LinuxCommandLibrary

lsof

List open files and the associated processes

TLDR

Find the processes that have a given file open

$ lsof [path/to/file]
copy

Find the process that opened a local internet port
$ lsof -i :[port]
copy

Only output the process ID (PID)
$ lsof -t [path/to/file]
copy

List files opened by the given user
$ lsof -u [username]
copy

List files opened by the given command or process
$ lsof -c [process_or_command_name]
copy

List files opened by a specific process, given its PID
$ lsof -p [PID]
copy

List open files in a directory
$ lsof +D [path/to/directory]
copy

Find the process that is listening on a local IPv6 TCP port and don't convert network or port numbers
$ lsof -i6TCP:[port] -sTCP:LISTEN -n -P
copy

SYNOPSIS

lsof [options] [file(s)]

PARAMETERS

-a
    Lists files opened by all users.

-c command
    Lists files opened by processes whose command name begins with command.

-d file descriptor(s)
    Lists files using the specified file descriptor(s).

-i[protocol][@hostname|address][:port]
    Lists files using the specified internet address.

-n
    Suppresses the conversion of network numbers to host names.

-p process ID(s)
    Lists files opened by the specified process ID(s).

-u user ID(s)
    Lists files opened by the specified user ID(s).

+D directory
    Search for files in a specific directory and all its subdirectories.

+|-r [t]
    Repeats every t seconds, t defaults to 15. +r repeats until the end -r ends. (use with caution, for debug purposes).

-F format
    Specifies a field selection.

DESCRIPTION

lsof (List Open Files) is a command-line utility in Unix-like operating systems that displays a list of all open files and the processes that opened them.

A file, in this context, can be many things: regular files, directories, network sockets (TCP, UDP), block devices, character devices, executing programs, shared libraries, pipes, named pipes, kernel memory regions and more. lsof is an invaluable tool for system administrators and developers to diagnose issues related to file access and resource usage.

It provides insights into which processes are using specific files or network connections, helping to identify bottlenecks, troubleshoot application behavior, track down rogue processes holding onto resources, or investigate network traffic. It is used for security purposes to understand which program is connected to which network port.

The command's powerful filtering options allow users to narrow down the output based on various criteria like process ID (PID), user, command name, file name, network address, and more.

CAVEATS

Requires root privileges to see all open files for all users. Output can be voluminous, so filtering is crucial. The behavior of some options might vary slightly across different Unix-like systems.

OUTPUT COLUMNS

The output of lsof contains several columns providing information about the open files:
COMMAND: The command associated with the process.
PID: The process ID.
USER: The user ID or name of the process owner.
FD: The file descriptor.
TYPE: The type of the file (e.g., REG for regular file, DIR for directory, IPv4 for IPv4 socket).
DEVICE: The device number.
SIZE/OFF: The file size or offset.
NODE: The inode number.
NAME: The file name or network address.

FILE DESCRIPTOR TYPES

FD column indicates the file descriptor, which is the way the system communicates with the file. It can be a number, or a shortcut:
cwd: Current working directory.
txt: Program text (code and data).
mem: Memory-mapped file.
mmap: Memory-mapped device.
#: Numbered file descriptor.
rtd: Root directory

HISTORY

lsof was originally written by Vic Abell at Purdue University. It has been actively maintained and improved over the years, becoming a standard tool for system administration. It has been widely adopted across various Unix-like operating systems, including Linux, FreeBSD, macOS, and others.

SEE ALSO

ps(1), netstat(1), fuser(1), proc(5)

Copied to clipboard