18 Quick ‘lsof’ command examples for Linux Geeks

lsof is a command line utility for all Unix and Linux like operating systems to check “list of open files” The name “lsof” is itself derived from this functionality. lsof command is mainly used to retrieve information about files that are opened by various processes. Open files in a system can be of different type like disk files, network sockets, named pipes and devices. This distinctive feature enables one to debug and understand Linux Operating System in a better way.

lsof-command-examples-linux-geeks

When we do the minimal installation of CentOS / RHEL / UbuntuOpenSUSE, lsof is not the part of default installation, so use the following command to install lsof command or utility

For CentOS / RHEL System,

~] # yum install lsof -y

Debian Based Systems (Ubuntu / Linux Mint)

~] # apt install lsof -y

For OpenSUSE System,

~] # zypper install lsof

The command “lsof” comes equipped with many options and switches. It will be very interesting to explore some of these important ones. In this article we will discuss 18 useful lsof command examples for Linux geeks.

Example:1) List all open files of your system (lsof)

Running lsof command without any options will list all open files of your system that belongs to all active process.

Just typing “lsof” command without any options at command line gives the following output,

Note:- Since lsof output gives lot of information to STDOUT, it will be better to use pipe “|” operation to see this output page by page.

[root@linuxtechi ~]# lsof | more
COMMAND    PID  TID    USER   FD      TYPE             DEVICE  SIZE/OFF       NODE NAME
systemd      1         root  cwd       DIR              253,0      4096        128 /
systemd      1         root  rtd       DIR              253,0      4096        128 /
systemd      1         root  txt       REG              253,0   1489960   50674818 /usr/lib/systemd/systemd
systemd      1         root  mem       REG              253,0     20032   33628284 /usr/lib64/libuuid.so.1.3.0
systemd      1         root  mem       REG              253,0    252704   33745961 /usr/lib64/libblkid.so.1.1.0

The above command output if you examine carefully provides lot of information with many parameters. For example, process “systemd” (which is a daemon process) has Process Id (PID) of “1”, User is “root“, File Descriptor (FD) as “cwd” and etc. The FD comes-up with many values, as one is aware that File Descriptor is generated for any open files automatically in Linux Systems. Below are some of the well-known “FD” values used for lsof commands,

Process-parameter-lsof-command

Note: In some cases, the “mem” is followed by number and various characters like “r”, “u”, “w” etc. These characters are “r” for read, “w” for write, “u” for read and write.

Finally, the “TYPE” in the command output indicates type of the file.  The following are the standard types of files in Linux systems.

File-type-linux-lsof-command

The other fields that are displayed along with this are as follows,

  • DEVICE –> Device id
  • SIZE/OFF –> Actual size of this process (taken during run time)
  • NODE –> Typically inode number of the directory or parent directory
  • NAME –> Path or link

Example:2) List open files of specific file system (/proc)

As you are aware the “/proc” will be existing only during the life time of the Linux OS, this directory contains lot of important process related information. Executing “lsof” on /proc will throw interesting output for us to explore,

[root@linuxtechi ~]# lsof /proc
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF       NODE NAME
systemd      1 root    9r   REG    0,3        0       6690 /proc/1/mountinfo
systemd      1 root   11r   REG    0,3        0 4026532018 /proc/swaps
systemd-j  462 root   10r   REG    0,3        0       6936 /proc/sys/kernel/hostname
lsof      5186 root    3r   DIR    0,3        0          1 /proc
lsof      5186 root    6r   DIR    0,3        0      28890 /proc/5186/fd
[root@linuxtechi ~]#

As mentioned earlier, “lsof” of “lsof” itself is captured here and all the details are displayed. Other than “lsof” there are other processes like systemd and rsyslogd which are daemons used for swap, mounting etc purposes.

Similarly, we can list open files of another file system like /var/log,

[root@linuxtechi ~]# lsof /var/log/

lsof command become very handy in a situation where df and du command shows different disk usage of same file system, using lsof command we can find files which were removed while they were opened and used by some process,

[root@linuxtechi ~]# lsof /var/log | grep -i "deleted"

Above command will give you the pid of files which were deleted but they are still exist in the system in deleted state. So, to release the space from file system we can safely kill the process by its pid.

