Cyberithub

41 Best Linux lsof command examples (How to Identify Open Files)

Table of Contents

Advertisements

In this article I will take you through 41 Linux lsof command examples. lsof command is a very useful utility to find out the List of current open files. It will provide complete information about command or process which opens a List of files. You can also monitor the active TCP and UDP Network Connections using lsof command. We will go through multiple examples of lsof command in below sections.

SYNOPSIS

lsof [ -?abChlnNOPRtUvVX ] [ -A A ] [ -c c ] [ +c c ] [ +|-d d ] [ +|-D D ] [ +|-e s ] [ +|-f [cfgGn] ] [ -F [f] ] [ -g [s] ] [ -i [i] ] [ -k k ] [ -K k ] [
+|-L [l] ] [ +|-m m ] [ +|-M ] [ -o [o] ] [ -p s ] [ +|-r [t[m<fmt>]] ] [ -s [p:s] ] [ -S [t] ] [ -T [t] ] [ -u s ] [ +|-w ] [ -x [fl] ] [ -z [z] ] [ -Z [Z]
] [ -- ] [names]

41 Best Linux lsof command examples (How to Identify Open Files) 1

Linux lsof command examples

Also Read: 52 Useful cut command in Linux/Unix with Examples for Beginners

Example 1: How to check lsof command version

If you want to check lsof command version then you need to use lsof -v command as shown below. As you can see from below output, current lsof command version is 4.87.

[root@localhost ~]# lsof -v
lsof version information:
revision: 4.87
latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
constructed: Tue Oct 30 16:28:19 UTC 2018
constructed by and on: mockbuild@x86-01.bsys.centos.org
compiler: cc
compiler version: 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
compiler flags: -DLINUXV=310000 -DGLIBCV=217 -DHASIPv6 -DHASSELINUX -D_FILE_ OFFSET_BITS=64 -D_LARGEFILE64_SOURCE -DHAS_STRFTIME -DLSOF_VSTR="3.10.0" -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --para m=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
loader flags: -L./lib -llsof -lselinux
system info: Linux x86-01.bsys.centos.org 3.10.0-693.17.1.el7.x86_64 #1 SMP Thu Jan 25 20:13:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Anyone can list all files.
/dev warnings are disabled.
Kernel ID check is disabled.

-v : selects the listing of lsof version information. More on lsof command Man Page.

NOTE:

Please note that here I am using root user to run all the below commands.You can use any user with sudo access to run all these commands. For more information Please check Step by Step: How to Add User to Sudoers to provide sudo access to the User.

Example 2: How to Identify Open Files Using lsof command in Linux

You can simply run lsof command to check the List of Open files and other important information like User, Type, FD, Device, Name etc related to those files as shown below.

[root@localhost ~]# lsof
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE            NAME
systemd 1       root cwd DIR 253,0     235    64              /
systemd 1       root rtd DIR 253,0     235    64              /
systemd 1       root txt REG 253,0  1628560 100824723 /usr/lib/systemd/systemd
systemd 1       root mem REG 253,0    20064   1415    /usr/lib64/libuuid.so.1.3.0
systemd 1       root mem REG 253,0    265576  1425    /usr/lib64/libblkid.so.1.1.0
systemd 1       root mem REG 253,0    90248   40171   /usr/lib64/libz.so.1.2.7
systemd 1       root mem REG 253,0    157424  57646   /usr/lib64/liblzma.so.5.2.2
systemd 1       root mem REG 253,0    23968   73073   /usr/lib64/libcap-ng.so.0.0.0
systemd 1       root mem REG 253,0    19896   57503   /usr/lib64/libattr.so.1.1.0
systemd 1       root mem REG 253,0    19248   147331  /usr/lib64/libdl-2.17.so
systemd 1       root mem REG 253,0    402384  57519   /usr/lib64/libpcre.so.1.2.0
systemd 1       root mem REG 253,0    2156240 113520  /usr/lib64/libc-2.17.so
systemd 1       root mem REG 253,0    142144  1395    /usr/lib64/libpthread-2.17.so
systemd 1       root mem REG 253,0    88776   1376    /usr/lib64/libgcc_s-4.8.5-20150702.so.1
systemd 1       root mem REG 253,0    43712   414376  /usr/lib64/librt-2.17.so

Example 3: How to Find out who is using a file using lsof command in Linux

If you want to find out who is using a file then you can simply query that file with lsof command as shown below. In this example, we are trying to find out who is using the file /bin/bash using lsof /bin/bash command. As you can see from below output root user is currently using those files.

[root@localhost ~]# lsof /bin/bash
COMMAND  PID  USER FD  TYPE DEVICE SIZE/OFF NODE      NAME
ksmtuned 788  root txt REG  253,0  964536   100766285 /usr/bin/bash
bash     1775 root txt REG  253,0  964536   100766285 /usr/bin/bash

Example 4: How to find Files Open by a Linux Process 

If you want to find files open by a Linux process then you need to use -p option with lsof command as shown below. In this example we are trying to find all the files opened by a Process ID(PID) 1196 using lsof -p 1196 command.

