Lsof command stands for 'List Open Files'. It is extremely useful to find out the details about files that have been opened and their respective processes. With the help of this command, you can monitor your system for what is actually going on, and also find out the details about files that are open in some particular partitions.
In this tutorial, I am listing the common usage of lsof command with examples.
1) List processes opened by specific File
In order to list processes that were opened by some specific file, simply run lsof command followed by file path. i.e. to see processes opened by /var/log/messages file, simply run:
# lsof /var/log/messagesSample output:
# lsof /var/log/messages
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rsyslogd 1395 root 3w REG 202,0 59932 17322 /var/log/messages2) List processes using a mount point/partition
When trying to unmount some partition, you might have seen “Device or Resource Busy” error, it happens because that particular partition or mount point is still being used by some other processes. We need to use lsof to find out those processes and kill them before successfully unmounting the partition. In order to see which processes are using some particular partition, use lsof command followed by partition name as follows:
# lsof /runSample output:
# lsof /run
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd-j 1065 root mem REG 0,17 6488064 1362725 /run/log/journal/72863e389b584a4dab36fae7f3bffda2/system.journal
systemd-j 1065 root mem REG 0,17 8 810 /run/systemd/journal/kernel-seqnum
systemd-j 1065 root 12u REG 0,17 6488064 1362725 /run/log/journal/72863e389b584a4dab36fae7f3bffda2/system.journal
systemd-u 1078 root 6u REG 0,17 8 3703 /run/udev/queue.bin
NetworkMa 1388 root 20w FIFO 0,17 0t0 3912 /run/systemd/inhibit/1.ref
rsyslogd 1395 root mem REG 0,17 6488064 1362725 /run/log/journal/72863e389b584a4dab36fae7f3bffda2/system.journal3) List files opened by some specific users
In order to see the list of files opened by some particular user, use “-u” option along with lsof commad.
# lsof –u username
# lsof -u root
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root cwd DIR 202,0 4096 2 /
systemd 1 root rtd DIR 202,0 4096 2 /
systemd 1 root txt REG 202,0 1214424 9632 /usr/lib/systemd/systemd
systemd 1 root mem REG 202,0 58288 17357 /usr/lib64/libnss_files-2.17.so
systemd 1 root mem REG 202,0 90632 9967 /usr/lib64/libz.so.1.2.7
systemd 1 root mem REG 202,0 19888 9738 /usr/lib64/libattr.so.1.1.0
systemd 1 root mem REG 202,0 113320 17354 /usr/lib64/libnsl-2.17.so
systemd 1 root mem REG 202,0 153184 9838 /usr/lib64/liblzma.so.5.0.99
systemd 1 root mem REG 202,0 398264 9898 /usr/lib64/libpcre.so.1.2.0
systemd 1 root mem REG 202,0 19512 17350 /usr/lib64/libdl-2.17.so
systemd 1 root mem REG 202,0 2107600 9733 /usr/lib64/libc-2.17.so
systemd 1 root mem REG 202,0 141616 9877 /usr/lib64/libpthread-2.17.so
systemd 1 root mem REG 202,0 88720 17522 /usr/lib64/libgcc_s-4.8.2-20140120.so.1
systemd 1 root mem REG 202,0 304536 9762 /usr/lib64/libdbus-1.so.3.7.4
systemd 1 root mem REG 202,0 44048 17367 /usr/lib64/librt-2.17.so4) Find out processes using some particular port
Many times we find that some services cannot bind to a port since the port is already being used by other processes. In such cases, it is necessary to find that process using the port and kill it. Here is one example which may help:
# lsof -i :255) List Network connections
You can use lsof to list network connections. Use 'option 'i' along with lsof to see these details.
# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1383 avahi 12u IPv4 3397 0t0 UDP *:mdns
avahi-dae 1383 avahi 13u IPv4 3398 0t0 UDP *:53376
chronyd 1393 chrony 1u IPv4 2712 0t0 UDP *:ntp
chronyd 1393 chrony 2u IPv6 2713 0t0 UDP *:ntp
chronyd 1393 chrony 3u IPv4 2714 0t0 UDP localhost:323
chronyd 1393 chrony 5u IPv6 2715 0t0 UDP localhost:323
dhclient 1497 root 6u IPv4 4179 0t0 UDP *:bootpc
dhclient 1497 root 20u IPv4 4151 0t0 UDP *:24561
dhclient 1497 root 21u IPv6 4152 0t0 UDP *:20528
sshd 1707 root 3u IPv4 4897 0t0 TCP *:ssh (LISTEN)
sshd 1707 root 4u IPv6 4908 0t0 TCP *:ssh (LISTEN)
sshd 25453 root 3u IPv4 1601772 0t0 TCP li978-9.members.linode.com:ssh->182.188.228.74:casp (ESTABLISHED)6) Find out files opened by some particular daemon
To display all the files opened by a specific daemon, use option 'c' with lsof followed by daemon name.
