Abstract: It is a command-line utility used to list information about files opened by various processes. In Linux, everything is a file (pipes, sockets, directories, devices, etc.). Therefore, by using lsof, you can obtain information about any open file.
lsof stands for ‘list open files’.
If you think of the lsof command as ‘ls + of’, it is easy to remember, where ls stands for list and of stands for open files.
It is a command-line utility used to list information about files opened by various processes. In Linux, everything is a file (pipes, sockets, directories, devices, etc.). Therefore, by using lsof, you can obtain information about any open file.
1. Introduction to lsof
Simply typing lsof will provide a list of all open files belonging to all active processes.
# lsof
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
init 1 root cwd DIR 8,1 4096 2/
init 1 root txt REG 8,1 124704 917562/sbin/init
init 1 root 0u CHR 1,3 0t0 4369/dev/null
init 1 root 1u CHR 1,3 0t0 4369/dev/null
init 1 root 2u CHR 1,3 0t0 4369/dev/null
init 1 root 3r FIFO 0,8 0t0 6323 pipe
...By default, one file is displayed per line. Most columns are self-explanatory. We will explain the details of a few mysterious columns (FD and TYPE).
FD – stands for file descriptor. Some values of FD are:
-
cwd – current working directory
-
txt – text file
-
mem – memory-mapped file
-
mmap – memory-mapped device
-
NUMBER – represents the actual file descriptor. The character after the number, e.g., ‘1u’, indicates the mode in which the file is opened. r for read, w for write, u for read and write.
TYPE – specifies the type of file. Some values of TYPE are:
-
REG – regular file
-
DIR – directory
-
FIFO – first in first out
-
CHR – character special file
2. List Processes Opening a Specific File
By providing the filename as a parameter, you can list only the processes that have opened that specific file.
# lsof /var/log/syslog
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rsyslogd 488 syslog 1w REG 8,1 1151 268940 /var/log/syslog3. List Open Files Under a Directory
You can use the ‘+D’ option to list processes that have opened files under a specified directory. +D will also recursively include subdirectories. If you do not want lsof to recurse, use the ‘+d’ option.
# lsof +D /var/log/
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODENAME
rsyslogd 488 syslog 1w REG 8,1 1151268940/var/log/syslog
rsyslogd 488 syslog 2w REG 8,1 2405269616/var/log/auth.log
console-k 144 root 9w REG 8,1 10871269369/var/log/ConsoleKit/history4. List Open Files by Process Name
You can use the ‘-c’ option to list files opened by processes whose names start with a string. -c followed by the process name will list files opened by processes starting with that name. You can provide multiple -c switches on a single command line.
# lsof -c ssh -c init
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODENAME
init 1 root txt REG 8,1 124704917562/sbin/init
init 1 root mem REG 8,114341801442625/lib/i386-linux-gnu/libc-2.13.so
init 1 root mem REG 8,1 306841442694/lib/i386-linux-gnu/librt-2.13.so
...
ssh-agent 1528 lakshmanan 1u CHR 1,3 0t0 4369/dev/null
ssh-agent 1528 lakshmanan 2u CHR 1,3 0t0 4369/dev/null
ssh-agent 1528 lakshmanan 3u unix 0xdf70e240 0t0 10464/tmp/ssh-sUymKXxw1495/agent.14955. List Processes Using a Mount Point
Sometimes when we try to unmount a directory, the system prompts with a ‘device or resource busy’ error. So we need to find all processes using the mount point and kill those processes to unmount the directory. By using lsof, we can find these processes.
# lsof /homeThe following will also work.
# lsof +D /home/6. List Open Files by a Specific User
To find the list of files opened by a specific user, use the ‘-u’ option.
# lsof -u lakshmanan
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
update-no 1892 lakshmanan 20r FIFO 0,8 0t0 14536 pipe
update-no 1892 lakshmanan 21w FIFO 0,8 0t0 14536 pipe
bash 1995 lakshmanan cwd DIR 8,1 4096 393218 /home/lakshmananSometimes you may want to list all users’ open files, expecting 1 or 2. In this case, you can use ‘^’ to exclude a specific user, as shown below:
# lsof -u ^lakshmanan
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rtkit-dae 1380 rtkit 7u 0000 0,9 0 4360 anon_inode
udisks-da 1584 root cwd DIR 8,1 4096 2 /The above command lists all files opened by all users except for the user ‘lakshmanan’.
7. List All Open Files by a Specific Process
You can use the ‘-p’ option to list all files opened by a specific process. Sometimes it is helpful to get more information about a specific process.
# lsof -p 1753
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 1753 lakshmanan cwd DIR 8,1 4096 393571 /home/lakshmanan/test.txt
bash 1753 lakshmanan rtd DIR 8,1 4096 2 /
bash 1753 lakshmanan 255u CHR 136,0 0t0 3 /dev/pts/0
...8. Kill All Processes Belonging to a Specific User
When you want to kill all processes that have opened files by a specific user, you can use the ‘-t’ option to list only the process IDs of the processes and pass them to kill, as shown below:
# kill -9 `lsof -t -u lakshmanan`The above command will kill all processes belonging to the user ‘lakshmanan’ that have opened files.
