18 Quick lsof Command Examples for Linux Geeks

When it comes to analyzing and troubleshooting processes in Linux, the “lsof” command is a versatile and essential tool in every sysadmin’s toolkit. Short for “list open files,” lsof provides detailed information about files opened by processes, network connections, and much more.

In this blog post, we will explore 18 useful lsof command examples to gain valuable insights into system activities and solve common issues.

Where to use lsof?

lsof command is mainly used to retrieve information about files that are opened by various processes. Open files in a system can be disk files, network sockets, named pipes and devices. This distinctive feature of lsof command, enables one to debug and understand Linux operating System in a better way.

How to Install lsof?

Whenever we do the minimal installation of  RHEL /CentOS / AlmaLinux / Ubuntu/ OpenSUSE, lsof is not the part of default installation, so use the following command to install lsof command.

For RHEL / CentOS / AlmaLinux / Fedora,

$ sudo yum install lsof -y
or
$ sudo dnf install lsof -y

Debian Based Systems (Ubuntu / Linux Mint),

$ sudo apt install lsof -y

For OpenSUSE System,

$ sudo zypper install lsof

The command “lsof” comes equipped with many options and switches. It will be very interesting to explore some of these important ones. Let’s deep dive into the examples of lsof comamnd.

1) List All Open Files

Running lsof command without any options will list all open files of your system that belongs to all active process.

Just typing ‘lsof’ command without any options at command line gives the following output,

Note:- Since lsof output gives lot of information to STDOUT, it will be better to use pipe “|” operation to see this output page by page.

# lsof | more

lsof-Command-with-pagewise

The above command output if you examine carefully provides lot of information with many parameters. For example, process “systemd” (which is a daemon process) has Process Id (PID) of “1”, User is “root”, File Descriptor (FD) as “cwd” and etc.

The FD comes-up with many values, as one is aware that File Descriptor is generated for any open files automatically in Linux Systems. Below are some of the well-known “FD” values used for lsof commands,

Process-parameter-lsof-command

Note: In some cases, the “mem” is followed by number and various characters like “r”, “u”, “w” etc. These characters are “r” for read, “w” for write, “u” for read and write.

Finally, the “TYPE” in the command output indicates type of the file.  The following are the standard types of files in Linux systems.

File-type-linux-lsof-command

The other fields that are displayed along with this are as follows,

  • DEVICE –> Device id
  • SIZE/OFF –> Actual size of this process (taken during run time)
  • NODE –> Typically inode number of the directory or parent directory
  • NAME –> Path or link

2) List Open Files of Particular File System

As you are aware the “/proc” will be existing only during the life time of the Linux OS, this directory contains lot of important process related information. Executing “lsof” on /proc will throw interesting output for us to explor,

# lsof /proc

lsof-slash-proc-file-system

As mentioned earlier, “lsof” of “lsof” itself is captured here and all the details are displayed. Other than “lsof” there are other processes like systemd and rsyslogd which are daemons used for swap, mounting etc purposes.

Similarly, we can list open files of another file system like /var/log,

# lsof /var/log/

Identify Processes Holding Deleted Files

lsof command become very handy in a situation where df and du command shows different disk usage of same file system, using lsof command we can find processes still holding deleted files in memory

# lsof /var/log | grep -i "deleted"

This displays files marked as “deleted” but still in use. So, to release the space from file system we can safely kill those processes by its pid.

3) List Open Files by File System Type

To display open files based on their file system type, employ:

# lsof -F <fs_type>

Replace <fs_type> with the desired file system type, such as “nfs” or “tmpfs.”

4) List Open Files by a Specific User

To see all files currently opened by a specific user, use the following command:

# lsof -u <username>

Replace <username> with the actual username.

