Using lsof Command in Linux with Examples


The lsof (list open files) command is a powerful tool for viewing open files in Linux. It can display information about files opened by processes, network connections, devices, and more. In this comprehensive guide, we will cover how to install lsof and dive into many useful examples to help you master this tool.

Installing lsof

lsof may not come pre-installed on some Linux distributions, but it is readily available in most distribution repositories and easy to install.

On Debian/Ubuntu:

sudo apt update
sudo apt install lsof


On RHEL/CentOS using yum:

sudo yum install lsof

For RHEL/CentOS 8 and above using dnf:

sudo dnf install lsof

Once installed, you can verify the version with:

lsof -v

Getting Help

To view a quick help summary of options, use -h or -?:

lsof -?

This will display common usage and command line options. Refer to man lsof for complete documentation.

Understanding lsof Output

Let's start with a basic lsof command to view open files:

sudo lsof

This will output all open files on the system. The default columns in the output include:

  • COMMAND – The process name owning the open file
  • PID – Process ID owning the file
  • USER – User that owns the process
  • FD – File descriptor number
  • TYPE – Type of node owning the file (DIR, REG, socket, etc.)
  • DEVICE – Device number owning the file
  • SIZE/OFF – Size of file or offset for open socket
  • NODE – Node number of device
  • NAME – File path or network connection

We will explore the FD and TYPE columns more as we go through examples.

List Files by Process Name

To view files opened by a specific process, use the -c option followed by the process name:

sudo lsof -c sshd

This will show all open files by the sshd process. You can substitute any process name here.

List Files by Process ID

Instead of the process name, you can look up files by Process ID with -p:

sudo lsof -p 1234 

To exclude a particular PID, prefix it with a ^:

sudo lsof -p ^1234

List Files by User

To display open files for a specific user, use the -u option:

sudo lsof -u john

This will show all files opened by processes owned by user john.

You can also exclude a user with:

sudo lsof -u ^john

Find Files by Name

To search for a specific file name opened by any process, simply provide the file path as an argument:

sudo lsof /var/log/syslog

This is useful for identifying processes with open handles on a particular file.

List Network Connections

One powerful use of lsof is viewing network connections and open sockets.

To list all network files opened, use the -i flag:

sudo lsof -i

This will list each open network socket with its protocol (TCP or UDP), addresses, ports and, for TCP, the connection state.

You can filter this further to show only TCP connections:

sudo lsof -i TCP 

Or only UDP:

sudo lsof -i UDP

To filter by port number, use:

sudo lsof -i :80

This will show all processes with open connections on port 80.
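
The listing above can be turned into a quick audit of which processes are listening on which ports. The following is an added example, not part of the original article: it filters lsof -i style output against an allow-list of command:port pairs and prints every listener that is not expected. The sample output, the allow-list and the function name unexpected_listeners are constructed for illustration; -n, -P and -sTCP:LISTEN are lsof options the article does not cover (numeric addresses, numeric ports, listening TCP sockets only).

```shell
#!/bin/sh
# Added example: audit listening TCP sockets from `lsof -i` output.
# SAMPLE is constructed output in the shape of `sudo lsof -nP -iTCP -sTCP:LISTEN`;
# on a live host, pipe the real command into unexpected_listeners instead.
SAMPLE='COMMAND  PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     812     root    3u  IPv4  21034      0t0  TCP *:22 (LISTEN)
sshd     812     root    4u  IPv6  21036      0t0  TCP *:22 (LISTEN)
nginx   1290     root    6u  IPv4  25511      0t0  TCP *:80 (LISTEN)
nginx   1291 www-data    6u  IPv4  25511      0t0  TCP *:80 (LISTEN)
python3 4455     john    3u  IPv4  40122      0t0  TCP 127.0.0.1:8000 (LISTEN)
nc      4702     john    3u  IPv4  40990      0t0  TCP *:4444 (LISTEN)'

# ALLOWED: hypothetical allow-list of "command:port" pairs for this host.
ALLOWED='sshd:22 nginx:80'

# Reads lsof -i output on stdin; prints "command pid user address" for each
# listening socket whose command:port pair is not in the allow-list ($1).
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 && $1 == "COMMAND" { next }          # skip the header row
        $NF != "(LISTEN)" { next }                   # keep listening sockets only
        {
            addr = $(NF - 1)                         # NAME column, e.g. *:22
            port = addr; sub(/.*:/, "", port)        # text after the last colon
            key = $1 ":" port
            # report each pid/address pair once, even if IPv4 and IPv6 both appear
            if (!(key in ok) && !seen[$2 " " addr]++)
                print $1, $2, $3, addr
        }'
}

printf '%s\n' "$SAMPLE" | unexpected_listeners "$ALLOWED"
```

On a live system the same function can be fed with: sudo lsof -nP -iTCP -sTCP:LISTEN | unexpected_listeners "sshd:22 nginx:80". Note that lsof truncates long command names in the COMMAND column by default, so allow-list entries must match the truncated form.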

Repeat Output Mode

lsof has a handy repeat mode for continuous monitoring triggered at timed intervals.

To repeat every 2 seconds:

sudo lsof -i TCP -r2

It will keep outputting open TCP network files until killed with Ctrl+C.

List Files in Directory

To find open files inside a directory recursively, use the +D option:

sudo lsof +D /var/log

This will list any open files under /var/log and subdirectories.

To avoid recursion into subdirectories, use +d (the -d option takes a list of file descriptors, not a directory):

sudo lsof +d /var/log

Understanding File Descriptors

The FD (file descriptor) column in lsof output indicates how a file is opened. Common values include:

  • cwd – Current working directory
  • txt – Program text (code and data)
  • mem – Memory mapped file
  • mmap – Memory mapped device
  • pd – Parent directory
  • rtd – Root directory
  • 5r – File descriptor 5 opened for read
  • 6u – File descriptor 6 opened for read and write

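Numeric file descriptors such as 5 and 6 above are integers starting at 0. The mode they are opened in is indicated by the character that follows the number:

  • r – Read mode
  • w – Write mode
  • u – Read and write mode
  • space – Unknown mode, no lock character follows
  • - – Unknown mode, a lock character follows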

Understanding File Types

The TYPE column displays the type of file opened. Some common values include:

  • DIR – Directory
  • REG – Regular file
  • CHR – Character special file
  • IPv4 – IPv4 network connection
  • IPv6 – IPv6 network connection
  • unix – UNIX domain socket
  • FIFO – Named pipe

Refer to the man pages for a detailed list of all supported file types.

Closing Thoughts

As you can see from the variety of examples above, lsof is a versatile tool for peering into open files in Linux. It has many more options for filtering and formatting output not covered here. The ability to cross reference open files by process, network connections, users, directories and more makes it invaluable for diagnosing issues in Linux systems. Take time to review the full documentation and practice using lsof to inspect your system. It is one of the most useful utilities for any Linux administrator or developer.
