18 Quick ‘lsof’ command examples for Linux Geeks
lsof is a command line utility for all Unix and Linux like operating systems to check “list of open files” The name “lsof” is itself derived from this functionality. lsof command is mainly used to retrieve information about files that are opened by various processes. Open files in a system can be of different type like disk files, network sockets, named pipes and devices. This distinctive feature enables one to debug and understand Linux Operating System in a better way.
When we do the minimal installation of CentOS / RHEL / Ubuntu/ OpenSUSE, lsof is not the part of default installation, so use the following command to install lsof command or utility
For CentOS / RHEL System,
~] # yum install lsof -y
Debian Based Systems (Ubuntu / Linux Mint)
~] # apt install lsof -y
For OpenSUSE System,
~] # zypper install lsof
The command “lsof” comes equipped with many options and switches. It will be very interesting to explore some of these important ones. In this article we will discuss 18 useful lsof command examples for Linux geeks.
Example:1) List all open files of your system (lsof)
Running lsof command without any options will list all open files of your system that belongs to all active process.
Just typing “lsof” command without any options at command line gives the following output,
Note:- Since lsof output gives lot of information to STDOUT, it will be better to use pipe “|” operation to see this output page by page.
[[email protected] ~]# lsof | more COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root cwd DIR 253,0 4096 128 / systemd 1 root rtd DIR 253,0 4096 128 / systemd 1 root txt REG 253,0 1489960 50674818 /usr/lib/systemd/systemd systemd 1 root mem REG 253,0 20032 33628284 /usr/lib64/libuuid.so.1.3.0 systemd 1 root mem REG 253,0 252704 33745961 /usr/lib64/libblkid.so.1.1.0
The above command output if you examine carefully provides lot of information with many parameters. For example, process “systemd” (which is a daemon process) has Process Id (PID) of “1”, User is “root“, File Descriptor (FD) as “cwd” and etc. The FD comes-up with many values, as one is aware that File Descriptor is generated for any open files automatically in Linux Systems. Below are some of the well-known “FD” values used for lsof commands,
Note: In some cases, the “mem” is followed by number and various characters like “r”, “u”, “w” etc. These characters are “r” for read, “w” for write, “u” for read and write.
Finally, the “TYPE” in the command output indicates type of the file. The following are the standard types of files in Linux systems.
The other fields that are displayed along with this are as follows,
- DEVICE –> Device id
- SIZE/OFF –> Actual size of this process (taken during run time)
- NODE –> Typically inode number of the directory or parent directory
- NAME –> Path or link
Example:2) List open files of specific file system (/proc)
As you are aware the “/proc” will be existing only during the life time of the Linux OS, this directory contains lot of important process related information. Executing “lsof” on /proc will throw interesting output for us to explore,
[[email protected] ~]# lsof /proc COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root 9r REG 0,3 0 6690 /proc/1/mountinfo systemd 1 root 11r REG 0,3 0 4026532018 /proc/swaps systemd-j 462 root 10r REG 0,3 0 6936 /proc/sys/kernel/hostname lsof 5186 root 3r DIR 0,3 0 1 /proc lsof 5186 root 6r DIR 0,3 0 28890 /proc/5186/fd [[email protected] ~]#
As mentioned earlier, “lsof” of “lsof” itself is captured here and all the details are displayed. Other than “lsof” there are other processes like systemd and rsyslogd which are daemons used for swap, mounting etc purposes.
Similarly, we can list open files of another file system like /var/log,
[[email protected] ~]# lsof /var/log/
lsof command become very handy in a situation where df and du command shows different disk usage of same file system, using lsof command we can find files which were removed while they were opened and used by some process,
[[email protected] ~]# lsof /var/log | grep -i "deleted"
Above command will give you the pid of files which were deleted but they are still exist in the system in deleted state. So, to release the space from file system we can safely kill the process by its pid.