List all open files for root user

# lsof -u root | more

List-of-open-files-root-user

List of open files for non-root users, let’s see all open files for linuxtechi user,

# lsof -u linuxtechi  | more
Or
# lsof -l -u linuxtechi | more

list-openfiles-user-linux

To List all open files except root user, use ^(caret symbol) in front of root user ( lsof -u ^root),

# lsof -u ^root | more

list-openfiles-other-than-root-user

5) List all Open Internet and UNIX Domain Files

Use “-i -U” option in lsof command to list all open internet and UNIX domain files on your system, example is shown below,

# lsof -i -U

list-open-file-unix-type

6) List All Open IPv4 Network Files

Use “-i -4” option in lsof command to list all open network connections for IPv4,

# lsof -i 4

View-IPv4-Network-files-lsof

To list all open IPv4 network files used by a specific process whose process id “any_number”, examples is shown below

Let’s assume we want to list all IPv4 network files for rpcbind process

Syntax :

# lsof -i 4 -a -p {process_pid}

# lsof -i 4 -a  -p 1633
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 1633  rpc    4u  IPv4  16576      0t0  TCP *:sunrpc (LISTEN)
rpcbind 1633  rpc    5u  IPv4  16577      0t0  UDP *:sunrpc
rpcbind 1633  rpc   10u  IPv4  16649      0t0  UDP *:960
#

7) List all Open Network Files for IPv6

Assuming ipv6 domain is supported, then open network files can be listed using ‘-i 6’ option.

# lsof -i 6

IPV6-Network-Open-Files-lsof

8) Find Processes Running on a Specific Port:

To list all tcp and udp process running on a specific port, use the following syntax,

# lsof -i TCP/UDP:port

Let’s assume we want to list all the TCP process running on 80 port, use the below command

# lsof -i TCP:80
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd   2594   root    4u  IPv6  22703      0t0  TCP *:http (LISTEN)
httpd   2595 apache    4u  IPv6  22703      0t0  TCP *:http (LISTEN)
httpd   2596 apache    4u  IPv6  22703      0t0  TCP *:http (LISTEN)
httpd   2597 apache    4u  IPv6  22703      0t0  TCP *:http (LISTEN)
httpd   2598 apache    4u  IPv6  22703      0t0  TCP *:http (LISTEN)
httpd   2599 apache    4u  IPv6  22703      0t0  TCP *:http (LISTEN)
[root@linuxtechi ~]#

To list all open files on TCP port from port range (1 to 1048), use the following command

# lsof -i TCP:1-1048

View-Open-Files-TCP-Port-Range

To List all UDP process running on a specific port use the beneath command

# lsof -i UDP:16498
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dhclient 2494 root   21u  IPv6  20952      0t0  UDP *:16498
#

Note: To list all open UDP process on your linux system then use the command “lsof -i UDP”

9) View All Open Files for Specific Device

The following command can be used to list all open files on device

# lsof <device-name>

Note: In this case the device type is virtual, in general this can be of type /dev/hd<number>/ sd{number}

# lsof /dev/sda2

lsof-device-linux

10) List Open Files by File Descriptor

To obtain a list of open files by their file descriptors, use the command.

# lsof -d <file_descriptor>

Replace <file_descriptor> with the desired file descriptor number.

11) Display Terminal Related Open Files

The following command is used for all open files on terminal

# lsof /dev/tty{number}

# lsof /dev/tty1
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
bash    2442 root    0u   CHR    4,1      0t0 4689 /dev/tty1
bash    2442 root    1u   CHR    4,1      0t0 4689 /dev/tty1
bash    2442 root    2u   CHR    4,1      0t0 4689 /dev/tty1
bash    2442 root  255u   CHR    4,1      0t0 4689 /dev/tty1
#

To view files opened by a specific type, such as regular files or directories, use the following syntax:

# lsof -b <file_type>

Replace <file_type> with the desired file type (e.g., REG, DIR).

12) Show Open Files Associated to Specific Program

To find all files opened by a particular program, use the command:

# lsof -c <program_name>

Replace <program_name> with the name of the program.

Let’s assume we want to list all open files which are associated httpd,

# lsof -c httpd

Open-Files-of-Httpd-Process

To show files opened by a specific IP address, run:

# lsof -i @<ip_address>

Replace <ip_address> with the desired IP address.