[root@localhost ~]# lsof -p 1196
COMMAND PID  USER FD  TYPE DEVICE SIZE/OFF NODE    NAME
sshd    1196 root cwd DIR  253,0    235    64       /
sshd    1196 root rtd DIR  253,0    235    64       /
sshd    1196 root txt REG  253,0   852856  234221  /usr/sbin/sshd
sshd    1196 root mem REG  253,0   61560   219022  /usr/lib64/libnss_files-2.17.so
sshd    1196 root mem REG  253,0   68192   57656   /usr/lib64/libbz2.so.1.0.6
sshd    1196 root mem REG  253,0   99952   1433    /usr/lib64/libelf-0.176.so
sshd    1196 root mem REG  253,0   19896   57503   /usr/lib64/libattr.so.1.1.0
sshd    1196 root mem REG  253,0   15688   57530   /usr/lib64/libkeyutils.so.1.5
sshd    1196 root mem REG  253,0   67104   113316  /usr/lib64/libkrb5support.so.0.1
sshd    1196 root mem REG  253,0   11392   1388    /usr/lib64/libfreebl3.so
sshd    1196 root mem REG  253,0   251792  1378    /usr/lib64/libnspr4.so
sshd    1196 root mem REG  253,0   20040   33477   /usr/lib64/libplc4.so
sshd    1196 root mem REG  253,0   15744   33478   /usr/lib64/libplds4.so
sshd    1196 root mem REG  253,0   198968  33480   /usr/lib64/libnssutil3.so
sshd    1196 root mem REG  253,0   1257728 17608   /usr/lib64/libnss3.so
sshd    1196 root mem REG  253,0   168336  17609   /usr/lib64/libsmime3.so
sshd    1196 root mem REG  253,0   370584  17610   /usr/lib64/libssl3.so

-p : excludes or selects the listing of files for the processes whose optional process IDentification (PID) numbers are in the comma-separated set. More on lsof command Man Page.

Example 5: How to Know which directories are being used by a Process in Linux

If you want to check all the directories and files in depth used by a process in Linux then you need to use +D option with lsof command as shown below. In this example, we are trying to check all the files and directories used by /var/log using lsof +D /var/log command.

[root@localhost ~]# lsof +D /var/log
COMMAND   PID  USER FD TYPE DEVICE SIZE/OFF NODE            NAME
auditd    721  root 5w REG  253,0  6685061 101331972 /var/log/audit/audit.log
firewalld 793  root 3w REG  253,0  4903    67146826  /var/log/firewalld
tuned     1192 root 3w REG  253,0  58277   67527610  /var/log/tuned/tuned.log
rsyslogd  1197 root 6w REG  253,0  155     73116760  /var/log/messages
rsyslogd  1197 root 7w REG  253,0  464     73116758  /var/log/cron

+D : causes lsof to search for all open instances of directory D and all the files and directories it contains to its complete depth. More on lsof command Man Page.

Example 6: How to List all the Process related to a Mount Point using lsof command

You can also list all the open files using a specific mount point using lsof command. In this example, we are checking all the process related to mount point /run using lsof /run command as shown below.

[root@localhost ~]# lsof /run
COMMAND   PID  USER FD  TYPE DEVICE SIZE/OFF NODE   NAME
systemd   1    root 22u FIFO  0,19    0t0    12342 /run/systemd/initctl/fifo
systemd   1    root 33u FIFO  0,19    0t0    12676 /run/dmeventd-server
systemd   1    root 34u FIFO  0,19    0t0    12677 /run/dmeventd-client
systemd-j 541  root mem REG   0,19   8388608 7747  /run/log/journal/f1c1e83465fa4dd2b7e3d295527d29a5/system.journal
systemd-j 541  root mem REG   0,19     8     7742  /run/systemd/journal/kernel-seqnum
systemd-j 541  root 13u REG   0,19   8388608 7747  /run/log/journal/f1c1e83465fa4dd2b7e3d295527d29a5/system.journal
lvmetad   558  root 4wW REG   0,19     4     13320 /run/lvmetad.pid
systemd-l 752  root 18r FIFO  0,19    0t0    22271 /run/systemd/sessions/1.ref
rpcbind   756  rpc  4r  REG   0,19     0     16967 /run/rpcbind.lock
rsyslogd  1197 root mem REG   0,19   8388608 7747  /run/log/journal/f1c1e83465fa4dd2b7e3d295527d29a5/system.journal
rsyslogd  1197 root 5r  REG   0,19   8388608 7747  /run/log/journal/f1c1e83465fa4dd2b7e3d295527d29a5/system.journal
libvirtd  1202 root 4ww REG   0,19     4     20500 /run/libvirtd.pid
libvirtd  1202 root 21u REG   0,19     0     20668 /run/libvirt/network/nwfilter.leases
crond     1218 root 3uW REG   0,19     5     20387 /run/crond.pid
sshd      1772 root 6w  FIFO  0,19    0t0    22271 /run/systemd/sessions/1.ref

Example 7: How to Check All the Files Opened by a Specific User

If you want to check all the files opened by a specific user then you need to use -u option with lsof command in Linux as shown below. In this example, we are trying to check all the files opened by user postfix using lsof -u postfix command.

