Administration toolsCommandsLinuxMonitoring

Practical examples of the use lsof command

The Linux lsof command lists information about files that are open by processes running on the system. (The lsof command itself stands for “list of open files”.)
In this tutorial show practical examples of the use lsof command.
Some of the Linux distributions do not come with installed lsof packages. However, it can be installed as follows:

Install lsof in RHEL, CentOS and Fedora linux:

# sudo yum install lsof -y

Install lsof in Debian, Ubuntu and Mint linux:

# sudo apt-get install lsof -y

or

# sudo aptitude install lsof

Basic Linux lsof command examples

[box type=”info” align=”aligncenter” ]I’ll assume that you’re logged in as the Unix/Linux root user. If not, you’re lsof command output may be significantly limited.[/box]
Typing the lsof command by itself lists all open files belonging to all active processes on the system:

# lsof

Example output:

[root@localhost ~]# lsof
COMMAND    PID    USER   FD      TYPE     DEVICE SIZE/OFF       NODE NAME
init         1    root  cwd       DIR      253,0     4096          2 /
init         1    root  rtd       DIR      253,0     4096          2 /
init         1    root  txt       REG      253,0   149284     912142 /sbin/init
init         1    root  mem       REG      253,0   284780     261920 /lib/libdbus-1.so.3.4.0
init         1    root  mem       REG      253,0   120672     261678 /lib/libgcc_s-4.4.7-20120601.so.1
init         1    root  mem       REG      253,0   131220     261740 /lib/libpthread-2.12.so
init         1    root  mem       REG      253,0  1907156     261716 /lib/libc-2.12.so
init         1    root  mem       REG      253,0    58704     261732 /lib/libnss_files-2.12.so
init         1    root  mem       REG      253,0   100500     262026 /lib/libnih.so.1.0.0
init         1    root  mem       REG      253,0   141080     261709 /lib/ld-2.12.so
init         1    root  mem       REG      253,0    39676     261744 /lib/librt-2.12.so
...........

By default One file per line is displayed. Most of the columns are self explanatory. We will explain the details about couple of cryptic columns (FD and TYPE).

FD – Represents the file descriptor. Some of the values of FDs are,

  • cwd – Current Working Directory
  • txt – Text file
  • mem – Memory mapped file
  • mmap – Memory mapped device

NUMBER – Represent the actual file descriptor. The character after the number i.e ’1u’, represents the mode in which the file is opened. r for read, w for write, u for read and write.
TYPE – Specifies the type of the file. Some of the values of TYPEs are,

  • REG – Regular File
  • DIR – Directory
  • FIFO – First In First Out
  • CHR – Character special file

For a complete list of FD & TYPE, refer man lsof.

List processes which opened a specific file

You can list only the processes which opened a specific file, by providing the filename as arguments.

[root@localhost ~]# lsof /var/log/httpd/access_log
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
httpd   18529   root   17w   REG  252,0   135505 264243 /var/log/httpd/access_log
httpd   18541 apache   17w   REG  252,0   135505 264243 /var/log/httpd/access_log
httpd   18542 apache   17w   REG  252,0   135505 264243 /var/log/httpd/access_log
httpd   18566 apache   17w   REG  252,0   135505 264243 /var/log/httpd/access_log
httpd   18579 apache   17w   REG  252,0   135505 264243 /var/log/httpd/access_log

Show All processes opening files in a directory

The +D /var/log flags will inform lsof to find all associated processes working with files under /var/log.

# lsof +D /var/log
[root@localhost ~]# lsof +D /var/log/
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
auditd     794   root    5w   REG  252,0  5057626 264898 /var/log/audit/audit.log
rsyslogd   819   root    1w   REG  252,0   386040 265432 /var/log/messages
rsyslogd   819   root    2w   REG  252,0   101606 263758 /var/log/cron
rsyslogd   819   root    4w   REG  252,0   171107 269787 /var/log/secure
rsyslogd   819   root    5w   REG  252,0  6551830 264563 /var/log/maillog
rsyslogd   819   root    6w   REG  252,0   171107 269787 /var/log/secure
httpd    22676   root    2w   REG  252,0   261330 269783 /var/log/httpd/error_log
httpd    22676   root   17w   REG  252,0   135505 264243 /var/log/httpd/access_log

Show all files opened by processes starting with the letter

To display all files opened by processes starting with the letter c execute lsof with -c b for processes starting with b.

