In this article, we have explored the lsof command in Linux systems in depth. It is used to find files that are opened or linked with running processes.
Table of contents:
- Introduction to lsof command
- Installation of lsof
- Applications / Use of lsof
Introduction to lsof command
lsof command, an acronymized form of "list open files", is a terminal-based command that allows the user to retrieve information regarding all open/in-use files and their associated users/processes.
The following categories display as column headers when
lsof is executed. They will be elaborated upon in later sections.
Installation of lsof
Note: Although the command is supported by default in most Linux distributions you may find that your system does not support it.
For Debian and Ubuntu-based systems:
$ sudo apt-get install lsof
For Redhat-derived systems:
$ sudo yum install lsof
- You should need to enter your password for this installation to proceed. In some cases, your password will not show when entered, this is completely normal.
For reference the remaining examples will be executed in Ubuntu.
Application / Use of lsof
lsof command provides a long list of all the open files accessed by their respective processes. The command has many uses; prominently,
lsof can be used to identify files that should not be in use but are.
For practical purposes it makes sense to appropriately filter files with modifiers, as
lsof output will be too long.
Additionally, if "permission denied" appears on any of the files when executing
sudo lsof to execute the command with root (admin) privileges.
Note: Files can be normal files, as well as directories, sockets, and more in Linux.
lsof [ -?abChlnNOPRtUvVX ] [ -A A ] [ -c c ] [ +c c ] [ +|-d d ] [ +|-D D ] [ +|-e s ] [ +|-E ] [ +|-f [cfgGn] ] [ -F [f] ] [ -g [s] ] [ -i [i] ] [ -k k ] [ -K k ] [ +|-L [l] ] [ +|-m m ] [ +|-M ] [ -o [o] ] [ -p s ] [ +|-r [t[m<fmt>]] ] [ -s [p:s] ] [ -S [t] ] [ -T [t] ] [ -u s ] [ +|-w ] [ -x [fl] ] [ -z [z] ] [ -Z [Z] ] [ -- ] [names]
This syntax, output of
lsof ?, displays the possible commands that can be combined with
lsof. For the purpose of simplicity, we will only cover a couple of these commands, but feel free to test out some of these commands on your own.
NODE NAME, are the column headers from left to right. Lines were picked to form this output — this is only a small snapshot.
bash 1336 liubsi 255u CHR 136,0 0t0 3 /dev/pts/0 sudo 1555 root mem REG 8,5 18720 673569 /usr/lib/x86_64-linux-gnu/security/pam_env.so sudo 1555 root mem REG 8,5 191472 268991 /usr/lib/x86_64-linux-gnu/ld-2.31.so sudo 1555 root 0u CHR 136,0 0t0 3 /dev/pts/0 sudo 1555 root 1u CHR 136,0 0t0 3 /dev/pts/0 sudo 1555 root 2u CHR 136,0 0t0 3 /dev/pts/0 sudo 1555 root 3u netlink 0t0 41141 AUDIT sudo 1555 root 4u unix 0xffff9f27259e8000 0t0 41145 type=DGRAM sudo 1555 root 6r FIFO 0,12 0t0 41148 pipe sudo 1555 root 7w FIFO 0,12 0t0 41148 pipe lsof 1556 root cwd DIR 8,5 4096 933156 /home/liubsi lsof 1556 root rtd DIR 8,5 4096 2 / lsof 1556 root txt REG 8,5 175744 262830 /usr/bin/lsof lsof 1556 root mem REG 8,5 16287648 268467 /usr/lib/locale/locale-archive lsof 1556 root mem REG 8,5 157224 270212 /usr/lib/x86_64-linux-gnu/libpthread-2.31.so lsof 1556 root mem REG 8,5 18816 269398 /usr/lib/x86_64-linux-gnu/libdl-2.31.so
COMMANDrefers to the process which currently has the file open (e.g. If you have Google Chrome open you may see
chromeunder the first section)
PIDstands for Process ID, a unique number your OS uses to track processes
USERdisplays the user who is running the process (e.g. "yourself" — in my case liubsi, root, etc.)
FDstands for file descriptor which can take on various values. For example:
cwd- current working directory
txt- text file
rtd- root directory
jtd- jail directory
mem- memory-mapped file
- A number - this number refers to the actual file descriptor (unique integer identifier)
- Adjacent character -
urefer to read, write, and read and write respectively
- Adjacent character -
- Note: These are only some of the most common descriptors, there are many more
TYPErefers to the type of file
REG- regular file
CHR- character special file (a file that provides access to an input/output device)
FIFO- file that reads data first-in-first-out (also known as a named pipe, it allows applications on a device to pass data between each other)
UNIX- Unix domain socket
- Note: These are only some of the most common types, there are many more
DEVICE- contains the device number, memory, address, and more depending on the file
SIZE/OFF- simply lists the size of the file or file offset in bytes if available
NODErefers to the node number, inode, internet protocol type (TCP), and more.
NAMErefers to the file's location and mount point, but can reference other values as well
Some Useful Commands
In no particular order of usefulness, here are some useful and commonly-used commands incorporating
$ lsof +d s
- This command searches for all directories and files that are currently open with s acting as the root directory. Importantly, this command does not descend beyond the root directory to search.
$ lsof -i
- This option selects all of files currently being used by network and Internet processes.
$ lsof -cc
- This command shows the processes that start with the letter c. The letter c can be substituted for any other letter.
$ lsof -c chrome
- This command shows the processes that are being used by chrome. However, chrome can be substituted by any other process (e.g. firefox) to show that process' files.
$ lsof -v
- Gives the version information for
$ lsof -p s
- Gives the file as identified by the PID (process ID)
Note: For negation the ^ modifier can be used.
$ lsof -p ^25 excludes the file with a PID of 25.
For a more detailed description of
man 8 lsof in the terminal and use
h to navigate.
What does lsof stand for?
With this article at OpenGenus, you must have the complete idea of using lsof command in Linux.