This tutorial explains Linux “lsof” command, options and its usage with examples.
Description :
lsof is a command meaning “list open files”, which is used in many Unix-like systems to report a list of all open files and the processes that opened them.
Usage :
lsof [OPTIONS]
Options :
-u s
This option selects the listing of files for the user whose login names or user ID numbers are in the comma-separated set s – e.g., “abe”, or “548,root”. (There should be no spaces in the set.)
-a
The -a option may be used to AND the selections.
-c c
This option selects the listing of files for processes executing the command that begins with the characters of c. Multiple commands may be specified, using multiple -c options. They are joined in a single ORed set before participating in AND option selection.
+D D
This option causes lsof to search for all open instances of directory D and all the files and directories it contains to its complete depth. Symbolic links within directory D are ignored – i.e, not followed.
-i [i]
This option selects the listing of files any of whose Internet address matches the address specified in i. If no address is specified, this option selects the listing of all Internet and x.25 (HP-UX) network files.
If -i4 or -i6 is specified with no following address, only files of the indicated IP version, IPv4 or IPv6, are displayed.
-p s
This option selects the listing of files for the processes whose ID numbers are in the comma-separated set s – e.g., “123” or “123,456”. (There should be no spaces in the set.)
Multiple process ID numbers are joined in a single ORed set before participating in AND option selection.
+|-r [t]
This option puts lsof in repeat mode. There lsof lists open files as selected by other options, delays t seconds (default fifteen), then repeats the listing, delaying and listing repetitively until stopped by a condition defined by the prefix to the option.
If the prefix is a `-‘, repeat mode is endless. Lsof must be terminated with an interrupt or quit signal.
If the prefix is `+’, repeat mode will end the first cycle no open files are listed – and of course when lsof is stopped with an interrupt or quit signal. When repeat mode ends because no files are listed, the process exit code will be zero if any open files were ever listed; one, if none were ever listed.
Examples :
1. List all Open Files with lsof Command
# lsof COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME init 1 root cwd DIR 253,0 4096 2 / init 1 root rtd DIR 253,0 4096 2 / init 1 root txt REG 253,0 145180 147164 /sbin/init init 1 root mem REG 253,0 1889704 190149 /lib/libc-2.12.so init 1 root 0u CHR 1,3 0t0 3764 /dev/null init 1 root 1u CHR 1,3 0t0 3764 /dev/null init 1 root 2u CHR 1,3 0t0 3764 /dev/null init 1 root 3r FIFO 0,8 0t0 8449 pipe init 1 root 4w FIFO 0,8 0t0 8449 pipe init 1 root 5r DIR 0,10 0 1 inotify init 1 root 6r DIR 0,10 0 1 inotify init 1 root 7u unix 0xc1513880 0t0 8450 socket
We’ll review FD & TYPE columns more precisely:
FD – stands for File descriptor and may seen some of the values as:
cwd current working directory
rtd root directory
txt program text (code and data)
mem memory-mapped file
Also in FD column numbers like 1u is actual file descriptor and followed by u,r,w of it’s mode as:
r for read access.
w for write access.
u for read and write access.
TYPE – of files and it’s identification.
DIR – Directory
REG – Regular file
CHR – Character special file.
FIFO – First In First Out
2. List User Specific Opened Files
The below command will display the list of all opened files of user abc.
# lsof -u abc COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME sshd 1838 abc cwd DIR 253,0 4096 2 / sshd 1838 abc rtd DIR 253,0 4096 2 / sshd 1838 abc txt REG 253,0 532336 188129 /usr/sbin/sshd sshd 1838 abc mem REG 253,0 19784 190237 /lib/libdl-2.12.so sshd 1838 abc mem REG 253,0 122436 190247 /lib/libselinux.so.1 sshd 1838 abc mem REG 253,0 255968 190256 /lib/libgssapi_krb5.so.2.2 sshd 1838 abc mem REG 253,0 874580 190255 /lib/libkrb5.so.3.3
3. Find Processes running on Specific Port
To find out all the running process of specific port, just use the following command with option -i. The below example will list all running process of port 22.
# lsof -i TCP:22 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME sshd 1471 root 3u IPv4 12683 0t0 TCP *:ssh (LISTEN) sshd 1471 root 4u IPv6 12685 0t0 TCP *:ssh (LISTEN)
4. List Only IPv4 & IPv6 Open Files
In below example shows only IPv4 and IPv6 network files open with separate commands.
