Guide to using the linux lsof command

lsof Introduction

lsof is short for list open files, and as the name suggests, its purpose is mainly to list open files on the system. At first glance, it seems to be a very simple command with few scenarios, but it is just another version of ls. But because of the unix philosophy of everything is a file, basically all objects on a *nix system can be considered as objects, and with the various arguments provided by this command, it is actually very powerful and can easily get a lot of very useful information, some of which would be very troublesome with other tools.

lsof can tell what files users and processes have manipulated, and it can also see how the network is being used on the system, as well as information about devices. It also has a lot of parameters, and manoage shows the following usage, and this article will cover the more common usage.

1
2

lsof  [ -?abChKlnNOPRtUvVX ] [ -A A ] [ -c c ] [ +c c ] [ +|-d d ] [ +|-D D ] [ +|-e s ] [ +|-f [cfgGn] ] [ -F [f] ] [ -g [s] ] [ -i [i] ] [ -k k ] [ +|-L [l] ] [ +|-m m ] [
       +|-M ] [ -o [o] ] [ -p s ] [ +|-r [t[m<fmt>]] ] [ -s [p:s] ] [ -S [t] ] [ -T [t] ] [ -u s ] [ +|-w ] [ -x [fl] ] [ -z [z] ] [ -Z [Z] ] [ -- ] [names]

Running lsof directly, without any arguments, will list all open files on the system, one line per file.

➜  ~ sudo lsof | head
COMMAND     PID   TID             USER   FD      TYPE             DEVICE    SIZE/OFF       NODE NAME
systemd       1                   root  cwd       DIR               8,18        4096          2 /
systemd       1                   root  rtd       DIR               8,18        4096          2 /
systemd       1                   root  txt       REG               8,18     1577232    5247327 /lib/systemd/systemd
systemd       1                   root  mem       REG               8,18       18976    5247628 /lib/x86_64-linux-gnu/libuuid.so.1.3.0
systemd       1                   root  mem       REG               8,18      262408    5247436 /lib/x86_64-linux-gnu/libblkid.so.1.1.0
systemd       1                   root  mem       REG               8,18       14608    5250746 /lib/x86_64-linux-gnu/libdl-2.23.so

Each column of the above input contains: command name, process id, user name, FD, file type, device where the file is located, file size or offset of the device where it is located, node/inode number, and file name. Let’s introduce a few less understandable items. FD (file descriptor) indicates the file descriptor or the description of the file, including

cwd: current working directory
mem: memory mapped file
mmap: memory mapped device
txt: application text (code and data)
……

TYPE indicates the type of file, e.g.

IPv4: IPv4 socket
IPv6: IPv6 socket
inet: Internet Domain socket
unix: unix domain socket
BLK: device file
CHR: character file
DIR: folder
FIFO: FIFO file
LINK: symbolic link file
REG: General file
……

More options can be found in lsof manpage.

NOTE : Please use sudo or root user to run lsof in order to see all open files.

File and process information

List all files opened by a process

`1`	`sudo lsof -p 1190`

List the files opened by a user

`1`	`sudo lsof -u cizixs`

It can also be reversed to list all files that are not opened by a particular user by prefixing the user name with the ^ symbol.

`1`	`sudo lsof -u ^cizixs`

List which processes a file is opened by (use)

`1`	`sudo lsof /path/to/file`

List all processes that access a directory

`1`	`sudo lsof +d /path/to/dir/`

This command does not recursively access subdirectories, if you want to do that, you can use +D :

`1`	`sudo ls +D /var/log/apache/`

List information about the files used by a command

`1`	`sudo lsof -c nginx`

The -c argument is followed by the beginning string of the command, not necessarily the name of a specific program, for example sudo lsof -c n is also legal and will list all files opened by programs whose names start with n.

This command is not as straightforward as -p to check a process, but it is useful for scenarios where you can’t find the process number directly, or if the program contains multiple processes.

Network information

Another of the more common functions of lsof is to view network information. Although there is a dedicated tool netstat, lsof is sometimes more convenient, for example to view the usage of a certain port.

List all network connection information

`1`	`sudo lsof -i`

Show only TCP or UDP connections

By following the protocol type (TCP or UDP) directly after -i, only the connection information for that network protocol will be displayed.

`1`	`sudo lsof -i TCP`

Check the network connectivity of a port

This command is very commonly used, and is usually very handy when you want to run a service and find a network conflict, or when you need to know which process is using a port.

`1`	`sudo lsof -i :80`

Check the network connection to a host

`1`	`sudo lsof -i @172.16.1.14`

Ports and hosts can also be used together to indicate the network conditions connected to a particular port of a host.

`1`	`sudo lsof -i @172.16.1.14:22`

List the ports that the current machine is listening on

`1`	`sudo lsof -i -s TCP:LISTEN`

The -s p:s parameter is followed by two fields: protocol and status, separated by a colon. For example, here TCP:LISTEN indicates the TCP protocol that is listening, and similarly, you can view the TCP network that is connected.

`1`	`sudo lsof -i -s TCP:ESTABLISHED`

Combination Usage

The filter parameters of lsof can be combined, but the default is OR logic, which means that the sum of all filter conditions will be listed. You can use the -a argument to tell lsof to list results that satisfy all conditions at once, such as listing all network connections listened to by a process.

`1`	`sudo lsof -a -p 12345 -i -s TCP:LISTEN`

Table of Contents