lsof Introduction

lsof is short for "list open files", and as the name suggests, its main purpose is to list the files that are open on the system. At first glance it looks like a very simple command with few use cases, little more than another version of ls. But because of the Unix philosophy that everything is a file, almost every object on a *nix system can be treated as a file, and with the many arguments this command provides it is actually very powerful: it easily yields a lot of useful information, some of which would be very troublesome to get with other tools.

lsof can tell which files users and processes have open, how the network is being used on the system, and information about devices. It has a lot of parameters; the manpage shows the following usage, and this article covers the more common ones.

lsof  [ -?abChKlnNOPRtUvVX ] [ -A A ] [ -c c ] [ +c c ] [ +|-d d ] [ +|-D D ] [ +|-e s ] [ +|-f [cfgGn] ] [ -F [f] ] [ -g [s] ] [ -i [i] ] [ -k k ] [ +|-L [l] ] [ +|-m m ] [
       +|-M ] [ -o [o] ] [ -p s ] [ +|-r [t[m<fmt>]] ] [ -s [p:s] ] [ -S [t] ] [ -T [t] ] [ -u s ] [ +|-w ] [ -x [fl] ] [ -z [z] ] [ -Z [Z] ] [ -- ] [names]

Running lsof directly, without any arguments, will list all open files on the system, one line per file.

➜  ~ sudo lsof | head
COMMAND     PID   TID             USER   FD      TYPE             DEVICE    SIZE/OFF       NODE NAME
systemd       1                   root  cwd       DIR               8,18        4096          2 /
systemd       1                   root  rtd       DIR               8,18        4096          2 /
systemd       1                   root  txt       REG               8,18     1577232    5247327 /lib/systemd/systemd
systemd       1                   root  mem       REG               8,18       18976    5247628 /lib/x86_64-linux-gnu/
systemd       1                   root  mem       REG               8,18      262408    5247436 /lib/x86_64-linux-gnu/
systemd       1                   root  mem       REG               8,18       14608    5250746 /lib/x86_64-linux-gnu/

The columns of the above output are: command name, process ID, task (thread) ID (blank when the line describes a process), user name, FD, file type, device where the file is located, file size or offset, node/inode number, and file name. A few of these are less obvious. FD shows the file descriptor number or, for files that have none, a name describing how the file is used, including:

  • cwd: current working directory
  • mem: memory mapped file
  • mmap: memory mapped device
  • txt: application text (code and data)
  • ……

TYPE indicates the type of file, e.g.

  • IPv4: IPv4 socket
  • IPv6: IPv6 socket
  • inet: Internet Domain socket
  • unix: unix domain socket
  • BLK: block device file
  • CHR: character device file
  • DIR: directory
  • FIFO: FIFO file
  • LINK: symbolic link file
  • REG: regular file
  • ……

More values can be found in the lsof manpage.

NOTE: Run lsof with sudo or as root in order to see all open files.

File and process information

List all files opened by a process

sudo lsof -p 1190

List the files opened by a user

sudo lsof -u cizixs

The selection can also be inverted: prefixing the user name with the ^ symbol lists the files opened by everyone except that user.

sudo lsof -u ^cizixs

List the processes that have a file open

sudo lsof /path/to/file

List all processes that access a directory

sudo lsof +d /path/to/dir/

This command does not recurse into subdirectories; if you want that, use +D:

sudo lsof +D /var/log/apache/

List information about the files used by a command

sudo lsof -c nginx

The -c argument is followed by the beginning string of the command, not necessarily the name of a specific program, for example sudo lsof -c n is also legal and will list all files opened by programs whose names start with n.

This command is not as straightforward as -p to check a process, but it is useful for scenarios where you can’t find the process number directly, or if the program contains multiple processes.

Network information

Another of the more common functions of lsof is to view network information. Although there is a dedicated tool netstat, lsof is sometimes more convenient, for example to view the usage of a certain port.

List all network connection information

sudo lsof -i 

Show only TCP or UDP connections

By following the protocol type (TCP or UDP) directly after -i, only the connection information for that network protocol will be displayed.

sudo lsof -i TCP

Check the network connectivity of a port

This command is very commonly used, and is usually very handy when you want to run a service and find a network conflict, or when you need to know which process is using a port.

sudo lsof -i :80

Check the network connection to a host

sudo lsof -i @<host>

A host and a port can also be combined to show the connections to a particular port of a host.

sudo lsof -i @<host>:<port>

List the ports that the current machine is listening on

sudo lsof -i -s TCP:LISTEN

The -s p:s parameter takes two fields, protocol and state, separated by a colon. Here TCP:LISTEN selects TCP sockets in the listening state; similarly, you can list the TCP connections that are established.

sudo lsof -i -s TCP:ESTABLISHED
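
For auditing a host, the listener output above is easier to review once it is reduced to one line per port, address, command and user, with wildcard binds marked. The following script is an added example, not part of the original article; the function names and the sample lines are constructed, and -n and -P (from the usage line above) are assumed so that addresses and ports stay numeric.

```shell
#!/bin/sh
# Added example: summarise listening TCP sockets from lsof column output.
# Live use (the article's command plus -n/-P for numeric addresses and ports):
#   sudo lsof -nP -i -s TCP:LISTEN | summarize_listeners

# Constructed sample of `lsof -nP -i -s TCP:LISTEN` output (not from a real host).
sample_lsof_output() {
cat <<'EOF'
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812     root    3u  IPv4  21345      0t0  TCP *:22 (LISTEN)
sshd      812     root    4u  IPv6  21347      0t0  TCP *:22 (LISTEN)
nginx    1190     root    6u  IPv4  30211      0t0  TCP *:80 (LISTEN)
nginx    1191 www-data    6u  IPv4  30211      0t0  TCP *:80 (LISTEN)
postgres 2044 postgres    5u  IPv4  41200      0t0  TCP 127.0.0.1:5432 (LISTEN)
cupsd    2310     root    7u  IPv6  45010      0t0  TCP [::1]:631 (LISTEN)
EOF
}

# Reads lsof column output on stdin and prints one line per unique listener:
#   <scope> <port> <addr> <command> <user>
# scope is EXPOSED for wildcard binds (*, 0.0.0.0, [::]), LOCAL for loopback,
# and BOUND for any other specific address. Fields are counted from the end of
# the line so an optional TID column does not shift the USER field.
summarize_listeners() {
    awk '
        $NF != "(LISTEN)" { next }                  # skips the header too
        {
            name = $(NF - 1)                        # e.g. *:22 or [::1]:631
            user = $(NF - 7)
            port = name; sub(/^.*:/, "", port)      # text after the last colon
            addr = name; sub(/:[^:]*$/, "", addr)   # text before the last colon
            if (addr == "*" || addr == "0.0.0.0" || addr == "[::]") scope = "EXPOSED"
            else if (addr ~ /^127\./ || addr == "[::1]") scope = "LOCAL"
            else scope = "BOUND"
            key = scope " " port " " addr " " $1 " " user
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    ' | sort -k2,2n -k1,1
}

# Ports reachable on every interface, one per line, for diffing against a baseline.
exposed_ports() {
    summarize_listeners | awk '$1 == "EXPOSED" { print $2 }' | sort -un
}

sample_lsof_output | summarize_listeners
```

Saving the output of exposed_ports and comparing it with a later run shows listeners that appeared or disappeared between the two.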

Combination Usage

The filter parameters of lsof can be combined, but the default is OR logic, which means that the union of the results of all filter conditions is listed. You can use the -a argument to tell lsof to list only results that satisfy all conditions at once, such as listing the TCP ports a particular process is listening on.

sudo lsof -a -p 12345 -i -s TCP:LISTEN