Example:3) List of open file for “lsof” command
“lsof” on itself throws an error message,
[[email protected] ~]# lsof lsof lsof: status error on lsof: No such file or directory lsof 4.87
Example:4) List of open files for users (lsof -u <user_name>)
“lsof” can be used for all the users who have logged into the Linux System. In this case “lsof” will display all the opened files for the respective user.
List all open files for root user
[[email protected] ~]# lsof -u root | more COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root cwd DIR 253,0 4096 128 / systemd 1 root rtd DIR 253,0 4096 128 / systemd 1 root txt REG 253,0 1620416 51034677 /usr/lib/systemd/systemd systemd 1 root mem REG 253,0 20032 33628284 /usr/lib64/libuuid.so.1.3.0 systemd 1 root mem REG 253,0 252704 33745961 /usr/lib64/libblkid.so.1.1.0 systemd 1 root mem REG 253,0 90632 33628275 /usr/lib64/libz.so.1.2.7 systemd 1 root mem REG 253,0 153192 33618596 /usr/lib64/liblzma.so.5.0.99 systemd 1 root mem REG 253,0 19888 33656455 /usr/lib64/libattr.so.1.1.0 …………………………………………………………
List of open files for non-root users, let’s see all open files for linuxtechi user,
[[email protected] ~]# lsof -u linuxtechi | more Or [[email protected] ~]# lsof -l -u linuxtechi | more
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME sshd 2657 linuxtechi cwd DIR 253,0 4096 128 / sshd 2657 linuxtechi rtd DIR 253,0 4096 128 / sshd 2657 linuxtechi txt REG 253,0 815520 34698340 /usr/sbin/sshd sshd 2657 linuxtechi DEL REG 0,4 23850 /dev/zero sshd 2657 linuxtechi mem REG 253,0 15472 33831639 /usr/lib64/security/pam_lastlog.so sshd 2657 linuxtechi mem REG 253,0 68192 33628305 /usr/lib64/libbz2.so.1.0.6 sshd 2657 linuxtechi mem REG 253,0 153192 33618596 /usr/lib64/liblzma.so.5.0.99 sshd 2657 linuxtechi mem REG 253,0 91496 33628319 /usr/lib64/libelf-0.163.so sftp-serv 2661 linuxtechi mem REG 253,0 14608 33618582 /usr/lib64/libutil-2.17.so sftp-serv 2661 linuxtechi mem REG 253,0 61856 33863972 /usr/lib64/liblber-2.4.so.2.10.3 sftp-serv 2661 linuxtechi mem REG 253,0 344224 33863974 /usr/lib64/libldap-2.4.so.2.10.3 sftp-serv 2661 linuxtechi mem REG 253,0 19512 33618298 /usr/lib64/libdl-2.17.so sftp-serv 2661 linuxtechi mem REG 253,0 2516624 33657314 /usr/lib64/libcrypto.so.1.0.2k sftp-serv 2661 linuxtechi mem REG 253,0 164432 33618285 /usr/lib64/ld-2.17.so sftp-serv 2661 linuxtechi 0r FIFO 0,8 0t0 24046 pipe sftp-serv 2661 linuxtechi 1w FIFO 0,8 0t0 24047 pipe sftp-serv 2661 linuxtechi 2w FIFO 0,8 0t0 24048 pipe bash 2670 linuxtechi cwd DIR 253,0 79 17157147 /home/linuxtechi ………………………………………………………………………
To List all open files except root user, use ^(caret symbol) in front of root user ( lsof -u ^root),
[[email protected] ~]# lsof -u ^root | more COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME dbus-daem 1662 dbus cwd DIR 253,0 4096 128 / dbus-daem 1662 dbus rtd DIR 253,0 4096 128 / dbus-daem 1662 dbus txt REG 253,0 441176 17133533 /usr/bin/dbus-daemon dbus-daem 1662 dbus mem REG 253,0 57824 33618566 /usr/lib64/libnss_files-2.17.so dbus-daem 1662 dbus mem REG 253,0 19512 33618298 /usr/lib64/libdl-2.17.so dbus-daem 1662 dbus mem REG 253,0 398272 33628261 /usr/lib64/libpcre.so.1.2.0 dbus-daem 1662 dbus mem REG 253,0 2107816 33618292 /usr/lib64/libc-2.17.so ……………………………………………………………………………………………………………