Example:3) List of open file for “lsof” command

“lsof” on itself throws an error message,

[root@linuxtechi ~]# lsof lsof
lsof: status error on lsof: No such file or directory
lsof 4.87

Example:4) List of open files for users (lsof -u <user_name>)

“lsof” can be used for all the users who have logged into the Linux System. In this case “lsof” will display all the opened files for the respective user.

List all open files for root user

[root@linuxtechi ~]# lsof -u root | more
COMMAND    PID USER   FD      TYPE             DEVICE  SIZE/OFF       NODE NAME
systemd      1 root  cwd       DIR              253,0      4096        128 /
systemd      1 root  rtd       DIR              253,0      4096        128 /
systemd      1 root  txt       REG              253,0   1620416   51034677 /usr/lib/systemd/systemd
systemd      1 root  mem       REG              253,0     20032   33628284 /usr/lib64/libuuid.so.1.3.0
systemd      1 root  mem       REG              253,0    252704   33745961 /usr/lib64/libblkid.so.1.1.0
systemd      1 root  mem       REG              253,0     90632   33628275 /usr/lib64/libz.so.1.2.7
systemd      1 root  mem       REG              253,0    153192   33618596 /usr/lib64/liblzma.so.5.0.99
systemd      1 root  mem       REG              253,0     19888   33656455 /usr/lib64/libattr.so.1.1.0
…………………………………………………………

List of open files for non-root users, let’s see all open files for linuxtechi user,

[root@linuxtechi ~]# lsof -u linuxtechi  | more
Or
[root@linuxtechi ~]# lsof -l -u linuxtechi | more
COMMAND    PID       USER   FD   TYPE             DEVICE  SIZE/OFF     NODE NAME
sshd      2657 linuxtechi  cwd    DIR              253,0      4096      128 /
sshd      2657 linuxtechi  rtd    DIR              253,0      4096      128 /
sshd      2657 linuxtechi  txt    REG              253,0    815520 34698340 /usr/sbin/sshd
sshd      2657 linuxtechi  DEL    REG                0,4              23850 /dev/zero
sshd      2657 linuxtechi  mem    REG              253,0     15472 33831639 /usr/lib64/security/pam_lastlog.so
sshd      2657 linuxtechi  mem    REG              253,0     68192 33628305 /usr/lib64/libbz2.so.1.0.6
sshd      2657 linuxtechi  mem    REG              253,0    153192 33618596 /usr/lib64/liblzma.so.5.0.99
sshd      2657 linuxtechi  mem    REG              253,0     91496 33628319 /usr/lib64/libelf-0.163.so
sftp-serv 2661 linuxtechi  mem    REG              253,0     14608 33618582 /usr/lib64/libutil-2.17.so
sftp-serv 2661 linuxtechi  mem    REG              253,0     61856 33863972 /usr/lib64/liblber-2.4.so.2.10.3
sftp-serv 2661 linuxtechi  mem    REG              253,0    344224 33863974 /usr/lib64/libldap-2.4.so.2.10.3
sftp-serv 2661 linuxtechi  mem    REG              253,0     19512 33618298 /usr/lib64/libdl-2.17.so
sftp-serv 2661 linuxtechi  mem    REG              253,0   2516624 33657314 /usr/lib64/libcrypto.so.1.0.2k
sftp-serv 2661 linuxtechi  mem    REG              253,0    164432 33618285 /usr/lib64/ld-2.17.so
sftp-serv 2661 linuxtechi    0r  FIFO                0,8       0t0    24046 pipe
sftp-serv 2661 linuxtechi    1w  FIFO                0,8       0t0    24047 pipe
sftp-serv 2661 linuxtechi    2w  FIFO                0,8       0t0    24048 pipe
bash      2670 linuxtechi  cwd    DIR              253,0        79 17157147 /home/linuxtechi
………………………………………………………………………

