The lsof command stands for 'List Open Files'. It shows which files are open and which processes have them open. With it you can monitor what is actually happening on your system and find out which files are open on a particular partition.
In this tutorial, I list common uses of the lsof command with examples.
1) List processes that have a specific file open
To list the processes that have a specific file open, run lsof followed by the file path. For example, to see the processes that have /var/log/messages open, run:
# lsof /var/log/messages
Sample output:
# lsof /var/log/messages
COMMAND   PID USER FD TYPE DEVICE SIZE/OFF  NODE NAME
rsyslogd 1395 root 3w  REG  202,0    59932 17322 /var/log/messages
2) List processes using a mount point/partition
When you try to unmount a partition, you may see a “Device or Resource Busy” error. It occurs because the partition or mount point is still in use by other processes. Use lsof to find those processes and kill them before unmounting the partition. To see which processes are using a particular partition, run lsof followed by the partition's mount point, as follows:
# lsof /run
Sample output:
# lsof /run
COMMAND    PID USER FD  TYPE DEVICE SIZE/OFF    NODE NAME
systemd-j 1065 root mem REG    0,17  6488064 1362725 /run/log/journal/72863e389b584a4dab36fae7f3bffda2/system.journal
systemd-j 1065 root mem REG    0,17        8     810 /run/systemd/journal/kernel-seqnum
systemd-j 1065 root 12u REG    0,17  6488064 1362725 /run/log/journal/72863e389b584a4dab36fae7f3bffda2/system.journal
systemd-u 1078 root 6u  REG    0,17        8    3703 /run/udev/queue.bin
NetworkMa 1388 root 20w FIFO   0,17      0t0    3912 /run/systemd/inhibit/1.ref
rsyslogd  1395 root mem REG    0,17  6488064 1362725 /run/log/journal/72863e389b584a4dab36fae7f3bffda2/system.journal
3) List files opened by a specific user
To see the list of files opened by a particular user, use the “-u” option with the lsof command.
# lsof -u username
# lsof -u root
COMMAND PID USER FD  TYPE DEVICE SIZE/OFF  NODE NAME
systemd   1 root cwd DIR   202,0     4096     2 /
systemd   1 root rtd DIR   202,0     4096     2 /
systemd   1 root txt REG   202,0  1214424  9632 /usr/lib/systemd/systemd
systemd   1 root mem REG   202,0    58288 17357 /usr/lib64/libnss_files-2.17.so
systemd   1 root mem REG   202,0    90632  9967 /usr/lib64/libz.so.1.2.7
systemd   1 root mem REG   202,0    19888  9738 /usr/lib64/libattr.so.1.1.0
systemd   1 root mem REG   202,0   113320 17354 /usr/lib64/libnsl-2.17.so
systemd   1 root mem REG   202,0   153184  9838 /usr/lib64/liblzma.so.5.0.99
systemd   1 root mem REG   202,0   398264  9898 /usr/lib64/libpcre.so.1.2.0
systemd   1 root mem REG   202,0    19512 17350 /usr/lib64/libdl-2.17.so
systemd   1 root mem REG   202,0  2107600  9733 /usr/lib64/libc-2.17.so
systemd   1 root mem REG   202,0   141616  9877 /usr/lib64/libpthread-2.17.so
systemd   1 root mem REG   202,0    88720 17522 /usr/lib64/libgcc_s-4.8.2-20140120.so.1
systemd   1 root mem REG   202,0   304536  9762 /usr/lib64/libdbus-1.so.3.7.4
systemd   1 root mem REG   202,0    44048 17367 /usr/lib64/librt-2.17.so
4) Find out processes using some particular port
Many times we find that some services cannot bind to a port since the port is already being used by other processes. In such cases, it is necessary to find that process using the port and kill it. Here is one example which may help:
# lsof -i :25
5) List Network connections
You can use lsof to list network connections. Use the '-i' option with lsof to see these details.
# lsof -i
COMMAND     PID USER   FD  TYPE  DEVICE SIZE/OFF NODE NAME
avahi-dae  1383 avahi  12u IPv4    3397      0t0  UDP *:mdns
avahi-dae  1383 avahi  13u IPv4    3398      0t0  UDP *:53376
chronyd    1393 chrony 1u  IPv4    2712      0t0  UDP *:ntp
chronyd    1393 chrony 2u  IPv6    2713      0t0  UDP *:ntp
chronyd    1393 chrony 3u  IPv4    2714      0t0  UDP localhost:323
chronyd    1393 chrony 5u  IPv6    2715      0t0  UDP localhost:323
dhclient   1497 root   6u  IPv4    4179      0t0  UDP *:bootpc
dhclient   1497 root   20u IPv4    4151      0t0  UDP *:24561
dhclient   1497 root   21u IPv6    4152      0t0  UDP *:20528
sshd       1707 root   3u  IPv4    4897      0t0  TCP *:ssh (LISTEN)
sshd       1707 root   4u  IPv6    4908      0t0  TCP *:ssh (LISTEN)
sshd      25453 root   3u  IPv4 1601772      0t0  TCP li978-9.members.linode.com:ssh->182.188.228.74:casp (ESTABLISHED)
6) Find out files opened by some particular daemon
To display all the files opened by a specific daemon, use option 'c' with lsof followed by daemon name.
# lsof -c mysql
mysqld 991 admin cwd DIR 8,3 240 148743 /home/admin/novell/idm/mysql/data
mysqld 991 admin rtd DIR 8,3 536 2 /
mysqld 991 admin txt REG 8,3 5464060 148691 /home/admin/novel/bin/mysqld
mysqld 991 admin 0r CHR 1,3 41715 /dev/null
mysqld 991 admin 1w REG 8,3 1250 149954 /home/admin/novell/mysql/mysql.log
mysqld 991 admin 2w REG 8,3 1250 149954 /home/admin/novell/mysql/mysql.log
mysqld 991 admin 3u IPv4 86990 TCP
7) List all open files by process ID
You can use option 'p' along with lsof command to find out the list of files opened by any particular process.
# lsof -p PID
Replace PID with the process ID.
# lsof -p 484
COMMAND   PID USER FD  TYPE    DEVICE SIZE/OFF NODE NAME
fsnotify_ 484 root cwd DIR     202,0      4096    2 /
fsnotify_ 484 root rtd DIR     202,0      4096    2 /
fsnotify_ 484 root txt unknown                      /proc/484/exe
8) Kill processes for some particular user
You can kill all processes belonging to a particular user with the following command; replace USERNAME with the actual username. The -t option makes lsof print only the PIDs, which are then passed to kill:
# kill -9 `lsof -t -u USERNAME`
9) Find out Ports and Services Mapping
You can map ports to the services using them on a Linux system with the lsof command. The following command shows the running services and their associated ports on the IPv4 network interface. The -P, -n and -l options keep port numbers, addresses and user IDs numeric instead of converting them to names:
# lsof -Pnl +M -i4
Sample output:
# lsof -Pnl +M -i4
COMMAND     PID USER FD  TYPE  DEVICE SIZE/OFF NODE NAME
avahi-dae  1383   70 12u IPv4    3397      0t0  UDP *:5353
avahi-dae  1383   70 13u IPv4    3398      0t0  UDP *:53376
chronyd    1393  998 1u  IPv4    2712      0t0  UDP *:123
chronyd    1393  998 3u  IPv4    2714      0t0  UDP 127.0.0.1:323
dhclient   1497    0 6u  IPv4    4179      0t0  UDP *:68
dhclient   1497    0 20u IPv4    4151      0t0  UDP *:24561
sshd       1707    0 3u  IPv4    4897      0t0  TCP *:22 (LISTEN)
sshd      25453    0 3u  IPv4 1601772      0t0  TCP 45.33.24.9:22->182.188.228.74:1130 (ESTABLISHED)
sshd      25549    0 3u  IPv4 1602514      0t0  TCP 45.33.24.9:22->115.230.126.149:60138 (ESTABLISHED)
sshd      25550   74 3u  IPv4 1602514      0t0  TCP 45.33.24.9:22->115.230.126.149:60138 (ESTABLISHED)
The following command shows the same mapping information for the IPv6 network interface:
# lsof -Pnl +M -i6
Sample output:
[root@localhost ~]# lsof -Pnl +M -i6
COMMAND   PID USER FD  TYPE DEVICE SIZE/OFF NODE NAME
chronyd  1393  998 2u  IPv6   2713      0t0  UDP *:123
chronyd  1393  998 5u  IPv6   2715      0t0  UDP [::1]:323
dhclient 1497    0 21u IPv6   4152      0t0  UDP *:20528
sshd     1707    0 4u  IPv6   4908      0t0  TCP *:22 (LISTEN)
10) Find the program using an unknown port
To check whether there are any suspicious ports open on your system, run the netstat command.
# netstat -an
udp 0 0 0.0.0.0:32853 0.0.0.0:*
udp 0 0 0.0.0.0:56655 0.0.0.0:*
udp 0 0 0.0.0.0:5500 0.0.0.0:*
udp 0 0 0.0.0.0:78 0.0.0.0:*
From the above result, you can see that port 5500 is unknown. So, you can locate the program using the port with the following command:
# lsof -i udp:5500
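The checks in sections 9 and 10 can be combined into one pass. The script below is an added example, not part of the original tutorial: it reads lsof -Pnl +M -i4 output and reports listening TCP sockets and unconnected UDP sockets whose port is not on an allowlist. The function names, the allowlist format and the "mystery" process on UDP 5500 are assumptions made up for illustration; the other sample rows come from the section 9 output.

```shell
#!/bin/sh
# Added example: report bound sockets whose local port is not allowlisted.
# Expects `lsof -Pnl +M -i4` output (numeric ports and addresses) on stdin.

# Constructed sample: rows from the section 9 output plus one made-up
# process ("mystery", PID 4242) bound to UDP 5500, the port from section 10.
sample_lsof() {
    cat <<'EOF'
COMMAND     PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
avahi-dae  1383   70  12u   IPv4    3397      0t0  UDP *:5353
chronyd    1393  998   1u   IPv4    2712      0t0  UDP *:123
chronyd    1393  998   3u   IPv4    2714      0t0  UDP 127.0.0.1:323
dhclient   1497    0   6u   IPv4    4179      0t0  UDP *:68
sshd       1707    0   3u   IPv4    4897      0t0  TCP *:22 (LISTEN)
sshd      25453    0   3u   IPv4 1601772      0t0  TCP 45.33.24.9:22->182.188.228.74:1130 (ESTABLISHED)
mystery    4242    0   5u   IPv4    9001      0t0  UDP *:5500
EOF
}

# unexpected_ports ALLOWLIST   (hypothetical helper, not an lsof feature)
# ALLOWLIST: space-separated proto/port entries, e.g. "tcp/22 udp/123".
# Prints "proto/port command pid" for each listening TCP socket or
# unconnected UDP socket that is not on the allowlist.
unexpected_ports() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }                        # skip the header row
    {
        proto = tolower($8); name = $9; state = $10
        if (proto != "tcp" && proto != "udp") next
        if (proto == "tcp" && state != "(LISTEN)") next  # ignore sessions
        if (index(name, "->")) next         # ignore connected sockets
        port = name; sub(/.*:/, "", port)   # text after the last colon
        key = proto "/" port
        if (!(key in ok) && !seen[key SUBSEP $2]++) print key, $1, $2
    }'
}

# Baseline for this host: everything except UDP 5500 is expected.
sample_lsof | unexpected_ports "udp/5353 udp/123 udp/323 udp/68 tcp/22"
# → udp/5500 mystery 4242
```

On a live host, pipe the real lsof output into unexpected_ports in place of sample_lsof and keep the allowlist under version control so that changes to the baseline are reviewed.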
11) View all TCP or UDP connections
Use the following command to view both TCP and UDP connections on your Linux system:
# lsof -i tcp; lsof -i udp;
Sample output:
# lsof -i tcp; lsof -i udp;
COMMAND     PID USER   FD  TYPE  DEVICE SIZE/OFF NODE NAME
sshd       1707 root   3u  IPv4    4897      0t0  TCP *:ssh (LISTEN)
sshd       1707 root   4u  IPv6    4908      0t0  TCP *:ssh (LISTEN)
sshd      25453 root   3u  IPv4 1601772      0t0  TCP li978-9.members.linode.com:ssh->182.188.228.74:casp (ESTABLISHED)
COMMAND     PID USER   FD  TYPE  DEVICE SIZE/OFF NODE NAME
avahi-dae  1383 avahi  12u IPv4    3397      0t0  UDP *:mdns
avahi-dae  1383 avahi  13u IPv4    3398      0t0  UDP *:53376
chronyd    1393 chrony 1u  IPv4    2712      0t0  UDP *:ntp
chronyd    1393 chrony 2u  IPv6    2713      0t0  UDP *:ntp
chronyd    1393 chrony 3u  IPv4    2714      0t0  UDP localhost:323
chronyd    1393 chrony 5u  IPv6    2715      0t0  UDP localhost:323
dhclient   1497 root   6u  IPv4    4179      0t0  UDP *:bootpc
dhclient   1497 root   20u IPv4    4151      0t0  UDP *:24561
dhclient   1497 root   21u IPv6    4152      0t0  UDP *:20528
12) Run lsof in repeat mode
lsof can also run in repeat mode: it displays the results once, pauses for a few seconds, and then displays updated results again at the given interval. This is very useful for troubleshooting Linux system performance issues.
Run the lsof command with the "-r" option followed by the delay interval in seconds. Here is one example.
Keep an eye on a user's activity every 3 seconds:
# lsof -r 3 -u username
Conclusion
In this tutorial we learned how to use the lsof command in Linux with examples. If you have any questions or thoughts on this tutorial, please use the comment section below.