Example:5) List all open Internet and UNIX domain files (lsof -i -U)
Use “-i -U” option in lsof command to list all open internet and UNIX domain files on your system, example is shown below
[[email protected] ~]# lsof -i -U COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root 12u unix 0xffff8800b8baab40 0t0 11075 /run/systemd/cgroups-agent systemd 1 root 13u unix 0xffff8800b8bab2c0 0t0 11077 /run/systemd/private systemd 1 root 42u IPv4 16576 0t0 TCP *:sunrpc (LISTEN) systemd 1 root 43u IPv4 16577 0t0 UDP *:sunrpc rpcbind 1633 rpc 3u unix 0xffff8800bab8cf00 0t0 16574 /var/run/rpcbind.sock rpcbind 1633 rpc 4u IPv4 16576 0t0 TCP *:sunrpc (LISTEN) rpcbind 1633 rpc 5u IPv4 16577 0t0 UDP *:sunrpc rpcbind 1633 rpc 6u IPv6 16578 0t0 TCP *:sunrpc (LISTEN) rpcbind 1633 rpc 7u IPv6 16579 0t0 UDP *:sunrpc rpcbind 1633 rpc 10u IPv4 16649 0t0 UDP *:960 sshd 2532 root 3u IPv4 21120 0t0 TCP 192.168.1.6:ssh->192.168.1.5:65110 (ESTABLISHED) sshd 2532 root 4u unix 0xffff8800bbef3a40 0t0 21260 socket sshd 2532 root 8u unix 0xffff8800b8afd680 0t0 21298 /tmp/ssh-QHz9BdtRvt/agent.2532 sshd 2536 root 3u IPv4 21191 0t0 TCP 192.168.1.6:ssh->192.168.1.5:65112 (ESTABLISHED) sshd 2536 root 4u unix 0xffff8800b8afd2c0 0t0 21363 socket ………………………………………………………………………………………………………………
Example:6) List all open IPv4 network files (lsof -i 4)
Use “-i -4” option in lsof command to list all open network files for IPv4,
[[email protected] ~]# lsof -i 4 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root 42u IPv4 16576 0t0 TCP *:sunrpc (LISTEN) systemd 1 root 43u IPv4 16577 0t0 UDP *:sunrpc rpcbind 1633 rpc 4u IPv4 16576 0t0 TCP *:sunrpc (LISTEN) sshd 2258 root 3u IPv4 19493 0t0 TCP *:ssh (LISTEN) master 2360 root 13u IPv4 20087 0t0 TCP localhost:smtp (LISTEN) dhclient 2494 root 6u IPv4 20983 0t0 UDP *:bootpc dhclient 2494 root 20u IPv4 20951 0t0 UDP *:24884 dhclient 2514 root 6u IPv4 20866 0t0 UDP *:bootpc sshd 2532 root 3u IPv4 21120 0t0 TCP 192.168.1.6:ssh->192.168.1.5:65110 (ESTABLISHED) sshd 2536 root 3u IPv4 21191 0t0 TCP 192.168.1.6:ssh->192.168.1.5:65112 (ESTABLISHED) sshd 2621 root 3u IPv4 23506 0t0 TCP 192.168.1.6:ssh->192.168.1.9:65422 (ESTABLISHED) sshd 2655 root 3u IPv4 23863 0t0 TCP 192.168.1.6:ssh->192.168.1.9:49992 (ESTABLISHED) sshd 2657 linuxtechi 3u IPv4 23795 0t0 TCP 192.168.1.6:ssh->192.168.1.9:49990 (ESTABLISHED) sshd 2660 linuxtechi 3u IPv4 23863 0t0 TCP 192.168.1.6:ssh->192.168.1.9:49992 (ESTABLISHED) [[email protected] ~]#
To list all open IPv4 network files used by a specific process whose process id “any_number”, examples is shown below
Let’s assume we want to list all IPv4 network files for rpcbind process
Syntax : # lsof i 4 -a -p {process_pid}
[[email protected] ~]# lsof -i 4 -a -p 1633 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rpcbind 1633 rpc 4u IPv4 16576 0t0 TCP *:sunrpc (LISTEN) rpcbind 1633 rpc 5u IPv4 16577 0t0 UDP *:sunrpc rpcbind 1633 rpc 10u IPv4 16649 0t0 UDP *:960 [[email protected] ~]#
Example:7) List all open network files for IPv6 (lsof -i 6)
Assuming ipv6 domain is supported, the output of lsof will be something like below,