# lsof -c b
[root@localhost ~]# lsof -c b
COMMAND     PID USER   FD      TYPE DEVICE SIZE/OFF    NODE NAME
bdi-defau    14 root  cwd       DIR  252,0     4096       2 /
bdi-defau    14 root  rtd       DIR  252,0     4096       2 /
bdi-defau    14 root  txt   unknown                         /proc/14/exe
bash      21089 root  cwd       DIR  252,0     4096 1835103 /root
bash      21089 root  rtd       DIR  252,0     4096       2 /
bash      21089 root  txt       REG  252,0   903336 1835049 /bin/bash
bash      21089 root  mem       REG  252,0    65928 1704310 /lib64/libnss_files-2.12.so

Display who is accessing a device

To display who is accessing a device, directory, or binary. In this case I am outlining who is accessing the shared memory region.

# lsof /dev/shm
[root@localhost ~]# lsof /dev/shm
COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
cinnamon- 2145 rasho  mem    REG   0,19 67108904  27267 /run/shm/pulse-shm-2217975160
cinnamon- 2145 rasho  mem    REG   0,19 67108904  27298 /run/shm/pulse-shm-1565638956
pulseaudi 2155 rasho  mem    REG   0,19 67108904  35966 /run/shm/pulse-shm-3406707045
cinnamon  2267 rasho  mem    REG   0,19 67108904  27612 /run/shm/pulse-shm-3631705626
cinnamon  2267 rasho  mem    REG   0,19 67108904  27334 /run/shm/pulse-shm-711406352
chrome    2457 rasho  DEL    REG   0,19          395599 /run/shm/.com.google.Chrome.pwKxnF
chrome    2457 rasho  DEL    REG   0,19           40693 /run/shm/.com.google.Chrome.4hVV3P

List files opened by a specific user

In order to find the list of files opened by a specific users, use ‘-u’ option.

# lsof -u username
[root@localhost ~]# lsof -u rasho |more
COMMAND    PID  USER   FD      TYPE             DEVICE  SIZE/OFF     NODE NAME
gnome-key 1952 rasho  cwd   unknown                                       /proc/1952/cwd (readlink: Permission denied)
gnome-key 1952 rasho  rtd   unknown                                       /proc/1952/root (readlink: Permission denied)
gnome-key 1952 rasho  txt   unknown                                       /proc/1952/exe (readlink: Permission denied)
gnome-key 1952 rasho NOFD                                                 /proc/1952/fd (opendir: Permission denied)
x-session 2028 rasho  cwd       DIR                8,5      4096  1966081 /home/rasho
x-session 2028 rasho  rtd       DIR                8,1      4096        2 /
x-session 2028 rasho  txt       REG                8,1    239904   133000 /usr/bin/cinnamon-session
x-session 2028 rasho  mem       REG                8,1     67472   929467 /lib/x86_64-linux-gnu/libudev.so.1.3.5
x-session 2028 rasho  mem       REG                8,1    237504   400053 /usr/lib/x86_64-linux-gnu/gvfs/libgvfscommon.so
x-session 2028 rasho  mem       REG                8,1    202696   402357 /usr/lib/x86_64-linux-gnu/gio/modules/libgvfsdbus.so
x-session 2028 rasho  mem       REG                8,1     48344   406895 /usr/lib/x86_64-linux-gnu/gio/modules/libdconfsettings.so

List all network connections

You can list all the network connections opened by using ‘-i’ option.

# lsof -i
[root@localhost ~]# lsof -i
COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
chrome  2457 rasho   67u  IPv4 311546      0t0  TCP Gandalf.local:39971->fa-in-f125.1e100.net:xmpp-client (ESTABLISHED)
chrome  2457 rasho   99u  IPv4 313525      0t0  TCP Gandalf.local:53798->muc03s02-in-f20.1e100.net:https (ESTABLISHED)
chrome  2457 rasho  104u  IPv4 411867      0t0  TCP Gandalf.local:55330->muc03s02-in-f15.1e100.net:http (ESTABLISHED)
chrome  2457 rasho  106u  IPv4 389719      0t0  TCP Gandalf.local:32768->mil01s17-in-f14.1e100.net:https (ESTABLISHED)

List all open files by a specific process

You can list all the files opened by a specific process using ‘-p’ option. It will be helpful sometimes to get more information about a specific process.

[root@localhost ~]# lsof -p 5358
COMMAND  PID  USER   FD      TYPE DEVICE SIZE/OFF NODE NAME
chrome  5358 rasho  cwd   unknown                      /proc/5358/cwd (readlink: Permission denied)
chrome  5358 rasho  rtd   unknown                      /proc/5358/root (readlink: Permission denied)
chrome  5358 rasho  txt   unknown                      /proc/5358/exe (readlink: Permission denied)
chrome  5358 rasho NOFD                                /proc/5358/fd (opendir: Permission denied)

For more usage lsof command see man pages:

# man lsof

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Close