To List all open files except root user, use ^(caret symbol) in front of root user ( lsof -u ^root),

[root@linuxtechi ~]# lsof -u ^root | more
COMMAND    PID  TID       USER   FD      TYPE             DEVICE  SIZE/OFF     NODE NAME
dbus-daem 1662            dbus  cwd       DIR              253,0      4096      128 /
dbus-daem 1662            dbus  rtd       DIR              253,0      4096      128 /
dbus-daem 1662            dbus  txt       REG              253,0    441176 17133533 /usr/bin/dbus-daemon
dbus-daem 1662            dbus  mem       REG              253,0     57824 33618566 /usr/lib64/libnss_files-2.17.so
dbus-daem 1662            dbus  mem       REG              253,0     19512 33618298 /usr/lib64/libdl-2.17.so
dbus-daem 1662            dbus  mem       REG              253,0    398272 33628261 /usr/lib64/libpcre.so.1.2.0
dbus-daem 1662            dbus  mem       REG              253,0   2107816 33618292 /usr/lib64/libc-2.17.so
……………………………………………………………………………………………………………

Example:5) List all open Internet and UNIX domain files (lsof -i -U)

Use “-i -U” option in lsof command to list all open internet and UNIX domain files on your system, example is shown below

[root@linuxtechi ~]# lsof -i -U
COMMAND    PID       USER   FD   TYPE             DEVICE SIZE/OFF  NODE NAME
systemd      1       root   12u  unix 0xffff8800b8baab40      0t0 11075 /run/systemd/cgroups-agent
systemd      1       root   13u  unix 0xffff8800b8bab2c0      0t0 11077 /run/systemd/private
systemd      1       root   42u  IPv4              16576      0t0   TCP *:sunrpc (LISTEN)
systemd      1       root   43u  IPv4              16577      0t0   UDP *:sunrpc
rpcbind   1633        rpc    3u  unix 0xffff8800bab8cf00      0t0 16574 /var/run/rpcbind.sock
rpcbind   1633        rpc    4u  IPv4              16576      0t0   TCP *:sunrpc (LISTEN)
rpcbind   1633        rpc    5u  IPv4              16577      0t0   UDP *:sunrpc
rpcbind   1633        rpc    6u  IPv6              16578      0t0   TCP *:sunrpc (LISTEN)
rpcbind   1633        rpc    7u  IPv6              16579      0t0   UDP *:sunrpc
rpcbind   1633        rpc   10u  IPv4              16649      0t0   UDP *:960
sshd      2532       root    3u  IPv4              21120      0t0   TCP 192.168.1.6:ssh->192.168.1.5:65110 (ESTABLISHED)
sshd      2532       root    4u  unix 0xffff8800bbef3a40      0t0 21260 socket
sshd      2532       root    8u  unix 0xffff8800b8afd680      0t0 21298 /tmp/ssh-QHz9BdtRvt/agent.2532
sshd      2536       root    3u  IPv4              21191      0t0   TCP 192.168.1.6:ssh->192.168.1.5:65112 (ESTABLISHED)
sshd      2536       root    4u  unix 0xffff8800b8afd2c0      0t0 21363 socket
………………………………………………………………………………………………………………

Example:6) List all open IPv4 network files (lsof -i 4)