[root@localhost ~]# lsof -u postfix
COMMAND PID   USER   FD   TYPE  DEVICE  SIZE/OFF NODE            NAME
pickup 1607 postfix cwd   DIR    253,0    201    33947528  /var/spool/postfix
pickup 1607 postfix rtd   DIR    253,0    235     64            /
pickup 1607 postfix txt   REG    253,0  285160   33947461  /usr/libexec/postfix/pickup
pickup 1607 postfix mem   REG    253,0  61560    219022    /usr/lib64/libnss_files-2.17.so
pickup 1607 postfix mem   REG    253,0  155744   1410      /usr/lib64/libselinux.so.1
pickup 1607 postfix mem   REG    253,0  15688    57530     /usr/lib64/libkeyutils.so.1.5
pickup 1607 postfix mem   REG    253,0  11392    1388      /usr/lib64/libfreebl3.so
pickup 1607 postfix mem   REG    253,0  88776    1376      /usr/lib64/libgcc_s-4.8.5-20150702.so.1
pickup 1607 postfix mem   REG    253,0  43712    414376    /usr/lib64/librt-2.17.so
pickup 1607 postfix mem   REG    253,0  67104    113316    /usr/lib64/libkrb5support.so.0.1
pickup 1607 postfix mem   REG    253,0  15856    1429      /usr/lib64/libcom_err.so.2.1
pickup 1607 postfix mem   REG    253,0  210784   113308    /usr/lib64/libk5crypto.so.3.1
pickup 1607 postfix mem   REG    253,0  967760   113314    /usr/lib64/libkrb5.so.3.3
pickup 1607 postfix mem   REG    253,0  320720   57582     /usr/lib64/libgssapi_krb5.so.2.2
pickup 1607 postfix mem   REG    253,0  40600    147273    /usr/lib64/libcrypt-2.17.so
pickup 1607 postfix mem   REG    253,0  991616   40146     /usr/lib64/libstdc++.so.6.0.19

-u : selects the listing of files for the user whose login names or user ID numbers are in the comma-separated set. More on lsof command Man Page.

Example 8: How to List Process ID's of all the Files opened by a Specific User

If you want to list the Process ID(PID) of all the processes started by a specific user then you need to use -t option with lsof command as shown below. In this example, we are trying to check the PID of all the files opened by user postfix using lsof -t -u postfix command.

[root@localhost ~]# lsof -t -u postfix
1608
2775

-t : specifies that lsof should produce terse output with process identifiers only and no header. More on lsof command Man Page.

Example 9: How to List Process ID's of all the Files using directory /run

If you want simply know the Process ID(PID) of all the files using some directory then you need to use -t option with lsof command as shown below. In this example, we are trying to check the Process ID of all the open files using directory /run with the help of lsof -t /run command.

[root@localhost ~]# lsof -t /run
1
541
558
752
756
1197
1202
1218
1772

Example 10: How to Find out a Process Listening on a Specific Port

If you want to find out a process listening on a specific Port then you need to use -i option with lsof command as shown below. In this example, we are trying to find out all the processes listening on Port 22 using lsof -i TCP:22 command.

[root@localhost ~]# lsof -i TCP:22
COMMAND PID  USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd    1196 root 3u IPv4 20091    0t0    TCP  *:ssh (LISTEN)
sshd    1196 root 4u IPv6 20100    0t0    TCP  *:ssh (LISTEN)
sshd    1772 root 3u IPv4 22159    0t0    TCP  server1.example.com:ssh->192.168.0.102:31776 (ESTABLISHED)

-i : selects the listing of files any of whose Internet address matches the address specified in i. More on lsof command Man Page.

Example 11: How to List All the Processes Running on a Range of Ports

If you want to list all the processes running on a range of TCP Ports then you need to use -i option with lsof command as shown below. In this example we are trying to list all the processes running on a range of TCP ports from 22-300 using lsof -i TCP:22-300 command as shown below.

