Linux lsof Command: Complete Guide and Reference

Table of Contents

Introduction

The lsof command, which stands for "List Open Files," is a powerful diagnostic tool available on Unix-like systems including Linux. It displays information about files that are currently opened by processes running on the system. In Unix-like systems, everything is treated as a file, including regular files, directories, network sockets, pipes, devices, and more. This makes lsof an incredibly versatile tool for system administration, debugging, and security analysis.

The command provides detailed information about which processes have opened which files, network connections, and other system resources. This capability makes it invaluable for troubleshooting issues related to file access, network connections, and resource usage.

Installation

Ubuntu/Debian Systems

CentOS/RHEL/Fedora Systems

For CentOS/RHEL 7 and earlier

For CentOS/RHEL 8+ and Fedora

Arch Linux

macOS

Usually pre-installed, but can be installed via Homebrew

Basic Syntax

`bash lsof [options] [names] `

The basic syntax allows for various combinations of options and file/process names to filter the output according to specific requirements.

Command Options

Primary Options Table

| Option | Description | Example Usage | |--------|-------------|---------------| | -a | AND logic for multiple conditions | lsof -a -u user -c process | | -c | List files opened by processes with specified name | lsof -c apache | | -d | List files with specified file descriptor | lsof -d 1 | | -f | Inhibit the listing of kernel file structure info | lsof -f -- /path/file | | -g | List files opened by processes with specified PGID | lsof -g 1234 | | -i | List network connections | lsof -i :80 | | -n | Don't resolve network numbers to names | lsof -n -i | | -o | Display file offset | lsof -o | | -p | List files opened by specified PID | lsof -p 1234 | | -P | Don't resolve port numbers to names | lsof -P -i | | -r | Repeat mode with specified delay | lsof -r 5 | | -s | Display file size or protocol info | lsof -s | | -t | Terse output (PID only) | lsof -t -i :22 | | -u | List files opened by specified user | lsof -u username | | -v | Verbose mode | lsof -v | | +D | Recursively search directory | lsof +D /var/log | | +d | Search directory (non-recursive) | lsof +d /tmp |

Network-Specific Options

| Option | Description | Example | |--------|-------------|---------| | -i4 | IPv4 connections only | lsof -i4 | | -i6 | IPv6 connections only | lsof -i6 | | -iTCP | TCP connections only | lsof -iTCP | | -iUDP | UDP connections only | lsof -iUDP | | -i:port | Connections on specific port | lsof -i:22 | | -i@host | Connections to/from specific host | lsof -i@192.168.1.1 |

Output Format

The standard lsof output contains the following columns:

Output Columns Table

| Column | Description | Example Value | |--------|-------------|---------------| | COMMAND | Process name (truncated to 9 characters) | apache2 | | PID | Process ID | 1234 | | TID | Task ID (thread ID) | 5678 | | USER | Username of process owner | www-data | | FD | File descriptor | 3u, cwd, txt | | TYPE | File type | REG, DIR, CHR, IPv4 | | DEVICE | Device numbers | 8,1 | | SIZE/OFF | File size or offset | 1024 | | NODE | Inode number | 123456 | | NAME | File name or connection details | /var/log/apache2/access.log |

File Descriptor (FD) Values

| FD Value | Meaning | |----------|---------| | cwd | Current working directory | | txt | Program text (executable code) | | mem | Memory-mapped file | | mmap | Memory-mapped device | | pd | Parent directory | | rtd | Root directory | | 0r | File descriptor 0 opened for reading | | 1w | File descriptor 1 opened for writing | | 2u | File descriptor 2 opened for read/write |

File Type Values

| Type | Description | |------|-------------| | REG | Regular file | | DIR | Directory | | CHR | Character device | | BLK | Block device | | FIFO | Named pipe | | LINK | Symbolic link | | IPv4 | IPv4 network connection | | IPv6 | IPv6 network connection | | unix | Unix domain socket |

Practical Examples

Basic File Listing

`bash

List all open files (warning: produces extensive output)

List files opened by a specific process

List files opened by multiple processes

List files opened by a specific PID

List files opened by multiple PIDs

User-Based Queries

`bash

List files opened by a specific user

List files opened by multiple users

List files NOT opened by a specific user

Combine user and process filters (AND logic)

Directory and File Queries

`bash

List processes using files in a directory (non-recursive)

List processes using files in a directory (recursive)

