When it comes to analyzing and troubleshooting processes in Linux, the “lsof” command is a versatile and essential tool in every sysadmin’s toolkit. Short for “list open files,” lsof provides detailed information about files opened by processes, network connections, and much more.
In this blog post, we will explore 18 useful lsof command examples to gain valuable insights into system activities and solve common issues.
Where to use lsof?
lsof command is mainly used to retrieve information about files that are opened by various processes. Open files in a system can be disk files, network sockets, named pipes and devices. This distinctive feature of lsof command, enables one to debug and understand Linux operating System in a better way.
How to Install lsof?
Whenever we do the minimal installation of RHEL /CentOS / AlmaLinux / Ubuntu/ OpenSUSE, lsof is not the part of default installation, so use the following command to install lsof command.
For RHEL / CentOS / AlmaLinux / Fedora,
$ sudo yum install lsof -y or $ sudo dnf install lsof -y
Debian Based Systems (Ubuntu / Linux Mint),
$ sudo apt install lsof -y
For OpenSUSE System,
$ sudo zypper install lsof
The command “lsof” comes equipped with many options and switches. It will be very interesting to explore some of these important ones. Let’s deep dive into the examples of lsof comamnd.
1) List All Open Files
Running lsof command without any options will list all open files of your system that belongs to all active process.
Just typing ‘lsof’ command without any options at command line gives the following output,
Note:- Since lsof output gives lot of information to STDOUT, it will be better to use pipe “|” operation to see this output page by page.
# lsof | more
The above command output if you examine carefully provides lot of information with many parameters. For example, process “systemd” (which is a daemon process) has Process Id (PID) of “1”, User is “root”, File Descriptor (FD) as “cwd” and etc.
The FD comes-up with many values, as one is aware that File Descriptor is generated for any open files automatically in Linux Systems. Below are some of the well-known “FD” values used for lsof commands,
Note: In some cases, the “mem” is followed by number and various characters like “r”, “u”, “w” etc. These characters are “r” for read, “w” for write, “u” for read and write.
Finally, the “TYPE” in the command output indicates type of the file. The following are the standard types of files in Linux systems.
The other fields that are displayed along with this are as follows,
- DEVICE –> Device id
- SIZE/OFF –> Actual size of this process (taken during run time)
- NODE –> Typically inode number of the directory or parent directory
- NAME –> Path or link
2) List Open Files of Particular File System
As you are aware the “/proc” will be existing only during the life time of the Linux OS, this directory contains lot of important process related information. Executing “lsof” on /proc will throw interesting output for us to explor,
# lsof /proc
As mentioned earlier, “lsof” of “lsof” itself is captured here and all the details are displayed. Other than “lsof” there are other processes like systemd and rsyslogd which are daemons used for swap, mounting etc purposes.
Similarly, we can list open files of another file system like /var/log,
# lsof /var/log/
Identify Processes Holding Deleted Files
lsof command become very handy in a situation where df and du command shows different disk usage of same file system, using lsof command we can find processes still holding deleted files in memory
# lsof /var/log | grep -i "deleted"
This displays files marked as “deleted” but still in use. So, to release the space from file system we can safely kill those processes by its pid.
3) List Open Files by File System Type
To display open files based on their file system type, employ:
# lsof -F <fs_type>
Replace <fs_type> with the desired file system type, such as “nfs” or “tmpfs.”
4) List Open Files by a Specific User
To see all files currently opened by a specific user, use the following command:
# lsof -u <username>
Replace <username> with the actual username.
List all open files for root user
# lsof -u root | more
List of open files for non-root users, let’s see all open files for linuxtechi user,
# lsof -u linuxtechi | more Or # lsof -l -u linuxtechi | more
To List all open files except root user, use ^(caret symbol) in front of root user ( lsof -u ^root),
# lsof -u ^root | more
5) List all Open Internet and UNIX Domain Files
Use “-i -U” option in lsof command to list all open internet and UNIX domain files on your system, example is shown below,
# lsof -i -U
6) List All Open IPv4 Network Files
Use “-i -4” option in lsof command to list all open network connections for IPv4,
# lsof -i 4
To list all open IPv4 network files used by a specific process whose process id “any_number”, examples is shown below
Let’s assume we want to list all IPv4 network files for rpcbind process
Syntax :
# lsof -i 4 -a -p {process_pid}
# lsof -i 4 -a -p 1633 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rpcbind 1633 rpc 4u IPv4 16576 0t0 TCP *:sunrpc (LISTEN) rpcbind 1633 rpc 5u IPv4 16577 0t0 UDP *:sunrpc rpcbind 1633 rpc 10u IPv4 16649 0t0 UDP *:960 #
7) List all Open Network Files for IPv6
Assuming ipv6 domain is supported, then open network files can be listed using ‘-i 6’ option.
# lsof -i 6
8) Find Processes Running on a Specific Port:
To list all tcp and udp process running on a specific port, use the following syntax,
# lsof -i TCP/UDP:port
Let’s assume we want to list all the TCP process running on 80 port, use the below command
# lsof -i TCP:80 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME httpd 2594 root 4u IPv6 22703 0t0 TCP *:http (LISTEN) httpd 2595 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN) httpd 2596 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN) httpd 2597 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN) httpd 2598 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN) httpd 2599 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN) [root@linuxtechi ~]#
To list all open files on TCP port from port range (1 to 1048), use the following command
# lsof -i TCP:1-1048
To List all UDP process running on a specific port use the beneath command
# lsof -i UDP:16498 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME dhclient 2494 root 21u IPv6 20952 0t0 UDP *:16498 #
Note: To list all open UDP process on your linux system then use the command “lsof -i UDP”
9) View All Open Files for Specific Device
The following command can be used to list all open files on device
# lsof <device-name>
Note: In this case the device type is virtual, in general this can be of type /dev/hd<number>/ sd{number}
# lsof /dev/sda2
10) List Open Files by File Descriptor
To obtain a list of open files by their file descriptors, use the command.
