lsof command in Linux

In this article, we have explored the lsof command in Linux systems in depth. It is used to find files that are opened or linked with running processes.

Table of contents:

1. Introduction to lsof command
2. Installation of lsof
3. Applications / Use of lsof

Introduction to lsof command

The lsof command, an acronymized form of "list open files", is a terminal-based command that allows the user to retrieve information regarding all open/in-use files and their associated users/processes.

The following categories display as column headers when lsof is executed. They will be elaborated upon in later sections.

COMMAND	PID	USER	FD	TYPE	DEVICE	SIZE/OFF	NODE NAME

Installation of lsof

Note: Although the command is supported by default in most Linux distributions you may find that your system does not support it.

For Debian and Ubuntu-based systems:

$ sudo apt-get install lsof

For Redhat-derived systems:

$ sudo yum install lsof

• You should need to enter your password for this installation to proceed. In some cases, your password will not show when entered, this is completely normal.

For reference the remaining examples will be executed in Ubuntu.

Application / Use of lsof

The lsof command provides a long list of all the open files accessed by their respective processes. The command has many uses; prominently, lsof can be used to identify files that should not be in use but are.

For practical purposes it makes sense to appropriately filter files with modifiers, as lsof output will be too long.

Additionally, if "permission denied" appears on any of the files when executing lsof, type sudo lsof to execute the command with root (admin) privileges.

Note: Files can be normal files, as well as directories, sockets, and more in Linux.

Syntax:

lsof [ -?abChlnNOPRtUvVX ] [ -A A ] [ -c c ] [ +c c ] [ +|-d d ]
       [ +|-D D ] [ +|-e s ] [ +|-E ] [ +|-f [cfgGn] ] [ -F [f] ] [ -g
       [s] ] [ -i [i] ] [ -k k ] [ -K k ] [ +|-L [l] ] [ +|-m m ] [ +|-M
       ] [ -o [o] ] [ -p s ] [ +|-r [t[m<fmt>]] ] [ -s [p:s] ] [ -S [t]
       ] [ -T [t] ] [ -u s ] [ +|-w ] [ -x [fl] ] [ -z [z] ] [ -Z [Z] ]
       [ -- ] [names]

This syntax, output of lsof ?, displays the possible commands that can be combined with lsof. For the purpose of simplicity, we will only cover a couple of these commands, but feel free to test out some of these commands on your own.

Example Output

COMMAND, PID, USER, FD, TYPE, DEVICE, SIZE/OFF, NODE NAME, are the column headers from left to right. Lines were picked to form this output — this is only a small snapshot.

bash      1336                         liubsi  255u      CHR              136,0      0t0          3 /dev/pts/0
sudo      1555                           root  mem       REG                8,5    18720     673569 /usr/lib/x86_64-linux-gnu/security/pam_env.so
sudo      1555                           root  mem       REG                8,5   191472     268991 /usr/lib/x86_64-linux-gnu/ld-2.31.so
sudo      1555                           root    0u      CHR              136,0      0t0          3 /dev/pts/0
sudo      1555                           root    1u      CHR              136,0      0t0          3 /dev/pts/0
sudo      1555                           root    2u      CHR              136,0      0t0          3 /dev/pts/0
sudo      1555                           root    3u  netlink                         0t0      41141 AUDIT
sudo      1555                           root    4u     unix 0xffff9f27259e8000      0t0      41145 type=DGRAM
sudo      1555                           root    6r     FIFO               0,12      0t0      41148 pipe
sudo      1555                           root    7w     FIFO               0,12      0t0      41148 pipe
lsof      1556                           root  cwd       DIR                8,5     4096     933156 /home/liubsi
lsof      1556                           root  rtd       DIR                8,5     4096          2 /
lsof      1556                           root  txt       REG                8,5   175744     262830 /usr/bin/lsof
lsof      1556                           root  mem       REG                8,5 16287648     268467 /usr/lib/locale/locale-archive
lsof      1556                           root  mem       REG                8,5   157224     270212 /usr/lib/x86_64-linux-gnu/libpthread-2.31.so
lsof      1556                           root  mem       REG                8,5    18816     269398 /usr/lib/x86_64-linux-gnu/libdl-2.31.so

File Details

• COMMAND refers to the process which currently has the file open (e.g. If you have Google Chrome open you may see chrome under the first section)
• PID stands for Process ID, a unique number your OS uses to track processes
• USER displays the user who is running the process (e.g. "yourself" — in my case liubsi, root, etc.)
• FD stands for file descriptor which can take on various values. For example:
  • cwd - current working directory
  • txt - text file
  • rtd - root directory
  • jtd - jail directory
  • mem - memory-mapped file
  • A number - this number refers to the actual file descriptor (unique integer identifier)
    • Adjacent character - r, w, u refer to read, write, and read and write respectively
  • Note: These are only some of the most common descriptors, there are many more
• TYPE refers to the type of file
  • DIR - directory
  • REG - regular file
  • CHR - character special file (a file that provides access to an input/output device)
  • FIFO- file that reads data first-in-first-out (also known as a named pipe, it allows applications on a device to pass data between each other)
  • UNIX- Unix domain socket
  • Note: These are only some of the most common types, there are many more
• DEVICE - contains the device number, memory, address, and more depending on the file
• SIZE/OFF - simply lists the size of the file or file offset in bytes if available
• NODE NAME - NODE refers to the node number, inode, internet protocol type (TCP), and more. NAME refers to the file's location and mount point, but can reference other values as well

Some Useful Commands

In no particular order of usefulness, here are some useful and commonly-used commands incorporating lsof .

$ lsof +d s

• This command searches for all directories and files that are currently open with s acting as the root directory. Importantly, this command does not descend beyond the root directory to search.

$ lsof -i

• This option selects all of files currently being used by network and Internet processes.

$ lsof -cc

• This command shows the processes that start with the letter c. The letter c can be substituted for any other letter.

$ lsof -c chrome

• This command shows the processes that are being used by chrome. However, chrome can be substituted by any other process (e.g. firefox) to show that process' files.

$ lsof -v

• Gives the version information for lsof as installed

$ lsof -p s

• Gives the file as identified by the PID (process ID) s.

Note: For negation the ^ modifier can be used. $ lsof -p ^25 excludes the file with a PID of 25.

For a more detailed description of lsof enter man 8 lsof in the terminal and use h to navigate.

Read about more Linux terminal commands

With this article at OpenGenus, you must have the complete idea of using lsof command in Linux.