[root@localhost ~]# lsof -i TCP:22-300
COMMAND PID  USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 756  rpc    8u  IPv4 17071    0t0    TCP  *:sunrpc (LISTEN)
rpcbind 756  rpc    11u IPv6 17074    0t0    TCP  *:sunrpc (LISTEN)
sshd    1196 root   3u  IPv4 20091    0t0    TCP  *:ssh (LISTEN)
sshd    1196 root   4u  IPv6 20100    0t0    TCP  *:ssh (LISTEN)
dnsmasq 1445 nobody 6u  IPv4 21398    0t0    TCP  localhost:domain (LISTEN)
master  1602 root   13u IPv4 21668    0t0    TCP  localhost:smtp (LISTEN)
master  1602 root   14u IPv6 21669    0t0    TCP  localhost:smtp (LISTEN)
sshd    1772 root   3u  IPv4 22159    0t0    TCP  server1.example.com:ssh->192.168.0.102:31776 (ESTABLISHED)

Example 12: How to List All Unix Domain Socket Files using lsof command

In this example, we are trying to List all Unix Domain Socket files using -U option with lsof command as shown below.

[root@localhost ~]# lsof -U
COMMAND PID USER FD  TYPE DEVICE             SIZE/OFF NODE     NAME
systemd 1   root 12u unix 0xffffa0d0b6763300 0t0      12190  /run/systemd/private
systemd 1   root 20u unix 0xffffa0d0b6760880 0t0      12240  /run/lvm/lvmpolld.socket
systemd 1   root 21u unix 0xffffa0d0b6761100 0t0      12243  /run/lvm/lvmetad.socket
systemd 1   root 23u unix 0xffffa0d0bca58440 0t0      7468   /run/systemd/notify
systemd 1   root 24u unix 0xffffa0d0bca58880 0t0      7470   /run/systemd/cgroups-agent
systemd 1   root 25u unix 0xffffa0d0b6760cc0 0t0      12371  /run/systemd/shutdownd
systemd 1   root 27u unix 0xffffa0d0bca59540 0t0      7488   /run/systemd/journal/stdout
systemd 1   root 28u unix 0xffffa0d0bca59980 0t0      7491   /run/systemd/journal/socket
systemd 1   root 29u unix 0xffffa0d0bca59dc0 0t0      7493   /dev/log
systemd 1   root 30u unix 0xffffa0d0b6762200 0t0      12481  /run/udev/control
systemd 1   root 36u unix 0xffffa0d0369a1dc0 0t0      13005  socket

-U : selects the listing of UNIX domain socket files. More on lsof command Man Page.

Example 13: How to show total number of Open Files using lsof command in Linux

If you want to count the total number of open files from lsof command output, you can use wc -l command on the output to count the total number of open files as shown below.

[root@localhost ~]# lsof | wc -l
4832

Example 14: How to Show All the Recursively Open Process Files and Directories

If you want to recursively show all the Open files and directories then you need to use +d option with lsof command as shown below. In this example, we are trying to check all recursively open files and directories of directory /run using lsof +d /run command.

[root@localhost ~]# lsof +d /run
COMMAND  PID  USER FD  TYPE DEVICE              SIZE/OFF NODE      NAME
systemd   1   root 33u FIFO  0,19                0t0     12676 /run/dmeventd-server
systemd   1   root 34u FIFO  0,19                0t0     12677 /run/dmeventd-client
lvmetad  558  root 4wW REG   0,19                4       13320 /run/lvmetad.pid
rpcbind  756  rpc  4r  REG   0,19                0       16967 /run/rpcbind.lock
gssproxy 759  root 9u  unix  0xffffa0d0b82f5980 0t0      17164 /run/gssproxy.sock
libvirtd 1202 root 4ww REG   0,19                4       20500 /run/libvirtd.pid
crond    1218 root 3uW REG   0,19                5       20387 /run/crond.pid

+d : causes lsof to search for all open instances of directory s and the files and directories it contains at its top level. More on lsof command Man Page.

Example 15: How to List all the files based on Process Name

If you want to list all the files based on command name then you need to use -c option with lsof command as shown below. In this example, we are trying to list all the files based on command name sshd using lsof -c sshd command.

[root@localhost ~]# lsof -c sshd
COMMAND PID  USER FD  TYPE DEVICE SIZE/OFF NODE  NAME
sshd    1196 root cwd DIR  253,0    235     64    /
sshd    1196 root rtd DIR  253,0    235     64    /
sshd    1196 root txt REG  253,0  852856   234221 /usr/sbin/sshd
sshd    1196 root mem REG  253,0   61560   219022 /usr/lib64/libnss_files-2.17.so
sshd    1196 root mem REG  253,0   68192   57656  /usr/lib64/libbz2.so.1.0.6
sshd    1196 root mem REG  253,0   99952   1433   /usr/lib64/libelf-0.176.so
sshd    1196 root mem REG  253,0   19896   57503  /usr/lib64/libattr.so.1.1.0
sshd    1196 root mem REG  253,0   15688   57530  /usr/lib64/libkeyutils.so.1.5
sshd    1196 root mem REG  253,0   67104   113316 /usr/lib64/libkrb5support.so.0.1
sshd    1196 root mem REG  253,0   11392   1388   /usr/lib64/libfreebl3.so
sshd    1196 root mem REG  253,0   251792  1378   /usr/lib64/libnspr4.so
sshd    1196 root mem REG  253,0   20040   33477  /usr/lib64/libplc4.so
sshd    1196 root mem REG  253,0   15744   33478  /usr/lib64/libplds4.so

-c : selects the listing of files for processes executing the command that begins with the characters of c. More on lsof command Man Page.