Use “-i -4” option in lsof command to list all open network files for IPv4,

[root@linuxtechi ~]# lsof -i 4
COMMAND   PID       USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
systemd     1       root   42u  IPv4  16576      0t0  TCP *:sunrpc (LISTEN)
systemd     1       root   43u  IPv4  16577      0t0  UDP *:sunrpc
rpcbind  1633        rpc    4u  IPv4  16576      0t0  TCP *:sunrpc (LISTEN)
sshd     2258       root    3u  IPv4  19493      0t0  TCP *:ssh (LISTEN)
master   2360       root   13u  IPv4  20087      0t0  TCP localhost:smtp (LISTEN)
dhclient 2494       root    6u  IPv4  20983      0t0  UDP *:bootpc
dhclient 2494       root   20u  IPv4  20951      0t0  UDP *:24884
dhclient 2514       root    6u  IPv4  20866      0t0  UDP *:bootpc
sshd     2532       root    3u  IPv4  21120      0t0  TCP 192.168.1.6:ssh->192.168.1.5:65110 (ESTABLISHED)
sshd     2536       root    3u  IPv4  21191      0t0  TCP 192.168.1.6:ssh->192.168.1.5:65112 (ESTABLISHED)
sshd     2621       root    3u  IPv4  23506      0t0  TCP 192.168.1.6:ssh->192.168.1.9:65422 (ESTABLISHED)
sshd     2655       root    3u  IPv4  23863      0t0  TCP 192.168.1.6:ssh->192.168.1.9:49992 (ESTABLISHED)
sshd     2657 linuxtechi    3u  IPv4  23795      0t0  TCP 192.168.1.6:ssh->192.168.1.9:49990 (ESTABLISHED)
sshd     2660 linuxtechi    3u  IPv4  23863      0t0  TCP 192.168.1.6:ssh->192.168.1.9:49992 (ESTABLISHED)
[root@linuxtechi ~]#

To list all open IPv4 network files used by a specific process whose process id “any_number”, examples is shown below

Let’s assume we want to list all IPv4 network files for rpcbind process

Syntax : # lsof i 4 -a -p {process_pid}

[root@linuxtechi ~]# lsof -i 4 -a  -p 1633
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 1633  rpc    4u  IPv4  16576      0t0  TCP *:sunrpc (LISTEN)
rpcbind 1633  rpc    5u  IPv4  16577      0t0  UDP *:sunrpc
rpcbind 1633  rpc   10u  IPv4  16649      0t0  UDP *:960
[root@linuxtechi ~]#

Example:7) List all open network files for IPv6 (lsof -i 6)

Assuming ipv6 domain is supported, the output of lsof will be something like below,

[root@linuxtechi ~]# lsof -i 6
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
systemd     1   root   44u  IPv6  16578      0t0  TCP *:sunrpc (LISTEN)
systemd     1   root   46u  IPv6  16579      0t0  UDP *:sunrpc
rpcbind  1633    rpc    6u  IPv6  16578      0t0  TCP *:sunrpc (LISTEN)
rpcbind  1633    rpc    7u  IPv6  16579      0t0  UDP *:sunrpc
rpcbind  1633    rpc   11u  IPv6  16650      0t0  UDP *:960
sshd     2258   root    4u  IPv6  19504      0t0  TCP *:ssh (LISTEN)
master   2360   root   14u  IPv6  20088      0t0  TCP localhost:smtp (LISTEN)
dhclient 2494   root   21u  IPv6  20952      0t0  UDP *:16498
dhclient 2514   root   21u  IPv6  20823      0t0  UDP *:34955
httpd    2594   root    4u  IPv6  22703      0t0  TCP *:http (LISTEN)
httpd    2595 apache    4u  IPv6  22703      0t0  TCP *:http (LISTEN)
httpd    2596 apache    4u  IPv6  22703      0t0  TCP *:http (LISTEN)
httpd    2597 apache    4u  IPv6  22703      0t0  TCP *:http (LISTEN)
httpd    2598 apache    4u  IPv6  22703      0t0  TCP *:http (LISTEN)
httpd    2599 apache    4u  IPv6  22703      0t0  TCP *:http (LISTEN)
[root@linuxtechi ~]#

Example:8) List all TCP & UDP process running on specific port (lsof -i TCP/UDP:port)

Let’s assume we want to list all the TCP process running on 80 port, use the below command

[root@linuxtechi ~]# lsof -i TCP:80
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd   2594   root    4u  IPv6  22703      0t0  TCP *:http (LISTEN)
httpd   2595 apache    4u  IPv6  22703      0t0  TCP *:http (LISTEN)
httpd   2596 apache    4u  IPv6  22703      0t0  TCP *:http (LISTEN)
httpd   2597 apache    4u  IPv6  22703      0t0  TCP *:http (LISTEN)
httpd   2598 apache    4u  IPv6  22703      0t0  TCP *:http (LISTEN)
httpd   2599 apache    4u  IPv6  22703      0t0  TCP *:http (LISTEN)
[root@linuxtechi ~]#

