Introduction
The lsof command stands for LiSt Open Files and shows open files and which process uses them. Since Linux sees every object as a file, such as devices, directories, etc., unidentified open files prevent users from modifying them.
Additionally, the sheer number of files makes it difficult to find malicious processes. The lsof command helps identify these processes so you can terminate them.
This article will explain how to use the lsof command in Linux with examples.
Prerequisites
- Access to the terminal.
- Sudo group privileges.
- Root privileges for some commands.
lsof Command Syntax
The lsof command syntax is:
lsof [options]
Note: For most commands, run lsof with sudo to avoid "permission denied" errors.
lsof Command Options
The lsof command has many options. The table below includes the arguments that are used most often:
Option | Description |
---|---|
lsof | Lists all open files. |
-b | Suppresses kernel blocks. |
/[file system]/ | Shows open files in a particular file system. |
/dev/tty* | Displays files associated with the terminal. |
-u [username] | Prints all files opened by a user. |
-u ^[username] | Prints all files opened by everyone except a specific user. |
-c [process] | Lists all files accessed by a particular process. |
-p [process ID] | Shows all open files associated with a specific process ID. |
-p ^[process ID] | Shows files opened by all other PIDs. |
-R | Lists parent process IDs. |
+D [directory path] | Prints all open files in a directory. |
-i | Displays all files accessed by network connections. |
-i [IP version number] | Filters files based on their IP. |
-i [udp or tcp] | Filters open files based on the connection type (TCP or UDP). |
-i :[port number] | Finds processes running on a specific port. |
-i :[port range] | Finds processes running on specific port ranges. |
-t [file name] | Lists IDs of processes that have accessed a particular file. |
# kill -9 $(lsof -t -u [user]) | Kills all user processes. |
-d mem | Shows all memory-mapped files. |
[path] | grep deleted | Prints locked deleted files. |
man | Opens the man page. |
lsof Command Examples
lsof incorporates different arguments allowing users to manage system and network administration activities. Outlined below are the most common lsof use cases.
List All Files
When run without any options, lsof lists all files opened by any process:
sudo lsof
The lsof command outputs a lot of details. Therefore, always pipe lsof into less to display the output one page at a time.
sudo lsof | less
To navigate to the bottom of the list, hit Enter or down arrow. Exit the list with Q.
The lsof output consists of different columns. However, not all columns apply to every type of file. The header looks like this:
The default columns in the lsof output are:
- COMMAND - Refers to the command associated with the process that opened the file.
- PID - The process identification number of the process running the file.
- TID - Represents a task identification number for the respective process. It is blank if a process, not a task, has opened the file.
- TASKCMD - Refers to the command name in the first column. However, TASKCMD can differ when a task changes its command name.
- USER - Names the user executing the process. The column contains the User ID or name.
- FD - Is the file descriptor the process uses to associate with the file.
- TYPE - Shows the type of file and its identification number.
- DEVICE - Prints device numbers related to the file.
- SIZE/OFF - Shows the size of the file or its offset during runtime.
- NODE - The local file's node number or inode number of the directory/parent directory.
- NAME - Shows the path or link to the file.
Conceal Kernel Blocks
The default lsof output also includes files that are opened by the kernel. To suppress kernel blocks, run lsof with the -b flag:
sudo lsof -b
Display Files of a Specific Filesystem
Use the lsof command to show open files in a particular file system:
sudo lsof /[file system]/
For example, to see all open files in the sys directory, run:
sudo lsof /sys/
Print Terminal Files
List all open files connected to the terminal by targeting the dev directory with lsof:
lsof /dev/tty*
Show All Files Accessed by a User
Use lsof with a -u flag to display files opened by a specific user:
sudo lsof -u [username]
For example:
lsof -u saraz
The command lists files opened by saraz.
To print all files opened by everyone except a specific user, run:
sudo lsof -u ^[username]
For instance:
lsof -u ^saraz
The output shows files controlled by users other than saraz.
Display Files Used by a Process
The -c flag lists all files used by a process:
sudo lsof -c [process]
For example, to list files opened by the wpa_suppl process, run:
sudo lsof -c wpa_suppl
Another option is to use only a part of the program name:
sudo lsof -c wpa
lsof returns all programs starting with the term wpa, which includes wpa_suppl.
Moreover, the -c option gives the same output as piping lsof with grep:
sudo lsof | grep wpa_suppl
Print Files Opened by a Specific PID
Use the -p option to filter specific files by the Process ID number (PID). For example, the command below shows all files opened by the process with PID 635.
sudo lsof -p 635
On the other hand, add a caret ^ symbol to print files opened by all other processes:
sudo lsof -p ^635
Additionally, combining lsof with the -R flag adds the Parent Process Identification Number (PPID) to the output.
To get PPID info for a specific PID, execute:
sudo lsof -p [PID] -R
For example, to get the PPID for the 635 PID, type:
sudo lsof -p 635 -R
The output shows the PPID column added to the header.
Show Files Under a Directory
To see all files that have been opened under a directory, use the following command:
sudo lsof +D [directory path]
This option also recurses into subdirectories. To avoid recursing, use the +d flag.
Show Files Accessed by Network Connections
Use the -i flag with lsof to check which files are opened by a network connection. Execute this command:
sudo lsof -i
The example above prints files open by a network connection, regardless of the connection type.
The -i flag adds a lot of versatility to lsof, allowing users to filter files based on different criteria. Use lsof -i [options] to:
- Filter files based on their IP with:
sudo lsof -i [IP version number]
For example, run this command to display only IPv4 files:
sudo lsof -i 4
On the contrary, print only IPv6 files with:
sudo lsof -i 6
- See only files that use a TCP or UDP connection by providing the protocol type:
sudo lsof -i [udp or tcp]
- Find processes running on a specific port. This option is useful to check which process is preventing another app from binding to a specific port. Execute the command with the port number or service name from the name column:
sudo lsof -i :[port number/name]
- Print all files open on specific port ranges.
For instance, to list open files of the UDP port range 1-1024, run:
List IDs of Processes Holding Open Files
To see PIDs for processes that have opened a particular file, use -t and provide the file name.
lsof -t [file name]
Kill All User’s Processes
Combined with kill, the -t flag also terminates all processes of a specific user. For example, to kill all processes by user notsara, execute this command as root:
# kill -9 $(lsof -t -u notsara)
Print All Memory-Mapped Files
lsof prints which processes have memory-mapped files. To show these processes, run:
lsof -d mem
Display Locked Deleted Files
A process sometimes keeps big files locked even after they have been deleted, consuming disk space.
Use lsof to find files that are deleted in Linux but are still locked by one or more processes.
For example, find deleted files from the root directory using a slash (/) as a path symbol:
sudo lsof [path] | grep deleted
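A stricter version of the grep filter above, as an added example that is not part of the original article: it reads lsof's field output (-F pcfsn prints PID, command, file descriptor, size and name on separate lines) and keeps only names that end in " (deleted)". The sample input and the function names are constructed for illustration.

```bash
# Added example: list files that are deleted but still held open.
# Feed it lsof field output, e.g.:  sudo lsof -F pcfsn / | deleted_open_files

# Constructed sample of `lsof -F pcfsn` output (not from a real host).
sample_fields() {
cat <<'EOF'
p812
crsyslogd
f7
s524288000
n/var/log/syslog.1 (deleted)
p2040
cjava
f12
s2097152
n/tmp/upload-71.tmp (deleted)
f13
s1024
n/srv/app/deleted_items.db
p3155
cupdater
ftxt
s845312
n/usr/local/bin/updater (deleted)
EOF
}

# Print tab-separated PID, COMMAND, FD, BYTES, PATH for each open file whose
# name ends in " (deleted)". Matching the suffix skips deleted_items.db,
# which a plain `grep deleted` would report.
deleted_open_files() {
  awk -v OFS='\t' '
    /^p/ { pid = substr($0, 2); next }
    /^c/ { cmd = substr($0, 2); next }
    /^f/ { fd = substr($0, 2); size = 0; next }
    /^s/ { size = substr($0, 2); next }
    /^n/ { name = substr($0, 2)
           if (sub(/ \(deleted\)$/, "", name)) print pid, cmd, fd, size, name }
  '
}

# Total bytes of disk space still pinned by deleted files.
deleted_bytes() {
  deleted_open_files | awk -F'\t' '{ t += $4 } END { printf "%d\n", t }'
}

sample_fields | deleted_open_files
```

An FD of txt, as in the last sample row, means the deleted file is the program text of the running process itself.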
Combine Multiple Options
The lsof command allows multiple search items on the command line. Use AND and OR logic to combine different arguments to get specific results. Below are the most common examples.
- List files open by a particular user or process with:
sudo lsof -u [username] -c [process]
The output prints both files opened by the user saraz and those used by the process snapd.
- Display only files that match the first search term and the second search term with the logical operator -a (and):
sudo lsof -u [username] -c [process] -a
In this case, lsof shows only files opened by the user saraz and the bash process.
- Find all network connections of a user:
sudo lsof -i -u [username] -a
The -i and -a flags with the lsof command print all activity of the user root.
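Building on the -i filters and the -a combination above, this added example (not from the original article) turns lsof's listener output into a short audit of TCP sockets that other hosts can reach. It assumes the lsof options -n and -P (numeric addresses and ports) and -sTCP:LISTEN (listening sockets only); the sample output, the allowlist and the function names are constructed.

```bash
# Added example: flag TCP listeners reachable from other hosts.
# Real use:  sudo lsof -nP -iTCP -sTCP:LISTEN | exposed_listeners 22 443

# Constructed sample of that command's output (not from a real host).
sample_listeners() {
cat <<'EOF'
COMMAND   PID     USER FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd      812     root 3u  IPv4  21234      0t0  TCP *:22 (LISTEN)
postgres 1440 postgres 5u  IPv4  30112      0t0  TCP 127.0.0.1:5432 (LISTEN)
cupsd    1502     root 7u  IPv6  30990      0t0  TCP [::1]:631 (LISTEN)
nginx    2210 www-data 6u  IPv4  41877      0t0  TCP *:443 (LISTEN)
python3  3391    saraz 4u  IPv4  52260      0t0  TCP *:8000 (LISTEN)
redis    3520    redis 6u  IPv4  53001      0t0  TCP 10.0.0.5:6379 (LISTEN)
EOF
}

# Print "PORT COMMAND PID USER ADDRESS" for listeners that are not bound to
# loopback and whose port is not in the allowlist passed as arguments.
exposed_listeners() {
  awk -v allow=" $* " '
    $NF != "(LISTEN)" { next }            # skips the header and non-listeners
    {
      addr = $(NF - 1)                    # e.g. *:22 or [::1]:631
      port = addr; sub(/^.*:/, "", port)  # text after the last colon
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (host ~ /^127\./ || host == "[::1]") next
      if (index(allow, " " port " ")) next
      print port, $1, $2, $3, host
    }
  '
}

sample_listeners | exposed_listeners 22 443
```

On the sample, the unexpected python3 listener on port 8000 and the redis instance bound to a routable address are the two rows reported.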
Learn More About lsof
The lsof command has more options than any other Linux command. The man page is almost 2000 lines long and offers a lot of information.
To explore the command's possibilities, run:
man lsof
Conclusion
This tutorial shows you how to use the lsof command for troubleshooting potential security and system problems with practical examples.