[[email protected] ~]# lsof -i 6 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root 44u IPv6 16578 0t0 TCP *:sunrpc (LISTEN) systemd 1 root 46u IPv6 16579 0t0 UDP *:sunrpc rpcbind 1633 rpc 6u IPv6 16578 0t0 TCP *:sunrpc (LISTEN) rpcbind 1633 rpc 7u IPv6 16579 0t0 UDP *:sunrpc rpcbind 1633 rpc 11u IPv6 16650 0t0 UDP *:960 sshd 2258 root 4u IPv6 19504 0t0 TCP *:ssh (LISTEN) master 2360 root 14u IPv6 20088 0t0 TCP localhost:smtp (LISTEN) dhclient 2494 root 21u IPv6 20952 0t0 UDP *:16498 dhclient 2514 root 21u IPv6 20823 0t0 UDP *:34955 httpd 2594 root 4u IPv6 22703 0t0 TCP *:http (LISTEN) httpd 2595 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN) httpd 2596 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN) httpd 2597 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN) httpd 2598 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN) httpd 2599 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN) [[email protected] ~]#
Example:8) List all TCP & UDP process running on specific port (lsof -i TCP/UDP:port)
Let’s assume we want to list all the TCP process running on 80 port, use the below command
[[email protected] ~]# lsof -i TCP:80 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME httpd 2594 root 4u IPv6 22703 0t0 TCP *:http (LISTEN) httpd 2595 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN) httpd 2596 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN) httpd 2597 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN) httpd 2598 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN) httpd 2599 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN) [[email protected] ~]#
To list all open files on TCP port from port range (1 to 1048), use the following command
[[email protected] ~]# lsof -i TCP:1-1048 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root 41u IPv4 16863 0t0 TCP *:sunrpc (LISTEN) systemd 1 root 44u IPv6 16865 0t0 TCP *:sunrpc (LISTEN) rpcbind 1663 rpc 4u IPv4 16863 0t0 TCP *:sunrpc (LISTEN) rpcbind 1663 rpc 6u IPv6 16865 0t0 TCP *:sunrpc (LISTEN) sshd 2294 root 3u IPv4 19949 0t0 TCP *:ssh (LISTEN) sshd 2294 root 4u IPv6 19965 0t0 TCP *:ssh (LISTEN) master 2433 root 13u IPv4 21026 0t0 TCP localhost:smtp (LISTEN) master 2433 root 14u IPv6 21027 0t0 TCP localhost:smtp (LISTEN) sshd 2600 root 3u IPv4 21737 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52393 (ESTABLISHED) sshd 2659 root 3u IPv4 22056 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52486 (ESTABLISHED) sshd 2663 root 3u IPv4 22123 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52489 (ESTABLISHED) httpd 2837 root 4u IPv6 26112 0t0 TCP *:http (LISTEN) httpd 2838 apache 4u IPv6 26112 0t0 TCP *:http (LISTEN) httpd 2839 apache 4u IPv6 26112 0t0 TCP *:http (LISTEN) httpd 2840 apache 4u IPv6 26112 0t0 TCP *:http (LISTEN) httpd 2841 apache 4u IPv6 26112 0t0 TCP *:http (LISTEN) httpd 2842 apache 4u IPv6 26112 0t0 TCP *:http (LISTEN) sshd 2891 root 3u IPv4 26896 0t0 TCP 192.168.1.3:ssh->192.168.1.9:53541 (ESTABLISHED) sshd 2895 linuxtechi 3u IPv4 26896 0t0 TCP 192.168.1.3:ssh->192.168.1.9:53541 (ESTABLISHED) [[email protected] ~]#
To List all UDP process running on a specific port use the beneath command
[[email protected] ~]# lsof -i UDP:16498 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME dhclient 2494 root 21u IPv6 20952 0t0 UDP *:16498 [[email protected] ~]#
Note: To list all open UDP process on your linux system then use the command “lsof -i UDP”
Example:9) List all open files for specific device (lsof <device_name>)
The following command can be used to list all open files on /dev/vda1.
