Power of Linux lsof Command for Daily Usage in Linux

May 9, 2011

"lsof" stands for List Open Files. It is extremely useful for a system administrator to find out the details about files that have been opened and their respective processes. In Linux, everything is just a file: pipes, directories, inodes, or IP sockets. With the help of this command, you can monitor what is actually going on in your system, and also find out the details about files that are open in some particular partitions. This command helps the professional system administrator to perform advanced level tasks such as disk usage calculations, or mounting/unmounting of removable media etc.

Installing lsof

Considering the popularity and the wide range of utility of this command, almost all modern operating systems have it preinstalled. But if it's still missing on your Linux system, you can install it by running one of the following commands (depending on your Linux distribution type):

yum install lsof  (for Fedora, CentOS and RHEL)
sudo apt-get install lsof  (for Debian or Ubuntu)

Once lsof has been installed successfully, you can find help by running the "man lsof" command in the terminal.

Let us see how we can use this awesome tool to monitor and manage our Linux system. We are listing below the common usage options with example outputs:

1) List processes that have a specific file open

To list the processes that have a specific file open, simply run the lsof command followed by the file path. For example, to see the processes that have /var/log/messages open, run:

lsof /var/log/messages

Sample output:

[root@localhost ~]# lsof /var/log/messages
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rsyslogd 1395 root 3w REG 202,0 59932 17322 /var/log/messages

2) List processes using a mount point / partition

When trying to unmount a partition, you might have seen the “Device or Resource Busy” error. It happens because that particular partition or mount point is still being used by some other processes. We need to use lsof to find those processes and kill them before the partition can be unmounted successfully. To see which processes are using a particular partition, run the lsof command followed by the partition or mount point name, as follows:

lsof /run

[root@localhost ~]# lsof /run
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd-j 1065 root mem REG 0,17 6488064 1362725 /run/log/journal/72863e389b584a4dab36fae7f3bffda2/system.journal
systemd-j 1065 root mem REG 0,17 8 810 /run/systemd/journal/kernel-seqnum
systemd-j 1065 root 12u REG 0,17 6488064 1362725 /run/log/journal/72863e389b584a4dab36fae7f3bffda2/system.journal
systemd-u 1078 root 6u REG 0,17 8 3703 /run/udev/queue.bin
NetworkMa 1388 root 20w FIFO 0,17 0t0 3912 /run/systemd/inhibit/1.ref
rsyslogd 1395 root mem REG 0,17 6488064 1362725 /run/log/journal/72863e389b584a4dab36fae7f3bffda2/system.journal

3) List files opened by some specific users

In order to see the list of files opened by some particular user, use the “-u” option along with the lsof command.

lsof -u username

[root@localhost ~]# lsof -u root
COMMAND     PID USER   FD      TYPE             DEVICE  SIZE/OFF       NODE NAME
systemd       1 root  cwd       DIR              202,0      4096          2 /
systemd       1 root  rtd       DIR              202,0      4096          2 /
systemd       1 root  txt       REG              202,0   1214424       9632 /usr/lib/systemd/systemd
systemd       1 root  mem       REG              202,0     58288      17357 /usr/lib64/libnss_files-2.17.so
systemd       1 root  mem       REG              202,0     90632       9967 /usr/lib64/libz.so.1.2.7
systemd       1 root  mem       REG              202,0     19888       9738 /usr/lib64/libattr.so.1.1.0
systemd       1 root  mem       REG              202,0    113320      17354 /usr/lib64/libnsl-2.17.so
systemd       1 root  mem       REG              202,0    153184       9838 /usr/lib64/liblzma.so.5.0.99
systemd       1 root  mem       REG              202,0    398264       9898 /usr/lib64/libpcre.so.1.2.0
systemd       1 root  mem       REG              202,0     19512      17350 /usr/lib64/libdl-2.17.so
systemd       1 root  mem       REG              202,0   2107600       9733 /usr/lib64/libc-2.17.so
systemd       1 root  mem       REG              202,0    141616       9877 /usr/lib64/libpthread-2.17.so
systemd       1 root  mem       REG              202,0     88720      17522 /usr/lib64/libgcc_s-4.8.2-20140120.so.1
systemd       1 root  mem       REG              202,0    304536       9762 /usr/lib64/libdbus-1.so.3.7.4
systemd       1 root  mem       REG              202,0     44048      17367 /usr/lib64/librt-2.17.so

4) Find out processes using some particular port

Many times we find that some services cannot bind to a port since the port is already being used by other processes. In such cases, it is necessary to find that process using the port and kill it. Here is one example which may help:

 lsof -i :25

5) List Network connections

You can use lsof to list network connections. Use the "-i" option along with lsof to see these details.

[root@localhost ~]# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1383 avahi 12u IPv4 3397 0t0 UDP *:mdns
avahi-dae 1383 avahi 13u IPv4 3398 0t0 UDP *:53376
chronyd 1393 chrony 1u IPv4 2712 0t0 UDP *:ntp
chronyd 1393 chrony 2u IPv6 2713 0t0 UDP *:ntp
chronyd 1393 chrony 3u IPv4 2714 0t0 UDP localhost:323
chronyd 1393 chrony 5u IPv6 2715 0t0 UDP localhost:323
dhclient 1497 root 6u IPv4 4179 0t0 UDP *:bootpc
dhclient 1497 root 20u IPv4 4151 0t0 UDP *:24561
dhclient 1497 root 21u IPv6 4152 0t0 UDP *:20528
sshd 1707 root 3u IPv4 4897 0t0 TCP *:ssh (LISTEN)
sshd 1707 root 4u IPv6 4908 0t0 TCP *:ssh (LISTEN)
sshd 25453 root 3u IPv4 1601772 0t0 TCP li978-9.members.linode.com:ssh->182.188.228.74:casp (ESTABLISHED)

6) Find out files opened by some particular daemon

To display all the files opened by a specific daemon, use the "-c" option with lsof followed by the daemon name.

lsof -c mysql
mysqld 991 admin cwd DIR 8,3 240 148743 /home/admin/novell/idm/mysql/data
mysqld 991 admin rtd DIR 8,3 536 2 /
mysqld 991 admin txt REG 8,3 5464060 148691 /home/admin/novel/bin/mysqld
mysqld 991 admin 0r CHR 1,3 41715 /dev/null
mysqld 991 admin 1w REG 8,3 1250 149954 /home/admin/novell/mysql/mysql.log
mysqld 991 admin 2w REG 8,3 1250 149954 /home/admin/novell/mysql/mysql.log
mysqld 991 admin 3u IPv4 86990 TCP

7) List all open files by process ID

You can use option 'p' along with lsof command to find out the list of files opened by any particular process.

lsof -p PID

Replace PID with the process ID.

[root@localhost ~]# lsof -p 484
COMMAND   PID USER   FD      TYPE DEVICE SIZE/OFF NODE NAME
fsnotify_ 484 root  cwd       DIR  202,0     4096    2 /
fsnotify_ 484 root  rtd       DIR  202,0     4096    2 /
fsnotify_ 484 root  txt   unknown                      /proc/484/exe

8) Kill processes for some particular user

You can kill all processes belonging to some particular user by using the following command. Replace USERNAME with your actual username:

kill -9 `lsof -t -u USERNAME`

9) Find out Ports and Services Mapping

You can find out the mapping between ports and their associated services on a Linux system using the lsof command. The following command will show you the mapping details for the various running services and their associated ports on the IPv4 network interface:

lsof -Pnl +M -i4

[root@localhost ~]# lsof -Pnl +M -i4
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1383 70 12u IPv4 3397 0t0 UDP *:5353
avahi-dae 1383 70 13u IPv4 3398 0t0 UDP *:53376
chronyd 1393 998 1u IPv4 2712 0t0 UDP *:123
chronyd 1393 998 3u IPv4 2714 0t0 UDP 127.0.0.1:323
dhclient 1497 0 6u IPv4 4179 0t0 UDP *:68
dhclient 1497 0 20u IPv4 4151 0t0 UDP *:24561
sshd 1707 0 3u IPv4 4897 0t0 TCP *:22 (LISTEN)
sshd 25453 0 3u IPv4 1601772 0t0 TCP 45.33.24.9:22->182.188.228.74:1130 (ESTABLISHED)
sshd 25549 0 3u IPv4 1602514 0t0 TCP 45.33.24.9:22->115.230.126.149:60138 (ESTABLISHED)
sshd 25550 74 3u IPv4 1602514 0t0 TCP 45.33.24.9:22->115.230.126.149:60138 (ESTABLISHED)

The following command will show you the mapping information for the IPv6 network interface:

lsof -Pnl +M -i6

[root@localhost ~]# lsof -Pnl +M -i6
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chronyd 1393 998 2u IPv6 2713 0t0 UDP *:123
chronyd 1393 998 5u IPv6 2715 0t0 UDP [::1]:323
dhclient 1497 0 21u IPv6 4152 0t0 UDP *:20528
sshd 1707 0 4u IPv6 4908 0t0 TCP *:22 (LISTEN)
[root@localhost ~]# lsof -Pnl +M -i4

10) Find the program using an unknown port

In order to check whether there are any suspicious ports on your system, just run the netstat command:

netstat -an
udp 0 0 0.0.0.0:32853 0.0.0.0:*
udp 0 0 0.0.0.0:56655 0.0.0.0:*
udp 0 0 0.0.0.0:5500 0.0.0.0:*
udp 0 0 0.0.0.0:78 0.0.0.0:*

From the above result, you can see that port 5500 is unknown. So, you can locate the program using the port with the following command:

 lsof -i udp:5500
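The same check can be run over every bound port at once. The following is an added example, not part of the original article: a shell function that reads `lsof -Pnl +M -i4` output and reports listening TCP sockets and unconnected UDP sockets whose protocol and port are not on an allowlist. The function names, the allowlist format and the allowlist contents are assumptions; the sample rows are copied from the section 9 output.

```shell
#!/bin/sh
# Added example, not from the original article.
# Reads `lsof -Pnl +M -i4` (or -i6) output on stdin and prints every
# listening TCP socket or unconnected UDP socket whose PROTO:PORT is not
# in the allowlist passed as $1 (space separated; format is an assumption).
unexpected_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "COMMAND" { next }                  # header row(s)
    NF < 9          { next }                  # blank or truncated rows
    {
        proto = $8; name = $9; state = $10
        if (proto != "TCP" && proto != "UDP") next
        if (name ~ /->/) next                 # connected socket, has a peer
        if (proto == "TCP" && state != "(LISTEN)") next
        port = name
        sub(/.*:/, "", port)                  # keep text after the last colon
        key = proto ":" port
        if (!(key in ok) && !seen[$2 SUBSEP key]++)
            print $1, $2, key, name           # COMMAND PID PROTO:PORT NAME
    }'
}

# Sample rows copied from the section 9 output above.
sample_lsof_output() {
    cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1383 70 12u IPv4 3397 0t0 UDP *:5353
avahi-dae 1383 70 13u IPv4 3398 0t0 UDP *:53376
chronyd 1393 998 1u IPv4 2712 0t0 UDP *:123
chronyd 1393 998 3u IPv4 2714 0t0 UDP 127.0.0.1:323
dhclient 1497 0 6u IPv4 4179 0t0 UDP *:68
dhclient 1497 0 20u IPv4 4151 0t0 UDP *:24561
sshd 1707 0 3u IPv4 4897 0t0 TCP *:22 (LISTEN)
sshd 25453 0 3u IPv4 1601772 0t0 TCP 45.33.24.9:22->182.188.228.74:1130 (ESTABLISHED)
EOF
}

# Hypothetical allowlist for this host: ssh, DHCP client, NTP, chronyd, mDNS.
ALLOWED="TCP:22 UDP:68 UDP:123 UDP:323 UDP:5353"

sample_lsof_output | unexpected_listeners "$ALLOWED"
# On a live system: lsof -Pnl +M -i4 | unexpected_listeners "$ALLOWED"
```

The -P option matters here: without it lsof prints service names such as ssh or ntp instead of port numbers, and the allowlist comparison no longer matches.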

11) View all TCP or UDP connections

Use the following command to view both TCP and UDP connections on your Linux system:

lsof -i tcp; lsof -i udp;

[root@localhost ~]# lsof -i tcp; lsof -i udp;
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1707 root 3u IPv4 4897 0t0 TCP *:ssh (LISTEN)
sshd 1707 root 4u IPv6 4908 0t0 TCP *:ssh (LISTEN)
sshd 25453 root 3u IPv4 1601772 0t0 TCP li978-9.members.linode.com:ssh->182.188.228.74:casp (ESTABLISHED)
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1383 avahi 12u IPv4 3397 0t0 UDP *:mdns
avahi-dae 1383 avahi 13u IPv4 3398 0t0 UDP *:53376
chronyd 1393 chrony 1u IPv4 2712 0t0 UDP *:ntp
chronyd 1393 chrony 2u IPv6 2713 0t0 UDP *:ntp
chronyd 1393 chrony 3u IPv4 2714 0t0 UDP localhost:323
chronyd 1393 chrony 5u IPv6 2715 0t0 UDP localhost:323
dhclient 1497 root 6u IPv4 4179 0t0 UDP *:bootpc
dhclient 1497 root 20u IPv4 4151 0t0 UDP *:24561
dhclient 1497 root 21u IPv6 4152 0t0 UDP *:20528

12) Run lsof in repeat mode

We can also run lsof in repeat mode, which means it displays the results once, pauses for a few seconds, and then displays updated results for the same criteria. It is very useful for troubleshooting Linux system performance issues. Run the lsof command followed by the "-r" option and the delay interval in seconds.

lsof -i :25 -r5

Conclusion

We hope you found this article useful. In case you have any questions, please do let us know in the comments. Utilities like lsof are a real blessing for system administrators. It is a lightweight, easy to use tool which is used on a daily basis by thousands of system administrators to troubleshoot issues with Linux systems.
