lsof (list open files) command is a powerful tool for viewing open files in Linux. It can display information about files opened by processes, network connections, devices, and more. In this comprehensive guide, we will cover how to install
lsof and dive into many useful examples to help you master this tool.
lsof may not come pre-installed on some Linux distributions, but it is readily available in most distribution repositories and easy to install.
sudo apt update sudo apt install lsof
sudo yum install lsof
For RHEL/CentOS 8 and above using dnf:
sudo dnf install lsof
Once installed, you can verify the version with:
To view a quick help summary of options, use
This will display common usage and command line options. Refer to
man lsof for complete documentation.
Understanding lsof Output
Let‘s start with a basic
lsof command to view open files:
This will output all open files on the system. The default columns in the output include:
- COMMAND – The process name owning the open file
- PID – Process ID owning the file
- USER – User that owns the process
- FD – File descriptor number
- TYPE – Type of node owning the file (DIR, REG, socket etc)
- DEVICE – Device number owning the file
- SIZE/OFF – Size of file or offset for open socket
- NODE – Node number of device
- NAME – File path or network connection
We will explore the FD and TYPE columns more as we go through examples.
List Files by Process Name
To view files opened by a specific process, use the
-c option followed by the process name:
sudo lsof -c sshd
This will show all open files by the
sshd process. You can substitute any process name here.
List Files by Process ID
Instead of the process name, you can look up files by Process ID with
sudo lsof -p 1234
To exclude a particular PID, prefix it with a ^:
sudo lsof -p ^1234
List Files by User
To display open files for a specific user, use the
sudo lsof -u john
This will show all files opened by processes owned by user
You can also exclude a user with:
sudo lsof -u ^john
Find Files by Name
To search for a specific file name opened by any process, simply provide the file path as an argument:
sudo lsof /var/log/syslog
This is useful for identifying processes with open handles on a particular file.
List Network Connections
One powerful use of
lsof is viewing network connections and open sockets.
To list all network files opened, use the
sudo lsof -i
This will display network connections grouped by type (TCP vs UDP), address, ports and status.
You can filter this further to show only TCP connections:
sudo lsof -i TCP
Or only UDP:
sudo lsof -i UDP
To filter by port number, use:
sudo lsof -i :80
This will show all processes with open connections on port 80.
Repeat Output Mode
lsof has a handy repeat mode for continuous monitoring triggered at timed intervals.
To repeat every 2 seconds:
sudo lsof -i TCP -r2
It will keep outputting open TCP network files until killed with Ctrl+C.
List Files in Directory
To find open files inside a directory recursively, use the
sudo lsof +D /var/log
This will list any open files under
/var/log and subdirectories.
To avoid recursion into subdirectories, use
sudo lsof -d /var/log
Understanding File Descriptors
FD (file descriptor) column in
lsof output indicates how a file is opened. Common values include:
- cwd – Current working directory
- txt – Program text (code and data)
- mem – Memory mapped file
- mmap – Memory mapped device
- PD – Parent directory
- TD – Root directory
- 5r – File descriptor 5 opened for read
- 6u – File descriptor 6 opened for read and write
File descriptors above are numbered integers starting at 0. The mode they are opened in is indicated by:
- r – Read mode
- w – Write mode
- u – Read and write mode
- space – Unknown mode
- – – Locked mode
Understanding File Types
TYPE column displays the type of file opened. Some common values include:
- DIR – Directory
- REG – Regular file
- CHR – Character special file
- IPv4 – IPv4 network connection
- IPv6 – IPv6 network connection
- unix – UNIX domain socket
- FIFO – Named pipe
Refer to the man pages for a detailed list of all supported file types.
As you can see from the variety of examples above,
lsof is a versatile tool for peering into open files in Linux. It has many more options for filtering and formatting output not covered here. The ability to cross reference open files by process, network connections, users, directories and more makes it invaluable for diagnosing issues in Linux systems. Take time to review the full documentation and practice using
lsof to inspect your system. It is one of the most useful utilities for any Linux administrator or developer.