# lsof -i 4 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rpcbind 1203 rpc 6u IPv4 11326 0t0 UDP *:sunrpc rpcbind 1203 rpc 7u IPv4 11330 0t0 UDP *:954 rpcbind 1203 rpc 8u IPv4 11331 0t0 TCP *:sunrpc (LISTEN) avahi-dae 1241 avahi 13u IPv4 11579 0t0 UDP *:mdns avahi-dae 1241 avahi 14u IPv4 11580 0t0 UDP *:58600 # lsof -i 6 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rpcbind 1203 rpc 9u IPv6 11333 0t0 UDP *:sunrpc rpcbind 1203 rpc 10u IPv6 11335 0t0 UDP *:954 rpcbind 1203 rpc 11u IPv6 11336 0t0 TCP *:sunrpc (LISTEN) rpc.statd 1277 rpcuser 10u IPv6 11858 0t0 UDP *:55800 rpc.statd 1277 rpcuser 11u IPv6 11862 0t0 TCP *:56428 (LISTEN) cupsd 1346 root 6u IPv6 12112 0t0 TCP localhost:ipp (LISTEN)
5. List Open Files of TCP Port ranges 1-1024
To list all the running process of open files of TCP Port ranges from 1-1024.
# lsof -i TCP:1-1024 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rpcbind 1203 rpc 11u IPv6 11336 0t0 TCP *:sunrpc (LISTEN) cupsd 1346 root 7u IPv4 12113 0t0 TCP localhost:ipp (LISTEN) sshd 1471 root 4u IPv6 12685 0t0 TCP *:ssh (LISTEN) master 1551 root 13u IPv6 12898 0t0 TCP localhost:smtp (LISTEN) sshd 1834 root 3r IPv4 15101 0t0 TCP 192.168.0.2:ssh->192.168.0.1:conclave-cpp (ESTABLISHED) sshd 1838 tecmint 3u IPv4 15101 0t0 TCP 192.168.0.2:ssh->192.168.0.1:conclave-cpp (ESTABLISHED) sshd 1871 root 3r IPv4 15842 0t0 TCP 192.168.0.2:ssh->192.168.0.1:groove (ESTABLISHED) httpd 1918 root 5u IPv6 15991 0t0 TCP *:http (LISTEN) httpd 1918 root 7u IPv6 15995 0t0 TCP *:https (LISTEN)
6. Exclude User with ‘^’ Character
Here, we have excluded root user. You can exclude a particular user using ‘^’ with command as shown above.
# lsof -i -u^root COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rpcbind 1203 rpc 6u IPv4 11326 0t0 UDP *:sunrpc rpcbind 1203 rpc 7u IPv4 11330 0t0 UDP *:954 rpcbind 1203 rpc 8u IPv4 11331 0t0 TCP *:sunrpc (LISTEN) rpcbind 1203 rpc 9u IPv6 11333 0t0 UDP *:sunrpc rpcbind 1203 rpc 10u IPv6 11335 0t0 UDP *:954 rpcbind 1203 rpc 11u IPv6 11336 0t0 TCP *:sunrpc (LISTEN) avahi-dae 1241 avahi 13u IPv4 11579 0t0 UDP *:mdns avahi-dae 1241 avahi 14u IPv4 11580 0t0 UDP *:58600 rpc.statd 1277 rpcuser 5r IPv4 11836 0t0 UDP *:soap-beep rpc.statd 1277 rpcuser 8u IPv4 11850 0t0 UDP *:55146 rpc.statd 1277 rpcuser 9u IPv4 11854 0t0 TCP *:32981 (LISTEN) rpc.statd 1277 rpcuser 10u IPv6 11858 0t0 UDP *:55800 rpc.statd 1277 rpcuser 11u IPv6 11862 0t0 TCP *:56428 (LISTEN)
7. Find Out who’s Looking What Files and Commands?
Below example shows user abc is using command like ping and /etc directory .
# lsof -i -u abc COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME bash 1839 abc cwd DIR 253,0 12288 15 /etc ping 2525 abc cwd DIR 253,0 12288 15 /etc
8. List all Network Connections
The following command with option ‘-i’ shows the list of all network connections ‘LISTENING & ESTABLISHED’.
# lsof -i COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rpcbind 1203 rpc 6u IPv4 11326 0t0 UDP *:sunrpc rpcbind 1203 rpc 7u IPv4 11330 0t0 UDP *:954 rpcbind 1203 rpc 11u IPv6 11336 0t0 TCP *:sunrpc (LISTEN) avahi-dae 1241 avahi 13u IPv4 11579 0t0 UDP *:mdns avahi-dae 1241 avahi 14u IPv4 11580 0t0 UDP *:58600 rpc.statd 1277 rpcuser 11u IPv6 11862 0t0 TCP *:56428 (LISTEN) cupsd 1346 root 6u IPv6 12112 0t0 TCP localhost:ipp (LISTEN) cupsd 1346 root 7u IPv4 12113 0t0 TCP localhost:ipp (LISTEN) sshd 1471 root 3u IPv4 12683 0t0 TCP *:ssh (LISTEN) master 1551 root 12u IPv4 12896 0t0 TCP localhost:smtp (LISTEN) master 1551 root 13u IPv6 12898 0t0 TCP localhost:smtp (LISTEN) sshd 1834 root 3r IPv4 15101 0t0 TCP 192.168.0.2:ssh->192.168.0.1:conclave-cpp (ESTABLISHED) httpd 1918 root 5u IPv6 15991 0t0 TCP *:http (LISTEN) httpd 1918 root 7u IPv6 15995 0t0 TCP *:https (LISTEN) clock-app 2362 narad 21u IPv4 22591 0t0 TCP 192.168.0.2:45284->www.gov.com:http (CLOSE_WAIT) chrome 2377 narad 61u IPv4 25862 0t0 TCP 192.168.0.2:33358->maa03s04-in-f3.1e100.net:http (ESTABLISHED) chrome 2377 narad 80u IPv4 25866 0t0 TCP 192.168.0.2:36405->bom03s01-in-f15.1e100.net:http (ESTABLISHED)
9. Search by PID
The below example only shows whose PID is 1 [One].