13) List All Network Connections (lsof -i)

Use “-i” option in lsof command to list all network related process or commands, example is shown below,

# lsof -i

List-All-Network-Connections-lsof

14) View IPv4 /IPv6 Socket Files

To find the IPv4 socket file use the below command, replace IP address with your system IP

# lsof [email protected]

IPv4-Socket-Connections-lsof

To find an IP version 6 socket file by an associated numeric colon-form address that has a run of zeroes in it – e.g., the loop-back address(127.0.0.1), use below command and options:

# lsof -i@[::1]
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
master  2433 root   14u  IPv6  21027      0t0  TCP localhost:smtp (LISTEN)
#

15) List All Processes that Belong to a Process ID

Using command ‘lsof -p <pid>’, we can show all the process that belong to pid.

Let’s assume we want to list all process or commands that belongs to a specific process id (1598), Example is shown below

# lsof -p 1598

List-Processes-for-PID-lsof

16) Kill All User’s Processes

lsof command become very handy where we want to kill all the process that belongs to a specific user, below example will kill all process that belongs to linuxtechi user,

# kill -9 `lsof -t -u linuxtechi`

17) Show Open Files for a Directory

To see all files opened under a specific directory, use the following command:

# lsof +D <directory-path>

Let’s assume we want list all open files under /var/log directory, run

# lsof +D /var/log/

View-Open-Files-Under-Directory-lsof

Note: In above command if we use +D option then lsof will list all open files of a directory recursively and if you don’t want to list open files of directory recursively then use “+d” option

18) lsof to Check Who Opened Log File (to find PID)

The following command option is used to find who opened the /var/log/httpd/access.log file and what is the PID of that process. And then with “ps -ef” command we can find exact user

# lsof -t /var/log/httpd/access_log
3109
3110
3111
3112
3113
3114
#

# ps -ef | grep -E "3109|3110|3111|3112|3113|3114" | grep -v grep
or
# ps -fp "$(lsof -t /var/log/httpd/access_log | xargs echo)"
root      3109     1  0 03:36 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3110  3109  0 03:36 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3111  3109  0 03:36 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3112  3109  0 03:36 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3113  3109  0 03:36 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3114  3109  0 03:36 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
#

Many options of the lsof command can be combined for multiple purposes as below are some combination of flags “-c”, “-u” and “-I”. For more details refer the manual page.

The below command combination will give output every 1 second about “linuxtechi” home directory what all the files opened repeatedly.

# lsof -u linuxtechi -c init -a -r1
=======
COMMAND   PID       USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
inita.sh 2971 linuxtechi  cwd    DIR    8,1     4096  393218 /home/linuxtechi
inita.sh 2971 linuxtechi  rtd    DIR    8,1     4096       2 /
inita.sh 2971 linuxtechi  txt    REG    8,1    83344  524367 /bin/dash
inita.sh 2971 linuxtechi  mem    REG    8,1  1434567 1443695 ~/libc-2.13.so
……………………………………………………………………………

Conclusion:

The lsof command is a powerful utility that allows you to gain deep insights into file and network-related activities in a Linux system. By using the 18 unique examples outlined in this blog post, you can effectively monitor processes, identify resource bottlenecks, and troubleshoot issues related to open files and network connections. Mastering lsof will undoubtedly enhance your system administration skills and make you a more efficient Linux professional.

Also Read : How to Enable Timestamp in Linux History Command Output

3 thoughts on “18 Quick lsof Command Examples for Linux Geeks”

  1. Example 3 isn’t throwing an error because you’re calling it on itself, it’s throwing an error because you’re calling it on a non-existent file. Type any garbage file name there and you’ll get the same result.

    lsof /usr/bin/lsof works just fine.

  2. Nice article.

    Although example #18 could be better written with the PIDs passed through a sub-command:

    # ps -fp “$(lsof -t /var/log/httpd/access_log | xargs echo)”

    instead of having to grep all pids, and then yet another one to exclude the first grep

Leave a Comment

Your email address will not be published. Required fields are marked *