lsof is a powerful utility available for Linux and Unix-based systems which literally stands for ‘list (of) open files’.
Its main function is to retrieve details about various types of files opened up by different running processes. These files can be regular files, directories, block files, network sockets, named pipes, etc.
With lsof, you can find different processes locking up a file or directory, a process listening on a port, a user’s process list, what all files a process is locking. We’ll first cover its installation and then some common usage examples in this article.
Installing lsof
lsof isn’t available by default on most Linux distributions but can be easily installed. Use the below command to install lsof:
CentOS / RHEL / Fedora:
$ sudo yum install lsoffor CentOS/RHEL 8, you can use the DNF command
$ sudo dnf install lsofUbuntu / Debian:
$ sudo apt install lsofGetting Help
You can get a summarised list of lsof supported options using -? or -h flag.
$ lsof -?
lsof 4.87
latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
usage: [-?abhKlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-f[gG]] [+|-e s]
[-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s]
[+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [-Z [Z]] [--] [names]
Defaults in parentheses; comma-separated set (s) items; dash-separated ranges.
-?|-h list help -a AND selections (OR) -b avoid kernel blocks
-c c cmd c ^c /c/[bix] +c w COMMAND width (9) +d s dir s files
-d s select by FD set +D D dir D tree *SLOW?* +|-e s exempt s *RISKY*
-i select IPv[46] files -K list tasKs (threads) -l list UID numbers
-n no host names -N select NFS files -o list file offset
-O no overhead *RISKY* -P no port names -R list paRent PID
-s list file size -t terse listing -T disable TCP/TPI info
-U select Unix socket -v list version info -V verbose search
+|-w Warnings (+) -X skip TCP&UDP* files -Z Z context [Z]
-- end option scan
+f|-f +filesystem or -file names +|-f[gG] flaGs
-F [f] select fields; -F? for help
+|-L [l] list (+) suppress (-) link counts < l (0 = all; default = 0)
+m [m] use|create mount supplement
+|-M portMap registration (-) -o o o 0t offset digits (8)
-p s exclude(^)|select PIDs -S [t] t second stat timeout (15)
-T qs TCP/TPI Q,St (s) info
-g [s] exclude(^)|select and print process group IDs
-i i select by IPv[46] address: [46][proto][@host|addr][:svc_list|port_list]
+|-r [t[m<fmt>]] repeat every t seconds (15); + until no files, - forever.
An optional suffix to t is m<fmt>; m must separate t from <fmt> and
<fmt> is an strftime(3) format for the marker line.
-s p:s exclude(^)|select protocol (p = TCP|UDP) states by name(s).
-u s exclude(^)|select login|UID set s
-x [fl] cross over +d|+D File systems or symbolic Links
names select named files or files on named file systems
Anyone can list all files; /dev warnings disabled; kernel ID check disabled.
$To check detailed installed version information, use:
$ lsof -v
lsof version information:
revision: 4.87
latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
constructed: Tue Oct 30 16:28:19 UTC 2018
constructed by and on: mockbuild@x86-01.bsys.centos.org
compiler: cc
compiler version: 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
compiler flags: -DLINUXV=310000 -DGLIBCV=217 -DHASIPv6 -DHASSELINUX -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE -DHAS_STRFTIME -DLSOF_VSTR="3.10.0" -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
loader flags: -L./lib -llsof -lselinux
system info: Linux x86-01.bsys.centos.org 3.10.0-693.17.1.el7.x86_64 #1 SMP Thu Jan 25 20:13:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Anyone can list all files.
/dev warnings are disabled.
Kernel ID check is disabled.
$Output Fields
lsof output field structure by default is like:
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAMEMost of these fields are self-explanatory except for FD and TYPE fields that are somewhat unique to lsof and will be explored briefly.
FD refers to the File Descriptor number of the file and TYPE refers to the type of the node associated with the file. We’ll now review the supported values for both these fields.
