The lsof command displays the list of open files. That can be the files opened by a process, by a user, on connections to an IP address, or on a port.
Let’s analyse the lsof command and its output. Once you understand the output, you have a better idea of how it can be made useful.
[root@server ~]# lsof
COMMAND  PID  USER  FD   TYPE  DEVICE  SIZE/OFF  NODE      NAME
init     1    root  cwd  DIR   253,0   4096      2         /
init     1    root  rtd  DIR   253,0   4096      2         /
init     1    root  txt  REG   253,0   150352    92012573  /sbin/init
init     1    root  mem  REG   253,0   66432     90974918  /lib64/libnss_files-2.12.so
init     1    root  mem  REG   253,0   1924768   90963979  /lib64/libc-2.12.so
init     1    root  mem  REG   253,0   90912     90963993  /lib64/libgcc_s-4.4.7-20120601.so.1
init     1    root  mem  REG   253,0   44472     90974925  /lib64/librt-2.12.so
The fields displayed are:
COMMAND - Command responsible for the file
PID - Process ID
TID - Thread ID
USER - Owner of the process
FD - File Descriptor
TYPE - Type of file
DEVICE - Type of device with major, minor numbers
SIZE/OFFSET - Size of the file
NODE - inode number of the file
NAME - name of the file
The File Descriptor can take the following values:
cwd - current working directory
rtd - root directory
txt - program text (code and data)
mem - memory-mapped file, usually for shared library
1r - file descriptor 1 opened for reading.
pd - parent directory
In the FD column, a value like 1u is an actual file descriptor number followed by u, r or w, which indicates its mode:
u - File open with Read and Write permission
r - File open with Read permission
w - File open with Write permission
W - File open with Write permission and with Write Lock on entire file
mem - Memory mapped file, usually for shared library
mmap - Memory mapped device
TYPE displays the type of file and its identification.
DIR – Directory
REG – Regular file
CHR – Character special file.
FIFO – First In First Out
Let’s look at a few uses of lsof.
List of open files of a user, root
[root@server ~]# lsof -u root
COMMAND  PID  USER  FD   TYPE  DEVICE  SIZE/OFF  NODE      NAME
init     1    root  cwd  DIR   253,0   4096      2         /
init     1    root  rtd  DIR   253,0   4096      2         /
init     1    root  txt  REG   253,0   150352    92012573  /sbin/init
init     1    root  mem  REG   253,0   66432     90974918  /lib64/libnss_files-2.12.so
init     1    root  mem  REG   253,0   1924768   90963979  /lib64/libc-2.12.so
init     1    root  mem  REG   253,0   90912     90963993  /lib64/libgcc_s-4.4.7-20120601.so.1
init     1    root  mem  REG   253,0   44472     90974925  /lib64/librt-2.12.so
init     1    root  mem  REG   253,0   143280    90964003  /lib64/libpthread-2.12.so
init     1    root  mem  REG   253,0   265736    90964061  /lib64/libdbus-1.so.3.4.0
Exclusion in lsof is done with ^ (the caret symbol).
eg:
lsof -p ^5341 (will list open files of all processes excluding the one with PID 5341)
lsof -u ^root (will list all open files, except the ones opened by root)
List of Open Files – By Process Name Starting With
[root@server ~]# lsof -c dovecot
COMMAND  PID   USER  FD   TYPE  DEVICE  SIZE/OFF  NODE      NAME
dovecot  5328  root  cwd  DIR   253,0   4096      2228598   /var/run/dovecot
dovecot  5328  root  rtd  DIR   253,0   4096      2         /
dovecot  5328  root  txt  REG   253,0   93740     56364377  /usr/sbin/dovecot
dovecot  5328  root  mem  REG   253,0   2279343   2098498   /var/db/nscd/hosts
dovecot  5328  root  mem  REG   253,0   143280    90964003  /lib64/libpthread-2.12.so
dovecot  5328  root  mem  REG   253,0   44472     90974925  /lib64/librt-2.12.so
dovecot  5328  root  mem  REG   253,0   20024     90974866  /lib64/libdl-2.12.so
dovecot  5328  root  mem  REG   253,0   18712     90964028  /lib64/libattr.so.1.1.0
dovecot  5328  root  mem  REG   253,0   1924768   90963979  /lib64/libc-2.12.so
Find the parent process ID of a process. In this case, 1 is the parent process of PID 7597.
[root@server ~]# lsof -p 7597 -R
COMMAND  PID   PPID  USER  FD   TYPE  DEVICE  SIZE/OFF  NODE        NAME
httpd    7597  1     root  cwd  DIR   8,3     4096      2           /
httpd    7597  1     root  rtd  DIR   8,3     4096      2           /
httpd    7597  1     root  txt  REG   8,3     662696    4202194     /usr/sbin/httpd
httpd    7597  1     root  DEL  REG   0,4               0           /SYSV000015b3
httpd    7597  1     root  mem  REG   8,5     217032    4980742     /var/db/nscd/passwd
httpd    7597  1     root  mem  REG   8,5     217032    4980743     /var/db/nscd/group
httpd    7597  1     root  DEL  REG   0,4               3482411066  /dev/zero
httpd    7597  1     root  DEL  REG   0,4               3482411067  /dev/zero
httpd    7597  1     root  DEL  REG   0,4               3482411070  /dev/zero
httpd    7597  1     root  mem  REG   8,3     163400    4194605     /usr/lib64/ld-2.17.so
If you just want to list the open files based on process ID, issue: lsof -p 7597
List of open files to a specific port
[root@serveur ~]# lsof -i :80
COMMAND  PID    USER   FD  TYPE  DEVICE      SIZE/OFF  NODE  NAME
nginx    15462  root   6u  IPv4  3437785568  0t0       TCP   *:http (LISTEN)
nginx    15463  nginx  6u  IPv4  3437785568  0t0       TCP   *:http (LISTEN)
nginx    15466  nginx  6u  IPv4  3437785568  0t0       TCP   *:http (LISTEN)
nginx    15469  nginx  4u  IPv4  3483569271  0t0       TCP   serveur.ex2-p32.com:http->83.137.2.249:50698 (ESTABLISHED)
nginx    15469  nginx  6u  IPv4  3437785568  0t0       TCP   *:http (LISTEN)
nginx    15470  nginx  4u  IPv4  3483569216  0t0       TCP   serveur.ex2-p32.com:http->172.69.226.114:60336 (ESTABLISHED)
Find open connections to a specific host, or to a specific port on a specific host
[root@serveur ~]# lsof -i@149.202.75.180
COMMAND  PID   USER      FD   TYPE  DEVICE      SIZE/OFF  NODE  NAME
french   5909  maqfr     8u   IPv4  3483726686  0t0       UDP   serveur.ex2-p32.com:64544->cdns.ovh.net:domain
french   5911  maqfr     10u  IPv4  3483774248  0t0       UDP   serveur.ex2-p32.com:39678->cdns.ovh.net:domain
french   5913  maqfr     14u  IPv4  3483732945  0t0       UDP   serveur.ex2-p32.com:60288->cdns.ovh.net:domain
french   5914  maqfr     21u  IPv4  3483774113  0t0       UDP   serveur.ex2-p32.com:13654->cdns.ovh.net:domain
french   5916  maqfr     20u  IPv4  3483774259  0t0       UDP   serveur.ex2-p32.com:50760->cdns.ovh.net:domain
french   5917  maqfr     22u  IPv4  3483771117  0t0       UDP   serveur.ex2-p32.com:48329->cdns.ovh.net:domain
exim     6016  mailnull  8u   IPv4  3483768849  0t0       TCP   serveur.ex2-p32.com:38514->dev.serveurex2.info:smtp (ESTABLISHED)
imap     6154  cyberren  7u   IPv4  3483768128  0t0       TCP   serveur.ex2-p32.com:imap->94-224-82-148.access.telenet.be:60681 (ESTABLISHED)
Or even
[root@serveur ~]# lsof -i@149.202.75.180:80
will display the below output:
nginx    15488  nginx  20u  IPv4  3483851490  0t0  TCP  serveur.ex2-p32.com:http->79.103.55.23.dsl.dyn.forthnet.gr:61805 (ESTABLISHED)
nginx    15488  nginx  22u  IPv4  3483850530  0t0  TCP  serveur.ex2-p32.com:http->162.158.7.84:31578 (ESTABLISHED)
nginx    15488  nginx  24u  IPv4  3483843477  0t0  TCP  serveur.ex2-p32.com:http->102.132.37.126:53389 (ESTABLISHED)
nginx    15488  nginx  30u  IPv4  3483858141  0t0  TCP  serveur.ex2-p32.com:http->adsl196-188-162-217-196.adsl196-14.iam.net.ma:51282 (ESTABLISHED)
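An added example, not part of the original article: two small awk filters that read the column layout of the lsof -i output shown above, one listing every TCP listener with its owning user and one counting ESTABLISHED connections per remote host. The function names (sample_lsof, listeners, peers) are made up for this example, and the sample rows are constructed with documentation addresses.

```shell
#!/bin/sh
# Constructed sample in the lsof -i column layout (not captured from a real host).
sample_lsof() {
cat <<'EOF'
COMMAND   PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
nginx   15462  root  6u  IPv4 100001      0t0  TCP *:http (LISTEN)
nginx   15463 nginx  6u  IPv4 100001      0t0  TCP *:http (LISTEN)
nginx   15469 nginx  4u  IPv4 100002      0t0  TCP web.example:http->192.0.2.10:50698 (ESTABLISHED)
nginx   15469 nginx  5u  IPv4 100003      0t0  TCP web.example:http->192.0.2.10:50700 (ESTABLISHED)
nginx   15470 nginx  4u  IPv4 100004      0t0  TCP web.example:http->198.51.100.7:60336 (ESTABLISHED)
named    5909 named  8u  IPv4 100005      0t0  UDP web.example:64544->203.0.113.53:domain
EOF
}

# listeners: print "command pid user local-endpoint" for each TCP socket in
# LISTEN state. Field 8 is the NODE column (TCP/UDP), field 9 the NAME column,
# and the last field is the state; the header line never matches.
listeners() {
  awk '$8 == "TCP" && $NF == "(LISTEN)" { print $1, $2, $3, $9 }'
}

# peers: count ESTABLISHED TCP connections per remote host, busiest first.
peers() {
  awk '$8 == "TCP" && $NF == "(ESTABLISHED)" {
         split($9, ends, "->")        # NAME is local->remote
         host = ends[2]
         sub(/:[^:]*$/, "", host)     # drop the trailing :port
         n[host]++
       }
       END { for (h in n) print n[h], h }' | sort -k1,1nr -k2,2
}

# Demo on the constructed sample.
sample_lsof | listeners
sample_lsof | peers
```

On a live host the same filters can be fed with lsof -nP -iTCP, where -n and -P keep addresses and ports numeric so the counts are not split between names and addresses of the same peer.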
Search for all open instances of directory
[root@server ~]# lsof +D /home/ceeaco/mail/
Kill all processes run by the user sages
[root@server ~]# kill -9 `lsof -t -u sages`
List of Files in Repeat Mode
[root@serveur home]# lsof -i -a -c ssh -r2
COMMAND  PID    USER  FD  TYPE  DEVICE      SIZE/OFF  NODE  NAME
sshd     9023   root  3u  IPv4  3483661449  0t0       TCP   serveur.ex2-p32.com:d2k-datamover2->launchpad2.majesticsupport.com:42901 (ESTABLISHED)
sshd     21514  root  3u  IPv4  3483456549  0t0       TCP   serveur.ex2-p32.com:d2k-datamover2->launchpad2.majesticsupport.com:42894 (ESTABLISHED)
sshd     30037  root  3u  IPv4  2835783768  0t0       TCP   *:d2k-datamover2 (LISTEN)
sshd     30037  root  4u  IPv6  2835783770  0t0       TCP   *:d2k-datamover2 (LISTEN)