18 Quick lsof Command Examples for Linux Geeks

Welcome Linux geeks, in this guide we will learn lsof command with 18 different practical examples.

lsof command is used to list open files in Linux like operating systems. The name “lsof” is itself derived from this functionality.

Where to use lsof?

lsof command is mainly used to retrieve information about files that are opened by various processes. Open files in a system can be disk files, network sockets, named pipes and devices. This distinctive feature of lsof command, enables one to debug and understand Linux operating System in a better way.

How to Install lsof?

Whenever we do the minimal installation of  RHEL /CentOS / AlmaLinux / Ubuntu/ OpenSUSE, lsof is not the part of default installation, so use the following command to install lsof command.

For RHEL / CentOS / AlmaLinux / Fedora,

$ sudo yum install lsof -y
or
$ sudo dnf install lsof -y

Debian Based Systems (Ubuntu / Linux Mint),

$ sudo apt install lsof -y

For OpenSUSE System,

$ sudo zypper install lsof

The command “lsof” comes equipped with many options and switches. It will be very interesting to explore some of these important ones. Let’s deep dive into the examples of lsof comamnd.

1) List All Open Files

Running lsof command without any options will list all open files of your system that belongs to all active process.

Just typing ‘lsof’ command without any options at command line gives the following output,

Note:- Since lsof output gives lot of information to STDOUT, it will be better to use pipe “|” operation to see this output page by page.

# lsof | more

lsof-Command-with-pagewise

The above command output if you examine carefully provides lot of information with many parameters. For example, process “systemd” (which is a daemon process) has Process Id (PID) of “1”, User is “root”, File Descriptor (FD) as “cwd” and etc.

The FD comes-up with many values, as one is aware that File Descriptor is generated for any open files automatically in Linux Systems. Below are some of the well-known “FD” values used for lsof commands,

Process-parameter-lsof-command

Note: In some cases, the “mem” is followed by number and various characters like “r”, “u”, “w” etc. These characters are “r” for read, “w” for write, “u” for read and write.

Finally, the “TYPE” in the command output indicates type of the file.  The following are the standard types of files in Linux systems.

File-type-linux-lsof-command

The other fields that are displayed along with this are as follows,

  • DEVICE –> Device id
  • SIZE/OFF –> Actual size of this process (taken during run time)
  • NODE –> Typically inode number of the directory or parent directory
  • NAME –> Path or link

2) List Open Files of Particular File System

As you are aware the “/proc” will be existing only during the life time of the Linux OS, this directory contains lot of important process related information. Executing “lsof” on /proc will throw interesting output for us to explor,

# lsof /proc

lsof-slash-proc-file-system

As mentioned earlier, “lsof” of “lsof” itself is captured here and all the details are displayed. Other than “lsof” there are other processes like systemd and rsyslogd which are daemons used for swap, mounting etc purposes.

Similarly, we can list open files of another file system like /var/log,

# lsof /var/log/

lsof command become very handy in a situation where df and du command shows different disk usage of same file system, using lsof command we can find files which were removed while they were opened and used by some process,

# lsof /var/log | grep -i "deleted"

Above command will give you the pid of files which were deleted but they are still exist in the system in deleted state. So, to release the space from file system we can safely kill those processes by its pid.

3) List of Open File For lsof Command

“lsof” on itself throws an error message,

# lsof lsof
lsof: status error on lsof: No such file or directory
lsof 4.87

4) List Open Files Of Users

“lsof” can be used for all the users who have logged into the Linux System. In this case “lsof” will display all the opened files for the respective user.

List all open files for root user

# lsof -u root | more

List-of-open-files-root-user

List of open files for non-root users, let’s see all open files for linuxtechi user,

# lsof -u linuxtechi  | more
Or
# lsof -l -u linuxtechi | more

list-openfiles-user-linux

To List all open files except root user, use ^(caret symbol) in front of root user ( lsof -u ^root),

# lsof -u ^root | more

list-openfiles-other-than-root-user

5) List all Open Internet and UNIX Domain Files

Use “-i -U” option in lsof command to list all open internet and UNIX domain files on your system, example is shown below,

# lsof -i -U

list-open-file-unix-type

6) List All Open IPv4 Network Files

Use “-i -4” option in lsof command to list all open network files for IPv4,

# lsof -i 4

View-IPv4-Network-files-lsof

To list all open IPv4 network files used by a specific process whose process id “any_number”, examples is shown below

Let’s assume we want to list all IPv4 network files for rpcbind process

Syntax :

# lsof -i 4 -a -p {process_pid}

# lsof -i 4 -a  -p 1633
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 1633  rpc    4u  IPv4  16576      0t0  TCP *:sunrpc (LISTEN)
rpcbind 1633  rpc    5u  IPv4  16577      0t0  UDP *:sunrpc
rpcbind 1633  rpc   10u  IPv4  16649      0t0  UDP *:960
#

7) List all Open Network Files for IPv6

Assuming ipv6 domain is supported, then open network files can be listed using ‘-i 6’ option.