FD field can contain the following values:
cwd current working directory;
Lnn library references (AIX);
err FD information error (see NAME column);
jld jail directory (FreeBSD);
ltx shared library text (code and data);
Mxx hex memory-mapped type number xx.
m86 DOS Merge mapped file;
mem memory-mapped file;
mmap memory-mapped device;
pd parent directory;
rtd root directory;
tr kernel trace file (OpenBSD);
txt program text (code and data);
v86 VP/ix mapped file;FD field is followed by one or more characters describing the mode under which the file is open:
r for read access;
w for write access;
u for read and write access;
space if mode unknown and no lock character follows;
`-' if mode unknown and lock character follows.Mode character for FD then further can be followed by LOCK character whose description is given below:
N for a Solaris NFS lock of unknown type;
r for read lock on part of the file;
R for a read lock on the entire file;
w for a write lock on part of the file;
W for a write lock on the entire file;
u for a read and write lock of any length;
U for a lock of unknown type;
x for an SCO OpenServer Xenix lock on part of the file;
X for an SCO OpenServer Xenix lock on the entire file;
space if there is no lock.Similarly, TYPE field can contain GDIR, GREG, VDIR, VREG, IPV4, IPV6 etc. To get a complete list of supported TYPE in lsof, refer its man page.
Common Usage
Below are some of the popular usage of the lsof command. The command works across Linux variants and all command-line arguments listed below examples should work across all platforms, considering the same lsof version.
List all open files
Running lsof without any options will list all files that are currently open by active processes.
$ sudo lsof | lessOutput:
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root cwd DIR 253,0 224 64 /
systemd 1 root rtd DIR 253,0 224 64 /
systemd 1 root txt REG 253,0 1632776 308905 /usr/lib/systemd/systemd
systemd 1 root mem REG 253,0 20064 16063 /usr/lib64/libuuid.so.1.3.0
systemd 1 root mem REG 253,0 265576 186547 /usr/lib64/libblkid.so.1.1.0
systemd 1 root mem REG 253,0 90248 16051 /usr/lib64/libz.so.1.2.7
systemd 1 root mem REG 253,0 157424 16059 /usr/lib64/liblzma.so.5.2.2
systemd 1 root mem REG 253,0 23968 59696 /usr/lib64/libcap-ng.so.0.0.0
systemd 1 root mem REG 253,0 19896 59686 /usr/lib64/libattr.so.1.1.0
systemd 1 root mem REG 253,0 19248 15679 /usr/lib64/libdl-2.17.so
systemd 1 root mem REG 253,0 402384 16039 /usr/lib64/libpcre.so.1.2.0
systemd 1 root mem REG 253,0 2156272 15673 /usr/lib64/libc-2.17.so
systemd 1 root mem REG 253,0 142144 15699 /usr/lib64/libpthread-2.17.so
systemd 1 root mem REG 253,0 88720 84 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
systemd 1 root mem REG 253,0 43712 15703 /usr/lib64/librt-2.17.so
systemd 1 root mem REG 253,0 277808 229793 /usr/lib64/libmount.so.1.1.0
systemd 1 root mem REG 253,0 91800 76005 /usr/lib64/libkmod.so.2.2.10
systemd 1 root mem REG 253,0 127184 59698 /usr/lib64/libaudit.so.1.0.0
systemd 1 root mem REG 253,0 61680 229827 /usr/lib64/libpam.so.0.83.1
systemd 1 root mem REG 253,0 20048 59690 /usr/lib64/libcap.so.2.22
systemd 1 root mem REG 253,0 155744 16048 /usr/lib64/libselinux.so.1List by filename
To list all processes that have opened a specific file, we can specify file-name as an argument:
$ sudo lsof {file-name}Output:
$ sudo lsof /var/log/messages
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rsyslogd 1000 root 6w REG 253,0 205 16777741 /var/log/messages
$List open files by username
In a multi-user system, you can filter the list of files by specific user-owned processes, using -u flag followed by username.
