lsof Command

lsof is a command meaning "list open files", which is used in many Unix-like systems to report a list of all open files and the processes that opened them.

As we all know, Linux/Unix treats everything as a file (pipes, sockets, directories, devices, etc.). One reason to use the lsof command is when a disk cannot be unmounted because the system reports that files on it are in use. With the help of this command we can easily identify which files are in use.




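Let's see how the lsof command works. The examples below are run as root (the # prompt); run as an unprivileged user, lsof can show full details only for that user's own processes.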

# lsof

COMMAND    PID      USER   FD      TYPE     DEVICE  SIZE/OFF       NODE NAME
init         1      root  cwd      DIR      253,0      4096          2 /
init         1      root  rtd      DIR      253,0      4096          2 /
init         1      root  txt      REG      253,0    145180     147164 /sbin/init
init         1      root  mem      REG      253,0   1889704     190149 /lib/libc-2.12.so
init         1      root   0u      CHR        1,3       0t0       3764 /dev/null
init         1      root   1u      CHR        1,3       0t0       3764 /dev/null
init         1      root   2u      CHR        1,3       0t0       3764 /dev/null
init         1      root   3r     FIFO        0,8       0t0       8449 pipe
init         1      root   4w     FIFO       0,8       0t0       8449 pipe
init         1      root   5r      DIR       0,10         0          1 inotify
init         1      root   6r      DIR       0,10         0          1 inotify
init         1      root   7u     unix 0xc1513880       0t0       8450 socket


In the above example we can see a few standard columns such as COMMAND, PID, USER, FD, TYPE, DEVICE, etc.


Here we will look at the FD and TYPE columns more closely.

FD – stands for file descriptor. Some of the values you may see are:

cwd current working directory
rtd root directory
txt program text (code and data)
mem memory-mapped file

In the FD column, a value such as 1u is an actual file descriptor number followed by a letter (r, w or u) giving its access mode:
r for read access.
w for write access.
u for read and write access.


TYPE – the type of the file:
DIR – Directory
REG – Regular file
CHR – Character special file.
FIFO – First In First Out

Now let's see a few different ways to use the lsof command.


List IPv4 and IPv6 Open Files.

# lsof -i 4

COMMAND    PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpcbind   1203     rpc    6u  IPv4  11326      0t0  UDP *:sunrpc
rpcbind   1203     rpc    7u  IPv4  11330      0t0  UDP *:954
rpcbind   1203     rpc    8u  IPv4  11331      0t0  TCP *:sunrpc (LISTEN)
avahi-dae 1241   avahi   13u  IPv4  11579      0t0  UDP *:mdns
avahi-dae 1241   avahi   14u  IPv4  11580      0t0  UDP *:58600

# lsof -i 6

COMMAND    PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpcbind   1203     rpc    9u  IPv6  11333      0t0  UDP *:sunrpc
rpcbind   1203     rpc   10u  IPv6  11335      0t0  UDP *:954
rpcbind   1203     rpc   11u  IPv6  11336      0t0  TCP *:sunrpc (LISTEN)
rpc.statd 1277 rpcuser   10u  IPv6  11858      0t0  UDP *:55800
rpc.statd 1277 rpcuser   11u  IPv6  11862      0t0  TCP *:56428 (LISTEN)
cupsd     1346    root    6u  IPv6  12112      0t0  TCP localhost:ipp (LISTEN)


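List all Network Connections

With no argument, ‘-i’ lists every Internet socket, listening as well as connected. Addresses and ports are printed as host and service names, so a name such as conclave-cpp on the client side of the ssh session below is only the service-name lookup of the client's source port; add ‘-n -P’ to get numeric addresses and ports.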

# lsof -i

COMMAND    PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpcbind   1203     rpc    6u  IPv4  11326      0t0  UDP *:sunrpc
rpcbind   1203     rpc    7u  IPv4  11330      0t0  UDP *:954
rpcbind   1203     rpc   11u  IPv6  11336      0t0  TCP *:sunrpc (LISTEN)
avahi-dae 1241   avahi   13u  IPv4  11579      0t0  UDP *:mdns
avahi-dae 1241   avahi   14u  IPv4  11580      0t0  UDP *:58600
rpc.statd 1277 rpcuser   11u  IPv6  11862      0t0  TCP *:56428 (LISTEN)
cupsd     1346    root    6u  IPv6  12112      0t0  TCP localhost:ipp (LISTEN)
cupsd     1346    root    7u  IPv4  12113      0t0  TCP localhost:ipp (LISTEN)
sshd      1471    root    3u  IPv4  12683      0t0  TCP *:ssh (LISTEN)
master    1551    root   12u  IPv4  12896      0t0  TCP localhost:smtp (LISTEN)
master    1551    root   13u  IPv6  12898      0t0  TCP localhost:smtp (LISTEN)
sshd      1834    root    3r  IPv4  15101      0t0  TCP 192.168.0.2:ssh->192.168.0.1:conclave-cpp (ESTABLISHED)
httpd     1918    root    5u  IPv6  15991      0t0  TCP *:http (LISTEN)
httpd     1918    root    7u  IPv6  15995      0t0  TCP *:https (LISTEN)


List open files by PID


# lsof -p 1223

COMMAND    PID USER   FD   TYPE     DEVICE SIZE/OFF   NODE NAME
init      1223 root  cwd    DIR      253,0     4096      2 /
init      1223 root  rtd    DIR      253,0     4096      2 /
init      1223 root  txt    REG      253,0   145180 147164 /sbin/init
init      1223 root  mem    REG      253,0  1889704 190149 /lib/libc-2.12.so
init      1223 root  mem    REG      253,0   142472 189970 /lib/ld-2.12.so


List processes using a mount point

# lsof /home

or, to search a directory tree recursively (this can be slow on large trees):

# lsof +D /home/


List all TCP or UDP connections

You can list all the TCP or UDP connections by specifying the protocol using ‘-i’.

# lsof -i tcp; lsof -i udp;


List all Network File System ( NFS ) files

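You can list all the NFS files by using the ‘-N’ option. The following lsof command will list all NFS files used by user ‘kal’. The ‘-a’ option ANDs the two selections; without it lsof ORs them and would list every NFS file plus every file opened by ‘kal’.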

# lsof -N -u kal -a

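Kill all processes that belong to a particular user

The ‘-t’ option makes lsof print only PIDs, so its output can be passed straight to kill. Signal 9 (SIGKILL) cannot be caught, so the processes get no chance to clean up; a plain kill (SIGTERM) is worth trying first.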

# kill -9 `lsof -t -u kal`