Similarly, you can use ‘-t’ in various ways. For example, to list the process IDs of processes that have opened /var/log/syslog, you can do so by:
# lsof -t /var/log/syslog
4899. Combine More Listing Options with OR/AND
By default, when you use multiple listing options in lsof, they will be ORed. For example:
# lsof -u lakshmanan -c init
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
init 1 root cwd DIR 8,1 4096 2 /
init 1 root txt REG 8,1 124704 917562 /sbin/init
bash 1995 lakshmanan 2u CHR 136,2 0t0 5 /dev/pts/2
bash 1995 lakshmanan 255u CHR 136,2 0t0 5 /dev/pts/2
...The above command uses two listing options, ‘-u’ and ‘-c’. Therefore, the command will list processes belonging to the user ‘lakshmanan’ and processes whose names start with ‘init’.
However, when you want to list a process belonging to the user ‘lakshmanan’ and the process name starts with ‘init’, you can use the ‘-a’ option.
# lsof -u lakshmanan -c init -aThe above command will not output anything because there is no process named ‘init’ belonging to the user ‘lakshmanan’.
10. Execute lsof in Repeated Mode
lsof also supports repeated mode. It will first list files based on the given parameters, delay for a specified number of seconds, and then list files again based on the given parameters. It can be interrupted by a signal.
You can enable repeated mode using ‘-r’ or ‘+r’. If you then use ‘+r’, the repeated mode will end when no open files are found. ‘-r’ will continue to list, delay, and list until interrupted, regardless of whether files are open.
Each loop output will be separated by ‘=======’. You can also specify the time delay as ‘-r’ | ‘+r’.
# lsof -u lakshmanan -c init -a -r5
=======
=======
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODENAME
inita.sh 2971 lakshmanan cwd DIR 8,1 4096393218/home/lakshmanan
inita.sh 2971 lakshmanan rtd DIR 8,1 4096 2/
inita.sh 2971 lakshmanan txt REG 8,1 83848524315/bin/dash
inita.sh 2971 lakshmanan mem REG 8,114341801442625/lib/i386-linux-gnu/libc-2.13.so
inita.sh 2971 lakshmanan mem REG 8,1 1179601442612/lib/i386-linux-gnu/ld-2.13.so
inita.sh 2971 lakshmanan 0u CHR136,4 0t0 7/dev/pts/4
inita.sh 2971 lakshmanan 1u CHR136,4 0t0 7/dev/pts/4
inita.sh 2971 lakshmanan 2u CHR136,4 0t0 7/dev/pts/4
inita.sh 2971 lakshmanan 10r REG 8,1 20393578/home/lakshmanan/inita.sh
=======In the above output, there was no output for the first 5 seconds. After that, a script named ‘inita.sh’ was started, and the output was listed.
Finding Network Connections
Network connections are also files. Therefore, we can use lsof to find information about them.
11. List All Network Connections
You can use the ‘-i’ option to list all open network connections.
# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae 515 avahi 13u IPv4 6848 0t0 UDP *:mdns
avahi-dae 515 avahi 16u IPv6 6851 0t0 UDP *:52060
cupsd 1075 root 5u IPv6 22512 0t0 TCP ip6-localhost:ipp (LISTEN)You can also use ‘-i4’ or ‘-i6’ to list only ‘IPV4’ or ‘IPV6’ respectively.
12. List All Network Files Used by a Specific Process
You can list all network files used by a process as follows:
# lsof -i -a -p 234You can also use the following:
# lsof -i -a -c sshThe above command will list network files opened by processes starting with ssh.
13. List Processes Listening on a Specific Port
You can use ‘-i’ and ‘:’ to list processes listening on a specific port as follows:
# lsof -i :25
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
exim4 2541 Debian-exim 3u IPv4 8677 TCP localhost:smtp (LISTEN)14. List All TCP or UDP Connections
You can list all TCP or UDP connections by specifying the protocol using ‘-i’.
# lsof -i tcp; lsof -i udp;15. List All Network File System (NFS) Files
You can use the ‘-N’ option to list all NFS files. The following lsof command will list all NFS files used by the user ‘lakshmanan’.
# lsof -N -u lakshmanaan -aLink: https://bbs.huaweicloud.com/blogs/364149
(Copyright belongs to the original author, please delete if infringing)
WeChat group
To facilitate better communication regarding operation and maintenance and related technical issues, a WeChat group has been created. Friends who want to join the group can scan the QR code below to add me as a friend (note: join group).
Blog
CSDN Blog: https://blog.csdn.net/qq_25599925
Juejin Blog: https://juejin.cn/user/4262187909781751
Long press to recognize the QR code to visit the blog website and see more high-quality original content.