$ sudo lsof -u {username}Output:
$ sudo lsof -u abhisheknair
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1239 abhisheknair cwd DIR 253,0 224 64 /
sshd 1239 abhisheknair rtd DIR 253,0 224 64 /
sshd 1239 abhisheknair txt REG 253,0 852856 425229 /usr/sbin/sshd
sshd 1239 abhisheknair mem REG 253,0 15488 17204727 /usr/lib64/security/pam_lastlog.so
sshd 1239 abhisheknair mem REG 253,0 15648 229829 /usr/lib64/libpam_misc.so.0.82.0
sshd 1239 abhisheknair mem REG 253,0 309248 17303270 /usr/lib64/security/pam_systemd.so
sshd 1239 abhisheknair mem REG 253,0 19616 17204728 /usr/lib64/security/pam_limits.so
sshd 1239 abhisheknair mem REG 253,0 11168 17204726 /usr/lib64/security/pam_keyinit.so
sshd 1239 abhisheknair mem REG 253,0 40800 17204735 /usr/lib64/security/pam_namespace.soAlternatively, if you want to list files that are opened by any user except a specific one, use -u flag followed by ^username as shown below:
$ sudo lsof -u ^{username}Output:
$ sudo lsof -u ^root
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dbus-daem 630 dbus cwd DIR 253,0 224 64 /
dbus-daem 630 dbus rtd DIR 253,0 224 64 /
dbus-daem 630 dbus txt REG 253,0 223232 50590133 /usr/bin/dbus-daemon
dbus-daem 630 dbus mem REG 253,0 61560 15691 /usr/lib64/libnss_files-2.17.so
dbus-daem 630 dbus mem REG 253,0 68192 59651 /usr/lib64/libbz2.so.1.0.6
dbus-daem 630 dbus mem REG 253,0 90248 16051 /usr/lib64/libz.so.1.2.7
dbus-daem 630 dbus mem REG 253,0 99944 59680 /usr/lib64/libelf-0.176.so
dbus-daem 630 dbus mem REG 253,0 19896 59686 /usr/lib64/libattr.so.1.1.0
dbus-daem 630 dbus mem REG 253,0 402384 16039 /usr/lib64/libpcre.so.1.2.0One way you can use lsof is for situations where you want to kill all processes by a specific user quickly in a single command. We can combine kill with lsof as shown in the below example to achieve this (execute as root):
# kill -9 `lsof -t -u {username}`As seen in the above example, we can use -t flag to filter out all other information except process-id. This can be useful in automation and scripting as shown in the previous example by combining it with kill command.
$ sudo lsof -t -u {username}Output:
$ sudo lsof -t -u abhisheknair
1239
1240
$With lsof, we can combine multiple arguments using OR logic as shown below:
$ sudo lsof -u {username} -c {process-name}Output:
$ sudo lsof -u ftpuser -c bash
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 1240 abhisheknair cwd DIR 253,0 120 510681 /home/abhisheknair
bash 1240 abhisheknair rtd DIR 253,0 224 64 /
bash 1240 abhisheknair txt REG 253,0 964536 50548532 /usr/bin/bash
bash 1240 abhisheknair mem REG 253,0 106172832 50548523 /usr/lib/locale/locale-archive
bash 1240 abhisheknair mem REG 253,0 61560 15691 /usr/lib64/libnss_files-2.17.so
bash 1240 abhisheknair mem REG 253,0 2156272 15673 /usr/lib64/libc-2.17.so
bash 1240 abhisheknair mem REG 253,0 19248 15679 /usr/lib64/libdl-2.17.so
bash 1240 abhisheknair mem REG 253,0 174576 16034 /usr/lib64/libtinfo.so.5.9
bash 1240 abhisheknair mem REG 253,0 163312 15666 /usr/lib64/ld-2.17.so
bash 1240 abhisheknair mem REG 253,0 26970 16003 /usr/lib64/gconv/gconv-modules.cache
bash 1240 abhisheknair 0u CHR 136,0 0t0 3 /dev/pts/0
bash 1240 abhisheknair 1u CHR 136,0 0t0 3 /dev/pts/0
bash 1240 abhisheknair 2u CHR 136,0 0t0 3 /dev/pts/0
bash 1240 abhisheknair 255u CHR 136,0 0t0 3 /dev/pts/0
bash 1425 ftpuser cwd DIR 253,0 182 33578272 /home/ftpuser
bash 1425 ftpuser rtd DIR 253,0 224 64 /
bash 1425 ftpuser txt REG 253,0 964536 50548532 /usr/bin/bash
bash 1425 ftpuser mem REG 253,0 106172832 50548523 /usr/lib/locale/locale-archive
bash 1425 ftpuser mem REG 253,0 61560 15691 /usr/lib64/libnss_files-2.17.so
bash 1425 ftpuser mem REG 253,0 2156272 15673 /usr/lib64/libc-2.17.so
bash 1425 ftpuser mem REG 253,0 19248 15679 /usr/lib64/libdl-2.17.so
bash 1425 ftpuser mem REG 253,0 174576 16034 /usr/lib64/libtinfo.so.5.9
bash 1425 ftpuser mem REG 253,0 163312 15666 /usr/lib64/ld-2.17.so
bash 1425 ftpuser mem REG 253,0 26970 16003 /usr/lib64/gconv/gconv-modules.cache
bash 1425 ftpuser 0u CHR 4,1 0t0 1043 /dev/tty1
bash 1425 ftpuser 1u CHR 4,1 0t0 1043 /dev/tty1
bash 1425 ftpuser 2u CHR 4,1 0t0 1043 /dev/tty1
bash 1425 ftpuser 255u CHR 4,1 0t0 1043 /dev/tty1
$Alternatively, if you want to use AND logic condition use -a flag.
