Feb 262015

A powerful command in the tool box of Linux (and Unix) systems administrators, lsof stands for list of open files.

Because of the sheer number of options available for this command line utility, some systems administrators prefer to use lsof instead of netstat or ps.

For those aspiring to a career in Linux systems administration, I recommend keeping lsof in your arsenal of frequently used command line tools.

Besides producing a single output list, lsof can also run in repeat mode.

For a complete list of options, I encourage you to check the lsof man pages at your leisure.

Without further ado, let’s take a deko at the key lsof commands.

1. Basic Command

If you don’t specify an option, lsof will list all open files belonging to all active processes.

And that’s a pretty long list of open files, I can assure you.

$ lsof

Just for the heck of it, I ran the basic lsof command and used the pipeline to count the number of lines via the wc command. Take a look at the output below:

$ lsof | wc -l

Wow! That’s a lot of open files.

2. Display All Open Internet Sockets

The following command lists all connections (both listening and established).

lsof -i

3. List Processes Running on a Specific Port

For a list of all open Internet sockets on port 80, run the below command

lsof -i :80

I find the above command extremely useful because I can then use the PIDs to kill suspect or malicious IPs (from Brazil, China, Ukraine, Portugal etc) by running the below command:

kill -9 PID

Similarly, you can see open sockets on other ports too.

lsof -i :22

Let’s look at the SMTP port next.

lsof -i :25

4. List All udp or tcp Connections

lsof -i udp

If you want to display tcp connections, run the below command:

$ lsof -i tcp

Alternatively, run this command:

$ lsof -i tcp:80

5. List Files Opened by a Specific User

To see files opened by an user, we must use the -u option. Here’s the syntax:

$ lsof -u user_name

Now here’s an example:

$ lsof -u larry

Don’t be surprised to see a lengthy list of files.

6. List All Open Files Belonging to Processes Not Owned by a Specified User

The below command will list files opened by users other than Larry.

$ lsof -u ^larry

7. Lists only IPv4 or IPv6 Open Files

$ lsof -i 4

If you’re interested in IPv6 files, go with the below command:

$ lsof -i 6

8. Kill Everything a Specific User is Doing

You can use lsof to kill processes belonging to a particular user.

# kill -9 `lsof -t -u larry`

9. List Established Connections

We can restrict lsof to spit out only established connections with the following command.

$ lsof -i | grep ESTABLISHED

10. List All Open Files by a Specific Process

$ lsof -p PID

Here’s an example:

$ lsof -p 3672

11. List All Open Files EXCEPT Process with PID

$ lsof -p ^1

12. Display Opened Files Based on Process Names

You can use the process name or the first letter (say c, s or m) if you want to see all processes starting with hat letter.

$ lsof -c process_name

Here’s an example:

$ lsof -c ssh

13. List processes which Opened a Specific File

With the below command, you can list only those processes that opened a specific file, by using filename as arguments.

$ lsof /var/log/syslog

14. List Opened Files Under a Directory

$ lsof +D /var/log

15. Repeat Listing Files every 1 or 2 or 3 Seconds

You can get lsof to run at specified intervals of time.

$ lsof -r 2

In the above example, lsof will repeat every 2 seconds.

Rich Options for lsof

As we’ve noted at the outset, lsof comes with a bewildering array of options.

Treat the above examples as an lsof appetizer.

I hope they have whetted your appetite sufficiently enough to want to explore lsof in greater detail by checking the man pages.

Sorry, the comment form is closed at this time.