The Linux lsof command lists information about files that are open by processes running on the system. (The lsof command itself stands for “list of open files”.)
In this tutorial show practical examples of the use lsof command.
Some of the Linux distributions do not come with installed lsof packages. However, it can be installed as follows:
Install lsof in RHEL, CentOS and Fedora linux:
# sudo yum install lsof -y
Install lsof in Debian, Ubuntu and Mint linux:
# sudo apt-get install lsof -y
or
# sudo aptitude install lsof
Basic Linux lsof command examples
[box type=”info” align=”aligncenter” ]I’ll assume that you’re logged in as the Unix/Linux root user. If not, you’re lsof command output may be significantly limited.[/box]
Typing the lsof command by itself lists all open files belonging to all active processes on the system:
# lsof
Example output:
[root@localhost ~]# lsof COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME init 1 root cwd DIR 253,0 4096 2 / init 1 root rtd DIR 253,0 4096 2 / init 1 root txt REG 253,0 149284 912142 /sbin/init init 1 root mem REG 253,0 284780 261920 /lib/libdbus-1.so.3.4.0 init 1 root mem REG 253,0 120672 261678 /lib/libgcc_s-4.4.7-20120601.so.1 init 1 root mem REG 253,0 131220 261740 /lib/libpthread-2.12.so init 1 root mem REG 253,0 1907156 261716 /lib/libc-2.12.so init 1 root mem REG 253,0 58704 261732 /lib/libnss_files-2.12.so init 1 root mem REG 253,0 100500 262026 /lib/libnih.so.1.0.0 init 1 root mem REG 253,0 141080 261709 /lib/ld-2.12.so init 1 root mem REG 253,0 39676 261744 /lib/librt-2.12.so ...........
[ads]
By default One file per line is displayed. Most of the columns are self explanatory. We will explain the details about couple of cryptic columns (FD and TYPE).
FD – Represents the file descriptor. Some of the values of FDs are,
- cwd – Current Working Directory
- txt – Text file
- mem – Memory mapped file
- mmap – Memory mapped device
NUMBER – Represent the actual file descriptor. The character after the number i.e ’1u’, represents the mode in which the file is opened. r for read, w for write, u for read and write.
TYPE – Specifies the type of the file. Some of the values of TYPEs are,
- REG – Regular File
- DIR – Directory
- FIFO – First In First Out
- CHR – Character special file
For a complete list of FD & TYPE, refer man lsof.
List processes which opened a specific file
You can list only the processes which opened a specific file, by providing the filename as arguments.
[root@localhost ~]# lsof /var/log/httpd/access_log COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME httpd 18529 root 17w REG 252,0 135505 264243 /var/log/httpd/access_log httpd 18541 apache 17w REG 252,0 135505 264243 /var/log/httpd/access_log httpd 18542 apache 17w REG 252,0 135505 264243 /var/log/httpd/access_log httpd 18566 apache 17w REG 252,0 135505 264243 /var/log/httpd/access_log httpd 18579 apache 17w REG 252,0 135505 264243 /var/log/httpd/access_log
Show All processes opening files in a directory
The +D /var/log flags will inform lsof to find all associated processes working with files under /var/log.
# lsof +D /var/log
[root@localhost ~]# lsof +D /var/log/ COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME auditd 794 root 5w REG 252,0 5057626 264898 /var/log/audit/audit.log rsyslogd 819 root 1w REG 252,0 386040 265432 /var/log/messages rsyslogd 819 root 2w REG 252,0 101606 263758 /var/log/cron rsyslogd 819 root 4w REG 252,0 171107 269787 /var/log/secure rsyslogd 819 root 5w REG 252,0 6551830 264563 /var/log/maillog rsyslogd 819 root 6w REG 252,0 171107 269787 /var/log/secure httpd 22676 root 2w REG 252,0 261330 269783 /var/log/httpd/error_log httpd 22676 root 17w REG 252,0 135505 264243 /var/log/httpd/access_log
Show all files opened by processes starting with the letter
To display all files opened by processes starting with the letter c execute lsof with -c b for processes starting with b.