$ sudo lsof -u {username} -c {process-name} -aOutput:
$ sudo lsof -u ftpuser -c bash -a
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 1425 ftpuser cwd DIR 253,0 182 33578272 /home/ftpuser
bash 1425 ftpuser rtd DIR 253,0 224 64 /
bash 1425 ftpuser txt REG 253,0 964536 50548532 /usr/bin/bash
bash 1425 ftpuser mem REG 253,0 106172832 50548523 /usr/lib/locale/locale-archive
bash 1425 ftpuser mem REG 253,0 61560 15691 /usr/lib64/libnss_files-2.17.so
bash 1425 ftpuser mem REG 253,0 2156272 15673 /usr/lib64/libc-2.17.so
bash 1425 ftpuser mem REG 253,0 19248 15679 /usr/lib64/libdl-2.17.so
bash 1425 ftpuser mem REG 253,0 174576 16034 /usr/lib64/libtinfo.so.5.9
bash 1425 ftpuser mem REG 253,0 163312 15666 /usr/lib64/ld-2.17.so
bash 1425 ftpuser mem REG 253,0 26970 16003 /usr/lib64/gconv/gconv-modules.cache
bash 1425 ftpuser 0u CHR 4,1 0t0 1043 /dev/tty1
bash 1425 ftpuser 1u CHR 4,1 0t0 1043 /dev/tty1
bash 1425 ftpuser 2u CHR 4,1 0t0 1043 /dev/tty1
bash 1425 ftpuser 255u CHR 4,1 0t0 1043 /dev/tty1
$List open files by process
We can also list files opened by a particular process by using -c option followed by the process name.
$ sudo lsof -c {process-name}Output:
$ sudo lsof -c ssh
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 997 root cwd DIR 253,0 224 64 /
sshd 997 root rtd DIR 253,0 224 64 /
sshd 997 root txt REG 253,0 852856 425229 /usr/sbin/sshd
sshd 997 root mem REG 253,0 61560 15691 /usr/lib64/libnss_files-2.17.so
sshd 997 root mem REG 253,0 68192 59651 /usr/lib64/libbz2.so.1.0.6
sshd 997 root mem REG 253,0 99944 59680 /usr/lib64/libelf-0.176.so
sshd 997 root mem REG 253,0 19896 59686 /usr/lib64/libattr.so.1.1.0
sshd 997 root mem REG 253,0 15688 75906 /usr/lib64/libkeyutils.so.1.5
sshd 997 root mem REG 253,0 67104 186525 /usr/lib64/libkrb5support.so.0.1List open files by PID
Alternatively, to list files opened by a process but instead of process-name you want to specify its ID, you can use -p flag followed by process-id.
