Introduction
The lsof command stands for LiSt Open Files and shows open files and which process uses them. Since Linux sees every object as a file, such as devices, directories, etc., unidentified open files prevent users from modifying them.
Additionally, the sheer number of files makes it difficult to find malicious processes. The lsof command helps identify these processes so you can terminate them.
This article will explain how to use thelsof command in Linux with examples.
Prerequisites
- Access to the terminal.
- Sudo groupprivileges.
- Root privileges for some commands.
lsof Command Syntax
The lsof command syntax is:
lsof [options]Note: For most commands, run lsof with sudo to avoid "permission denied" errors.
lsof Command Options
The lsof command has many of options. The table below includes arguments that are used most often:
| Option | Description |
|---|---|
lsof | Lists all open files. |
-b | Suppresses kernel blocks. |
/ [file system] / | Shows open files in a particular file system. |
/dev/tty* | Displays files associated with the terminal. |
-u [username] | Prints all files opened by a user. |
-u ^[username] | Prints all files opened by everyone except a specific user. |
-c [process] | Lists all files accessed by a particular process. |
-p [process ID] | Shows all open files associated with a specific process ID. |
-p ^[process ID] | Shows files opened by all other PIDs. |
-R | Lists parent process IDs. |
+D [directory path] | Prints all open files in a directory. |
-i | Displays all files accessed by network connections. |
-i [IP version number] | Filters files based on their IP. |
- i [udp or tcp] | Filters open files based on the connection type (TCP or UDP). |
-i :[port number] | Finds processes running on a specific port. |
-i :[port range] | Finds processes running on specific port ranges. |
-t [file name] | Lists IDs of processes that have accessed a particular file. |
# kill -9 'lsof -t -u [user]' | Kills all user processes. |
-d mem | Shows all memory-mapped files. |
[path] | grep deleted | Prints locked deleted files. |
man | Opens the man page. |
lsof Command Examples
lsof incorporates different arguments allowing users to manage system and network administration activities. Outlined below are the most common lsof use cases.
List All Files
When run without any options, lsof lists all files opened by any process:
sudo lsof
The lsof command outputs a lot of details. Therefore, always pipe lsof with less to display the output one page at a time.
sudo lsof | less
To navigate to the bottom of the list, hit Enter or down arrow. Exit the list with Q.
The lsof output consists of different columns. However, not all columns apply to every type of file. The header looks like this:
The default columns in thelsofoutput are:
- COMMAND- Refers to the command associated with the process that opened the file.
- PID- The process identification number of the process running the file.
- TID- Represents a task identification number for the respective process. It is blank if a process, not a task, has opened the file.
- TASKCMD- Refers to the command name in the first column. However, TASKCMD can differ when a task changes its command name.
- USER- Names the user executing the process. The column contains the User ID or name.
- FD- Is the file descriptor the process uses to associate with the file.
- TYPE- Shows the type of file and its identification number.
- DEVICE- Prints device numbers related to the file.
- SIZE/OFF- Represents the value or the file taken during the runtime (size or offset).
- NODE- The local file's node number or inode number of the directory/parent directory.
- NAME- Shows the path or link to the file.
Conceal Kernel Blocks
The default lsof output also includes files that are opened by the kernel. To suppress kernel blocks, run lsof with the -b flag:
sudo lsof -b
Display Files of a Specific Filesystem
Use the lsof command to show open files in a particular file system:
sudo lsof / [file system] /For example, to see all open files in the sys directory, run:
sudo lsof / sys/
Print Terminal Files
List all open files connected to the terminal by targeting the dev directory with lsof:
lsof /dev/tty*
Show All Files Accessed by a User
Use lsof with a -u flag to display files opened by a specific user:
sudo lsof -u [username]For example:
lsof -u saraz
The command lists files opened by saraz.
To print all files opened by everyone except a specific user, run:
sudo lsof -u ^[username]For instance:
lsof -u ^saraz
The output shows files controlled by users other than saraz.