List processes using a specific file

List processes using files matching a pattern

Network Connection Analysis

`bash

List all network connections

List connections on a specific port

List TCP connections only

List UDP connections only

List connections to a specific host

List listening ports

List established connections

Advanced Usage

Combining Options with Logic

`bash

AND logic: files opened by user 'apache' AND process 'httpd'

OR logic (default): files opened by user 'apache' OR process 'httpd'

Complex combination: TCP connections by specific user

Files in /tmp opened by root user

Output Formatting and Control

`bash

Terse output (PIDs only)

No header line

Suppress kernel warnings

Don't resolve hostnames

Don't resolve port numbers

Both numeric (no name resolution)

Repeat Mode for Monitoring

`bash

Monitor network connections every 5 seconds

Monitor file access in directory every 2 seconds

Monitor with incremental output (only changes)

Network Monitoring

Port Analysis

`bash

Find what's listening on port 80

Find all listening services

Find established SSH connections

Monitor network activity

Connection State Monitoring

`bash

List all TCP connection states

Specific connection states

Network Security Analysis

`bash

Find processes with network connections

Identify suspicious connections

Monitor for new connections

Process Management

Process Analysis

`bash

Find all files opened by a process

Find processes using deleted files

Find processes with many open files

Kill processes using a specific file

Resource Usage Analysis

`bash

Count open files per process

Find processes with most network connections

Memory-mapped files

File System Analysis

Disk Usage and File Access

`bash

Find processes preventing umount

Find deleted but still open files

Large files currently open

Find processes writing to log files

Device and Special File Analysis

`bash

Processes using character devices

Processes using block devices

Processes using pipes

Unix domain sockets

Security Applications

Security Monitoring

`bash

Monitor for unauthorized network access

Find processes with unusual network activity

Identify processes accessing sensitive files

Monitor for privilege escalation

Forensic Analysis

`bash

Capture current state for analysis

Find processes with network connections to external hosts

Identify processes using configuration files

Performance Considerations

Optimization Techniques

The lsof command can be resource-intensive on systems with many open files. Here are optimization strategies:

`bash

Limit scope to reduce execution time

Use specific filters instead of broad searches

Avoid recursive directory searches on large filesystems

Use numeric output to avoid DNS lookups

Performance Monitoring

`bash

Time lsof execution

Monitor lsof resource usage

Limit output for performance

Common Use Cases

System Administration Tasks

`bash

Find why a filesystem won't unmount

Identify processes using excessive file descriptors

Find processes with deleted executables (potential security issue)

Monitor log file access

Development and Debugging

`bash

Debug application file access

Find shared libraries used by a process

Monitor database connections

Find memory leaks (processes with many deleted files)

Network Troubleshooting

`bash

Find what's using a port

Identify connection bottlenecks

Find processes with TIME_WAIT connections

Monitor connection establishment

Troubleshooting

Common Issues and Solutions

#### Permission Denied Errors `bash

Run with sudo for full system visibility

Some files may not be accessible even with sudo

#### Performance Issues `bash

Use more specific filters

Avoid deep directory recursion

#### Output Too Large `bash

Limit output

Filter specific information

Use terse output

Error Messages and Solutions

| Error Message | Cause | Solution | |---------------|-------|----------| | lsof: WARNING: can't stat() file | File permissions or missing file | Use -w to suppress warnings | | lsof: no pwd entry for UID | User doesn't exist in /etc/passwd | Normal for system processes | | lsof: avoiding stat() for path | Performance optimization | Use -s to force stat() |

Best Practices

1. Use Specific Filters: Always use the most specific filters possible to reduce execution time and output volume.

2. Combine with Other Tools: Use lsof output with tools like grep, awk, and sort for better analysis.

3. Regular Monitoring: Set up regular lsof checks for security and performance monitoring.

4. Documentation: Document your lsof commands and their purposes for future reference.

5. Script Integration: Integrate lsof into monitoring scripts for automated system analysis.

Example monitoring script: `bash #!/bin/bash

System monitoring script using lsof

Check for processes with too many open files

Check for unusual network connections

Check for deleted but open files

The lsof command is an essential tool for system administrators, developers, and security professionals. Its ability to provide detailed information about file and network usage makes it invaluable for troubleshooting, monitoring, and security analysis. By mastering its various options and understanding its output format, users can effectively diagnose and resolve a wide range of system issues.