$ sudo lsof -p {process-id}Output:
$ sudo lsof -p 663
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
firewalld 663 root cwd DIR 253,0 224 64 /
firewalld 663 root rtd DIR 253,0 224 64 /
firewalld 663 root txt REG 253,0 7144 50491220 /usr/bin/python2.7
firewalld 663 root mem REG 253,0 298828 50617647 /usr/lib64/girepository-1.0/NM-1.0.typelib
firewalld 663 root mem REG 253,0 343452 50507562 /usr/lib64/girepository-1.0/Gio-2.0.typelib
firewalld 663 root mem REG 253,0 12352 17202092 /usr/lib64/python2.7/lib-dynload/grpmodule.so
firewalld 663 root mem REG 253,0 29184 17202105 /usr/lib64/python2.7/lib-dynload/selectmodule.so
firewalld 663 root mem REG 253,0 168312 388240 /usr/lib64/libdbus-glib-1.so.2.2.2
firewalld 663 root mem REG 253,0 11976 34028597 /usr/lib64/python2.7/site-packages/_dbus_glib_bindings.so
firewalld 663 root mem REG 253,0 185712 50507559 /usr/lib64/girepository-1.0/GLib-2.0.typelib- If you want to list every open file except for the ones opened by a particular process, use
-pfollowed by^process-id.
$ sudo lsof -p ^{process-id}List open files containing directory
To list processes that opened files under a specific directory, use +D option followed by directory path.
$ sudo lsof +D {path}Output:
$ sudo lsof +D /var/log
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
auditd 607 root 5w REG 253,0 1065095 425227 /var/log/audit/audit.log
firewalld 663 root 3w REG 253,0 13817 17663786 /var/log/firewalld
tuned 999 root 3w REG 253,0 13395 33574994 /var/log/tuned/tuned.log
rsyslogd 1000 root 6w REG 253,0 4302 16777753 /var/log/cron
rsyslogd 1000 root 7w REG 253,0 64740 16777755 /var/log/messages
rsyslogd 1000 root 8w REG 253,0 5513 16787904 /var/log/secure
rsyslogd 1000 root 9w REG 253,0 198 16777754 /var/log/maillog
$If you don’t want to recursively list files inside sub-directories, use -d flag followed by directory path.
$ sudo lsof +d {path}Output:
$ sudo lsof +d /var/log
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
firewalld 663 root 3w REG 253,0 13817 17663786 /var/log/firewalld
rsyslogd 1000 root 6w REG 253,0 4302 16777753 /var/log/cron
rsyslogd 1000 root 7w REG 253,0 64740 16777755 /var/log/messages
rsyslogd 1000 root 8w REG 253,0 5833 16787904 /var/log/secure
rsyslogd 1000 root 9w REG 253,0 198 16777754 /var/log/maillog
$Repeat mode
lsof can be run in repeat mode. In repeat mode, lsof will generate and print output at regular intervals. Again, there are two repeat modes supported by lsof, i.e., with -r and +r flags. With -r flag, lsof repeats to execute until it receives an interrupt/kill signal from the user while with +r flag, lsof repeat mode will end as soon as its output has no open files. Additionally, we can specify time delay with -r or +r flag.
$ sudo lsof {arguments} -r{time-interval}Output:
$ sudo lsof -u ftpuser -c bash +D /usr/lib -a -r3
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 1425 ftpuser mem REG 253,0 106172832 50548523 /usr/lib/locale/locale-archive
=======
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 1425 ftpuser mem REG 253,0 106172832 50548523 /usr/lib/locale/locale-archive
=======
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 1425 ftpuser mem REG 253,0 106172832 50548523 /usr/lib/locale/locale-archive
=======List open files with network protocol
lsof supports the listing of any type of Linux files which includes network sockets etc. As such we can list details of open network connections using -i flag.
