lsof command tutorial in linux/unix with examples and use cases
linux lsof command – list open files
In Linux, everything is a file: files give access not only to regular data but also to network connections and hardware. The lsof command can therefore show not only the files and directories a process has opened, but also socket information such as the ports the process is listening on.
This article introduces the basic usage of the lsof command. The demo environment for this article is Ubuntu 19.04.
Syntax
lsof [option]
Common options
- -a : combine the other options with AND (all conditions must match)
- -c : list files opened by processes whose program name matches
- -d : list processes that hold the specified file descriptor number
- +d : list the directory and the opened files and directories directly under it (not recursive)
- +D : recursively list the opened files and directories under the directory
- -i : list network-related files that match the given conditions
- -n : do not resolve hostnames
- -p : list files opened by the process with the specified PID
- -P : do not convert port numbers to service names
- -t : output only PIDs
- -u : list files opened by the specified user
- -U : list open UNIX domain socket files
Output

- COMMAND : the name of the program
- PID : process identifier
- USER : process owner
- FD : file descriptor, through which the application identifies the file
- TYPE : file type, such as DIR, REG, etc.
- DEVICE : device numbers, separated by a comma
- SIZE : file size (bytes)
- NODE : inode (the identification of the file on the disk)
- NAME : the exact name of the file opened
Here are some common types in FD column and TYPE column.
Common types in the FD column are cwd, rtd, txt, mem, some numbers, and so on.
- cwd – the current working directory;
- rtd – the root directory;
- txt – the executable file of the program;
- mem – a memory-mapped file.
The common REG and DIR in the TYPE column represent ordinary files and directories, respectively.
Examples
View which processes have the specified file opened
In the following example, we use the lsof command to see which processes have a specified file open, in this case /bin/zsh:
➜ ~ lsof /bin/zsh
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
zsh 1964 ylspirit txt REG 8,1 848960 135362 /usr/bin/zsh
zsh 2129 ylspirit txt REG 8,1 848960 135362 /usr/bin/zsh
➜ ~
See which processes have opened a certain directory and the files in the directory
The +d option does not recurse; it only finds processes that have opened the specified directory or the files and directories directly under it, for example:
➜ ~ sudo lsof +d /var/log

The +D option recurses into the specified directory:
➜ ~ sudo lsof +D /var/log

View opened network-related files
The -i option is used to view the opened network-related files.
lsof -i [46][protocol][@hostname|hostaddr][:service|port]
- 46 : the version of the IP protocol (4 or 6)
- protocol : the name of the network protocol, such as TCP or UDP
- hostname or hostaddr : the host address
- service : a name from /etc/services, such as smtp, or a list of multiple services
- port : the port number; you can specify one or more
By default, the -i option lists both IPv4 and IPv6 network files:
➜ ~ sudo lsof -i

List only IPv4 network files
➜ ~ sudo lsof -i 4

List files related to port 22
➜ ~ sudo lsof -i:22
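
As an added example (not part of the original article), the shell function below filters the column output of lsof -i -n -P, using the options and the USER, PID and NAME columns described above, to report TCP listeners bound to non-loopback addresses. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `lsof -i -n -P` column output for TCP listeners
# that are reachable from other hosts (not bound to loopback).
# Function names and sample data are constructed for illustration.

# Constructed sample in the column layout described in the Output section.
sample_lsof_output() {
cat <<'EOF'
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812     root    3u  IPv4  23456      0t0  TCP *:22 (LISTEN)
sshd      812     root    4u  IPv6  23458      0t0  TCP *:22 (LISTEN)
cupsd     900     root    7u  IPv4  25000      0t0  TCP 127.0.0.1:631 (LISTEN)
cupsd     900     root    8u  IPv6  25001      0t0  TCP [::1]:631 (LISTEN)
python3  2301 ylspirit    5u  IPv4  41000      0t0  TCP 192.168.1.10:8000 (LISTEN)
ssh      2400 ylspirit    3u  IPv4  42000      0t0  TCP 192.168.1.10:51234->203.0.113.5:22 (ESTABLISHED)
avahi-da  700    avahi   12u  IPv4  21000      0t0  UDP *:5353
EOF
}

# Reads `lsof -i -n -P` output on stdin and prints "USER COMMAND PID ADDRESS"
# for every TCP socket in LISTEN state bound to a non-loopback address.
# Assumes COMMAND and USER contain no whitespace.
exposed_listeners() {
    awk '
        $1 == "COMMAND"   { next }   # skip the header row
        $NF != "(LISTEN)" { next }   # keep listening sockets only
        $(NF-2) != "TCP"  { next }   # NODE column holds the protocol
        {
            addr = $(NF-1)           # NAME column: address:port
            if (addr ~ /^127\./ || addr ~ /^\[::1\]:/) next
            print $3, $1, $2, addr
        }
    ' | sort -u                      # IPv4 and IPv6 wildcard rows collapse
}

# Live use (needs lsof, and root to see every process):
#   sudo lsof -i -n -P | exposed_listeners
sample_lsof_output | exposed_listeners
```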

View all files opened by a user
The -u option takes a user name or user ID. As with the -c option, multiple user names or user IDs can be separated by commas, and the condition can be negated with the ^ symbol.
View network-related files opened by user ylspirit
➜ ~ sudo lsof -i -a -u ylspirit
Exclude a user
➜ ~ sudo lsof -i -a -u ^ylspirit
View the file opened by the program with the specified name
The -c option matches the name of the program (executable file) that the process runs. For example, to list the files opened by programs whose names begin with sy:
➜ ~ sudo lsof -c sy
