lsof is a command line utility for all Unix and Linux like operating systems to check “list of open files” The name “lsof” is itself derived from this functionality. lsof command is mainly used to retrieve information about files that are opened by various processes. Open files in a system can be of different type like disk files, network sockets, named pipes and devices. This distinctive feature enables one to debug and understand Linux Operating System in a better way.
When we do the minimal installation of CentOS / RHEL / Ubuntu/ OpenSUSE, lsof is not the part of default installation, so use the following command to install lsof command or utility
For CentOS / RHEL System,
~] # yum install lsof -y
Debian Based Systems (Ubuntu / Linux Mint)
~] # apt install lsof -y
For OpenSUSE System,
~] # zypper install lsof
The command “lsof” comes equipped with many options and switches. It will be very interesting to explore some of these important ones. In this article we will discuss 18 useful lsof command examples for Linux geeks.
Example:1) List all open files of your system (lsof)
Running lsof command without any options will list all open files of your system that belongs to all active process.
Just typing “lsof” command without any options at command line gives the following output,
Note:- Since lsof output gives lot of information to STDOUT, it will be better to use pipe “|” operation to see this output page by page.
[[email protected] ~]# lsof | more
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root cwd DIR 253,0 4096 128 /
systemd 1 root rtd DIR 253,0 4096 128 /
systemd 1 root txt REG 253,0 1489960 50674818 /usr/lib/systemd/systemd
systemd 1 root mem REG 253,0 20032 33628284 /usr/lib64/libuuid.so.1.3.0
systemd 1 root mem REG 253,0 252704 33745961 /usr/lib64/libblkid.so.1.1.0
The above command output if you examine carefully provides lot of information with many parameters. For example, process “systemd” (which is a daemon process) has Process Id (PID) of “1”, User is “root“, File Descriptor (FD) as “cwd” and etc. The FD comes-up with many values, as one is aware that File Descriptor is generated for any open files automatically in Linux Systems. Below are some of the well-known “FD” values used for lsof commands,
Note: In some cases, the “mem” is followed by number and various characters like “r”, “u”, “w” etc. These characters are “r” for read, “w” for write, “u” for read and write.
Finally, the “TYPE” in the command output indicates type of the file. The following are the standard types of files in Linux systems.
The other fields that are displayed along with this are as follows,
As you are aware the “/proc” will be existing only during the life time of the Linux OS, this directory contains lot of important process related information. Executing “lsof” on /proc will throw interesting output for us to explore,
[[email protected] ~]# lsof /proc
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 9r REG 0,3 0 6690 /proc/1/mountinfo
systemd 1 root 11r REG 0,3 0 4026532018 /proc/swaps
systemd-j 462 root 10r REG 0,3 0 6936 /proc/sys/kernel/hostname
lsof 5186 root 3r DIR 0,3 0 1 /proc
lsof 5186 root 6r DIR 0,3 0 28890 /proc/5186/fd
[[email protected] ~]#
As mentioned earlier, “lsof” of “lsof” itself is captured here and all the details are displayed. Other than “lsof” there are other processes like systemd and rsyslogd which are daemons used for swap, mounting etc purposes.
Similarly, we can list open files of another file system like /var/log,
[[email protected] ~]# lsof /var/log/
lsof command become very handy in a situation where df and du command shows different disk usage of same file system, using lsof command we can find files which were removed while they were opened and used by some process,
[[email protected] ~]# lsof /var/log | grep -i "deleted"
Above command will give you the pid of files which were deleted but they are still exist in the system in deleted state. So, to release the space from file system we can safely kill the process by its pid.
Example:3) List of open file for “lsof” command
“lsof” on itself throws an error message,
[[email protected] ~]# lsof lsof
lsof: status error on lsof: No such file or directory
lsof 4.87
Example:4) List of open files for users (lsof -u <user_name>)
“lsof” can be used for all the users who have logged into the Linux System. In this case “lsof” will display all the opened files for the respective user.
List all open files for root user
[[email protected] ~]# lsof -u root | more
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root cwd DIR 253,0 4096 128 /
systemd 1 root rtd DIR 253,0 4096 128 /
systemd 1 root txt REG 253,0 1620416 51034677 /usr/lib/systemd/systemd
systemd 1 root mem REG 253,0 20032 33628284 /usr/lib64/libuuid.so.1.3.0
systemd 1 root mem REG 253,0 252704 33745961 /usr/lib64/libblkid.so.1.1.0
systemd 1 root mem REG 253,0 90632 33628275 /usr/lib64/libz.so.1.2.7
systemd 1 root mem REG 253,0 153192 33618596 /usr/lib64/liblzma.so.5.0.99
systemd 1 root mem REG 253,0 19888 33656455 /usr/lib64/libattr.so.1.1.0
…………………………………………………………
List of open files for non-root users, let’s see all open files for linuxtechi user,
[[email protected] ~]# lsof -u linuxtechi | more
Or
[[email protected] ~]# lsof -l -u linuxtechi | more
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 2657 linuxtechi cwd DIR 253,0 4096 128 /
sshd 2657 linuxtechi rtd DIR 253,0 4096 128 /
