In Linux, everything is considered as files and organized inside directories. lsof (List of Open File) displays a list of files that are opened. It mainly helps to find out the information about the process which opened the files. Apart from files, it can list a directory, a block special file, a shared library, a character special file, a regular pipe, a named pipe, an internet socket, a UNIX domain socket, and many others.
In this tutorial, we learn about lsof command in Linux using easy-to-understand examples.
lsof command by default is available in most Linux distributions. Very commonly lsof command is used when we are not able to unmount a disk, then the lsof command helps to find the open file and its process causing it.
lsof [options] [names]
The above syntax will list all the files that have been opened by all the processes in the system.
1. List all open files
To quickly get a list of open files, type lsof. It lists all of the files that have been opened by the system's various processes.
Normally the output will be very long, you use
$ sudo lsof | more , if you want to view the contents one screen at a time.
2. List open files by username
lsof has a command that can be used to find a list of specific files that are opened by a specific user.
To list open files by a username use the following command:
$ lsof -u bobbin
For multiple users use the following syntax:
$ lsof -u [username1] -u [username2]
$ lsof -u [username1], [username2]
To list open files except for certain user:
$ lsof -u ^root
To list only the process id use the
$ lsof -t -u sonar
This will be helpful in case you need to kill all processes related to a specific use.
$ kill -9 lsof -t -u sonar
3. List open files by process
lsof can also be used to list files opened by a specific process by using the
-c option followed by the process name.
For example to list all open files by ssh:
$ lsof -c ssh
4. List open files by filename
We can specify the filename as an argument to list all the processes that have opened a specific file.
To list all processes opened by the file /var/log/messages, type:
$ lsof /var/log/messages
5. List open files by Process ID
Each file is assigned a process ID. A single process may open a large number of files. We can use the lsof command to list all the open files for a given Process ID.
For example to list open files with Process ID 2, type:
$ lsof -p 2
Incase to list open files for multiple process ID, type
$ lsof -p 2,3
A system contains a large number of processes, each of which has files open for use. A process may have many child processes, and this process is also known as the parent process.
The lsof command is used with the
-R option to get a list of files opened by PPID (Parent Process IDentification).
$ lsof -R
You can from the output the 5th column will show the PPID of the open files.
To find the PPID for a specific PID, type:
$ lsof -p [PID] -R
6. List open files in a Directory
To list the open files in a specific directory, we can use the lsof command.
+d option to displays a list of open files in the provided directory, however, it does not go into subdirectories.
The following example searches open files in /var/log directory:
$ lsof +d /var/log
The +D option commands lsof to search the whole depth of the directory for all open instances as well as all the files and directories it contains.
In this case, lsof searches for open files in /var/log and its subdirectories:
$ lsof +D /var/log
7. List open files with network protocol
A system can be linked to various networks for various purposes. Everything in Linux is a file, we can examine the files that are opened by some network connection in the system.
To list the open files in the TCP protocol, we can run the following command.
$ lsof -i TCP
To list the open files in the UDP protocol, we can run the following command.
$ sudo lsof -i UDP
8. List open files by port number
lsof has a command that specifically lists the open files on a given port number to list all the processes running on that port.
For example to list open files on port number 443
$ lsof -i :443
You can list open files for multiple ports number as follows:
$ lsof -i :80,443
You may also list open files of TCP or UDP by port ranges.
$ lsof -i TCP:1-49151
9. List open files by IPv4/IPv6
There is an option in lsof to list IPv4 or IPv6 network files open.
To display IPv4 open files, type
$ lsof -i4
The following syntax can be used to display IPv6 open files:
$ lsof -i6
10. Run lsof continuously
The repeat mode enables lsof to continually repeat with updates with specifies delays. Repeat mode can be enabled by using ‘-r’ or ‘+r’ option, where ‘+r’ will end when no open files are found and ‘-r’ will continue to list until a manual interrupt is initiated. Each delay cycle output will be separated by using ‘========’.
$ lsof [options] -r/+r[time-interval]
$ lsof -u sonar -r5
lsof command headers
lsof has various columns.
COMMAND PID TID TASKCMD USER FD TYPE DEVICE SIZE/OFF NODE NAME
The name of the UNIX command associated with the process is stored in the
PID displays the process ID of the command.
USER displays the name of the user associated with the following process.
TID shows the task ID.
FD is a file descriptor that includes abbreviations like cwd (Current Working Directory), txt (Text Files), mem (Memory-mapped file), rtd (root directory), and many others.
TYPE is an abbreviation for a specific file type, such as REG (Regular file), DIR (Directory), CHR (Character special file), and so on.
DEVICE contains the device numbers.
SIZE/OFF contains the file size or file offset in bytes.
NODE column value represents the node number of a local file.
NAME displays the name of the file's mount point and file system, as well as the Internet address.
In this tutorial, we learned about lsof command and its uses with examples. lsof provides a number of options for customizing its output to meet your needs. It enables you to easily and quickly combine multiple arguments to obtain the required output.