Example 16: How to List all Network Files Currently in Use by a Specific Process

If you wan to List all Network Files currently in use by a specific command then you need to use below lsof command . In this example, we are trying to List all Network Files currently in use by sshd command using lsof -i -a -c sshd command.

[root@localhost ~]# lsof -i -a -c sshd
COMMAND PID  USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd    1196 root 3u IPv4 20091    0t0    TCP  *:ssh (LISTEN)
sshd    1196 root 4u IPv6 20100    0t0    TCP  *:ssh (LISTEN)
sshd    1772 root 3u IPv4 22159    0t0    TCP  server1.example.com:ssh->192.168.0.102:31776 (ESTABLISHED)

-i : selects the listing of files any of whose Internet address matches the address specified in i. More on lsof command Man Page.

-a : causes list selection options to be ANDed, as described above. More on lsof command Man Page.

Example 17: How to List All Open files with their Parent Process ID(PPID)

If you want to List all open files with their Parent Process ID(PPID) then you need to use -R option with lsof command as shown below.

[root@localhost ~]# lsof -R 
COMMAND PID TID PPID USER FD   TYPE DEVICE SIZE/OFF NODE           NAME
systemd  1       0   root cwd  DIR  253,0    235     64              /
systemd  1       0   root rtd  DIR  253,0    235     64              /
systemd  1       0   root txt  REG  253,0   1628560 100824723 /usr/lib/systemd/systemd
systemd  1       0   root mem  REG  253,0   20064   1415      /usr/lib64/libuuid.so.1.3.0
systemd  1       0   root mem  REG  253,0   265576  1425      /usr/lib64/libblkid.so.1.1.0
systemd  1       0   root mem  REG  253,0   90248   40171     /usr/lib64/libz.so.1.2.7
systemd  1       0   root mem  REG  253,0   157424  57646     /usr/lib64/liblzma.so.5.2.2
systemd  1       0   root mem  REG  253,0   23968   73073     /usr/lib64/libcap-ng.so.0.0.0
systemd  1       0   root mem  REG  253,0   19896   57503     /usr/lib64/libattr.so.1.1.0
systemd  1       0   root mem  REG  253,0   19248   147331    /usr/lib64/libdl-2.17.so
systemd  1       0   root mem  REG  253,0   402384  57519     /usr/lib64/libpcre.so.1.2.0
systemd  1       0   root mem  REG  253,0   2156240 113520    /usr/lib64/libc-2.17.so
systemd  1       0   root mem  REG  253,0   142144  1395      /usr/lib64/libpthread-2.17.so

-R : directs lsof to list the Parent Process IDentification number in the PPID column. More on lsof command Man Page.

Example 18: How to find all currently open files based on File Descriptor

You can also find open files based on File Descriptor using -d option with lsof command as shown below. In this example, we are trying to find all the open files based on descriptor cwd using lsof -d cwd command.

[root@localhost ~]# lsof -d cwd
COMMAND  PID USER FD  TYPE DEVICE SIZE/OFF NODE NAME
systemd   1  root cwd DIR  253,0    235     64   /
kthreadd  2  root cwd DIR  253,0    235     64   /
kworker/0 4  root cwd DIR  253,0    235     64   /
ksoftirqd 6  root cwd DIR  253,0    235     64   /
migration 7  root cwd DIR  253,0    235     64   /
rcu_bh    8  root cwd DIR  253,0    235     64   /
rcu_sched 9  root cwd DIR  253,0    235     64   /
lru-add-d 10 root cwd DIR  253,0    235     64   /
watchdog/ 11 root cwd DIR  253,0    235     64   /
kdevtmpfs 13 root cwd DIR  0,5      3240     3   /
netns     14 root cwd DIR  253,0    235     64   /
khungtask 15 root cwd DIR  253,0    235     64   /
writeback 16 root cwd DIR  253,0    235     64   /

-d : specifies a list of file descriptors (FDs) to exclude from or include in the output listing. More on lsof command Man Page.

Example 19: How to List a File that lsof command failed to find

If you want to show additional messages indicating the items which lsof trying to list but failed to find then you need to use -V option with lsof command as shown below.

[root@localhost ~]# lsof -p 9999999 -V
lsof: process ID not located: 9999999

-V : directs lsof to indicate the items it was asked to list and failed to find - command names, file names, Internet addresses or files, login names,NFS files, PIDs, PGIDs, and UIDs. More on lsof command Man Page.

