lsof, which means "list open files", is a command-line utility that shows information on currently opened files and the processes they are associated with in Linux and other Unix-based operating systems.
A file in this context could be your regular file, a directory, a block-special file, a library, a character-special file, an executing text reference, a stream, or a network file.
With lsof, you can easily identify processes listening on specific ports, files locked by a process, files opened by certain users, and so on.
In this article, we will explore common lsof commands which you can use to manage open files and processes.
Command Syntax
Most lsof commands typically take the following form:
lsof [options] [value]
lsof supports various options, which modify its behavior and the resulting output produced, including -i, -U, -a, -c, and much more.
Additionally, while it is possible to run lsof without elevated privileges, using sudo is recommended to avoid encountering "permission denied" errors with some commands.
1. List All Opened Files
Invoking the lsof command without specifying an option will show a list of all files opened by active processes. However, the output produced may be tedious to read and difficult to navigate.
By piping the output to the "less" pager, as shown below, you can browse through it easily.
sudo lsof | less COMMAND PID TID TASKCMD USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root cwd DIR 8,3 4096 2 / systemd 1 root rtd DIR 8,3 4096 2 / systemd 1 root txt REG 8,3 1849992 3282324 /usr/lib/systemd/systemd systemd 1 root mem REG 8,3 4447536 3276990 /usr/lib/x86_64-linux-gnu/libcrypto.so.3 systemd 1 root mem REG 8,3 613064 3282481 /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4
The output generated shows the following information:
- COMMAND: This column indicates the name of the UNIX command associated with the process, limited to the first 9 characters.
- PID: This represents the process identification number.
- TID: This shows the task identification number. A blank TID value indicates that the entry is a process rather than a task.
- TASKCMD: This refers to the task command name. It is usually the same as the COMMAND name unless altered.
- USER: This shows the name or ID of the user that owns the process, which is the root user in this case.
- FD: This column represents the file descriptor number of the file.
- TYPE: This refers to the node type associated with the file.
- DEVICE: This shows the device's numbers for a regular, block special, character special, directory, or network file system (NFS) file. Alternative values include "memory" for a memory file system or a reference address.
- SIZE/OFF: This column represents the file size or the file's offset in bytes.
- NODE: This indicates either a local file's node number, an NFS file inode number, or the internet protocol type.
- NAME: This represents the file's path or remote address or mount point of the file system.
2. List Files From a Specific File System
lsof allows you to filter currently opened files and processes to view only those within a specific file system. To accomplish this, you need to specify the file system with the command as demonstrated below:
sudo lsof /mnt/diskOne COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME bash 13237 foo cwd DIR 8,17 4096 2 /mnt/diskOne nano 17643 foo cwd DIR 8,17 4096 2 /mnt/diskOne
In the output above, lsof shows the files and processes currently opened in the /mnt/diskOne file system.
3. Show Processes Accessing a File
The lsof command can be used to easily identify processes accessing a particular file. For example, to view processes accessing '/var/log/syslog', run:
sudo lsof /var/log/syslog COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rsyslogd 861 syslog 7w REG 8,3 3 30596 524414 /var/log/syslog
4. List Files Opened By a User
The "-u" option allows you to get a list of the files a specific user is accessing. It accepts an argument of the user's name or ID. For example, the following command will retrieve files opened by the root user.
sudo lsof -u root COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root cwd DIR 8,3 4096 2 / systemd 1 root rtd DIR 8,3 4096 2 / systemd 1 root txt REG 8,3 1849992 3282324 /usr/lib/systemd/systemd systemd 1 root mem REG 8,3 613064 3282481 /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4 systemd 1 root mem REG 8,3 4447536 3276990 /usr/lib/x86_64-linux-gnu/libcrypto.so.3 systemd 1 root mem REG 8,3 149760 3283479 /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.32.1
Additionally, the "-u" option allows you to specify more than one user by separating individual user names with a comma, as demonstrated below:
sudo lsof -u root,foo COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME gdm-sessi 11607 root 12w FIFO 0,25 0t0 2112 /run/systemd/sessions/5.ref systemd 11619 foo cwd DIR 8,3 4096 2 / systemd 11619 foo rtd DIR 8,3 4096 2 / systemd 11619 foo txt REG 8,3 1849992 3282324 /usr/lib/systemd/systemd
Moreover, you can list files opened by all users on the system except for a specific user by preceding the user's name passed to the "-u" option with a caret (^) symbol.
sudo lsof -u ^root
5. List Files Opened By a Process
Sometimes, you might want to see files opened by a specific process, especially when investigating malicious processes. This can be done using the "-c" option. It lets you retrieve files opened by certain processes by matching the specified value to a command associated with the process.
