LinuxCommandLibrary

lsof

List open files and the associated processes

TLDR

Find the processes that have a given file open

$ lsof [path/to/file]
copy

Find the process that opened a local internet port
$ lsof -i :[port]
copy

Only output the process ID (PID)
$ lsof -t [path/to/file]
copy

List files opened by the given user
$ lsof -u [username]
copy

List files opened by the given command or process
$ lsof -c [process_or_command_name]
copy

List files opened by a specific process, given its PID
$ lsof -p [PID]
copy

List open files in a directory
$ lsof +D [path/to/directory]
copy

Find the process that is listening on a local IPv6 TCP port and don't convert network or port numbers
$ lsof -i6TCP:[port] -sTCP:LISTEN -n -P
copy

SYNOPSIS

lsof [options] [names]

Common Invocation Examples:
- lsof - List all open files.
- lsof -i - List all network connections.
- lsof -p PID - List files opened by a specific process ID.
- lsof /path/to/file - List processes opening a specific file.

PARAMETERS

-a
    Causes list selections to be ANDed. By default, selections are ORed.

-c COMMAND
    Selects the listing of files for processes executing the COMMAND.

-d FD
    Selects the listing of files for the specified file descriptor(s) (e.g., 0,1,2,txt,cwd,mem,rtd).

-i [addresses]
    Selects the listing of files for Internet protocol (IP) addresses. Can specify IP address, hostname, or port (e.g., :80, @192.168.1.1, TCP:22).

-n
    Prevents the conversion of network numbers to host names for network files. Speeds up output.

-P
    Prevents the conversion of network port numbers to port names for network files. Speeds up output.

-p PID
    Selects the listing of files for the specified process ID(s).

-r [N]
    Repeats lsof command every N seconds. Default is 15 seconds.

-t
    Produces terse output, suitable for piping to other commands. Only PIDs are displayed.

-u USER
    Selects the listing of files for the specified user(s) (name or UID).

+D DIRECTORY
    Searches for all open instances of files or directories within the specified DIRECTORY and its subdirectories.

+L
    Lists the file link count (i.e., the number of hard links to a file).

-F fmt
    Specifies the output format fields. Useful for scripting and custom parsing.

DESCRIPTION

lsof (short for list open files) is a powerful command-line utility used to display information about files opened by processes on a Unix-like system. It can identify which files are currently being used by which processes, including regular files, directories, block special files, character special files, shared libraries, named pipes, Internet sockets, and UNIX domain sockets.

This command is invaluable for system administrators, developers, and security analysts for various tasks: troubleshooting "file in use" errors, identifying processes accessing specific resources (e.g., a mounted disk, a network port), debugging application behavior, or investigating potential security breaches. lsof provides a detailed snapshot of file and network activity, making it a critical tool for system introspection and resource management.

CAVEATS

lsof often requires root privileges to access comprehensive information about all processes and their open files, especially those belonging to other users or kernel-level resources. Running it as a non-root user may result in incomplete or restricted output.

The output can be very verbose, requiring careful filtering (often with grep) to find specific information. On systems with a large number of open files, lsof can take a significant amount of time to execute and consume considerable system resources during its run.

<I>UNDERSTANDING LSOF OUTPUT COLUMNS</I>

lsof output is typically structured into several columns, each providing specific details:
COMMAND: The name of the command associated with the process.
PID: The process ID.
TID: The thread ID (if lsof supports and -t is used).
USER: The user ID or login name of the process owner.
FD: The file descriptor number of the file (e.g., cwd for current working directory, txt for program text, mem for memory-mapped file, 0, 1, 2 for stdin, stdout, stderr, or a numeric descriptor).
TYPE: The type of the node associated with the file (e.g., REG for regular file, DIR for directory, CHR for character special file, FIFO for FIFO pipe, SOCK for socket, IPv4 for IPv4 socket).
DEVICE: The device numbers where the file resides.
SIZE/OFF: The size of the file or the offset used by the process.
NODE: The inode number of the local file or the protocol/address of a network file.
NAME: The name of the mount point and file system, or the file name itself, or a network connection.

<I>COMMON USAGE SCENARIOS</I>

lsof's versatility allows for many practical applications:
- Finding processes using a specific file or directory: lsof /var/log/syslog or lsof +D /mnt/data
- Identifying processes listening on a specific port: lsof -i :8080 or lsof -i TCP:443
- Listing all network connections by a user: lsof -u root -i
- Killing processes holding a file open: kill -9 $(lsof -t /path/to/file)
- Finding deleted but still open files: lsof | grep deleted (Useful for troubleshooting disk space issues where files are deleted but their space isn't freed because a process still holds them open).

HISTORY

lsof was originally developed by Victor A. Abell. Its development began in the late 1980s and has since become a standard and indispensable utility across various Unix-like operating systems, including Linux, macOS, FreeBSD, and Solaris. It filled a critical gap in system introspection by providing a unified way to list all open file descriptors and the corresponding files, significantly aiding in debugging, resource management, and security analysis.

SEE ALSO

fuser(1), netstat(8), ss(8), ps(1), strace(1)

Copied to clipboard