To list all open files on TCP port from port range (1 to 1048), use the following command

[root@linuxtechi ~]# lsof -i TCP:1-1048
COMMAND  PID       USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
systemd    1       root   41u  IPv4  16863      0t0  TCP *:sunrpc (LISTEN)
systemd    1       root   44u  IPv6  16865      0t0  TCP *:sunrpc (LISTEN)
rpcbind 1663        rpc    4u  IPv4  16863      0t0  TCP *:sunrpc (LISTEN)
rpcbind 1663        rpc    6u  IPv6  16865      0t0  TCP *:sunrpc (LISTEN)
sshd    2294       root    3u  IPv4  19949      0t0  TCP *:ssh (LISTEN)
sshd    2294       root    4u  IPv6  19965      0t0  TCP *:ssh (LISTEN)
master  2433       root   13u  IPv4  21026      0t0  TCP localhost:smtp (LISTEN)
master  2433       root   14u  IPv6  21027      0t0  TCP localhost:smtp (LISTEN)
sshd    2600       root    3u  IPv4  21737      0t0  TCP 192.168.1.3:ssh->192.168.1.9:52393 (ESTABLISHED)
sshd    2659       root    3u  IPv4  22056      0t0  TCP 192.168.1.3:ssh->192.168.1.9:52486 (ESTABLISHED)
sshd    2663       root    3u  IPv4  22123      0t0  TCP 192.168.1.3:ssh->192.168.1.9:52489 (ESTABLISHED)
httpd   2837       root    4u  IPv6  26112      0t0  TCP *:http (LISTEN)
httpd   2838     apache    4u  IPv6  26112      0t0  TCP *:http (LISTEN)
httpd   2839     apache    4u  IPv6  26112      0t0  TCP *:http (LISTEN)
httpd   2840     apache    4u  IPv6  26112      0t0  TCP *:http (LISTEN)
httpd   2841     apache    4u  IPv6  26112      0t0  TCP *:http (LISTEN)
httpd   2842     apache    4u  IPv6  26112      0t0  TCP *:http (LISTEN)
sshd    2891       root    3u  IPv4  26896      0t0  TCP 192.168.1.3:ssh->192.168.1.9:53541 (ESTABLISHED)
sshd    2895 linuxtechi    3u  IPv4  26896      0t0  TCP 192.168.1.3:ssh->192.168.1.9:53541 (ESTABLISHED)
[root@linuxtechi ~]#

To List all UDP process running on a specific port use the beneath command

[root@linuxtechi ~]# lsof -i UDP:16498
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dhclient 2494 root   21u  IPv6  20952      0t0  UDP *:16498
[root@linuxtechi ~]#

Note: To list all open UDP process on your linux system then use the command “lsof -i UDP

Example:9) List all open files for specific device (lsof <device_name>)

The following command can be used to list all open files on /dev/vda1.

Note: In this case the device type is virtual, in general this can be of type /dev/hd<number>/ sd{number}

root@linuxtechi ~]# lsof  /dev/vda1 | more
COMMAND    PID       USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
systemd      1       root  cwd    DIR  253,1     4096       2 /
systemd      1       root  rtd    DIR  253,1     4096       2 /
systemd      1       root  txt    REG  253,1  1577264  262271 /lib/systemd/systemd
systemd      1       root  mem    REG  253,1    18976  262252 /lib/x86_64-linux-gnu/libuuid.so.1.3.0
systemd      1       root  mem    REG  253,1   262408  262245 /lib/x86_64-linux-gnu/libblkid.so.1.1.0
systemd      1       root  mem    REG  253,1    14608  266364 /lib/x86_64-linux-gnu/libdl-2.23.so
systemd      1       root  mem    REG  253,1   456632  262207 /lib/x86_64-linux-gnu/libpcre.so.3.13.2
systemd      1       root  mem    REG  253,1  1868984  266362 /lib/x86_64-linux-gnu/libc-2.23.so
systemd      1       root  mem    REG  253,1   138696  266361 /lib/x86_64-linux-gnu/libpthread-2.23.so
systemd      1       root  mem    REG  253,1   286824  261756 /lib/x86_64-linux-gnu/libmount.so.1.1.0