# lsof -d <file_descriptor>
Replace <file_descriptor> with the desired file descriptor number.
11) Display Terminal Related Open Files
The following command is used for all open files on terminal
# lsof /dev/tty{number}
# lsof /dev/tty1 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME bash 2442 root 0u CHR 4,1 0t0 4689 /dev/tty1 bash 2442 root 1u CHR 4,1 0t0 4689 /dev/tty1 bash 2442 root 2u CHR 4,1 0t0 4689 /dev/tty1 bash 2442 root 255u CHR 4,1 0t0 4689 /dev/tty1 #
To view files opened by a specific type, such as regular files or directories, use the following syntax:
# lsof -b <file_type>
Replace <file_type> with the desired file type (e.g., REG, DIR).
12) Show Open Files Associated to Specific Program
To find all files opened by a particular program, use the command:
# lsof -c <program_name>
Replace <program_name> with the name of the program.
Let’s assume we want to list all open files which are associated httpd,
# lsof -c httpd
To show files opened by a specific IP address, run:
# lsof -i @<ip_address>
Replace <ip_address> with the desired IP address.
13) List All Network Connections (lsof -i)
Use “-i” option in lsof command to list all network related process or commands, example is shown below,
# lsof -i
14) View IPv4 /IPv6 Socket Files
To find the IPv4 socket file use the below command, replace IP address with your system IP
# lsof [email protected]
To find an IP version 6 socket file by an associated numeric colon-form address that has a run of zeroes in it – e.g., the loop-back address(127.0.0.1), use below command and options:
# lsof -i@[::1] COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME master 2433 root 14u IPv6 21027 0t0 TCP localhost:smtp (LISTEN) #
15) List All Processes that Belong to a Process ID
Using command ‘lsof -p <pid>’, we can show all the process that belong to pid.
Let’s assume we want to list all process or commands that belongs to a specific process id (1598), Example is shown below
# lsof -p 1598
16) Kill All User’s Processes
lsof command become very handy where we want to kill all the process that belongs to a specific user, below example will kill all process that belongs to linuxtechi user,
# kill -9 `lsof -t -u linuxtechi`
17) Show Open Files for a Directory
To see all files opened under a specific directory, use the following command:
# lsof +D <directory-path>
Let’s assume we want list all open files under /var/log directory, run
# lsof +D /var/log/
Note: In above command if we use +D option then lsof will list all open files of a directory recursively and if you don’t want to list open files of directory recursively then use “+d” option
18) lsof to Check Who Opened Log File (to find PID)
The following command option is used to find who opened the /var/log/httpd/access.log file and what is the PID of that process. And then with “ps -ef” command we can find exact user
# lsof -t /var/log/httpd/access_log 3109 3110 3111 3112 3113 3114 # # ps -ef | grep -E "3109|3110|3111|3112|3113|3114" | grep -v grep or # ps -fp "$(lsof -t /var/log/httpd/access_log | xargs echo)" root 3109 1 0 03:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND apache 3110 3109 0 03:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND apache 3111 3109 0 03:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND apache 3112 3109 0 03:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND apache 3113 3109 0 03:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND apache 3114 3109 0 03:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND #
Many options of the lsof command can be combined for multiple purposes as below are some combination of flags “-c”, “-u” and “-I”. For more details refer the manual page.
The below command combination will give output every 1 second about “linuxtechi” home directory what all the files opened repeatedly.
# lsof -u linuxtechi -c init -a -r1
=======
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
inita.sh 2971 linuxtechi cwd DIR 8,1 4096 393218 /home/linuxtechi
inita.sh 2971 linuxtechi rtd DIR 8,1 4096 2 /
inita.sh 2971 linuxtechi txt REG 8,1 83344 524367 /bin/dash
inita.sh 2971 linuxtechi mem REG 8,1 1434567 1443695 ~/libc-2.13.so
……………………………………………………………………………
Conclusion:
The lsof command is a powerful utility that allows you to gain deep insights into file and network-related activities in a Linux system. By using the 18 unique examples outlined in this blog post, you can effectively monitor processes, identify resource bottlenecks, and troubleshoot issues related to open files and network connections. Mastering lsof will undoubtedly enhance your system administration skills and make you a more efficient Linux professional.
Also Read : How to Enable Timestamp in Linux History Command Output
Example 3 isn’t throwing an error because you’re calling it on itself, it’s throwing an error because you’re calling it on a non-existent file. Type any garbage file name there and you’ll get the same result.
lsof /usr/bin/lsof works just fine.
Nice article.
Although example #18 could be better written with the PIDs passed through a sub-command:
# ps -fp “$(lsof -t /var/log/httpd/access_log | xargs echo)”
instead of having to grep all pids, and then yet another one to exclude the first grep
Thanks Cyril for feedback and Comments, I have updated Example 18 as per your suggestion.