Note: In this case the device type is virtual, in general this can be of type /dev/hd<number>/ sd{number}
[email protected] ~]# lsof /dev/vda1 | more COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root cwd DIR 253,1 4096 2 / systemd 1 root rtd DIR 253,1 4096 2 / systemd 1 root txt REG 253,1 1577264 262271 /lib/systemd/systemd systemd 1 root mem REG 253,1 18976 262252 /lib/x86_64-linux-gnu/libuuid.so.1.3.0 systemd 1 root mem REG 253,1 262408 262245 /lib/x86_64-linux-gnu/libblkid.so.1.1.0 systemd 1 root mem REG 253,1 14608 266364 /lib/x86_64-linux-gnu/libdl-2.23.so systemd 1 root mem REG 253,1 456632 262207 /lib/x86_64-linux-gnu/libpcre.so.3.13.2 systemd 1 root mem REG 253,1 1868984 266362 /lib/x86_64-linux-gnu/libc-2.23.so systemd 1 root mem REG 253,1 138696 266361 /lib/x86_64-linux-gnu/libpthread-2.23.so systemd 1 root mem REG 253,1 286824 261756 /lib/x86_64-linux-gnu/libmount.so.1.1.0
Example:10) List processes with open files on NFS file system
There are some situations where you have mounted nfs file system on your linux box but nfs server is inaccessible and want to list all process with open files on that nfs file system,
[[email protected] ~]# lsof -b <nfs-share-mount-point>
Example:11) List terminal related open files (lsof /dev/tty{number})
The following command is used for all open files on /dev/tty1.
Note: In this case the terminal type is “tty1”. Any other terminal type also can be used like /dev/tty<number>
[[email protected] ~]# lsof /dev/tty1 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME bash 2442 root 0u CHR 4,1 0t0 4689 /dev/tty1 bash 2442 root 1u CHR 4,1 0t0 4689 /dev/tty1 bash 2442 root 2u CHR 4,1 0t0 4689 /dev/tty1 bash 2442 root 255u CHR 4,1 0t0 4689 /dev/tty1 [[email protected] ~]#
Example:12) List PID, Command Name, File descriptor, Device Number & File inode Number (lsof -FpcfDi)
One of the interesting options in “lsof” to obtain PID(P) and command name(c) field output for each process, file descriptor (f), file device number(D), and file inode number(i) for each file of each process, example is shown below
[[email protected] ~]# lsof -FpcfDi | more p1 csystemd fcwd D0xfd00 i128 frtd D0xfd00 i128 ftxt D0xfd00 i51034677 fmem D0xfd00 i33628284 ………………
Note: Long list of output is displayed, but this is cut short to save space.