sshd 2657 linuxtechi txt REG 253,0 815520 34698340 /usr/sbin/sshd
sshd 2657 linuxtechi DEL REG 0,4 23850 /dev/zero
sshd 2657 linuxtechi mem REG 253,0 15472 33831639 /usr/lib64/security/pam_lastlog.so
sshd 2657 linuxtechi mem REG 253,0 68192 33628305 /usr/lib64/libbz2.so.1.0.6
sshd 2657 linuxtechi mem REG 253,0 153192 33618596 /usr/lib64/liblzma.so.5.0.99
sshd 2657 linuxtechi mem REG 253,0 91496 33628319 /usr/lib64/libelf-0.163.so
sftp-serv 2661 linuxtechi mem REG 253,0 14608 33618582 /usr/lib64/libutil-2.17.so
sftp-serv 2661 linuxtechi mem REG 253,0 61856 33863972 /usr/lib64/liblber-2.4.so.2.10.3
sftp-serv 2661 linuxtechi mem REG 253,0 344224 33863974 /usr/lib64/libldap-2.4.so.2.10.3
sftp-serv 2661 linuxtechi mem REG 253,0 19512 33618298 /usr/lib64/libdl-2.17.so
sftp-serv 2661 linuxtechi mem REG 253,0 2516624 33657314 /usr/lib64/libcrypto.so.1.0.2k
sftp-serv 2661 linuxtechi mem REG 253,0 164432 33618285 /usr/lib64/ld-2.17.so
sftp-serv 2661 linuxtechi 0r FIFO 0,8 0t0 24046 pipe
sftp-serv 2661 linuxtechi 1w FIFO 0,8 0t0 24047 pipe
sftp-serv 2661 linuxtechi 2w FIFO 0,8 0t0 24048 pipe
bash 2670 linuxtechi cwd DIR 253,0 79 17157147 /home/linuxtechi
………………………………………………………………………
To List all open files except root user, use ^(caret symbol) in front of root user ( lsof -u ^root),
[[email protected] ~]# lsof -u ^root | more
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dbus-daem 1662 dbus cwd DIR 253,0 4096 128 /
dbus-daem 1662 dbus rtd DIR 253,0 4096 128 /
dbus-daem 1662 dbus txt REG 253,0 441176 17133533 /usr/bin/dbus-daemon
dbus-daem 1662 dbus mem REG 253,0 57824 33618566 /usr/lib64/libnss_files-2.17.so
dbus-daem 1662 dbus mem REG 253,0 19512 33618298 /usr/lib64/libdl-2.17.so
dbus-daem 1662 dbus mem REG 253,0 398272 33628261 /usr/lib64/libpcre.so.1.2.0
dbus-daem 1662 dbus mem REG 253,0 2107816 33618292 /usr/lib64/libc-2.17.so
……………………………………………………………………………………………………………
Example:5) List all open Internet and UNIX domain files (lsof -i -U)
Use “-i -U” option in lsof command to list all open internet and UNIX domain files on your system, example is shown below
[[email protected] ~]# lsof -i -U
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 12u unix 0xffff8800b8baab40 0t0 11075 /run/systemd/cgroups-agent
systemd 1 root 13u unix 0xffff8800b8bab2c0 0t0 11077 /run/systemd/private
systemd 1 root 42u IPv4 16576 0t0 TCP *:sunrpc (LISTEN)
systemd 1 root 43u IPv4 16577 0t0 UDP *:sunrpc
rpcbind 1633 rpc 3u unix 0xffff8800bab8cf00 0t0 16574 /var/run/rpcbind.sock
rpcbind 1633 rpc 4u IPv4 16576 0t0 TCP *:sunrpc (LISTEN)
rpcbind 1633 rpc 5u IPv4 16577 0t0 UDP *:sunrpc
rpcbind 1633 rpc 6u IPv6 16578 0t0 TCP *:sunrpc (LISTEN)
rpcbind 1633 rpc 7u IPv6 16579 0t0 UDP *:sunrpc
rpcbind 1633 rpc 10u IPv4 16649 0t0 UDP *:960
sshd 2532 root 3u IPv4 21120 0t0 TCP 192.168.1.6:ssh->192.168.1.5:65110 (ESTABLISHED)
sshd 2532 root 4u unix 0xffff8800bbef3a40 0t0 21260 socket
sshd 2532 root 8u unix 0xffff8800b8afd680 0t0 21298 /tmp/ssh-QHz9BdtRvt/agent.2532
sshd 2536 root 3u IPv4 21191 0t0 TCP 192.168.1.6:ssh->192.168.1.5:65112 (ESTABLISHED)
sshd 2536 root 4u unix 0xffff8800b8afd2c0 0t0 21363 socket
………………………………………………………………………………………………………………
Example:6) List all open IPv4 network files (lsof -i 4)
Use “-i -4” option in lsof command to list all open network files for IPv4,
[[email protected] ~]# lsof -i 4
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 42u IPv4 16576 0t0 TCP *:sunrpc (LISTEN)
systemd 1 root 43u IPv4 16577 0t0 UDP *:sunrpc
rpcbind 1633 rpc 4u IPv4 16576 0t0 TCP *:sunrpc (LISTEN)
sshd 2258 root 3u IPv4 19493 0t0 TCP *:ssh (LISTEN)
master 2360 root 13u IPv4 20087 0t0 TCP localhost:smtp (LISTEN)
dhclient 2494 root 6u IPv4 20983 0t0 UDP *:bootpc
dhclient 2494 root 20u IPv4 20951 0t0 UDP *:24884
dhclient 2514 root 6u IPv4 20866 0t0 UDP *:bootpc
sshd 2532 root 3u IPv4 21120 0t0 TCP 192.168.1.6:ssh->192.168.1.5:65110 (ESTABLISHED)
sshd 2536 root 3u IPv4 21191 0t0 TCP 192.168.1.6:ssh->192.168.1.5:65112 (ESTABLISHED)
sshd 2621 root 3u IPv4 23506 0t0 TCP 192.168.1.6:ssh->192.168.1.9:65422 (ESTABLISHED)
sshd 2655 root 3u IPv4 23863 0t0 TCP 192.168.1.6:ssh->192.168.1.9:49992 (ESTABLISHED)
sshd 2657 linuxtechi 3u IPv4 23795 0t0 TCP 192.168.1.6:ssh->192.168.1.9:49990 (ESTABLISHED)
sshd 2660 linuxtechi 3u IPv4 23863 0t0 TCP 192.168.1.6:ssh->192.168.1.9:49992 (ESTABLISHED)
[[email protected] ~]#
To list all open IPv4 network files used by a specific process whose process id “any_number”, examples is shown below
Let’s assume we want to list all IPv4 network files for rpcbind process
Syntax : # lsof i 4 -a -p {process_pid}
[[email protected] ~]# lsof -i 4 -a -p 1633
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 1633 rpc 4u IPv4 16576 0t0 TCP *:sunrpc (LISTEN)
rpcbind 1633 rpc 5u IPv4 16577 0t0 UDP *:sunrpc
rpcbind 1633 rpc 10u IPv4 16649 0t0 UDP *:960
[[email protected] ~]#
Example:7) List all open network files for IPv6 (lsof -i 6)
Assuming ipv6 domain is supported, the output of lsof will be something like below,
[[email protected] ~]# lsof -i 6
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 44u IPv6 16578 0t0 TCP *:sunrpc (LISTEN)
systemd 1 root 46u IPv6 16579 0t0 UDP *:sunrpc
rpcbind 1633 rpc 6u IPv6 16578 0t0 TCP *:sunrpc (LISTEN)
rpcbind 1633 rpc 7u IPv6 16579 0t0 UDP *:sunrpc
rpcbind 1633 rpc 11u IPv6 16650 0t0 UDP *:960
sshd 2258 root 4u IPv6 19504 0t0 TCP *:ssh (LISTEN)
