This is our ongoing series of Linux commands and in this article, we’re going to review lsof command with practical examples. lsof which stands for ‘LiSt Open Files’ is used to find out which files are open by which Linux process.
As we all know, Linux/Unix considers everything as a file (pipes, sockets, directories, devices, etc.). One of the reasons for using the lsof command is when a disk cannot be unmounted, as it says that the files are being used. With the help of lsof command, we can easily identify the files that are in use.
1. List all
open files with lsof Command
In the following example, it will show a long list of open files, some of them are extracted for better understanding showing columns like Command, PID, USER, FD, TYPE, etc. # lsof PID COMMAND FD USER DEVICE TYPE SIZE/OFF NODE NAME init 1 root cwd DIR 253.0
4096 2 / init 1 root rtd DIR 253.0 4096 2 / init 1 root txt REG 253.0 145180 147164 /sbin/init init 1 root mem REG 253.0 1889704 190149 /lib/libc-2.12.so init 1 root 0u CHR 1.3 0t0 3764 /dev/null init 1 root 1u CHR 1.3 0t0 3764 /dev/null init 1 root 2u CHR 1.3 0t0 3764 /dev/null init 1 root 3r FIFO 0.8 0t0 8449 pipe init 1 root 4w FIFO 0.8 0t0 8449 pipe init 1 root 5r DIR 0.10 0 1 inotify init 1 root 6r DIR 0.10 0 1 inotify init 1 root 7u unix 0xc1513880 0t0 8450 socket
The sections and their values are self-explanatory. However, we will review the FD&TYPE columns more accurately.
FD – stands for a
file descriptor and you can see some of the values like:
- cwd current working
- directory rtd
- txt root directory program text (code and data)
- mapped in mem memory
file
Also in FD column numbers like 1u is the actual file descriptor and followed by u,r,w of its mode as:
r for read access. w for write access.
- u for read and write
access. TYPE – of files and their identification. DIR – REG Directory – Normal file CHR – Special character file.
- FIFO – First In First Out
2. List
of user-specific open files The following command will display the list of all open files of the user tecmint. # lsof -u tecmint PID COMMAND USER FD TYPE DEVICE SIZE/OFF NODE NAME sshd 1838 tecmint cwd DIR 253.0 4096 2 / sshd 1838 tecmint rtd DIR 253.0 4096 2 / sshd 1838 tecmint txt REG 253.0 532336 188129 /usr/sbin/sshd
sshd 1838 tecmint mem REG 253.0 19784 190237 /lib/libdl-2.12.so sshd 1838 tecmint
mem REG 253.0 122436 190247 /lib/libselinux.so.1 sshd 1838 tecmint mem REG 253.0 255968 190256 /lib/libgssapi_krb5.so.2.2 sshd 1838 tecmint mem REG 253.0 874580 190255 /lib/libkrb5.so.3.3
3. Search for
processes running on a specific port
To find out all Linux processes running on a specific port, simply use the following command with the -i option. The following example will list all running processes on port 22.
# lsof -i TCP:22 PID COMMAND USER FD TYPE DEVICE SIZE/NODE NAME OFF sshd 1471 root 3u IPv4 12683 0t0 TCP *:ssh (LISTEN) sshd 1471 root 4u IPv6 12685 0t0 TCP *:ssh (LISTEN)
4. List
only IPv4 and IPv6 Open files
The following example shows only IPv4 and IPv6 network files opened with separate commands.
# lsof -i 4 PID COMMAND USER FD TYPE DEVICE SIZE/NODE NAME OFF rpcbind 1203 rpc 6u IPv4 11326 0t0 UDP *:sunrpc rpcbind 1203 rpc 7u IPv4 11330 0t0 UDP *:954 rpcbind 1203 rpc 8u IPv4 11331 0t0 TCP *: sunrpc (LISTEN) avahi-dae 1241 avahi 13u IPv4 11579 0t0 UDP *:mdns avahi-dae 1241 avahi 14u IPv4 11580 0t0 UDP *:58600 # lsof -i 6 PID COMMAND USER FD TYPE DEVICE SIZE/OFF NODE NAME rpcbind 1203 rpc 9u IPv6 11333 0t0 UDP *:sunrpc rpcbind 1203 rpc 10u IPv6 11335 0t0 UDP *:954 rpcbind 1203 rpc 11u IPv6 11336 0t0 TCP *: sunrpc (LISTEN) rpc.statd 1277 rpcuser 10u IPv6 11858 0t0 UDP *:55800 rpc.statd 1277 rpcuser 11u IPv6 11862 0t0 TCP *:56428 (LISTEN) cupsd 1346 root 6u IPv6 12112 0t0 TCP localhost: IPP (LISTEN)
5. List
of open files of TCP port ranges 1-1024
To list the entire running process of TCP open files Port ranges from 1-1024. # lsof -i TCP:1-1024 PID COMMAND USER FD TYPE DEVICE SIZE/NODE NAME OFF rpcbind 1203 rpc 11u IPv6 11336 0t0 TCP *:sunrpc (LISTEN) cupsd 1346 root 7u IPv4 12113 0t0 TCP
localhost: ipp (LISTEN) sshd 1471 root 4u IPv6 12685 0t0 TCP *:ssh (LISTEN) master 1551 root 13u IPv6 12898 0t0 TCP localhost:smtp (LISTEN) sshd 1834 root 3r IPv4 15101 0t0 TCP 192.168.0.2:ssh->192.168.0.1:conclave-cpp (ESTABLISHED) sshd 1838 tecmint 3u IPv4 15101 0t0 TCP 192.168.0.2:ssh->192.168.0.1:conclave-cpp (ESTABLISHED) sshd 1871 root 3r IPv4 15842 0t0 TCP 192.168.0.2: ssh->192.168.0.1:groove (ESTABLISHED) httpd 1918 root 5u IPv6 15991 0t0 TCP *:http (LISTEN) httpd 1918 root 7u IPv6 15995 0t0 TCP *:https (LISTEN)
6. Exclude user with the character ‘^’ Here
, we have excluded the root user. You can exclude a particular user using ‘^’ with the command as shown above.