# lsof -p 1 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME init 1 root cwd DIR 253,0 4096 2 / init 1 root rtd DIR 253,0 4096 2 / init 1 root txt REG 253,0 145180 147164 /sbin/init init 1 root mem REG 253,0 1889704 190149 /lib/libc-2.12.so init 1 root mem REG 253,0 142472 189970 /lib/ld-2.12.so
10. List processes which opened a specific file
You can list only the processes which opened a specific file, by providing the filename as arguments.
# lsof /var/log/syslog COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rsyslogd 488 syslog 1w REG 8,1 1151 268940 /var/log/syslog
11. List opened files under a directory
You can list the processes which opened files under a specified directory using ‘+D’ option. +D will recurse the sub directories also. If you don’t want lsof to recurse, then use ‘+d’ option.
# lsof +D /var/log/ COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rsyslogd 488 syslog 1w REG 8,1 1151 268940 /var/log/syslog rsyslogd 488 syslog 2w REG 8,1 2405 269616 /var/log/auth.log console-k 144 root 9w REG 8,1 10871 269369 /var/log/ConsoleKit/history
12. List opened files based on process names starting with
You can list the files opened by process names starting with a string, using ‘-c’ option. -c followed by the process name will list the files opened by the process starting with that processes name. You can give multiple -c switch on a single command line.
# lsof -c ssh -c init COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME init 1 root txt REG 8,1 124704 917562 /sbin/init init 1 root mem REG 8,1 1434180 1442625 /lib/i386-linux-gnu/libc-2.13.so init 1 root mem REG 8,1 30684 1442694 /lib/i386-linux-gnu/librt-2.13.so ... ssh-agent 1528 abc 1u CHR 1,3 0t0 4369 /dev/null ssh-agent 1528 abc 2u CHR 1,3 0t0 4369 /dev/null ssh-agent 1528 abc 3u unix 0xdf70e240 0t0 10464 /tmp/ssh-sUymKXxw1495/agent.1495
13. Kill all process that belongs to a particular user
When you want to kill all the processes which has files opened by a specific user, you can use ‘-t’ option to list output only the process id of the process, and pass it to kill as follows
# kill -9 `lsof -t -u abc1`
The above command will kill all process belonging to user ‘abc1’, which has files opened.
14. Execute lsof in repeat mode
lsof also support Repeat mode. It will first list files based on the given parameters, and delay for specified seconds and again list files based on the given parameters. It can be interrupted by a signal.
Repeat mode can be enabled by using ‘-r’ or ‘+r’. If ‘+r’ is used then, the repeat mode will end when no open files are found. ‘-r’ will continue to list,delay,list until a interrupt is given irrespective of files are opened or not.
Each cycle output will be separated by using ‘=======’. You also also specify the time delay as ‘-r’ | ‘+r’.
# lsof -u abc -c init -a -r5 ======= ======= COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME inita.sh 2971 abc cwd DIR 8,1 4096 393218 /home/abc inita.sh 2971 abc rtd DIR 8,1 4096 2 / inita.sh 2971 abc txt REG 8,1 83848 524315 /bin/dash inita.sh 2971 abc mem REG 8,1 1434180 1442625 /lib/i386-linux-gnu/libc-2.13.so inita.sh 2971 abc mem REG 8,1 117960 1442612 /lib/i386-linux-gnu/ld-2.13.so inita.sh 2971 abc 0u CHR 136,4 0t0 7 /dev/pts/4 inita.sh 2971 abc 1u CHR 136,4 0t0 7 /dev/pts/4 inita.sh 2971 abc 2u CHR 136,4 0t0 7 /dev/pts/4 inita.sh 2971 abc 10r REG 8,1 20 393578 /home/abc/inita.sh =======
Sanfoundry Global Education & Learning Series – 1000 Linux Tutorials.
- Practice Programming MCQs
- Apply for Programming Internship
- Check Information Technology Books
- Check Linux Books