master 2360 root 14u IPv6 20088 0t0 TCP localhost:smtp (LISTEN)
dhclient 2494 root 21u IPv6 20952 0t0 UDP *:16498
dhclient 2514 root 21u IPv6 20823 0t0 UDP *:34955
httpd 2594 root 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2595 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2596 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2597 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2598 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2599 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
[[email protected] ~]#
Example:8) List all TCP & UDP process running on specific port (lsof -i TCP/UDP
ort)
Let’s assume we want to list all the TCP process running on 80 port, use the below command
[[email protected] ~]# lsof -i TCP:80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 2594 root 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2595 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2596 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2597 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2598 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2599 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
[[email protected] ~]#
To list all open files on TCP port from port range (1 to 1048), use the following command
[[email protected] ~]# lsof -i TCP:1-1048
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 41u IPv4 16863 0t0 TCP *:sunrpc (LISTEN)
systemd 1 root 44u IPv6 16865 0t0 TCP *:sunrpc (LISTEN)
rpcbind 1663 rpc 4u IPv4 16863 0t0 TCP *:sunrpc (LISTEN)
rpcbind 1663 rpc 6u IPv6 16865 0t0 TCP *:sunrpc (LISTEN)
sshd 2294 root 3u IPv4 19949 0t0 TCP *:ssh (LISTEN)
sshd 2294 root 4u IPv6 19965 0t0 TCP *:ssh (LISTEN)
master 2433 root 13u IPv4 21026 0t0 TCP localhost:smtp (LISTEN)
master 2433 root 14u IPv6 21027 0t0 TCP localhost:smtp (LISTEN)
sshd 2600 root 3u IPv4 21737 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52393 (ESTABLISHED)
sshd 2659 root 3u IPv4 22056 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52486 (ESTABLISHED)
sshd 2663 root 3u IPv4 22123 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52489 (ESTABLISHED)
httpd 2837 root 4u IPv6 26112 0t0 TCP *:http (LISTEN)
httpd 2838 apache 4u IPv6 26112 0t0 TCP *:http (LISTEN)
httpd 2839 apache 4u IPv6 26112 0t0 TCP *:http (LISTEN)
httpd 2840 apache 4u IPv6 26112 0t0 TCP *:http (LISTEN)
httpd 2841 apache 4u IPv6 26112 0t0 TCP *:http (LISTEN)
httpd 2842 apache 4u IPv6 26112 0t0 TCP *:http (LISTEN)
sshd 2891 root 3u IPv4 26896 0t0 TCP 192.168.1.3:ssh->192.168.1.9:53541 (ESTABLISHED)
sshd 2895 linuxtechi 3u IPv4 26896 0t0 TCP 192.168.1.3:ssh->192.168.1.9:53541 (ESTABLISHED)
[[email protected] ~]#
To List all UDP process running on a specific port use the beneath command
[[email protected] ~]# lsof -i UDP:16498
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dhclient 2494 root 21u IPv6 20952 0t0 UDP *:16498
[[email protected] ~]#
Note: To list all open UDP process on your linux system then use the command “lsof -i UDP”
Example:9) List all open files for specific device (lsof <device_name>)
The following command can be used to list all open files on /dev/vda1.
Note: In this case the device type is virtual, in general this can be of type /dev/hd<number>/ sd{number}
[email protected] ~]# lsof /dev/vda1 | more
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root cwd DIR 253,1 4096 2 /
systemd 1 root rtd DIR 253,1 4096 2 /
systemd 1 root txt REG 253,1 1577264 262271 /lib/systemd/systemd
systemd 1 root mem REG 253,1 18976 262252 /lib/x86_64-linux-gnu/libuuid.so.1.3.0
systemd 1 root mem REG 253,1 262408 262245 /lib/x86_64-linux-gnu/libblkid.so.1.1.0
systemd 1 root mem REG 253,1 14608 266364 /lib/x86_64-linux-gnu/libdl-2.23.so
systemd 1 root mem REG 253,1 456632 262207 /lib/x86_64-linux-gnu/libpcre.so.3.13.2
systemd 1 root mem REG 253,1 1868984 266362 /lib/x86_64-linux-gnu/libc-2.23.so
systemd 1 root mem REG 253,1 138696 266361 /lib/x86_64-linux-gnu/libpthread-2.23.so
systemd 1 root mem REG 253,1 286824 261756 /lib/x86_64-linux-gnu/libmount.so.1.1.0
Example:10) List processes with open files on NFS file system
There are some situations where you have mounted nfs file system on your linux box but nfs server is inaccessible and want to list all process with open files on that nfs file system,
[[email protected] ~]# lsof -b <nfs-share-mount-point>
Example:11) List terminal related open files (lsof /dev/tty{number})
The following command is used for all open files on /dev/tty1.
Note: In this case the terminal type is “tty1”. Any other terminal type also can be used like /dev/tty<number>
[[email protected] ~]# lsof /dev/tty1
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 2442 root 0u CHR 4,1 0t0 4689 /dev/tty1
bash 2442 root 1u CHR 4,1 0t0 4689 /dev/tty1
bash 2442 root 2u CHR 4,1 0t0 4689 /dev/tty1
bash 2442 root 255u CHR 4,1 0t0 4689 /dev/tty1
[[email protected] ~]#
Example:12) List PID, Command Name, File descriptor, Device Number & File inode Number (lsof -FpcfDi)
One of the interesting options in “lsof” to obtain PID(P) and command name(c) field output for each process, file descriptor (f), file device number(D), and file inode number(i) for each file of each process, example is shown below
[[email protected] ~]# lsof -FpcfDi | more
p1
csystemd
fcwd
D0xfd00
i128
frtd
D0xfd00
i128
ftxt
D0xfd00
i51034677
fmem
D0xfd00
i33628284
………………
Note: Long list of output is displayed, but this is cut short to save space.