# lsof -i -u^root PID COMMAND USER FD TYPE DEVICE SIZE/OFF NODE NAME rpcbind 1203 rpc 6u IPv4 11326 0t0 UDP *:sunrpc rpcbind 1203 rpc 7u IPv4 11330 0t0 UDP *:954 rpcbind 1203 rpc 8u IPv4 11331 0t0 TCP *:sunrpc (LISTEN) rpcbind 1203 rpc 9u IPv6 11333 0t0 UDP *:sunrpc rpcbind 1203 rpc 10u IPv6 11335 0t0 UDP *:954 rpcbind 1203 rpc 11u IPv6 11336 0t0 TCP *: sunrpc (LISTEN) avahi-dae 1241 avahi 13u IPv4 11579 0t0 UDP *:mdns avahi-dae 1241 avahi 14u IPv4 11580 0t0 UDP *::58600 rpc.statd 1277 rpcuser 5r IPv4 11836 0t0 UDP *:soap-beep rpc.statd 1277 rpcuser 8u IPv4 11850 0t0 UDP *:55146 rpc.statd 1277 rpcuser 9u IPv4 11854 0t0 TCP *:32981 (LISTEN) rpc.statd 1277 rpcuser 10u IPv6 11858 0t0 UDP *:55800 rpc.statd 1277 rpcuser 11u IPv6 11862 0t0 TCP *:56428 (LISTEN)
7. Find out who is looking for what files and Commands?
The following example shows that the user tecmint is using commands such as ping and /etc directory.
# lsof -i -u tecmint PID COMMAND USER FD DEVICE TYPE SIZE/OFF NODE NAME bash 1839 tecmint cwd DIR 253.0 12288 15 /etc ping 2525 tecmint cwd DIR 253.0 12288 15 /etc
8. List
all network connections
The following command with the ‘-i’ option displays the list of all ‘LISTENING & ESTABLISHED’ network connections.
# lsof -i PID COMMAND USER FD DEVICE TYPE SIZE/OFF NODE NAME rpcbind 1203 rpc 6u IPv4 11326 0t0 UDP *::sunrpc rpcbind 1203 rpc 7u IPv4 11330 0t0 UDP *:954 rpcbind 1203 rpc 11u IPv6 11336 0t0 TCP *: sunrpc (LISTEN) avahi-dae 1241 avahi 13u IPv4 11579 0t0 UDP *:mdns avahi-dae 1241 avahi 14u IPv4 11580 0t0 UDP *:58600 rpc.statd 1277 rpcuser 11u IPv6 11862 0t0 TCP*:56428 (LISTEN) cupsd 1346 root 6u IPv6 12112 0t0 TCP localhost:ipp (LISTEN) cupsd 1346 root 7u IPv4 12113 0t0 TCP localhost:ipp (LISTEN) sshd 1471 root 3u IPv4 12683 0t0 TCP *: ssh (LISTEN) master 1551 root 12u IPv4 12896 0t0 TCP localhost:smtp (LISTEN) master 1551 root 13u IPv6 12898 0t0 TCP localhost:smtp (LISTEN) sshd 1834 root 3r IPv4 15101 0t0 TCP 192.168.0.2: ssh->192.168.0.1:conclave-cpp (ESTABLISHED) httpd 1918 root 5u IPv6 15991 0t0 TCP *::http (LISTEN) httpd 1918 root 7u IPv6 15995 0t0 TCP *: https (LISTEN) clock-app 2362 narad 21u IPv4 22591 0t0 TCP 192.168.0.2:45284->www.gov.com:http (CLOSE_WAIT) chrome 2377 narad 61u IPv4 25862 0t0 TCP 192.168.0.2:33358->maa03s04-in-f3.1e100.net:http (ESTABLISHED) chrome 2377 narad 80u IPv4 25866 0t0 TCP 192.168.0.2:36405->bom03s01-in-f15.1e100.net: http (ESTABLISHED)
9. Search by
PID
The following example only shows which PID is 1 [One].
# lsof -p 1 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME init 1 root cwd DIR 253.0 4096 2 / init 1 root rtd DIR 253.0 4096 2 / init 1 root txt REG 253.0 145180 147164 /sbin/init init 1 root mem REG 253.0 1889704 190149 /lib/libc-2.12.so init 1 root mem REG 253.0 142472 189970 /lib/ld-2.12.so
10. Kill all activity of a particular
user
Sometimes you may have to kill all processes for a specific user. The following command will kill all processes of the tecmint user.
# kill -9 ‘lsof –t -u tecmint’
Note: Here, it is not possible to give examples of all available options, this guide is only to show how the lsof command can be used. You can refer to the lsof command man page to learn more about it. Please share it if you find this article useful via our comment box below.