Example:13) List all the network connections (lsof -i)
Use “-i” option in lsof command to list all network related process or commands, example is shown below,
[[email protected] ~]# lsof -i COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root 41u IPv4 16863 0t0 TCP *:sunrpc (LISTEN) systemd 1 root 43u IPv4 16864 0t0 UDP *:sunrpc rpcbind 1663 rpc 4u IPv4 16863 0t0 TCP *:sunrpc (LISTEN) rpcbind 1663 rpc 5u IPv4 16864 0t0 UDP *:sunrpc rpcbind 1663 rpc 11u IPv6 17051 0t0 UDP *:988 sshd 2294 root 3u IPv4 19949 0t0 TCP *:ssh (LISTEN) sshd 2294 root 4u IPv6 19965 0t0 TCP *:ssh (LISTEN) rpc.statd 2300 rpcuser 10u IPv6 19974 0t0 UDP *:48486 rpc.statd 2300 rpcuser 11u IPv6 20045 0t0 TCP *:39334 (LISTEN) rpc.mount 2311 root 7u IPv4 19897 0t0 UDP *:mountd rpc.mount 2311 root 8u IPv4 19911 0t0 TCP *:mountd (LISTEN) master 2433 root 13u IPv4 21026 0t0 TCP localhost:smtp (LISTEN) master 2433 root 14u IPv6 21027 0t0 TCP localhost:smtp (LISTEN) dhclient 2563 root 6u IPv4 21589 0t0 UDP *:bootpc dhclient 2583 root 21u IPv6 21365 0t0 UDP *:10368 sshd 2600 root 3u IPv4 21737 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52393 (ESTABLISHED) sshd 2659 root 3u IPv4 22056 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52486 (ESTABLISHED) [[email protected] ~]#
Example:14) Find IPv4 /IPv6 Socket file
To find the IPv4 socket file use the below command, replace IP address with your system IP
[[email protected] ~]# lsof [email protected]1.3 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME sshd 2600 root 3u IPv4 21737 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52393 (ESTABLISHED) sshd 2659 root 3u IPv4 22056 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52486 (ESTABLISHED) sshd 2663 root 3u IPv4 22123 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52489 (ESTABLISHED) sshd 2724 root 3u IPv4 25004 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52848 (ESTABLISHED) sshd 2728 linuxtechi 3u IPv4 25004 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52848 (ESTABLISHED) [[email protected] ~]#
To find an IP version 6 socket file by an associated numeric colon-form address that has a run of zeroes in it – e.g., the loop-back address(127.0.0.1) use below command and options:
[[email protected] ~]# lsof [email protected][::1] COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME master 2433 root 14u IPv6 21027 0t0 TCP localhost:smtp (LISTEN) [[email protected] ~]#
Example:15) List all Process or Commands that belongs to a Process ID (lsof -p <pid>)
Let’s assume we want to list all process or commands that belongs to a specific process id, Example is shown below
[[email protected] ~]# lsof -p 2842 | more COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME httpd 2842 apache cwd DIR 253,0 4096 128 / httpd 2842 apache rtd DIR 253,0 4096 128 / httpd 2842 apache txt REG 253,0 523680 34641136 /usr/sbin/httpd httpd 2842 apache mem REG 253,0 110808 33618576 /usr/lib64/libresolv-2.17.so httpd 2842 apache mem REG 253,0 27512 33618564 /usr/lib64/libnss_dns-2.17.so httpd 2842 apache mem REG 253,0 57824 33618566 /usr/lib64/libnss_files-2.17.so httpd 2842 apache mem REG 253,0 27808 17080385 /usr/lib64/httpd/modules/mod_cgi.so httpd 2842 apache mem REG 253,0 68192 33628305 /usr/lib64/libbz2.so.1.0.6 ………………………………………………
Example:16) Kill all process that belongs to a specific user
lsof command become very handy where we want to kill all the process that belongs to a specific user, below example will kill all process that belongs to linuxtechi user
[[email protected] ~]# kill -9 `lsof -t -u linuxtechi` [[email protected] ~]#
Example:17) List all open files under a specific directory (lsod +D <directory-path>)
Let’s assume we want list all open files under /var/log directory, then use the following lsof command,