Example:13) List all the network connections (lsof -i)
Use “-i” option in lsof command to list all network related process or commands, example is shown below,
[[email protected] ~]# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 41u IPv4 16863 0t0 TCP *:sunrpc (LISTEN)
systemd 1 root 43u IPv4 16864 0t0 UDP *:sunrpc
rpcbind 1663 rpc 4u IPv4 16863 0t0 TCP *:sunrpc (LISTEN)
rpcbind 1663 rpc 5u IPv4 16864 0t0 UDP *:sunrpc
rpcbind 1663 rpc 11u IPv6 17051 0t0 UDP *:988
sshd 2294 root 3u IPv4 19949 0t0 TCP *:ssh (LISTEN)
sshd 2294 root 4u IPv6 19965 0t0 TCP *:ssh (LISTEN)
rpc.statd 2300 rpcuser 10u IPv6 19974 0t0 UDP *:48486
rpc.statd 2300 rpcuser 11u IPv6 20045 0t0 TCP *:39334 (LISTEN)
rpc.mount 2311 root 7u IPv4 19897 0t0 UDP *:mountd
rpc.mount 2311 root 8u IPv4 19911 0t0 TCP *:mountd (LISTEN)
master 2433 root 13u IPv4 21026 0t0 TCP localhost:smtp (LISTEN)
master 2433 root 14u IPv6 21027 0t0 TCP localhost:smtp (LISTEN)
dhclient 2563 root 6u IPv4 21589 0t0 UDP *:bootpc
dhclient 2583 root 21u IPv6 21365 0t0 UDP *:10368
sshd 2600 root 3u IPv4 21737 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52393 (ESTABLISHED)
sshd 2659 root 3u IPv4 22056 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52486 (ESTABLISHED)
[[email protected] ~]#
Example:14) Find IPv4 /IPv6 Socket file
To find the IPv4 socket file use the below command, replace IP address with your system IP
[[email protected] ~]# lsof [email protected]
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 2600 root 3u IPv4 21737 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52393 (ESTABLISHED)
sshd 2659 root 3u IPv4 22056 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52486 (ESTABLISHED)
sshd 2663 root 3u IPv4 22123 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52489 (ESTABLISHED)
sshd 2724 root 3u IPv4 25004 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52848 (ESTABLISHED)
sshd 2728 linuxtechi 3u IPv4 25004 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52848 (ESTABLISHED)
[[email protected] ~]#
To find an IP version 6 socket file by an associated numeric colon-form address that has a run of zeroes in it – e.g., the loop-back address(127.0.0.1) use below command and options:
[[email protected] ~]# lsof [email protected][::1]
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
master 2433 root 14u IPv6 21027 0t0 TCP localhost:smtp (LISTEN)
[[email protected] ~]#
Example:15) List all Process or Commands that belongs to a Process ID (lsof -p <pid>)
Let’s assume we want to list all process or commands that belongs to a specific process id, Example is shown below
[[email protected] ~]# lsof -p 2842 | more
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 2842 apache cwd DIR 253,0 4096 128 /
httpd 2842 apache rtd DIR 253,0 4096 128 /
httpd 2842 apache txt REG 253,0 523680 34641136 /usr/sbin/httpd
httpd 2842 apache mem REG 253,0 110808 33618576 /usr/lib64/libresolv-2.17.so
httpd 2842 apache mem REG 253,0 27512 33618564 /usr/lib64/libnss_dns-2.17.so
httpd 2842 apache mem REG 253,0 57824 33618566 /usr/lib64/libnss_files-2.17.so
httpd 2842 apache mem REG 253,0 27808 17080385 /usr/lib64/httpd/modules/mod_cgi.so
httpd 2842 apache mem REG 253,0 68192 33628305 /usr/lib64/libbz2.so.1.0.6
………………………………………………
Example:16) Kill all process that belongs to a specific user
lsof command become very handy where we want to kill all the process that belongs to a specific user, below example will kill all process that belongs to linuxtechi user
[[email protected] ~]# kill -9 `lsof -t -u linuxtechi`
[[email protected] ~]#
Example:17) List all open files under a specific directory (lsod +D <directory-path>)
Let’s assume we want list all open files under /var/log directory, then use the following lsof command,
[[email protected] ~]# lsof +D /var/log/
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
auditd 1635 root 4w REG 253,0 1177238 51031316 /var/log/audit/audit.log
wpa_suppl 1840 root 3w REG 253,0 240 392280 /var/log/wpa_supplicant.log
tuned 2295 root 3w REG 253,0 6000 17713597 /var/log/tuned/tuned.log
rsyslogd 2296 root 6w REG 253,0 7118 392279 /var/log/cron
rsyslogd 2296 root 7w REG 253,0 449328 338975 /var/log/messages
rsyslogd 2296 root 8w REG 253,0 26038 338976 /var/log/secure
rsyslogd 2296 root 9w REG 253,0 1576 338977 /var/log/maillog
rsyslogd 2296 root 10w REG 253,0 9458 138 /var/log/boot.log
httpd 2837 root 2w REG 253,0 2829 34768157 /var/log/httpd/error_log
httpd 2837 root 7w REG 253,0 0 34824416 /var/log/httpd/access_log
httpd 2838 apache 2w REG 253,0 2829 34768157 /var/log/httpd/error_log
httpd 2838 apache 7w REG 253,0 0 34824416 /var/log/httpd/access_log
httpd 2839 apache 2w REG 253,0 2829 34768157 /var/log/httpd/error_log
httpd 2839 apache 7w REG 253,0 0 34824416 /var/log/httpd/access_log
httpd 2840 apache 2w REG 253,0 2829 34768157 /var/log/httpd/error_log
httpd 2840 apache 7w REG 253,0 0 34824416 /var/log/httpd/access_log
httpd 2841 apache 2w REG 253,0 2829 34768157 /var/log/httpd/error_log
httpd 2841 apache 7w REG 253,0 0 34824416 /var/log/httpd/access_log
httpd 2842 apache 2w REG 253,0 2829 34768157 /var/log/httpd/error_log
httpd 2842 apache 7w REG 253,0 0 34824416 /var/log/httpd/access_log
[[email protected] ~]#
Note: In above command if we use +D option then lsof will list all open files of a directory recursively and if you don’t want to list open files of directory recursively then use “+d” option
Example:18) “lsof” to check who opened the log file (to find PID)
The following command option is used to find who opened the /var/log/httpd/access.log file and what is the PID of that process. And then with “ps -ef” command we can find exact user
[[email protected] ~]# lsof -t /var/log/httpd/access_log
3109
3110
3111
3112
3113
3114
[[email protected] ~]#
[[email protected] ~]# ps -ef | grep -E "3109|3110|3111|3112|3113|3114" | grep -v grep
or
[[email protected] ~]# ps -fp "$(lsof -t /var/log/httpd/access_log | xargs echo)"
root 3109 1 0 03:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 3110 3109 0 03:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 3111 3109 0 03:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 3112 3109 0 03:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 3113 3109 0 03:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 3114 3109 0 03:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
[[email protected] ~]#
Many options of the “lsof” command can be combined for multiple purposes as below are some combination of flags “-c”, “-u” and “-I”. For more details refer the manual page.
Also Read : 11 Xargs Command Examples in Linux
The below command combination will give output every 1 second about “linuxtechi” home directory what all the files opened repeatedly.
[email protected] ~}# lsof -u linuxtechi -c init -a -r1
=======
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
inita.sh 2971 linuxtechi cwd DIR 8,1 4096 393218 /home/linuxtechi
inita.sh 2971 linuxtechi rtd DIR 8,1 4096 2 /
inita.sh 2971 linuxtechi txt REG 8,1 83344 524367 /bin/dash
inita.sh 2971 linuxtechi mem REG 8,1 1434567 1443695 /lib/i386-linux-gnu/libc-2.13.so
……………………………………………………………………………
Conclusion:
As mentioned in the introduction section “lsof” is very powerful and useful command in Linux based distributions. This command and options listed can be used for various purposes like debugging, troubleshooting and triaging Linux processes. Mentioned options and combinations if tried, will help one to establish thorough understanding of “lsof” command. Other commands like lstat, stat and ls also can be explored in combination of “lsof” command.