Example 20: How to display additional Information 

If you want to display additional TCP/TPI Information then you need to use -T option with lsof command in Linux as shown below.

[root@localhost ~]# lsof -i -Tq
COMMAND PID  USER   FD  TYPE DEVICE SIZE/OFF NODE     NAME
rpcbind 756  rpc    6u  IPv4 17003   0t0     UDP   *:sunrpc (QR=0 QS=0)
rpcbind 756  rpc    7u  IPv4 17070   0t0     UDP   *:922 (QR=0 QS=0)
rpcbind 756  rpc    8u  IPv4 17071   0t0     TCP   *:sunrpc (QR=0 QS=0)
rpcbind 756  rpc    9u  IPv6 17072   0t0     UDP   *:sunrpc (QR=0 QS=0)
rpcbind 756  rpc    10u IPv6 17073   0t0     UDP   *:922 (QR=0 QS=0)
rpcbind 756  rpc    11u IPv6 17074   0t0     TCP   *:sunrpc (QR=0 QS=0)
chronyd 768  chrony 5u  IPv4 17195   0t0     UDP     localhost:323 (QR=0 QS=0)
chronyd 768  chrony 6u  IPv6 17196   0t0     UDP     localhost:323 (QR=0 QS=0)
sshd    1196 root   3u  IPv4 20091   0t0     TCP   *:ssh (QR=0 QS=0)
sshd    1196 root   4u  IPv6 20100   0t0     TCP   *:ssh (QR=0 QS=0)
vsftpd  1201 root   4u  IPv6 19612   0t0     TCP   *:ftp (QR=0 QS=0)

-T: controls the reporting of some TCP/TPI information. More on lsof command Man Page.

Example 21: How to List All UDP Connections using lsof command in Linux

If you want to List only UDP connections then also you need to use same -i option with lsof command as you have used in previous examples.

[root@localhost ~]# lsof -i udp
COMMAND PID  USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 756  rpc    6u  IPv4 17003    0t0    UDP  *:sunrpc
rpcbind 756  rpc    7u  IPv4 17070    0t0    UDP  *:922
rpcbind 756  rpc    9u  IPv6 17072    0t0    UDP  *:sunrpc
rpcbind 756  rpc    10u IPv6 17073    0t0    UDP  *:922
chronyd 768  chrony 5u  IPv4 17195    0t0    UDP  localhost:323
chronyd 768  chrony 6u  IPv6 17196    0t0    UDP  localhost:323
dnsmasq 1445 nobody 3u  IPv4 21394    0t0    UDP  *:bootps
dnsmasq 1445 nobody 5u  IPv4 21397    0t0    UDP  localhost:domain

Example 22: How to Check all ESTABLISHED State Network Connections using lsof command

If you want to check all ESTABLISHED state network connections then you need to grep the ESTABLISHED keyword from lsof command as shown below and feed the output to awk command to filter out Column 1 and Column 9 which will then be sorted using sort -u command.

[root@localhost ~]# lsof -i -nP | grep ESTABLISHED | awk '{print $1, $9}' | sort -u
sshd 192.168.0.103:22->192.168.0.102:31776

Example 23 : How to Check all LISTEN State Network Connections using lsof command

If you want to check all LISTEN state network connections then you need to grep the LISTEN keyword from lsof command as shown below and feed the output to awk command to filter out Column 1 and Column 9 which will then be sorted using sort -u command.

[root@localhost ~]# lsof -i -nP | grep LISTEN | awk '{print $1, $9}' | sort -u
dnsmasq 192.168.122.1:53
master [::1]:25
master 127.0.0.1:25
rpcbind *:111
sshd *:22
vsftpd *:21

Example 24: How to Check All Open Files using NFS Connections

If you want to list all open files using NFS Connections then you need to use lsof -N command as shown below.

[root@localhost ~]# lsof -N

-N : selects the listing of NFS files.

Example 25: How to Suppress Any Potential Warnings using lsof command in Linux

If you want to suppress any potential warnings then you need to use -w option with lsof command as shown below.

[root@localhost ~]# lsof -t -i -w
756
768
1196
1201
1445
1602
7501

-w : disables the suppression of warning messages.

Example 26: How to Enable Suppressed Warnings using lsof command in Linux

If you want to enable any suppressed potential warnings then you need to use +w option with lsof command as shown below.

[root@localhost ~]# lsof -t -i +w
756
768
1196
1201
1445
1602
7501

+w : Enables the suppression of warning messages.

Example 27: How to Use Regular Expression to find all open files used by a process which starts with Specific keyword

You can also use regular expressions to find all the open files used by a process using lsof command as shown below. In this example, we are trying to find all the processes which starts with character ssh using lsof -c /^ssh*/ command.