# lsof -c b
[root@localhost ~]# lsof -c b COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME bdi-defau 14 root cwd DIR 252,0 4096 2 / bdi-defau 14 root rtd DIR 252,0 4096 2 / bdi-defau 14 root txt unknown /proc/14/exe bash 21089 root cwd DIR 252,0 4096 1835103 /root bash 21089 root rtd DIR 252,0 4096 2 / bash 21089 root txt REG 252,0 903336 1835049 /bin/bash bash 21089 root mem REG 252,0 65928 1704310 /lib64/libnss_files-2.12.so
Display who is accessing a device
To display who is accessing a device, directory, or binary. In this case I am outlining who is accessing the shared memory region.
# lsof /dev/shm
[root@localhost ~]# lsof /dev/shm COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME cinnamon- 2145 rasho mem REG 0,19 67108904 27267 /run/shm/pulse-shm-2217975160 cinnamon- 2145 rasho mem REG 0,19 67108904 27298 /run/shm/pulse-shm-1565638956 pulseaudi 2155 rasho mem REG 0,19 67108904 35966 /run/shm/pulse-shm-3406707045 cinnamon 2267 rasho mem REG 0,19 67108904 27612 /run/shm/pulse-shm-3631705626 cinnamon 2267 rasho mem REG 0,19 67108904 27334 /run/shm/pulse-shm-711406352 chrome 2457 rasho DEL REG 0,19 395599 /run/shm/.com.google.Chrome.pwKxnF chrome 2457 rasho DEL REG 0,19 40693 /run/shm/.com.google.Chrome.4hVV3P
List files opened by a specific user
In order to find the list of files opened by a specific users, use ‘-u’ option.
# lsof -u username
[root@localhost ~]# lsof -u rasho |more COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME gnome-key 1952 rasho cwd unknown /proc/1952/cwd (readlink: Permission denied) gnome-key 1952 rasho rtd unknown /proc/1952/root (readlink: Permission denied) gnome-key 1952 rasho txt unknown /proc/1952/exe (readlink: Permission denied) gnome-key 1952 rasho NOFD /proc/1952/fd (opendir: Permission denied) x-session 2028 rasho cwd DIR 8,5 4096 1966081 /home/rasho x-session 2028 rasho rtd DIR 8,1 4096 2 / x-session 2028 rasho txt REG 8,1 239904 133000 /usr/bin/cinnamon-session x-session 2028 rasho mem REG 8,1 67472 929467 /lib/x86_64-linux-gnu/libudev.so.1.3.5 x-session 2028 rasho mem REG 8,1 237504 400053 /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so x-session 2028 rasho mem REG 8,1 202696 402357 /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so x-session 2028 rasho mem REG 8,1 48344 406895 /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so
[ads]
List all network connections
You can list all the network connections opened by using ‘-i’ option.
# lsof -i
[root@localhost ~]# lsof -i COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME chrome 2457 rasho 67u IPv4 311546 0t0 TCP Gandalf.local:39971->fa-in-f125.1e100.net:xmpp-client (ESTABLISHED) chrome 2457 rasho 99u IPv4 313525 0t0 TCP Gandalf.local:53798->muc03s02-in-f20.1e100.net:https (ESTABLISHED) chrome 2457 rasho 104u IPv4 411867 0t0 TCP Gandalf.local:55330->muc03s02-in-f15.1e100.net:http (ESTABLISHED) chrome 2457 rasho 106u IPv4 389719 0t0 TCP Gandalf.local:32768->mil01s17-in-f14.1e100.net:https (ESTABLISHED)
List all open files by a specific process
You can list all the files opened by a specific process using ‘-p’ option. It will be helpful sometimes to get more information about a specific process.
[root@localhost ~]# lsof -p 5358 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME chrome 5358 rasho cwd unknown /proc/5358/cwd (readlink: Permission denied) chrome 5358 rasho rtd unknown /proc/5358/root (readlink: Permission denied) chrome 5358 rasho txt unknown /proc/5358/exe (readlink: Permission denied) chrome 5358 rasho NOFD /proc/5358/fd (opendir: Permission denied)
For more usage lsof command see man pages:
# man lsof