Also Read : How to Enable Timestamp in Linux History Command Output
st
SOLARWINDS || HANOIYEU
When we do the minimal installation of CentOS / RHEL / Ubuntu/ OpenSUSE, lsof is not the part of default installation, so use the following command to install lsof command or utility
For CentOS / RHEL System,
~] # yum install lsof -y
Debian Based Systems (Ubuntu / Linux Mint)
~] # apt install lsof -y
For OpenSUSE System,
~] # zypper install lsof
The command “lsof” comes equipped with many options and switches. It will be very interesting to explore some of these important ones. In this article we will discuss 18 useful lsof command examples for Linux geeks.
Example:1) List all open files of your system (lsof)
Running lsof command without any options will list all open files of your system that belongs to all active process.
Just typing “lsof” command without any options at command line gives the following output,
Note:- Since lsof output gives lot of information to STDOUT, it will be better to use pipe “|” operation to see this output page by page.
[[email protected] ~]# lsof | more
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root cwd DIR 253,0 4096 128 /
systemd 1 root rtd DIR 253,0 4096 128 /
systemd 1 root txt REG 253,0 1489960 50674818 /usr/lib/systemd/systemd
systemd 1 root mem REG 253,0 20032 33628284 /usr/lib64/libuuid.so.1.3.0
systemd 1 root mem REG 253,0 252704 33745961 /usr/lib64/libblkid.so.1.1.0
The above command output if you examine carefully provides lot of information with many parameters. For example, process “systemd” (which is a daemon process) has Process Id (PID) of “1”, User is “root“, File Descriptor (FD) as “cwd” and etc. The FD comes-up with many values, as one is aware that File Descriptor is generated for any open files automatically in Linux Systems. Below are some of the well-known “FD” values used for lsof commands,
Note: In some cases, the “mem” is followed by number and various characters like “r”, “u”, “w” etc. These characters are “r” for read, “w” for write, “u” for read and write.
Finally, the “TYPE” in the command output indicates type of the file. The following are the standard types of files in Linux systems.
The other fields that are displayed along with this are as follows,
- DEVICE –> Device id
- SIZE/OFF –> Actual size of this process (taken during run time)
- NODE –> Typically inode number of the directory or parent directory
- NAME –> Path or link
As you are aware the “/proc” will be existing only during the life time of the Linux OS, this directory contains lot of important process related information. Executing “lsof” on /proc will throw interesting output for us to explore,
[[email protected] ~]# lsof /proc
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 9r REG 0,3 0 6690 /proc/1/mountinfo
systemd 1 root 11r REG 0,3 0 4026532018 /proc/swaps
systemd-j 462 root 10r REG 0,3 0 6936 /proc/sys/kernel/hostname
lsof 5186 root 3r DIR 0,3 0 1 /proc
lsof 5186 root 6r DIR 0,3 0 28890 /proc/5186/fd
[[email protected] ~]#
As mentioned earlier, “lsof” of “lsof” itself is captured here and all the details are displayed. Other than “lsof” there are other processes like systemd and rsyslogd which are daemons used for swap, mounting etc purposes.
Similarly, we can list open files of another file system like /var/log,
[[email protected] ~]# lsof /var/log/
lsof command become very handy in a situation where df and du command shows different disk usage of same file system, using lsof command we can find files which were removed while they were opened and used by some process,
[[email protected] ~]# lsof /var/log | grep -i "deleted"
Above command will give you the pid of files which were deleted but they are still exist in the system in deleted state. So, to release the space from file system we can safely kill the process by its pid.
Example:3) List of open file for “lsof” command
“lsof” on itself throws an error message,
[[email protected] ~]# lsof lsof
lsof: status error on lsof: No such file or directory
lsof 4.87
Example:4) List of open files for users (lsof -u <user_name>)
“lsof” can be used for all the users who have logged into the Linux System. In this case “lsof” will display all the opened files for the respective user.
List all open files for root user
[[email protected] ~]# lsof -u root | more
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root cwd DIR 253,0 4096 128 /
systemd 1 root rtd DIR 253,0 4096 128 /
systemd 1 root txt REG 253,0 1620416 51034677 /usr/lib/systemd/systemd
systemd 1 root mem REG 253,0 20032 33628284 /usr/lib64/libuuid.so.1.3.0
systemd 1 root mem REG 253,0 252704 33745961 /usr/lib64/libblkid.so.1.1.0
systemd 1 root mem REG 253,0 90632 33628275 /usr/lib64/libz.so.1.2.7
systemd 1 root mem REG 253,0 153192 33618596 /usr/lib64/liblzma.so.5.0.99
systemd 1 root mem REG 253,0 19888 33656455 /usr/lib64/libattr.so.1.1.0
…………………………………………………………
List of open files for non-root users, let’s see all open files for linuxtechi user,
[[email protected] ~]# lsof -u linuxtechi | more
Or
[[email protected] ~]# lsof -l -u linuxtechi | more
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 2657 linuxtechi cwd DIR 253,0 4096 128 /
sshd 2657 linuxtechi rtd DIR 253,0 4096 128 /
sshd 2657 linuxtechi txt REG 253,0 815520 34698340 /usr/sbin/sshd
sshd 2657 linuxtechi DEL REG 0,4 23850 /dev/zero