For example, the following command produces a list of files associated with the systemd process.
sudo lsof -c systemd COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root cwd DIR 8,3 4096 2 / systemd 1 root rtd DIR 8,3 4096 2 / systemd 1 root txt REG 8,3 1849992 3282324 /usr/lib/systemd/systemd systemd 1 root mem REG 8,3 613064 3282481 /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.4 systemd 1 root mem REG 8,3 4447536 3276990 /usr/lib/x86_64-linux-gnu/libcrypto.so.3
Additionally, you can omit a specific process from the output produced by preceding the desired process' name with a caret symbol, as shown below:
sudo lsof -c ^systemd
Alternatively, the PID can be used by supplying it as a value to the "-p" option, as demonstrated below:
sudo lsof -p 1 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root cwd DIR 8,3 4096 2 / systemd 1 root rtd DIR 8,3 4096 2 / systemd 1 root txt REG 8,3 1849992 3282324 /usr/lib/systemd/systemd
In the example above, 1 is the PID for the systemd process. Therefore, the output produced shows files associated with systemd.
6. List Files Opened Under a Specific Directory
The "+d" and "+D" option allows lsof to search for files currently open within a specific directory. However, the "+d" option performs only a top-level search, while "+D", on the other hand, performs a more in-depth search that includes sub-directories.
To list files currently opened in a directory, including any sub-directories, provide the directory's path to the "+D" option, as shown below:
sudo lsof +D /var/log COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME vmtoolsd 800 root 3w REG 8,3 2379 524310 /var/log/vmware-vmsvc-root.log rsyslogd 861 syslog 7w REG 8,3 350805 524414 /var/log/syslog rsyslogd 861 syslog 8w REG 8,3 88895 524500 /var/log/kern.log rsyslogd 861 syslog 9w REG 8,3 24270 524503 /var/log/auth.log cupsd 19408 root 11u REG 8,3 335 524343 /var/log/cups/access_log
7. List Network Connections
lsof also provides information on processes accessing network connections. Consequently, the "-i" option is used to get a list of connections opened by processes. The "-i" option also lets you filter connections based on various parameters, including IP address protocol, network protocol, ports, and IP address.
Invoking lsof with the "-i" option without specifying additional arguments will produce a list of all processes associated with network connections, as shown below.
sudo lsof -i COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd-r 830 systemd-resolve 13u IPv4 21747 0t0 UDP localhost:domain systemd-r 830 systemd-resolve 14u IPv4 21748 0t0 TCP localhost:domain (LISTEN) avahi-dae 849 avahi 12u IPv4 21759 0t0 UDP *:mdns avahi-dae 849 avahi 13u IPv6 21760 0t0 UDP *:mdns avahi-dae 849 avahi 14u IPv4 21761 0t0 UDP *:42137 avahi-dae 849 avahi 15u IPv6 21762 0t0 UDP *:35993
However, you can narrow down the output produced to either IPv4 or IPv6 connections using the "-i4" or "-i6" options, respectively. For example, the following command will get processes associated with only IPv6 connections:
sudo lsof -i6 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME avahi-dae 849 avahi 13u IPv6 21760 0t0 UDP *:mdns avahi-dae 849 avahi 15u IPv6 21762 0t0 UDP *:35993 cupsd 942 root 6u IPv6 22449 0t0 TCP ip6-localhost:ipp (LISTEN)
Additionally, the "-i" option allows you to specify the desired protocol value, such as TCP and UDP, to filter according to the network protocol.
sudo lsof TCP COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME cupsd 13904 root 6u IPv6 131063 0t0 TCP ip6-localhost:ipp (LISTEN) cupsd 13904 root 7u IPv4 131064 0t0 TCP localhost:ipp (LISTEN)
You can also find processes utilizing certain ports, which is particularly useful for identifying processes that may be blocking an application from binding to a specific port. For instance, the following command retrieves a list of processes using port 631.
sudo lsof -i :631 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME cupsd 13904 root 6u IPv6 131063 0t0 TCP ip6-localhost:ipp (LISTEN) cupsd 13904 root 7u IPv4 131064 0t0 TCP localhost:ipp (LISTEN) cups-brow 13907 root 7u IPv4 132314 0t0 UDP *:631
Alternatively, you can specify a port range instead of a specific port number, as demonstrated below:
sudo lsof -i :1-3000
The command above will get a list of processes utilizing ports between 1 and 3000.
8. List Locked Deleted Files
At times when a file is deleted, there may be some processes holding onto the deleted file, preventing the file system from freeing up the disk space previously occupied by the file. By using the "+L1" option with the lsof command, you can view a list of opened unlinked (deleted) files and the processes associated with such files.