# lsof -i 6

IPV6-Network-Open-Files-lsof

8) List all TCP & UDP Process Running on Specific Port

To list all tcp and udp process running on particular port, use the following syntax,

# lsof -i TCP/UDP:port

Let’s assume we want to list all the TCP process running on 80 port, use the below command

# lsof -i TCP:80
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd   2594   root    4u  IPv6  22703      0t0  TCP *:http (LISTEN)
httpd   2595 apache    4u  IPv6  22703      0t0  TCP *:http (LISTEN)
httpd   2596 apache    4u  IPv6  22703      0t0  TCP *:http (LISTEN)
httpd   2597 apache    4u  IPv6  22703      0t0  TCP *:http (LISTEN)
httpd   2598 apache    4u  IPv6  22703      0t0  TCP *:http (LISTEN)
httpd   2599 apache    4u  IPv6  22703      0t0  TCP *:http (LISTEN)
[[email protected] ~]#

To list all open files on TCP port from port range (1 to 1048), use the following command

# lsof -i TCP:1-1048

View-Open-Files-TCP-Port-Range

To List all UDP process running on a specific port use the beneath command

# lsof -i UDP:16498
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dhclient 2494 root   21u  IPv6  20952      0t0  UDP *:16498
#

Note: To list all open UDP process on your linux system then use the command “lsof -i UDP”

9) View All Open Files for Specific Device

The following command can be used to list all open files on device

# lsof <device-name>

Note: In this case the device type is virtual, in general this can be of type /dev/hd<number>/ sd{number}

# lsof /dev/sda2

lsof-device-linux

10) View Processes with Open Files on NFS File System

There are some situations where you have mounted nfs file system on your linux box but nfs server is inaccessible and want to list all process with open files on that nfs file system,

# lsof -b <nfs-share-mount-point>

11) Display Terminal Related Open Files

The following command is used for all open files on terminal

# lsof /dev/tty{number}

# lsof /dev/tty1
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
bash    2442 root    0u   CHR    4,1      0t0 4689 /dev/tty1
bash    2442 root    1u   CHR    4,1      0t0 4689 /dev/tty1
bash    2442 root    2u   CHR    4,1      0t0 4689 /dev/tty1
bash    2442 root  255u   CHR    4,1      0t0 4689 /dev/tty1
#

12) List all Open files Associated to Application Name

Let’s assume we want to list all open files which are associated httpd,

# lsof -c httpd

Open-Files-of-Httpd-Process

13) List All Network Connections (lsof -i)

Use “-i” option in lsof command to list all network related process or commands, example is shown below,

# lsof -i

List-All-Network-Connections-lsof

14) View IPv4 /IPv6 Socket Files

To find the IPv4 socket file use the below command, replace IP address with your system IP

# lsof [email protected]

IPv4-Socket-Connections-lsof

To find an IP version 6 socket file by an associated numeric colon-form address that has a run of zeroes in it – e.g., the loop-back address(127.0.0.1), use below command and options:

# lsof [email protected][::1]
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
master  2433 root   14u  IPv6  21027      0t0  TCP localhost:smtp (LISTEN)
#

15) List All Processes that Belong to a Process ID (lsof -p <pid>)

Let’s assume we want to list all process or commands that belongs to a specific process id, Example is shown below

# lsof -p 1598

List-Processes-for-PID-lsof

16) Kill All User’s Processes

lsof command become very handy where we want to kill all the process that belongs to a specific user, below example will kill all process that belongs to linuxtechi user,

# kill -9 `lsof -t -u linuxtechi`

17) View All Open Files Under Particular Directory

To View all open files under particular directory, use following lsof command

# lsof +D <directory-path>

Let’s assume we want list all open files under /var/log directory, run

# lsof +D /var/log/

View-Open-Files-Under-Directory-lsof

Note: In above command if we use +D option then lsof will list all open files of a directory recursively and if you don’t want to list open files of directory recursively then use “+d” option

18) lsof to Check Who Opened Log File (to find PID)

The following command option is used to find who opened the /var/log/httpd/access.log file and what is the PID of that process. And then with “ps -ef” command we can find exact user

# lsof -t /var/log/httpd/access_log
3109
3110
3111
3112
3113
3114
#

# ps -ef | grep -E "3109|3110|3111|3112|3113|3114" | grep -v grep
or
# ps -fp "$(lsof -t /var/log/httpd/access_log | xargs echo)"
root      3109     1  0 03:36 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3110  3109  0 03:36 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3111  3109  0 03:36 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3112  3109  0 03:36 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3113  3109  0 03:36 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3114  3109  0 03:36 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
#

Many options of the lsof command can be combined for multiple purposes as below are some combination of flags “-c”, “-u” and “-I”. For more details refer the manual page.

Also Read : 11 Xargs Command Examples in Linux

The below command combination will give output every 1 second about “linuxtechi” home directory what all the files opened repeatedly.

# lsof -u linuxtechi -c init -a -r1
=======
COMMAND   PID       USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
inita.sh 2971 linuxtechi  cwd    DIR    8,1     4096  393218 /home/linuxtechi
inita.sh 2971 linuxtechi  rtd    DIR    8,1     4096       2 /
inita.sh 2971 linuxtechi  txt    REG    8,1    83344  524367 /bin/dash
inita.sh 2971 linuxtechi  mem    REG    8,1  1434567 1443695 ~/libc-2.13.so
……………………………………………………………………………

Conclusion:

As mentioned in the introduction section “lsof” is very powerful and useful command in Linux based distributions. This command and options listed can be used for various purposes like debugging, troubleshooting and triaging Linux processes. Mentioned options and combinations if tried, will help one to establish thorough understanding of “lsof” command. Other commands like lstat, stat and ls also can be explored in combination of “lsof” command.

Also Read : How to Enable Timestamp in Linux History Command Output

3 thoughts on “18 Quick lsof Command Examples for Linux Geeks”

  1. Example 3 isn’t throwing an error because you’re calling it on itself, it’s throwing an error because you’re calling it on a non-existent file. Type any garbage file name there and you’ll get the same result.

    lsof /usr/bin/lsof works just fine.

    Reply
  2. Nice article.

    Although example #18 could be better written with the PIDs passed through a sub-command:

    # ps -fp “$(lsof -t /var/log/httpd/access_log | xargs echo)”

    instead of having to grep all pids, and then yet another one to exclude the first grep

    Reply

Leave a Comment