The lsof command in Linux displays in its output information about files that are opened by processes. In this article, we will discuss the Linux lsof tool using 15 easy-to-understand examples. Please note that all examples mentioned in this tutorial have been tested on Ubuntu 20.04 LTS, but they will work on other Linux distributions too like Debian, Fedora, and CentOS.
About lsof Command
If you want to quickly see the name of files that have been opened by a particular process (or all processes), the lsof command lets you do that. An open file could be a regular file or a directory, a library, a special file or block device, a character special file, an executing text reference, or even a stream or a network file. You can also list processes by port number. If you are not logged in as the root user, then you might have to prepend ‘sudo’ to the commands.
Install Linux lsof command
Most Linux distributions come with lsof pre-installed. If it is not installed on your system yet, use the following commands:
On Ubuntu and Debian:
$ sudo apt install lsof
Ond CentOS and Fedora:
$ dnf install lsof
1. How to list all open files
To list all open files, run the lsof command without any arguments:
For example, Here is the screengrab of a part of the output the above command produced on my system:
The first column represents the process while the last column contains the file name. For details on all the columns, head to the command’s man page.
2. How to list files opened by processes belonging to a specific user
The tool also allows you to list files opened by processes belonging to a specific user. This feature can be accessed by using the -u command-line option.
lsof -u [user-name]
lsof -u administrator
3. How to list files based on their Internet address
The tool lets you list files based on their Internet address. This can be done using the -i command-line option. For example, if you want, you can have IPv4 and IPv6 files displayed separately. For IPv4, run the following command:
lsof -i 4
Similarly, for IPv6, run the following command:
lsof -i 6
lsof -i 6
4. How to list all files by application name
The -c command-line option allows you to get all files opened by program name.
$ lsof -c apache
You do not have to use the full program name as all programs that start with the word ‘apache’ are shown. So in our case, it will list all processes of the ‘apache2’ application.
The -c option is basically just a shortcut for the two commands:
$ lsof | grep apache
5. How to list files specific to a process
The tool also lets you display opened files based on process identification (PID) numbers. This can be done by using the -p command-line option.
lsof -p [PID]
lsof -p 856
Moving on, you can also exclude specific PIDs in the output by adding the ^ symbol before them. To exclude a specific PID, you can run the following command:
lsof -p [^PID]
lsof -p ^1
As you can see in the above screenshot, the process with id 1 is excluded from the list.
6. How to list IDs of processes that have opened a particular file
The tool allows you to list IDs of processes that have opened a particular file. This can be done by using the -t command line option.
$ lsof -t [file-name]
$ lsof -t /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.9.0
7. How to list all open files in a directory
If you want, you can also make lsof search for all open instances of a directory (including all the files and directories it contains). This feature can be accessed using the +D command-line option.
$ lsof +D [directory-path]
$ lsof +D /usr/lib/locale
8. How to list all Internet and x.25 (HP-UX) network files
This is possible by using the -i command-line option we described earlier. Just that you have to use it without any arguments.
$ lsof -i
9. Find out which program is using a port
The -i switch of the command allows you to find a process or application which listens to a specific port number. In the example below, I checked which program is using port 80.
$ lsof -i :80
Instead of the port number, you can use the service name as listed in the /etc/services file. Example to check which app listens on the HTTPS (443) port:
$ lsof -i :https
The above examples will check both TCP and UDP. If you like to check for TCP or UDP only, prepend the word ‘tcp’ or ‘udp’. For example, which application is using port 25 TCP:
$ lsof -i tcp:25
or which app uses UDP port 53:
$ lsof -i udp:53
10. How to list open files based on port range
The utility also allows you to list open files based on a specific port or port range. For example, to display open files for port 1-1024, use the following command:
$ lsof -i :1-1024
11. How to list open files based on the type of connection (TCP or UDP)
The tool allows you to list files based on the type of connection. For example, for UDP specific files, use the following command:
$ lsof -i udp
Similarly, you can make lsof display TCP-specific files.
12. How to make lsof list Parent PID of processes
There’s also an option that forces lsof to list the Parent Process IDentification (PPID) number in the output. The option in question is -R.
$ lsof -R
To get PPID info for a specific PID, you can run the following command:
$ lsof -p [PID] -R
$ lsof -p 3 -R
13. How to find network activity by user
By using a combination of the -i and -u command-line options, we can search for all network connections of a Linux user. This can be helpful if you inspect a system that might have been hacked. In this example, we check all network activity of the user www-data:
$ lsof -a -i -u www-data
14. List all memory-mapped files
This command lists all memory-mapped files on Linux.
$ lsof -d mem
15. List all NFS files
The -N option shows you a list of all NFS (Network File System) files.
Although lsof offers a plethora of options, the ones we’ve discussed here should be enough to get you started. Once you’re done practicing with these, head to the tool’s man page to learn more about it. Oh, and in case you have any doubts and queries, drop in a comment below.
Source : HOWTOFORGE