Display Files Used by a Process
The -c flag opens all files used by a process:
sudo lsof -c [process]For example, to list files opened by the wpa_suppl process, run:
sudo lsof -c wpa_suppl
Another option is to use only a part of the program name:
sudo lsof -c wpa
lsof returns all programs starting with the term wpa, which includes wpa_suppl.
Moreover, the -c option gives the same output as piping lsof with grep:
sudo lsof | grep wpa_suppl
Print Files Opened by a Specific PID
Use the -p option to filter specific files by the Process ID number (PID). For example, the output below shows all files with PID 635.
sudo lsof -p 635
On the other hand, add a caret ^ symbol to print files opened by all other processes:
sudo lsof -p ^635
Additionally, combining lsof with the -R flag adds the Parent Process Identification Number (PPID) to the output.
To get PPID info for a specific PID, execute:
sudo lsof -p [PID] -RFor example, to get the PPID for the 635 PID, type:
sudo lsof -p 635 -R
The output shows the PPID column added to the header.
Show Files Under a Directory
To see all files that have been opened under a directory, use the following command:
sudo lsof +D [directory path]
This option also recurses the sub directories. To avoid recursing, use the +d flag.
Show Files Accessed by Network Connections
Use the -i flag with lsof to check which files are opened by a network connection. Execute this command:
sudo lsof -i
The example above prints files open by a network connection, regardless of the connection type.
The -i flag adds a lot of versatility to lsof, allowing users to filter files based on different criteria. Use lsof -i [options] to:
- Filter files based on their IP with:
sudo lsof -i [IP version number]For example, run this command to display only IPv4 files:
sudo lsof -i 4
On the contrary, print only IPv6 files with:
sudo lsof -i 6
- See only files that use tcp or udp connection by providing the protocol type:
sudo lsof -i [udp or tcp]
- Find processes running on a specific port. This option is useful to check which file is preventing another app from binding to a specific port. Execute the command with the port number or service name from the name column:
sudo lsof -i :[port number/name]
- Print all files open on specific port ranges.
For instance, to list open Files of UDP Port ranges 1-1024, run:
List IDs of Processes Holding Open Files
To see PIDs for processes that have opened a particular file, use -t and provide the file name.
lsof -t [file name]
Kill All User’s Processes
The -t flag also kills all processes by a specific user. For example, to kill all processes by user notsara, execute this command as root:
# kill -9 'lsof -t -u notsara'
Print All Memory-Mapped Files
lsof prints which processes have memory-mapped files. To show these processes, run:
lsof -d mem
Display Locked Deleted Files
A process sometimes keeps big files locked even after they have been deleted, consuming disk space.
Use Lsof to find files that are deleted in Linux but are still locked by one or more processes.
For example, find deleted files from the root directory using a slash (/) as a path symbol:
sudo lsof [path] | grep deleted
Combine Multiple Options
The lsof command allows multiple search items on the command line. Use AND and OR logic to combine different arguments to get specific results. Below are most common examples.
- List files open by a particular user or process with:
sudo lsof -u [username] -c [process]
The output prints both files opened by the user saraz and those used by the process snapd.
- Display only files that match the first search term and the second search term with the logical operator
-a(and):
sudo lsof -u [username] -c [process] -a
In this case, lsof shows only files opened by the user saraz and the bash process.
- Find all network connections of a user:
sudo lsof -i -u [username] -a
The -i and -a flags with the lsof command print all activity of the user root.
Learn More About lsof
The lsof command has more options than any other Linux command. The man page is almost 2000 lines long and offers a lot of information.
To explore the command's possibilities, run:
man lsof
Conclusion
This tutorial shows you how to use the lsof command for troubleshooting potential security and system problems with practical examples.
Next, learn how to copy files and directories in Linux and compare two files using the Linux diff command.