Example:10) List processes with open files on NFS file system

There are some situations where you have mounted nfs file system on your linux box but nfs server is inaccessible and want to list all process with open files on that nfs file system,

[root@linuxtechi ~]# lsof -b <nfs-share-mount-point>

Example:11) List terminal related open files (lsof /dev/tty{number})

The following command is used for all open files on /dev/tty1.

Note: In this case the terminal type is “tty1”. Any other terminal type also can be used like /dev/tty<number>

[root@linuxtechi ~]# lsof /dev/tty1
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
bash    2442 root    0u   CHR    4,1      0t0 4689 /dev/tty1
bash    2442 root    1u   CHR    4,1      0t0 4689 /dev/tty1
bash    2442 root    2u   CHR    4,1      0t0 4689 /dev/tty1
bash    2442 root  255u   CHR    4,1      0t0 4689 /dev/tty1
[root@linuxtechi ~]#

Example:12) List PID, Command Name, File descriptor, Device Number & File inode Number (lsof -FpcfDi)

One of the interesting options in “lsof” to obtain PID(P) and command name(c) field output for each process, file descriptor (f), file device number(D), and file inode number(i) for each file of each process, example is shown below

[root@linuxtechi ~]# lsof -FpcfDi | more
p1
csystemd
fcwd
D0xfd00
i128
frtd
D0xfd00
i128
ftxt
D0xfd00
i51034677
fmem
D0xfd00
i33628284
………………

Note: Long list of output is displayed, but this is cut short to save space.

Example:13) List all the network connections (lsof -i)

Use “-i” option in lsof command to list all network related process or commands, example is shown below,

[root@linuxtechi ~]# lsof -i
COMMAND    PID       USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
systemd      1       root   41u  IPv4  16863      0t0  TCP *:sunrpc (LISTEN)
systemd      1       root   43u  IPv4  16864      0t0  UDP *:sunrpc
rpcbind   1663        rpc    4u  IPv4  16863      0t0  TCP *:sunrpc (LISTEN)
rpcbind   1663        rpc    5u  IPv4  16864      0t0  UDP *:sunrpc
rpcbind   1663        rpc   11u  IPv6  17051      0t0  UDP *:988
sshd      2294       root    3u  IPv4  19949      0t0  TCP *:ssh (LISTEN)
sshd      2294       root    4u  IPv6  19965      0t0  TCP *:ssh (LISTEN)
rpc.statd 2300    rpcuser   10u  IPv6  19974      0t0  UDP *:48486
rpc.statd 2300    rpcuser   11u  IPv6  20045      0t0  TCP *:39334 (LISTEN)
rpc.mount 2311       root    7u  IPv4  19897      0t0  UDP *:mountd
rpc.mount 2311       root    8u  IPv4  19911      0t0  TCP *:mountd (LISTEN)
master    2433       root   13u  IPv4  21026      0t0  TCP localhost:smtp (LISTEN)
master    2433       root   14u  IPv6  21027      0t0  TCP localhost:smtp (LISTEN)
dhclient  2563       root    6u  IPv4  21589      0t0  UDP *:bootpc
dhclient  2583       root   21u  IPv6  21365      0t0  UDP *:10368
sshd      2600       root    3u  IPv4  21737      0t0  TCP 192.168.1.3:ssh->192.168.1.9:52393 (ESTABLISHED)
sshd      2659       root    3u  IPv4  22056      0t0  TCP 192.168.1.3:ssh->192.168.1.9:52486 (ESTABLISHED)
[root@linuxtechi ~]#

Example:14) Find IPv4 /IPv6 Socket file

To find the IPv4 socket file use the below command, replace IP address with your system IP