sshd 2657 linuxtechi mem REG 253,0 15472 33831639 /usr/lib64/security/pam_lastlog.so
sshd 2657 linuxtechi mem REG 253,0 68192 33628305 /usr/lib64/libbz2.so.1.0.6
sshd 2657 linuxtechi mem REG 253,0 153192 33618596 /usr/lib64/liblzma.so.5.0.99
sshd 2657 linuxtechi mem REG 253,0 91496 33628319 /usr/lib64/libelf-0.163.so
sftp-serv 2661 linuxtechi mem REG 253,0 14608 33618582 /usr/lib64/libutil-2.17.so
sftp-serv 2661 linuxtechi mem REG 253,0 61856 33863972 /usr/lib64/liblber-2.4.so.2.10.3
sftp-serv 2661 linuxtechi mem REG 253,0 344224 33863974 /usr/lib64/libldap-2.4.so.2.10.3
sftp-serv 2661 linuxtechi mem REG 253,0 19512 33618298 /usr/lib64/libdl-2.17.so
sftp-serv 2661 linuxtechi mem REG 253,0 2516624 33657314 /usr/lib64/libcrypto.so.1.0.2k
sftp-serv 2661 linuxtechi mem REG 253,0 164432 33618285 /usr/lib64/ld-2.17.so
sftp-serv 2661 linuxtechi 0r FIFO 0,8 0t0 24046 pipe
sftp-serv 2661 linuxtechi 1w FIFO 0,8 0t0 24047 pipe
sftp-serv 2661 linuxtechi 2w FIFO 0,8 0t0 24048 pipe
bash 2670 linuxtechi cwd DIR 253,0 79 17157147 /home/linuxtechi
………………………………………………………………………
To List all open files except root user, use ^(caret symbol) in front of root user ( lsof -u ^root),
[[email protected] ~]# lsof -u ^root | more
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dbus-daem 1662 dbus cwd DIR 253,0 4096 128 /
dbus-daem 1662 dbus rtd DIR 253,0 4096 128 /
dbus-daem 1662 dbus txt REG 253,0 441176 17133533 /usr/bin/dbus-daemon
dbus-daem 1662 dbus mem REG 253,0 57824 33618566 /usr/lib64/libnss_files-2.17.so
dbus-daem 1662 dbus mem REG 253,0 19512 33618298 /usr/lib64/libdl-2.17.so
dbus-daem 1662 dbus mem REG 253,0 398272 33628261 /usr/lib64/libpcre.so.1.2.0
dbus-daem 1662 dbus mem REG 253,0 2107816 33618292 /usr/lib64/libc-2.17.so
……………………………………………………………………………………………………………
Example:5) List all open Internet and UNIX domain files (lsof -i -U)
Use “-i -U” option in lsof command to list all open internet and UNIX domain files on your system, example is shown below
[[email protected] ~]# lsof -i -U
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 12u unix 0xffff8800b8baab40 0t0 11075 /run/systemd/cgroups-agent
systemd 1 root 13u unix 0xffff8800b8bab2c0 0t0 11077 /run/systemd/private
systemd 1 root 42u IPv4 16576 0t0 TCP *:sunrpc (LISTEN)
systemd 1 root 43u IPv4 16577 0t0 UDP *:sunrpc
rpcbind 1633 rpc 3u unix 0xffff8800bab8cf00 0t0 16574 /var/run/rpcbind.sock
rpcbind 1633 rpc 4u IPv4 16576 0t0 TCP *:sunrpc (LISTEN)
rpcbind 1633 rpc 5u IPv4 16577 0t0 UDP *:sunrpc
rpcbind 1633 rpc 6u IPv6 16578 0t0 TCP *:sunrpc (LISTEN)
rpcbind 1633 rpc 7u IPv6 16579 0t0 UDP *:sunrpc
rpcbind 1633 rpc 10u IPv4 16649 0t0 UDP *:960
sshd 2532 root 3u IPv4 21120 0t0 TCP 192.168.1.6:ssh->192.168.1.5:65110 (ESTABLISHED)
sshd 2532 root 4u unix 0xffff8800bbef3a40 0t0 21260 socket
sshd 2532 root 8u unix 0xffff8800b8afd680 0t0 21298 /tmp/ssh-QHz9BdtRvt/agent.2532
sshd 2536 root 3u IPv4 21191 0t0 TCP 192.168.1.6:ssh->192.168.1.5:65112 (ESTABLISHED)
sshd 2536 root 4u unix 0xffff8800b8afd2c0 0t0 21363 socket
………………………………………………………………………………………………………………
Example:6) List all open IPv4 network files (lsof -i 4)
Use “-i -4” option in lsof command to list all open network files for IPv4,
[[email protected] ~]# lsof -i 4
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 42u IPv4 16576 0t0 TCP *:sunrpc (LISTEN)
systemd 1 root 43u IPv4 16577 0t0 UDP *:sunrpc
rpcbind 1633 rpc 4u IPv4 16576 0t0 TCP *:sunrpc (LISTEN)
sshd 2258 root 3u IPv4 19493 0t0 TCP *:ssh (LISTEN)
master 2360 root 13u IPv4 20087 0t0 TCP localhost:smtp (LISTEN)
dhclient 2494 root 6u IPv4 20983 0t0 UDP *:bootpc
dhclient 2494 root 20u IPv4 20951 0t0 UDP *:24884
dhclient 2514 root 6u IPv4 20866 0t0 UDP *:bootpc
sshd 2532 root 3u IPv4 21120 0t0 TCP 192.168.1.6:ssh->192.168.1.5:65110 (ESTABLISHED)
sshd 2536 root 3u IPv4 21191 0t0 TCP 192.168.1.6:ssh->192.168.1.5:65112 (ESTABLISHED)
sshd 2621 root 3u IPv4 23506 0t0 TCP 192.168.1.6:ssh->192.168.1.9:65422 (ESTABLISHED)
sshd 2655 root 3u IPv4 23863 0t0 TCP 192.168.1.6:ssh->192.168.1.9:49992 (ESTABLISHED)
sshd 2657 linuxtechi 3u IPv4 23795 0t0 TCP 192.168.1.6:ssh->192.168.1.9:49990 (ESTABLISHED)
sshd 2660 linuxtechi 3u IPv4 23863 0t0 TCP 192.168.1.6:ssh->192.168.1.9:49992 (ESTABLISHED)
[[email protected] ~]#
To list all open IPv4 network files used by a specific process whose process id “any_number”, examples is shown below
Let’s assume we want to list all IPv4 network files for rpcbind process
Syntax : # lsof i 4 -a -p {process_pid}
[[email protected] ~]# lsof -i 4 -a -p 1633
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 1633 rpc 4u IPv4 16576 0t0 TCP *:sunrpc (LISTEN)
rpcbind 1633 rpc 5u IPv4 16577 0t0 UDP *:sunrpc
rpcbind 1633 rpc 10u IPv4 16649 0t0 UDP *:960
[[email protected] ~]#
Example:7) List all open network files for IPv6 (lsof -i 6)
Assuming ipv6 domain is supported, the output of lsof will be something like below,
[[email protected] ~]# lsof -i 6
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 44u IPv6 16578 0t0 TCP *:sunrpc (LISTEN)
systemd 1 root 46u IPv6 16579 0t0 UDP *:sunrpc
rpcbind 1633 rpc 6u IPv6 16578 0t0 TCP *:sunrpc (LISTEN)
rpcbind 1633 rpc 7u IPv6 16579 0t0 UDP *:sunrpc
rpcbind 1633 rpc 11u IPv6 16650 0t0 UDP *:960
sshd 2258 root 4u IPv6 19504 0t0 TCP *:ssh (LISTEN)
master 2360 root 14u IPv6 20088 0t0 TCP localhost:smtp (LISTEN)
dhclient 2494 root 21u IPv6 20952 0t0 UDP *:16498
