A powerful command in the tool box of Linux (and Unix) systems administrators, lsof stands for list of open files.
Because of the sheer number of options available for this command line utility, some systems administrators prefer to use lsof instead of netstat or ps.
For those aspiring to a career in Linux systems administration, I recommend keeping lsof in your arsenal of frequently used command line tools.
Besides producing a single output list, lsof can also run in repeat mode.
For a complete list of options, I encourage you to check the lsof man pages at your leisure.
Without further ado, let’s take a deko at the key lsof commands.
1. Basic Command
If you don’t specify an option, lsof will list all open files belonging to all active processes.
And that’s a pretty long list of open files, I can assure you.
Just for the heck of it, I ran the basic lsof command and used the pipeline to count the number of lines via the wc command. Take a look at the output below:
$ lsof | wc -l 11814
Wow! That’s a lot of open files.
2. Display All Open Internet Sockets
The following command lists all connections (both listening and established).
3. List Processes Running on a Specific Port
For a list of all open Internet sockets on port 80, run the below command
lsof -i :80
I find the above command extremely useful because I can then use the PIDs to kill suspect or malicious IPs (from Brazil, China, Ukraine, Portugal etc) by running the below command:
kill -9 PID
Similarly, you can see open sockets on other ports too.
lsof -i :22
Let’s look at the SMTP port next.
lsof -i :25
4. List All udp or tcp Connections
lsof -i udp
If you want to display tcp connections, run the below command:
$ lsof -i tcp
Alternatively, run this command:
$ lsof -i tcp:80
5. List Files Opened by a Specific User
To see files opened by an user, we must use the -u option. Here’s the syntax:
$ lsof -u user_name
Now here’s an example:
$ lsof -u larry
Don’t be surprised to see a lengthy list of files.
6. List All Open Files Belonging to Processes Not Owned by a Specified User
The below command will list files opened by users other than Larry.
$ lsof -u ^larry
7. Lists only IPv4 or IPv6 Open Files
$ lsof -i 4
If you’re interested in IPv6 files, go with the below command:
$ lsof -i 6
8. Kill Everything a Specific User is Doing
You can use lsof to kill processes belonging to a particular user.
# kill -9 `lsof -t -u larry`
9. List Established Connections
We can restrict lsof to spit out only established connections with the following command.
$ lsof -i | grep ESTABLISHED
10. List All Open Files by a Specific Process
$ lsof -p PID
Here’s an example:
$ lsof -p 3672
11. List All Open Files EXCEPT Process with PID
$ lsof -p ^1
12. Display Opened Files Based on Process Names
You can use the process name or the first letter (say c, s or m) if you want to see all processes starting with hat letter.
$ lsof -c process_name
Here’s an example:
$ lsof -c ssh
13. List processes which Opened a Specific File
With the below command, you can list only those processes that opened a specific file, by using filename as arguments.
$ lsof /var/log/syslog
14. List Opened Files Under a Directory
$ lsof +D /var/log
15. Repeat Listing Files every 1 or 2 or 3 Seconds
You can get lsof to run at specified intervals of time.
$ lsof -r 2
In the above example, lsof will repeat every 2 seconds.
Rich Options for lsof
As we’ve noted at the outset, lsof comes with a bewildering array of options.
Treat the above examples as an lsof appetizer.
I hope they have whetted your appetite sufficiently enough to want to explore lsof in greater detail by checking the man pages.