[[email protected] ~]# lsof +D /var/log/ COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME auditd 1635 root 4w REG 253,0 1177238 51031316 /var/log/audit/audit.log wpa_suppl 1840 root 3w REG 253,0 240 392280 /var/log/wpa_supplicant.log tuned 2295 root 3w REG 253,0 6000 17713597 /var/log/tuned/tuned.log rsyslogd 2296 root 6w REG 253,0 7118 392279 /var/log/cron rsyslogd 2296 root 7w REG 253,0 449328 338975 /var/log/messages rsyslogd 2296 root 8w REG 253,0 26038 338976 /var/log/secure rsyslogd 2296 root 9w REG 253,0 1576 338977 /var/log/maillog rsyslogd 2296 root 10w REG 253,0 9458 138 /var/log/boot.log httpd 2837 root 2w REG 253,0 2829 34768157 /var/log/httpd/error_log httpd 2837 root 7w REG 253,0 0 34824416 /var/log/httpd/access_log httpd 2838 apache 2w REG 253,0 2829 34768157 /var/log/httpd/error_log httpd 2838 apache 7w REG 253,0 0 34824416 /var/log/httpd/access_log httpd 2839 apache 2w REG 253,0 2829 34768157 /var/log/httpd/error_log httpd 2839 apache 7w REG 253,0 0 34824416 /var/log/httpd/access_log httpd 2840 apache 2w REG 253,0 2829 34768157 /var/log/httpd/error_log httpd 2840 apache 7w REG 253,0 0 34824416 /var/log/httpd/access_log httpd 2841 apache 2w REG 253,0 2829 34768157 /var/log/httpd/error_log httpd 2841 apache 7w REG 253,0 0 34824416 /var/log/httpd/access_log httpd 2842 apache 2w REG 253,0 2829 34768157 /var/log/httpd/error_log httpd 2842 apache 7w REG 253,0 0 34824416 /var/log/httpd/access_log [[email protected] ~]#
Note: In above command if we use +D option then lsof will list all open files of a directory recursively and if you don’t want to list open files of directory recursively then use “+d” option
Example:18) “lsof” to check who opened the log file (to find PID)
The following command option is used to find who opened the /var/log/httpd/access.log file and what is the PID of that process. And then with “ps -ef” command we can find exact user
[[email protected] ~]# lsof -t /var/log/httpd/access_log 3109 3110 3111 3112 3113 3114 [[email protected] ~]# [[email protected] ~]# ps -ef | grep -E "3109|3110|3111|3112|3113|3114" | grep -v grep or [[email protected] ~]# ps -fp "$(lsof -t /var/log/httpd/access_log | xargs echo)" root 3109 1 0 03:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND apache 3110 3109 0 03:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND apache 3111 3109 0 03:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND apache 3112 3109 0 03:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND apache 3113 3109 0 03:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND apache 3114 3109 0 03:36 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND [[email protected] ~]#
Many options of the “lsof” command can be combined for multiple purposes as below are some combination of flags “-c”, “-u” and “-I”. For more details refer the manual page.
The below command combination will give output every 1 second about “linuxtechi” home directory what all the files opened repeatedly.
[email protected] ~}# lsof -u linuxtechi -c init -a -r1 ======= COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME inita.sh 2971 linuxtechi cwd DIR 8,1 4096 393218 /home/linuxtechi inita.sh 2971 linuxtechi rtd DIR 8,1 4096 2 / inita.sh 2971 linuxtechi txt REG 8,1 83344 524367 /bin/dash inita.sh 2971 linuxtechi mem REG 8,1 1434567 1443695 /lib/i386-linux-gnu/libc-2.13.so ……………………………………………………………………………
Conclusion:
As mentioned in the introduction section “lsof” is very powerful and useful command in Linux based distributions. This command and options listed can be used for various purposes like debugging, troubleshooting and triaging Linux processes. Mentioned options and combinations if tried, will help one to establish thorough understanding of “lsof” command. Other commands like lstat, stat and ls also can be explored in combination of “lsof” command.
Example 3 isn’t throwing an error because you’re calling it on itself, it’s throwing an error because you’re calling it on a non-existent file. Type any garbage file name there and you’ll get the same result.
lsof /usr/bin/lsof works just fine.
Nice article.
Although example #18 could be better written with the PIDs passed through a sub-command:
# ps -fp “$(lsof -t /var/log/httpd/access_log | xargs echo)”
instead of having to grep all pids, and then yet another one to exclude the first grep
Thanks Cyril for feedback and Comments, I have updated Example 18 as per your suggestion.