# lsof –c mysql
mysqld 991 admin cwd DIR 8,3 240 148743 /home/admin/novell/idm/mysql/data
mysqld 991 admin rtd DIR 8,3 536 2 /
mysqld 991 admin txt REG 8,3 5464060 148691 /home/admin/novel/bin/mysqld
mysqld 991 admin 0r CHR 1,3 41715 /dev/null
mysqld 991 admin 1w REG 8,3 1250 149954 /home/admin/novell/mysql/mysql.log
mysqld 991 admin 2w REG 8,3 1250 149954 /home/admin/novell/mysql/mysql.log
mysqld 991 admin 3u IPv4 86990 TCP7) List all open files by process ID
You can use option 'p' along with lsof command to find out the list of files opened by any particular process.
# lsof -p PIDReplace PID with the process ID.
# lsof -p 484
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
fsnotify_ 484 root cwd DIR 202,0 4096 2 /
fsnotify_ 484 root rtd DIR 202,0 4096 2 /
fsnotify_ 484 root txt unknown /proc/484/exe8) Kill processes for some particular user
You can kill all processes belonging to some particular user by using the following command, replace USERNAME with your actual username:
# kill -9 `lsof -t -u USERNAME9) Find out Ports and Services Mapping
You can find out ports and their affiliated services mapping on a Linux system using lsof command. The following command will show you the mapping details for the various running services and their associated ports on IPV4 network interface:
# lsof -Pnl +M -i4# lsof -Pnl +M -i4
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1383 70 12u IPv4 3397 0t0 UDP *:5353
avahi-dae 1383 70 13u IPv4 3398 0t0 UDP *:53376
chronyd 1393 998 1u IPv4 2712 0t0 UDP *:123
chronyd 1393 998 3u IPv4 2714 0t0 UDP 127.0.0.1:323
dhclient 1497 0 6u IPv4 4179 0t0 UDP *:68
dhclient 1497 0 20u IPv4 4151 0t0 UDP *:24561
sshd 1707 0 3u IPv4 4897 0t0 TCP *:22 (LISTEN)
sshd 25453 0 3u IPv4 1601772 0t0 TCP 45.33.24.9:22->182.188.228.74:1130 (ESTABLISHED)
sshd 25549 0 3u IPv4 1602514 0t0 TCP 45.33.24.9:22->115.230.126.149:60138 (ESTABLISHED)
sshd 25550 74 3u IPv4 1602514 0t0 TCP 45.33.24.9:22->115.230.126.149:60138 (ESTABLISHED)The following command will show you mapping information for IPV6 network interface:
# lsof -Pnl +M -i6[root@localhost ~]# lsof -Pnl +M -i6
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chronyd 1393 998 2u IPv6 2713 0t0 UDP *:123
chronyd 1393 998 5u IPv6 2715 0t0 UDP [::1]:323
dhclient 1497 0 21u IPv6 4152 0t0 UDP *:20528
sshd 1707 0 4u IPv6 4908 0t0 TCP *:22 (LISTEN)
[root@localhost ~]# lsof -Pnl +M -i410) Find program running by unknown port
In order to check whether there are any suspicious ports on your system just run the netstat command.
# netstat –an
udp 0 0 0.0.0.0:32853 0.0.0.0:*
udp 0 0 0.0.0.0:56655 0.0.0.0:*
udp 0 0 0.0.0.0:5500 0.0.0.0:*
udp 0 0 0.0.0.0:78 0.0.0.0:*From the above result, you can see that port 5500 is unknown. So, you can locate the program using the port with the following command:
# lsof -i udp:550011) View all TCP or UDP connections
Use the following command to view both TCP and UDP connections on your Linux system:
# lsof -i tcp; lsof -i udp;# lsof -i tcp; lsof -i udp;
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1707 root 3u IPv4 4897 0t0 TCP *:ssh (LISTEN)
sshd 1707 root 4u IPv6 4908 0t0 TCP *:ssh (LISTEN)
sshd 25453 root 3u IPv4 1601772 0t0 TCP li978-9.members.linode.com:ssh->182.188.228.74:casp (ESTABLISHED)
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 1383 avahi 12u IPv4 3397 0t0 UDP *:mdns
avahi-dae 1383 avahi 13u IPv4 3398 0t0 UDP *:53376
chronyd 1393 chrony 1u IPv4 2712 0t0 UDP *:ntp
chronyd 1393 chrony 2u IPv6 2713 0t0 UDP *:ntp
chronyd 1393 chrony 3u IPv4 2714 0t0 UDP localhost:323
chronyd 1393 chrony 5u IPv6 2715 0t0 UDP localhost:323
dhclient 1497 root 6u IPv4 4179 0t0 UDP *:bootpc
dhclient 1497 root 20u IPv4 4151 0t0 UDP *:24561
dhclient 1497 root 21u IPv6 4152 0t0 UDP *:2052812) Run lsof in repeat mode
We can run lsof in repeat mode too, which means it will display results once and then take break for few seconds and then it will display updated results again on the mentioned intervals. It is very useful for troubleshooting Linux system performance issues.
Run lsof command followed by "-r" option and the delay interval in seconds. Find below one example
Keep an eye on a users activity every 3 seconds
# lsof -r 3 -u usernameConclusion
In this tutorial we learned how to use lsof command in linux with examples. If you have any questions or thoughts on this tutorial please use the below comment section.