dhclient 2514 root 21u IPv6 20823 0t0 UDP *:34955
httpd 2594 root 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2595 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2596 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2597 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2598 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2599 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
[[email protected] ~]#
Example:8) List all TCP & UDP process running on specific port (lsof -i TCP/UDP
ort)Let’s assume we want to list all the TCP process running on 80 port, use the below command
[[email protected] ~]# lsof -i TCP:80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 2594 root 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2595 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2596 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2597 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2598 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2599 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
[[email protected] ~]#
To list all open files on TCP port from port range (1 to 1048), use the following command
[[email protected] ~]# lsof -i TCP:1-1048
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 41u IPv4 16863 0t0 TCP *:sunrpc (LISTEN)
systemd 1 root 44u IPv6 16865 0t0 TCP *:sunrpc (LISTEN)
rpcbind 1663 rpc 4u IPv4 16863 0t0 TCP *:sunrpc (LISTEN)
rpcbind 1663 rpc 6u IPv6 16865 0t0 TCP *:sunrpc (LISTEN)
sshd 2294 root 3u IPv4 19949 0t0 TCP *:ssh (LISTEN)
sshd 2294 root 4u IPv6 19965 0t0 TCP *:ssh (LISTEN)
master 2433 root 13u IPv4 21026 0t0 TCP localhost:smtp (LISTEN)
master 2433 root 14u IPv6 21027 0t0 TCP localhost:smtp (LISTEN)
sshd 2600 root 3u IPv4 21737 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52393 (ESTABLISHED)
sshd 2659 root 3u IPv4 22056 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52486 (ESTABLISHED)
sshd 2663 root 3u IPv4 22123 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52489 (ESTABLISHED)
httpd 2837 root 4u IPv6 26112 0t0 TCP *:http (LISTEN)
httpd 2838 apache 4u IPv6 26112 0t0 TCP *:http (LISTEN)
httpd 2839 apache 4u IPv6 26112 0t0 TCP *:http (LISTEN)
httpd 2840 apache 4u IPv6 26112 0t0 TCP *:http (LISTEN)
httpd 2841 apache 4u IPv6 26112 0t0 TCP *:http (LISTEN)
httpd 2842 apache 4u IPv6 26112 0t0 TCP *:http (LISTEN)
sshd 2891 root 3u IPv4 26896 0t0 TCP 192.168.1.3:ssh->192.168.1.9:53541 (ESTABLISHED)
sshd 2895 linuxtechi 3u IPv4 26896 0t0 TCP 192.168.1.3:ssh->192.168.1.9:53541 (ESTABLISHED)
[[email protected] ~]#
To List all UDP process running on a specific port use the beneath command
[[email protected] ~]# lsof -i UDP:16498
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dhclient 2494 root 21u IPv6 20952 0t0 UDP *:16498
[[email protected] ~]#
Note: To list all open UDP process on your linux system then use the command “lsof -i UDP”
Example:9) List all open files for specific device (lsof <device_name>)
The following command can be used to list all open files on /dev/vda1.
Note: In this case the device type is virtual, in general this can be of type /dev/hd<number>/ sd{number}
[email protected] ~]# lsof /dev/vda1 | more
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root cwd DIR 253,1 4096 2 /
systemd 1 root rtd DIR 253,1 4096 2 /
systemd 1 root txt REG 253,1 1577264 262271 /lib/systemd/systemd
systemd 1 root mem REG 253,1 18976 262252 /lib/x86_64-linux-gnu/libuuid.so.1.3.0
systemd 1 root mem REG 253,1 262408 262245 /lib/x86_64-linux-gnu/libblkid.so.1.1.0
systemd 1 root mem REG 253,1 14608 266364 /lib/x86_64-linux-gnu/libdl-2.23.so
systemd 1 root mem REG 253,1 456632 262207 /lib/x86_64-linux-gnu/libpcre.so.3.13.2
systemd 1 root mem REG 253,1 1868984 266362 /lib/x86_64-linux-gnu/libc-2.23.so
systemd 1 root mem REG 253,1 138696 266361 /lib/x86_64-linux-gnu/libpthread-2.23.so
systemd 1 root mem REG 253,1 286824 261756 /lib/x86_64-linux-gnu/libmount.so.1.1.0
Example:10) List processes with open files on NFS file system
There are some situations where you have mounted nfs file system on your linux box but nfs server is inaccessible and want to list all process with open files on that nfs file system,
[[email protected] ~]# lsof -b <nfs-share-mount-point>
Example:11) List terminal related open files (lsof /dev/tty{number})
The following command is used for all open files on /dev/tty1.
Note: In this case the terminal type is “tty1”. Any other terminal type also can be used like /dev/tty<number>
[[email protected] ~]# lsof /dev/tty1
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 2442 root 0u CHR 4,1 0t0 4689 /dev/tty1
bash 2442 root 1u CHR 4,1 0t0 4689 /dev/tty1
bash 2442 root 2u CHR 4,1 0t0 4689 /dev/tty1
bash 2442 root 255u CHR 4,1 0t0 4689 /dev/tty1
[[email protected] ~]#
Example:12) List PID, Command Name, File descriptor, Device Number & File inode Number (lsof -FpcfDi)
One of the interesting options in “lsof” to obtain PID(P) and command name(c) field output for each process, file descriptor (f), file device number(D), and file inode number(i) for each file of each process, example is shown below
[[email protected] ~]# lsof -FpcfDi | more
p1
csystemd
fcwd
D0xfd00
i128
frtd
D0xfd00
i128
ftxt
D0xfd00
i51034677
fmem
D0xfd00
i33628284
………………
Note: Long list of output is displayed, but this is cut short to save space.