[root@linuxtechi ~]# lsof -i@192.168.1.3
COMMAND  PID       USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    2600       root    3u  IPv4  21737      0t0  TCP 192.168.1.3:ssh->192.168.1.9:52393 (ESTABLISHED)
sshd    2659       root    3u  IPv4  22056      0t0  TCP 192.168.1.3:ssh->192.168.1.9:52486 (ESTABLISHED)
sshd    2663       root    3u  IPv4  22123      0t0  TCP 192.168.1.3:ssh->192.168.1.9:52489 (ESTABLISHED)
sshd    2724       root    3u  IPv4  25004      0t0  TCP 192.168.1.3:ssh->192.168.1.9:52848 (ESTABLISHED)
sshd    2728 linuxtechi    3u  IPv4  25004      0t0  TCP 192.168.1.3:ssh->192.168.1.9:52848 (ESTABLISHED)
[root@linuxtechi ~]#

To find an IP version 6 socket file by an associated numeric colon-form address that has a run of zeroes in it – e.g., the loop-back address(127.0.0.1) use below command and options:

[root@linuxtechi ~]# lsof -i@[::1]
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
master  2433 root   14u  IPv6  21027      0t0  TCP localhost:smtp (LISTEN)
[root@linuxtechi ~]#

Example:15) List all Process or Commands that belongs to a Process ID (lsof -p <pid>)

Let’s assume we want to list all process or commands that belongs to a specific process id, Example is shown below

[root@linuxtechi ~]# lsof -p 2842 | more
COMMAND  PID   USER   FD      TYPE             DEVICE SIZE/OFF     NODE NAME
httpd   2842 apache  cwd       DIR              253,0     4096      128 /
httpd   2842 apache  rtd       DIR              253,0     4096      128 /
httpd   2842 apache  txt       REG              253,0   523680 34641136 /usr/sbin/httpd
httpd   2842 apache  mem       REG              253,0   110808 33618576 /usr/lib64/libresolv-2.17.so
httpd   2842 apache  mem       REG              253,0    27512 33618564 /usr/lib64/libnss_dns-2.17.so
httpd   2842 apache  mem       REG              253,0    57824 33618566 /usr/lib64/libnss_files-2.17.so
httpd   2842 apache  mem       REG              253,0    27808 17080385 /usr/lib64/httpd/modules/mod_cgi.so
httpd   2842 apache  mem       REG              253,0    68192 33628305 /usr/lib64/libbz2.so.1.0.6
………………………………………………

Example:16) Kill all process that belongs to a specific user

lsof command become very handy where we want to kill all the process that belongs to a specific user, below example will kill all process that belongs to linuxtechi user

[root@linuxtechi ~]# kill -9 `lsof -t -u linuxtechi`
[root@linuxtechi ~]#

Example:17) List all open files under a specific directory (lsod +D <directory-path>)

Let’s assume we want list all open files under /var/log directory, then use the following lsof command,

[root@linuxtechi ~]# lsof +D /var/log/
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
auditd    1635   root    4w   REG  253,0  1177238 51031316 /var/log/audit/audit.log
wpa_suppl 1840   root    3w   REG  253,0      240   392280 /var/log/wpa_supplicant.log
tuned     2295   root    3w   REG  253,0     6000 17713597 /var/log/tuned/tuned.log
rsyslogd  2296   root    6w   REG  253,0     7118   392279 /var/log/cron
rsyslogd  2296   root    7w   REG  253,0   449328   338975 /var/log/messages
rsyslogd  2296   root    8w   REG  253,0    26038   338976 /var/log/secure
rsyslogd  2296   root    9w   REG  253,0     1576   338977 /var/log/maillog
rsyslogd  2296   root   10w   REG  253,0     9458      138 /var/log/boot.log
httpd     2837   root    2w   REG  253,0     2829 34768157 /var/log/httpd/error_log
httpd     2837   root    7w   REG  253,0        0 34824416 /var/log/httpd/access_log
httpd     2838 apache    2w   REG  253,0     2829 34768157 /var/log/httpd/error_log
httpd     2838 apache    7w   REG  253,0        0 34824416 /var/log/httpd/access_log
httpd     2839 apache    2w   REG  253,0     2829 34768157 /var/log/httpd/error_log
httpd     2839 apache    7w   REG  253,0        0 34824416 /var/log/httpd/access_log
httpd     2840 apache    2w   REG  253,0     2829 34768157 /var/log/httpd/error_log
httpd     2840 apache    7w   REG  253,0        0 34824416 /var/log/httpd/access_log
httpd     2841 apache    2w   REG  253,0     2829 34768157 /var/log/httpd/error_log
httpd     2841 apache    7w   REG  253,0        0 34824416 /var/log/httpd/access_log
httpd     2842 apache    2w   REG  253,0     2829 34768157 /var/log/httpd/error_log
httpd     2842 apache    7w   REG  253,0        0 34824416 /var/log/httpd/access_log
[root@linuxtechi ~]#

