option instructs lsof to display all files with fewer than 1 link.
Example:
lsof -a +L1 /var/log
This command lists all open files that are unlinked within the /var/log directory. The -a option means "AND." It's used to combine multiple conditions. In this context, it ensures that the results match both the +L1 condition and the /var/log directory.
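To see which processes hold the most space in unlinked files, the following added example (not part of the original page) totals the SIZE/OFF column per process from lsof +L1 output. It assumes the +L layout, where an NLINK column sits between SIZE/OFF and NODE; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `lsof +L1` output; +L adds the NLINK column.
sample_unlinked() {
cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE  SIZE/OFF NLINK   NODE NAME
rsyslogd  612 syslog  7w   REG    8,1 524288000     0 131090 /var/log/syslog.1 (deleted)
java     2301 app    12w   REG    8,1 104857600     0 131322 /var/log/app/app.log (deleted)
java     2301 app    13w   REG    8,1   1048576     0 131323 /var/log/app/gc.log (deleted)
nginx     990 www     5u   REG    8,1         0     0 131400 /var/lib/nginx/body/0000000001 (deleted)
bash     3100 tom   cwd    DIR    8,1      4096     0 140001 /tmp/build (deleted)
EOF
}

# Print "MiB FILES PID COMMAND" per process, largest first.
# Only regular files with a link count of 0 are counted. Rows whose SIZE/OFF
# is not a plain byte count (blank, or an offset such as 0t0) are skipped,
# because an empty column shifts the remaining fields.
unlinked_space() {
  awk 'NR > 1 && $5 == "REG" && $7 ~ /^[0-9]+$/ && $8 == 0 {
         key = $2 " " $1          # PID COMMAND
         bytes[key] += $7
         files[key]++
       }
       END {
         for (k in bytes)
           printf "%d %d %s\n", bytes[k] / 1048576, files[k], k
       }' |
    sort -k1,1nr -k3,3n
}

# On a live system: sudo lsof +L1 | unlinked_space
sample_unlinked | unlinked_space
```

The space is released only when the listed process closes the descriptor or exits, so the PID column tells you which service to restart or signal to reopen its logs.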
Real-time Monitoring
The lsof command can be used in a "real-time" monitoring fashion by using the -r option. This repeatedly reports its output at specified intervals (default 15 seconds).
Example:
lsof -r
You can specify the repeat interval (in seconds) by providing a number right after the -r option.
lsof -r5
This command monitors network connections in real time every 5 seconds: