The lsof command displays a list of all currently open files, this information is helpful especially to discover, processes currently running, services being used, ports being used, users currently on the system and much more. In this article we discuss it and commonly used commands with lsof.
Table of contents.
In Linux everything is a file, the lsof command is used to display a list of all currently open files.
It is common to use this command to find out information about processes which opened the files.
An open file could be a regular file, a directory, a library, a special file, a character special file, a block device, a stream, even a network file or an executing text reference.
The syntax is as follows,
lsof [options] [names]
To list all open files, we write,
lsof | less
to view output in line by line.
Various lsof columns from the output include,
- COMMAND which specifies the command associated with the process.
- PID is the process ID.
- TID represents the task ID.
- USER represents the user associated with the process.
- FD represents the file descriptor.
- TYPE is the type of file, e.g regular, memory-mapped etc.
- DEVICE represents the device number.
- SIZE/OFF is the size of the file of its offset in bytes.
- NODE is the node number of a local file.
- NAME represents the name of the file's mount point and file system and internet address.
To list opened files which belong to a specific user's processes, we write,
lsof -u john
The command will display all files opened by processes which belong to john.
We can also list files by multiple users as follows,
lsof -u john -u doe
where john and doe are two different users.
We can also display network files based in their internet address for example, to display files involving Ipv4 processes, we write,
lsof -i 4
The above command lists files involved with processes using Ipv4 such as a browser using a TCP connection.
For Ipv6 we use 6,
lsof -i 6
Generally to list all internet and network files we use the -i option as follows,
To find files associated with a certain port, we write,
lsof -i :443
We can also specify multiple ports,
lsof -i :443,80
We can also use the port's protocol name for example to display files network files involving processes that are using https protocol such as a browser, we write,
lsof -i :https
To list files based on a tcp or udp connection, we write,
lsof -i udp
for files associated with udp processes.
lsof -i tcp
We can also list files involved with processes that operate on a specified port range,
lsof -i :1-443
The command lists all files associated with processes on ports from 1 - 443.
To list files by the name of the application they are involved with we write,
lsof -c firefox
The above command lists all files involving firefox application.
We can also get all network activity by a specific user by viewing the files opened by the processes owned by that user as follows,
lsof -ai -u john
Where john is a user on the system.
It is common to use other text filtering commands such as grep to filter lsof output e.g
lsof -i | grep "3000"
The command displays all files involved with the number 3000, which could be a port assuming we want to launch a process but the port is busy with another process. Since this command returns the PID, we can use it to kill a process.
To list files specific to a process, we use the process ID (PID) as follows,
lsof -p 1349
The command displays all processes associated with the PID 1349
We can also use the ^ character as a negation, e.g to display all files except those with the specified PID, we write,
lsof -p ^1349
The command now displays all processes other than those with the PID 1349.
lsof -u ^john
to list all files except those associated with a user john.
We can also list the process IDs(PIDs) of processes associated with an open file as follows,
lsof -t /usr/lib/firefox-esr/browser/omni.ja
The PPID is the parent process ID, every child process in Linux will have a parent process, to list the Parent process ID of a process associated with a file, we write,
lsof -R -i udp
Now apart from the child process ID(PID) we will also have the parent that started udp process.
We can also get a PPID by using a process' PID by writing,
lsof -p 1205 -R
Where 1205 is the process ID.
To display all files in a directory /usr/lib/firefox-esr/browser/, we write,
lsof +d /usr/lib/firefox-esr/browser/
And to list all open files in a directory together will all subdirectories we write,
lsof +D /usr/lib/firefox-esr/browser/
The command lists all open files in the directory /usr/lib/firefox-esr/browser/ including all subdirectories.
Memory-mapped files contain the contents of a file in virtual memory, to list all memory-mapped files, we write,
lsof -d mem
A Network file system is a file system mechanism allowing the storage and retrieval of data from multiple files and directories across a shared network. To view all NFS files, we write,
Everything in Linux is a file including pipes, sockets, devices etc.
lsof (list of open file) lists all currently open files. It lists all types of files, regular, directories, block special files, shared libraries, character special files, internet sockets, regular pipes, named pipes etc.
We can combine it with other text filtering commands such as grep or sed to display the desired output.
lsof can also be used for troubleshooting networks and network security.
- Execute the commands lsof --help or man lsof for its manual page.
- grep command