For example, the following command shows a list of processes holding onto deleted files in the '/var/log' directory.
sudo lsof +L1 /var/log COMMAND PID USER FD TYPE DEVICE SIZE/OFF NLINK NODE NAME pipewire 2018 foo 24u REG 0,1 2312 0 1033 /memfd:pipewire-memfd (deleted) pipewire 2018 foo 27u REG 0,1 2312 0 1034 /memfd:pipewire-memfd (deleted) pulseaudi 2020 foo 6u REG 0,1 67108864 0 2053 /memfd:pulseaudio (deleted)
9. List Unix Domain Socket Files
A Unix domain socket or a Unix socket is an inter-process communication method which allows communication between processes running on the same machine. They are represented as special files within the file system, similar to regular files. Furthermore, they are commonly found in the '/var/run' and '/tmp' directories.
The "-U" option allows you to view a list of socket files, as demonstrated below:
sudo lsof -U COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root 19u unix 0xffff99f946fec800 0t0 18741 /run/systemd/private type=STREAM systemd 1 root 20u unix 0xffff99f946fee000 0t0 18743 /run/systemd/userdb/io.systemd.DynamicUser type=STREAM systemd 1 root 21u unix 0xffff99f946feec00 0t0 18744 /run/systemd/io.system.ManagedOOM type=STREAM
10. Combine Multiple Options
The lsof command allows you to combine multiple options to further filter the result produced. The "-a" option is used to perform the logical AND operation on multiple selections. However, it's important to note that when used, the "-a" option applies to all options in the command. It can't be used on selected pairs of options.
For example, the following command gets the list of opened network connections associated with the PID 849.
sudo lsof -i -a -p 849 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME avahi-dae 849 avahi 12u IPv4 21759 0t0 UDP *:mdns avahi-dae 849 avahi 13u IPv6 21760 0t0 UDP *:mdns avahi-dae 849 avahi 14u IPv4 21761 0t0 UDP *:42137 avahi-dae 849 avahi 15u IPv6 21762 0t0 UDP *:35993
11. Terminate User's Processes
The "kill" command can be combined with lsof to terminate processes belonging to a specific user more efficiently. This involves filtering opened processes to those associated with the desired user, retrieving the corresponding PIDs, and subsequently passing them as input to the "kill" command.
For instance, to terminate all processes associated with the user, foo, run:
kill -9 ‘lsof -t -u foo’
Conclusion
The lsof command is a valuable tool for easily investigating files accessed by processes on Linux. With lsof, you can examine files associated with different processes, uncover deleted files still in use, inspect network connections initiated by various processes, and identify processes using certain ports.
By using the lsof command, system administrators and analysts can monitor resource usage, easily track down suspicious processes, and gain insight into how the operating system interacts with files.
The `lsof` command in Linux is used to list open files and network sockets associated with running processes. It’s a powerful tool that provides insights into which files and sockets processes have opened, which can be useful for troubleshooting, monitoring, and analyzing system behavior. Here are some scenarios in which you might want to use the `lsof` command along with examples:
1. **Troubleshooting Processes:**
You can use `lsof` to identify which processes have certain files open, which can be helpful when diagnosing issues like “file in use” errors.
Example: To find processes that have a specific file named “example.txt” open:
“`bash
lsof /path/to/example.txt
“`
2. **Monitoring Network Connections:**
`lsof` can help you monitor network connections and find out which processes are using certain network sockets.
Example: To list all network sockets in use:
“`bash
lsof -i
“`
3. **Checking for Deleted Files:**
Sometimes, even if a file is deleted, processes might still have it open. `lsof` can reveal such “deleted but still open” files.
Example: To find deleted files that are still open:
“`bash
lsof +L1
“`
4. **Identifying Processes Holding a File:**
If you’re trying to determine which processes are preventing you from unmounting a filesystem or ejecting a removable device, `lsof` can help.
Example: To find processes using files on a specific filesystem:
“`bash
lsof /mnt/myfilesystem
“`
5. **Monitoring Users’ Activity:**
Administrators can use `lsof` to monitor users’ activity by checking which files or sockets processes are accessing.
Example: To list all files opened by a specific user (replace “username” with the actual username):
“`bash
lsof -u username
“`
6. **Finding Processes Using a Port:**
You can use `lsof` to identify which processes are using a specific port, which is helpful when debugging network-related issues.
Example: To find processes using port 8080:
“`bash
lsof -i :8080
“`
7. **Checking Shared Libraries:**
`lsof` can help you identify which processes have certain shared libraries loaded.
Example: To find processes using a specific shared library (replace “libname.so” with the library name):
“`bash
lsof /path/to/libname.so
“`
Remember that using the `lsof` command often requires superuser (root) privileges to access information about all processes. Always exercise caution and ensure you have the necessary permissions before running `lsof`.