[root@localhost ~]# lsof -c /^ssh*/
COMMAND PID  USER FD  TYPE DEVICE SIZE/OFF NODE       NAME
sshd    1196 root cwd DIR  253,0    235     64         /
sshd    1196 root rtd DIR  253,0    235     64         /
sshd    1196 root txt REG  253,0  852856    234221  /usr/sbin/sshd
sshd    1196 root mem REG  253,0  61560     219022  /usr/lib64/libnss_files-2.17.so
sshd    1196 root mem REG  253,0  68192     57656   /usr/lib64/libbz2.so.1.0.6
sshd    1196 root mem REG  253,0  99952     1433    /usr/lib64/libelf-0.176.so
sshd    1196 root mem REG  253,0  19896     57503   /usr/lib64/libattr.so.1.1.0
sshd    1196 root mem REG  253,0  15688     57530   /usr/lib64/libkeyutils.so.1.5
sshd    1196 root mem REG  253,0  67104     113316  /usr/lib64/libkrb5support.so.0.1
sshd    1196 root mem REG  253,0  11392     1388    /usr/lib64/libfreebl3.so
sshd    1196 root mem REG  253,0  251792    1378    /usr/lib64/libnspr4.so
sshd    1196 root mem REG  253,0  20040     33477   /usr/lib64/libplc4.so
sshd    1196 root mem REG  253,0  15744     33478   /usr/lib64/libplds4.so
sshd    1196 root mem REG  253,0  198968    33480   /usr/lib64/libnssutil3.so

Example 28: How to Use Regular Expression to find all open files used by a process which ends with Specific keyword

Another very useful example of using regular expression with lsof command is to find all the processes which matches specific pattern at the end. In this example, we are trying to find all the processes which has shd pattern at the end of the command name using lsof -c /shd$/ command.

[root@localhost ~]# lsof -c /shd$/
COMMAND PID  USER FD  TYPE DEVICE SIZE/OFF NODE     NAME
sshd    1196 root cwd DIR   253,0  235      64       /
sshd    1196 root rtd DIR   253,0  235      64       /
sshd    1196 root txt REG   253,0 852856   234221   /usr/sbin/sshd
sshd    1196 root mem REG   253,0 61560    219022   /usr/lib64/libnss_files-2.17.so
sshd    1196 root mem REG   253,0 68192    57656    /usr/lib64/libbz2.so.1.0.6
sshd    1196 root mem REG   253,0 99952    1433     /usr/lib64/libelf-0.176.so
sshd    1196 root mem REG   253,0 19896    57503    /usr/lib64/libattr.so.1.1.0
sshd    1196 root mem REG   253,0 15688    57530    /usr/lib64/libkeyutils.so.1.5
sshd    1196 root mem REG   253,0 67104    113316   /usr/lib64/libkrb5support.so.0.1
sshd    1196 root mem REG   253,0 11392    1388     /usr/lib64/libfreebl3.so
sshd    1196 root mem REG   253,0 251792   1378     /usr/lib64/libnspr4.so
sshd    1196 root mem REG   253,0 20040    33477    /usr/lib64/libplc4.so
sshd    1196 root mem REG   253,0 15744    33478    /usr/lib64/libplds4.so
sshd    1196 root mem REG   253,0 198968   33480    /usr/lib64/libnssutil3.so
sshd    1196 root mem REG   253,0 1257728  17608    /usr/lib64/libnss3.so

Example 29: How to Kill all the open processes running with a Specific User

If you want to kill all the open files running with a specific user then you can use kill command with lsof command as shown below. In this example we are getting all the open files running with user postfix using lsof -t -u postfix and feeding the output to kill command to kill all the processes.

[root@localhost ~]# kill -9 `lsof -t -u postfix`

Example 30: How to List Active SSH Connections using lsof command in Linux

If you want to List all the Active SSH Connections then you can simply filter out the ESTABLISHED keyword from lsof -i TCP command output as shown below.

[root@localhost ~]# lsof -i TCP | grep ssh | grep ESTABLISHED
sshd 7501 root 3u IPv4 42123 0t0 TCP server1.example.com:ssh->192.168.0.102:p2pq (ESTABLISHED)

Example 31: How to Check Total Number of TCP Connections using lsof command in Linux

If you want to count the total number of TCP connections then you can use awk tool with lsof command as shown below.

[root@localhost ~]# lsof -i | awk '{print $8}' | sort | uniq -c | grep 'TCP'
9 TCP

Example 32: How to Check Total Number of UDP Connections using lsof command in Linux

Similarly, if you want to count the total number of UDP Connections instead of TCP connections then you need to grep the UDP keyword from lsof command output as shown below.

[root@localhost ~]# lsof -i | awk '{print $8}' | sort | uniq -c | grep 'UDP'
8 UDP

Example 33: How to Check Total Number of UDP and TCP Connections using lsof command in Linux

If you want to check the total number of UDP and TCP Connections then you need to grep both TCP and UDP from the lsof command output as shown below.