Note: In above command if we use +D option then lsof will list all open files of a directory recursively and if you don’t want to list open files of directory recursively then use “+d” option

Example:18) “lsof” to check who opened the log file (to find PID)

The following command option is used to find who opened the /var/log/httpd/access.log file and what is the PID of that process. And then with “ps -ef” command we can find exact user

[root@linuxtechi ~]# lsof -t /var/log/httpd/access_log
3109
3110
3111
3112
3113
3114
[root@linuxtechi ~]#

[root@linuxtechi ~]# ps -ef | grep -E "3109|3110|3111|3112|3113|3114" | grep -v grep
or
[root@linuxtechi ~]# ps -fp "$(lsof -t /var/log/httpd/access_log | xargs echo)"
root      3109     1  0 03:36 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3110  3109  0 03:36 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3111  3109  0 03:36 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3112  3109  0 03:36 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3113  3109  0 03:36 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3114  3109  0 03:36 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
[root@linuxtechi ~]#

Many options of the “lsof” command can be combined for multiple purposes as below are some combination of flags “-c”, “-u” and “-I”. For more details refer the manual page.

The below command combination will give output every 1 second about “linuxtechi” home directory what all the files opened repeatedly.

root@linuxtechi ~}# lsof -u linuxtechi -c init -a -r1
=======
COMMAND   PID       USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
inita.sh 2971 linuxtechi  cwd    DIR    8,1     4096  393218 /home/linuxtechi
inita.sh 2971 linuxtechi  rtd    DIR    8,1     4096       2 /
inita.sh 2971 linuxtechi  txt    REG    8,1    83344  524367 /bin/dash
inita.sh 2971 linuxtechi  mem    REG    8,1  1434567 1443695 /lib/i386-linux-gnu/libc-2.13.so
……………………………………………………………………………

Conclusion:

As mentioned in the introduction section “lsof” is very powerful and useful command in Linux based distributions. This command and options listed can be used for various purposes like debugging, troubleshooting and triaging Linux processes. Mentioned options and combinations if tried, will help one to establish thorough understanding of “lsof” command. Other commands like lstatstat and ls also can be explored in combination of “lsof” command.

5 (1)
Article Rating (1 Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
RHEL: Manually encrypting a filesystem with LUKS
Viewed 3687 times since Sun, May 27, 2018
RHCS6: Install a two-node basic cluster
Viewed 3331 times since Sun, Jun 3, 2018
Linux - How to get network speed and statistic of ethernet adapter in Linux
Viewed 2062 times since Fri, Jun 8, 2018
HP-UX - Stunnel Configuration
Viewed 2325 times since Fri, Sep 28, 2018
RHEL: Displaying system info (firmware, serial numbers... )
Viewed 11883 times since Sun, May 27, 2018
Watchdog script to keep an application running
Viewed 18406 times since Tue, Jul 31, 2018
YUM CRON RHEL7: Configure automatic updates.
Viewed 1900 times since Fri, Oct 26, 2018
python learning
Viewed 1779 times since Wed, Dec 18, 2019
RHEL: ACLs basics
Viewed 6051 times since Sun, May 27, 2018
Linux 20 Netstat Commands for Linux Network Management
Viewed 9531 times since Mon, Sep 21, 2020