$ sudo lsof -iOutput:
$ sudo lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chronyd 639 chrony 5u IPv4 14333 0t0 UDP localhost:323
chronyd 639 chrony 6u IPv6 14334 0t0 UDP localhost:323
sshd 997 root 3u IPv4 17330 0t0 TCP *:ssh (LISTEN)
sshd 997 root 4u IPv6 17339 0t0 TCP *:ssh (LISTEN)
master 1229 root 13u IPv4 18129 0t0 TCP localhost:smtp (LISTEN)
master 1229 root 14u IPv6 18130 0t0 TCP localhost:smtp (LISTEN)
sshd 1235 root 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
sshd 1239 abhisheknair 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
$To list all network connections in use by a specific process-id, you can use lsof as:
$ sudo lsof -i -a -p {process-id}Output:
$ sudo lsof -i -a -p 997
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 997 root 3u IPv4 17330 0t0 TCP *:ssh (LISTEN)
sshd 997 root 4u IPv6 17339 0t0 TCP *:ssh (LISTEN)
$Or to list all network connections in use by a specific process, we can give process-name as:
$ sudo lsof -i -a -c {process-name}Output:
$ sudo lsof -i -a -c ssh
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 997 root 3u IPv4 17330 0t0 TCP *:ssh (LISTEN)
sshd 997 root 4u IPv6 17339 0t0 TCP *:ssh (LISTEN)
sshd 1235 root 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
sshd 1239 abhisheknair 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
$We can filter the output of lsof with -i flag by network protocol type, i.e., TCP or UDP by specifying the protocol type.
$ sudo lsof -i {protocol}Output:
$ sudo lsof -i tcp
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 997 root 3u IPv4 17330 0t0 TCP *:ssh (LISTEN)
sshd 997 root 4u IPv6 17339 0t0 TCP *:ssh (LISTEN)
master 1229 root 13u IPv4 18129 0t0 TCP localhost:smtp (LISTEN)
master 1229 root 14u IPv6 18130 0t0 TCP localhost:smtp (LISTEN)
sshd 1235 root 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
sshd 1239 abhisheknair 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
$OR
Output:
$ sudo lsof -i udp
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chronyd 639 chrony 5u IPv4 14333 0t0 UDP localhost:323
chronyd 639 chrony 6u IPv6 14334 0t0 UDP localhost:323
$List open files by port
We can also filter the output of lsof with -i flag by port number using command syntax as below:
$ sudo lsof -i :{port-number}Output:
$ sudo lsof -i :22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 997 root 3u IPv4 17330 0t0 TCP *:ssh (LISTEN)
sshd 997 root 4u IPv6 17339 0t0 TCP *:ssh (LISTEN)
sshd 1235 root 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
sshd 1239 abhisheknair 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
$List open files by IPv4/IPv6
There’s an option to filter network connections listing by limiting it to either IPv4 or IPv6. Use below command syntax to get only IP v4 listing:
$ sudo lsof -i4Output:
$ sudo lsof -i4
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chronyd 639 chrony 5u IPv4 14333 0t0 UDP localhost:323
sshd 997 root 3u IPv4 17330 0t0 TCP *:ssh (LISTEN)
master 1229 root 13u IPv4 18129 0t0 TCP localhost:smtp (LISTEN)
sshd 1235 root 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
sshd 1239 abhisheknair 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
$OR to get only IPv6 details, use:
$ sudo lsof -i6Output:
$ sudo lsof -i6
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chronyd 639 chrony 6u IPv6 14334 0t0 UDP localhost:323
sshd 997 root 4u IPv6 17339 0t0 TCP *:ssh (LISTEN)
master 1229 root 14u IPv6 18130 0t0 TCP localhost:smtp (LISTEN)
$List open files on NFS
lsof can also list all NFS files currently open by a user.
$ sudo lsof -N -u abhisheknair -aList locked deleted files
Sometimes it happens that files are deleted in Linux but still are being locked by one or more processes. As such, those files don’t list on normal file system listing using ls command etc. but they still consume disk space as reported by df output, this happens especially for large files deleted on purpose to clear disk space without releasing the process lock. You can find such processes using lsof as:
$ sudo lsof {path} | grep deletedOutput:
$ sudo lsof / | grep deleted
firewalld 654 root 8u REG 253,0 4096 16777726 /tmp/#16777726 (deleted)
tuned 968 root 8u REG 253,0 4096 16777720 /tmp/#16777720 (deleted)
$Conclusion
lsof offers a range of options to customize its output according to your needs. It’s a useful utility in day-to-day system and network administration tasks. The ability to combine different arguments together makes it all the more useful and allows you to get the required output easily. Refer lsof man page to learn all supported arguments and their usage.
$ man lsof