Its main function is to retrieve details about the various types of files opened by running processes. These files can be regular files, directories, block files, network sockets, named pipes, etc. With lsof, you can find the processes locking a file or directory, the process listening on a port, a user’s process list, and all the files a process is locking. We’ll first cover its installation and then some common usage examples in this article.
Installing lsof
lsof isn’t available by default on most Linux distributions but can be easily installed. Use the command below to install lsof:

CentOS / RHEL / Fedora:

For CentOS/RHEL 8, you can use the DNF command:

Ubuntu / Debian:
Getting Help
You can get a summarised list of the options lsof supports using the -? or -h flag. To check detailed information about the installed version, use:
Output Fields
By default, the lsof output fields are structured as follows:

Most of these fields are self-explanatory except for the FD and TYPE fields, which are somewhat unique to lsof and will be explored briefly. FD refers to the File Descriptor number of the file and TYPE refers to the type of the node associated with the file. We’ll now review the supported values for both these fields.

The FD field can contain the following values:

The FD field is followed by one or more characters describing the mode under which the file is open:

The mode character for FD can then be followed by a LOCK character, whose description is given below:

Similarly, the TYPE field can contain GDIR, GREG, VDIR, VREG, IPv4, IPv6 etc. To get a complete list of the TYPE values lsof supports, refer to its man page.
Common Usage
Below are some popular uses of the lsof command. The command works across Linux variants, and all command-line arguments in the examples below should work across all platforms, given the same lsof version.
List all open files
Running lsof without any options will list all files that are currently open by active processes. Output:
List by filename
To list all processes that have opened a specific file, we can specify file-name as an argument: Output:
List open files by username
In a multi-user system, you can filter the list of files by the processes a specific user owns, using the -u flag followed by the username. Output:

Alternatively, if you want to list files that are opened by any user except a specific one, use the -u flag followed by ^username as shown below: Output:

One way you can use lsof is in situations where you want to quickly kill all processes belonging to a specific user in a single command. We can combine kill with lsof as shown in the example below to achieve this (execute as root):

As seen in the above example, we can use the -t flag to filter out all other information except the process ID. This can be useful in automation and scripting, as shown in the previous example by combining it with the kill command. Output:

With lsof, we can combine multiple arguments using OR logic as shown below: Output:

Alternatively, if you want to use an AND logic condition, use the -a flag. Output:
List open files by process
We can also list files opened by a particular process by using the -c option followed by the process name. Output:
List open files by PID
Alternatively, to list files opened by a process by specifying its ID instead of its name, use the -p flag followed by the process ID. Output:
If you want to list every open file except for the ones opened by a particular process, use -p followed by ^process-id.
List open files containing directory
To list processes that opened files under a specific directory, use the +D option followed by the directory path. Output:

If you don’t want to recursively list files inside sub-directories, use the +d flag followed by the directory path. Output:
Repeat mode
lsof can be run in repeat mode. In repeat mode, lsof generates and prints output at regular intervals. There are two repeat modes supported by lsof, selected with the -r and +r flags. With the -r flag, lsof keeps repeating until it receives an interrupt/kill signal from the user, while with the +r flag, repeat mode ends as soon as its output has no open files. Additionally, we can specify a time delay with the -r or +r flag. Output:
List open files with network protocol
lsof supports listing any type of Linux file, including network sockets. As such, we can list details of open network connections using the -i flag. Output:

To list all network connections in use by a specific process ID, you can use lsof as: Output:

Or, to list all network connections in use by a specific process, we can give the process name as: Output:

We can filter the output of lsof with the -i flag by network protocol type, i.e., TCP or UDP, by specifying the protocol type. Output: OR Output:
List open files by port
We can also filter the output of lsof with -i flag by port number using command syntax as below: Output:
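The network listing above is often used to audit which processes accept connections. The following added example (not from the original article) filters a listing for listeners that are reachable from the network and whose port is not on an allow list; the `-n`, `-P` and `-sTCP:LISTEN` options, the function names, the allow list and the sample rows are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (not real hosts).
sample_lsof() {
cat <<'EOF'
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812     root    3u  IPv4  21534      0t0  TCP *:22 (LISTEN)
sshd      812     root    4u  IPv6  21536      0t0  TCP *:22 (LISTEN)
cupsd     640     root    7u  IPv6  19877      0t0  TCP [::1]:631 (LISTEN)
nginx    1044     root    6u  IPv4  25011      0t0  TCP *:80 (LISTEN)
postgres 1310 postgres    5u  IPv4  27190      0t0  TCP 127.0.0.1:5432 (LISTEN)
python3  4821    alice    3u  IPv4  90112      0t0  TCP *:8000 (LISTEN)
python3  4821    alice    4u  IPv6  90113      0t0  TCP *:8000 (LISTEN)
node     5120      bob   21u  IPv4  93340      0t0  TCP 10.0.0.5:3000 (LISTEN)
EOF
}

# unexpected_listeners "<allowed ports>": reads lsof output on stdin and prints
# "COMMAND PID USER ADDR:PORT" for every listener that is not bound to loopback
# and whose port is not on the allow list (hypothetical helper).
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF != "(LISTEN)" { next }               # also skips the header row
        {
            addr = $(NF - 1)
            if (!match(addr, /:[0-9]+$/)) next   # relies on -P (numeric ports)
            host = substr(addr, 1, RSTART - 1)
            port = substr(addr, RSTART + 1)
            if (host ~ /^127\./ || host == "[::1]") next   # loopback only
            if (port in ok) next                           # expected service
            key = $2 SUBSEP port                 # one line per PID and port
            if (key in seen) next
            seen[key] = 1
            print $1, $2, $3, addr
        }'
}

# Live use (as root, to see every user's sockets):
#   lsof -nP -iTCP -sTCP:LISTEN | unexpected_listeners "22 80 443"
sample_lsof | unexpected_listeners "22 80 443"
```

Without `-P`, lsof prints service names instead of port numbers and the port match above would skip those rows.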
List open files by IPv4/IPv6
There’s an option to filter the network connections listing by limiting it to either IPv4 or IPv6. Use the command syntax below to get only the IPv4 listing: Output: OR, to get only IPv6 details, use: Output:
List open files on NFS
lsof can also list all NFS files currently open by a user.
List locked deleted files
Sometimes files are deleted in Linux but are still being locked by one or more processes. Such files don’t appear in a normal file system listing using the ls command etc., but they still consume disk space as reported by df output. This happens especially for large files deleted on purpose to clear disk space without releasing the process lock. You can find such processes using lsof as: Output:
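To see how much space each process is holding this way, the following added example (not from the original article) totals the size of deleted regular files per process. It assumes the listing comes from `lsof +L1`, an lsof option that selects open files with a link count below 1 and adds an NLINK column; the function names and sample rows are constructed.

```shell
#!/bin/sh
# Constructed sample of `lsof +L1` output (the NLINK column is added by +L).
sample_deleted() {
cat <<'EOF'
COMMAND   PID   USER   FD   TYPE DEVICE   SIZE/OFF NLINK   NODE NAME
java     2210 tomcat    1w   REG  253,0 5368709120     0 393301 /var/log/tomcat/catalina.out (deleted)
java     2210 tomcat    2w   REG  253,0 5368709120     0 393301 /var/log/tomcat/catalina.out (deleted)
mysqld   1377  mysql    5u   REG  253,0    1048576     0 131084 /tmp/ibXk3f9a (deleted)
mysqld   1377  mysql    6u   REG  253,0     524288     0 131085 /tmp/ibQz71bc (deleted)
rsyslogd  702   root    7w   REG  253,0   73400320     0 262912 /var/log/messages-20240101 (deleted)
EOF
}

# deleted_space_by_pid: reads `lsof +L1` output on stdin and prints
# "PID COMMAND BYTES" per process, largest first (hypothetical helper).
# A file open on several descriptors of one process (same NODE) is counted
# once, otherwise stdout and stderr pointing at one log would double the total.
deleted_space_by_pid() {
    awk '
        $5 == "REG" && $8 == 0 && $7 ~ /^[0-9]+$/ {
            key = $2 SUBSEP $9            # PID + inode number
            if (key in seen) next
            seen[key] = 1
            cmd[$2] = $1
            held[$2] += $7
        }
        END {
            # %.0f keeps totals above 2^31 as plain integers in every awk
            for (pid in held) printf "%s %s %.0f\n", pid, cmd[pid], held[pid]
        }' | sort -k3,3nr
}

# Live use (as root, to see every user's processes):
#   lsof +L1 | deleted_space_by_pid
sample_deleted | deleted_space_by_pid
```

The space is released only when the listed process closes the file or exits, so the PID column tells you which service to restart or signal.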
Conclusion
lsof offers a range of options to customize its output according to your needs. It’s a useful utility in day-to-day system and network administration tasks. The ability to combine different arguments makes it all the more useful and allows you to get the required output easily. Refer to the lsof man page to learn all supported arguments and their usage.