Example:13) List all the network connections (lsof -i)
Use “-i” option in lsof command to list all network related process or commands, example is shown below,
[[email protected] ~]# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 41u IPv4 16863 0t0 TCP *:sunrpc (LISTEN)
systemd 1 root 43u IPv4 16864 0t0 UDP *:sunrpc
rpcbind 1663 rpc 4u IPv4 16863 0t0 TCP *:sunrpc (LISTEN)
rpcbind 1663 rpc 5u IPv4 16864 0t0 UDP *:sunrpc
rpcbind 1663 rpc 11u IPv6 17051 0t0 UDP *:988
sshd 2294 root 3u IPv4 19949 0t0 TCP *:ssh (LISTEN)
sshd 2294 root 4u IPv6 19965 0t0 TCP *:ssh (LISTEN)
rpc.statd 2300 rpcuser 10u IPv6 19974 0t0 UDP *:48486
rpc.statd 2300 rpcuser 11u IPv6 20045 0t0 TCP *:39334 (LISTEN)
rpc.mount 2311 root 7u IPv4 19897 0t0 UDP *:mountd
rpc.mount 2311 root 8u IPv4 19911 0t0 TCP *:mountd (LISTEN)
master 2433 root 13u IPv4 21026 0t0 TCP localhost:smtp (LISTEN)
master 2433 root 14u IPv6 21027 0t0 TCP localhost:smtp (LISTEN)
dhclient 2563 root 6u IPv4 21589 0t0 UDP *:bootpc
dhclient 2583 root 21u IPv6 21365 0t0 UDP *:10368
sshd 2600 root 3u IPv4 21737 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52393 (ESTABLISHED)
sshd 2659 root 3u IPv4 22056 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52486 (ESTABLISHED)
[[email protected] ~]#
Example:14) Find IPv4 /IPv6 Socket file
To find the IPv4 socket file use the below command, replace IP address with your system IP
[[email protected] ~]# lsof [email protected]
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 2600 root 3u IPv4 21737 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52393 (ESTABLISHED)
sshd 2659 root 3u IPv4 22056 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52486 (ESTABLISHED)
sshd 2663 root 3u IPv4 22123 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52489 (ESTABLISHED)
sshd 2724 root 3u IPv4 25004 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52848 (ESTABLISHED)
sshd 2728 linuxtechi 3u IPv4 25004 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52848 (ESTABLISHED)
[[email protected] ~]#
To find an IP version 6 socket file by an associated numeric colon-form address that has a run of zeroes in it – e.g., the loop-back address(127.0.0.1) use below command and options:
[[email protected] ~]# lsof [email protected][::1]
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
master 2433 root 14u IPv6 21027 0t0 TCP localhost:smtp (LISTEN)
[[email protected] ~]#
Example:15) List all Process or Commands that belongs to a Process ID (lsof -p <pid>)
Let’s assume we want to list all process or commands that belongs to a specific process id, Example is shown below
[[email protected] ~]# lsof -p 2842 | more
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 2842 apache cwd DIR 253,0 4096 128 /
httpd 2842 apache rtd DIR 253,0 4096 128 /
httpd 2842 apache txt REG 253,0 523680 34641136 /usr/sbin/httpd
httpd 2842 apache mem REG 253,0 110808 33618576 /usr/lib64/libresolv-2.17.so
httpd 2842 apache mem REG 253,0 27512 33618564 /usr/lib64/libnss_dns-2.17.so
httpd 2842 apache mem REG 253,0 57824 33618566 /usr/lib64/libnss_files-2.17.so
httpd 2842 apache mem REG 253,0 27808 17080385 /usr/lib64/httpd/modules/mod_cgi.so
httpd 2842 apache mem REG 253,0 68192 33628305 /usr/lib64/libbz2.so.1.0.6
………………………………………………
Example:16) Kill all process that belongs to a specific user
lsof command become very handy where we want to kill all the process that belongs to a specific user, below example will kill all process that belongs to linuxtechi user
[[email protected] ~]# kill -9 `lsof -t -u linuxtechi`
[[email protected] ~]#
Example:17) List all open files under a specific directory (lsod +D <directory-path>)
Let’s assume we want list all open files under /var/log directory, then use the following lsof command,
[[email protected] ~]# lsof +D /var/log/
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
auditd 1635 root 4w REG 253,0 1177238 51031316 /var/log/audit/audit.log
wpa_suppl 1840 root 3w REG 253,0 240 392280 /var/log/wpa_supplicant.log
tuned 2295 root 3w REG 253,0 6000 17713597 /var/log/tuned/tuned.log
rsyslogd 2296 root 6w REG 253,0 7118 392279 /var/log/cron
rsyslogd 2296 root 7w REG 253,0 449328 338975 /var/log/messages
rsyslogd 2296 root 8w REG 253,0 26038 338976 /var/log/secure
rsyslogd 2296 root 9w REG 253,0 1576 338977 /var/log/maillog
rsyslogd 2296 root 10w REG 253,0 9458 138 /var/log/boot.log
httpd 2837 root 2w REG 253,0 2829 34768157 /var/log/httpd/error_log
httpd 2837 root 7w REG 253,0 0 34824416 /var/log/httpd/access_log
httpd 2838 apache 2w REG 253,0 2829 34768157 /var/log/httpd/error_log
httpd 2838 apache 7w REG 253,0 0 34824416 /var/log/httpd/access_log
httpd 2839 apache 2w REG 253,0 2829 34768157 /var/log/httpd/error_log
httpd 2839 apache 7w REG 253,0 0 34824416 /var/log/httpd/access_log
httpd 2840 apache 2w REG 253,0 2829 34768157 /var/log/httpd/error_log
httpd 2840 apache 7w REG 253,0 0 34824416 /var/log/httpd/access_log
httpd 2841 apache 2w REG 253,0 2829 34768157 /var/log/httpd/error_log
httpd 2841 apache 7w REG 253,0 0 34824416 /var/log/httpd/access_log
httpd 2842 apache 2w REG 253,0 2829 34768157 /var/log/httpd/error_log
httpd 2842 apache 7w REG 253,0 0 34824416 /var/log/httpd/access_log
[[email protected] ~]#
Note: In above command if we use +D option then lsof will list all open files of a directory recursively and if you don’t want to list open files of directory recursively then use “+d” option
Example:18) “lsof” to check who opened the log file (to find PID)
The following command option is used to find who opened the /var/log/httpd/access.log file and what is the PID of that process. And then with “ps -ef” command we can find exact user
[[email protected] ~]# lsof -t /var/log/httpd/access_log
3109
3110
3111
3112
3113
3114
[[email protected] ~]#
[[email protected] ~]# ps -ef | grep -E "3109|3110|3111|3112|3113|3114" | grep -v grep
or
[[email protected] ~]# ps -fp "$(lsof -t /var/log/httpd/access_log | xargs echo)"
root 3109 1 0 03:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 3110 3109 0 03:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 3111 3109 0 03:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 3112 3109 0 03:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 3113 3109 0 03:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 3114 3109 0 03:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
[[email protected] ~]#
Many options of the “lsof” command can be combined for multiple purposes as below are some combination of flags “-c”, “-u” and “-I”. For more details refer the manual page.
Also Read : 11 Xargs Command Examples in Linux
The below command combination will give output every 1 second about “linuxtechi” home directory what all the files opened repeatedly.
[email protected] ~}# lsof -u linuxtechi -c init -a -r1
=======
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
inita.sh 2971 linuxtechi cwd DIR 8,1 4096 393218 /home/linuxtechi
inita.sh 2971 linuxtechi rtd DIR 8,1 4096 2 /
inita.sh 2971 linuxtechi txt REG 8,1 83344 524367 /bin/dash
inita.sh 2971 linuxtechi mem REG 8,1 1434567 1443695 /lib/i386-linux-gnu/libc-2.13.so
……………………………………………………………………………
Conclusion:
As mentioned in the introduction section “lsof” is very powerful and useful command in Linux based distributions. This command and options listed can be used for various purposes like debugging, troubleshooting and triaging Linux processes. Mentioned options and combinations if tried, will help one to establish thorough understanding of “lsof” command. Other commands like lstat, stat and ls also can be explored in combination of “lsof” command.
Also Read : How to Enable Timestamp in Linux History Command Output
st
SOLARWINDS || HANOIYEU