[root@localhost ~]# lsof -i | awk '{print $8}' | sort | uniq -c | grep 'TCP\|UDP'
9 TCP
8 UDP

Example 34: How to Monitor TCP Network Connections using lsof command in Linux

There is a very useful option called repeat mode which can be used with lsof command to monitor TCP Network Connections in Linux. You can use -r option to specify the number of seconds after which lsof command output will refresh. In this example, we are trying to monitor TCP Network Connections by refreshing lsof command output after every 3 seconds using lsof -r 3 -i TCP command.

[root@localhost ~]# lsof -r 3 -i TCP
COMMAND PID  USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 756  rpc    8u  IPv4 17071    0t0    TCP  *:sunrpc (LISTEN)
rpcbind 756  rpc    11u IPv6 17074    0t0    TCP  *:sunrpc (LISTEN)
sshd    1196 root   3u  IPv4 20091    0t0    TCP  *:ssh (LISTEN)
sshd    1196 root   4u  IPv6 20100    0t0    TCP  *:ssh (LISTEN)
vsftpd  1201 root   4u  IPv6 19612    0t0    TCP  *:ftp (LISTEN)
dnsmasq 1445 nobody 6u  IPv4 21398    0t0    TCP  localhost:domain (LISTEN)
master  1602 root   13u IPv4 21668    0t0    TCP  localhost:smtp (LISTEN)
master  1602 root   14u IPv6 21669    0t0    TCP  localhost:smtp (LISTEN)
sshd    7501 root   3u  IPv4 42123    0t0    TCP  server1.example.com:ssh->192.168.0.102:p2pq (ESTABLISHED)
=======
COMMAND PID  USER   FD  TYPE DEVICE SIZE/OFF NODE    NAME
rpcbind 756  rpc    8u  IPv4 17071    0t0    TCP   *:sunrpc (LISTEN)
rpcbind 756  rpc    11u IPv6 17074    0t0    TCP   *:sunrpc (LISTEN)
sshd    1196 root   3u  IPv4 20091    0t0    TCP   *:ssh (LISTEN)
sshd    1196 root   4u  IPv6 20100    0t0    TCP   *:ssh (LISTEN)
vsftpd  1201 root   4u  IPv6 19612    0t0    TCP   *:ftp (LISTEN)
dnsmasq 1445 nobody 6u  IPv4 21398    0t0    TCP   localhost:domain (LISTEN)
master  1602 root   13u IPv4 21668    0t0    TCP   localhost:smtp (LISTEN)
master  1602 root   14u IPv6 21669    0t0    TCP   localhost:smtp (LISTEN)
sshd    7501 root   3u  IPv4 42123    0t0    TCP   server1.example.com:ssh->192.168.0.102:p2pq (ESTABLISHED)
=======

-r : puts lsof in repeat mode. More on lsof command Man Page.

Example 35: How to inhibits the conversion of network numbers to host names using lsof command in Linux

You can also inhibits the conversion of network numbers to host names by using -n option with lsof command in Linux as shown below.

[root@localhost ~]# lsof -i -n
COMMAND PID  USER   FD TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 756  rpc    6u IPv4 17003 0t0 UDP *:sunrpc
rpcbind 756  rpc    7u IPv4 17070 0t0 UDP *:922
rpcbind 756  rpc    8u IPv4 17071 0t0 TCP *:sunrpc (LISTEN)
rpcbind 756  rpc    9u IPv6 17072 0t0 UDP *:sunrpc
rpcbind 756  rpc    10u IPv6 17073 0t0 UDP *:922
rpcbind 756  rpc    11u IPv6 17074 0t0 TCP *:sunrpc (LISTEN)
chronyd 768  chrony 5u IPv4 17195 0t0 UDP 127.0.0.1:323
chronyd 768  chrony 6u IPv6 17196 0t0 UDP [::1]:323
sshd    1196 root   3u IPv4 20091 0t0 TCP *:ssh (LISTEN)
sshd    1196 root   4u IPv6 20100 0t0 TCP *:ssh (LISTEN)
vsftpd  1201 root   4u IPv6 19612 0t0 TCP *:ftp (LISTEN)
dnsmasq 1445 nobody 3u IPv4 21394 0t0 UDP *:bootps

-n : inhibits the conversion of network numbers to host names for network files. More on lsof command Man Page.

Example 36 : How to inhibits the conversion of port numbers to port names for network files

Like inhibiting the conversion of network numbers, you can also inhibits the conversion of port numbers to port names using -P option with lsof command in Linux as shown below.

[root@localhost ~]# lsof -i -Tqs -P
COMMAND PID  USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 756  rpc    6u  IPv4 17003    0t0    UDP  *:111 (QR=0 QS=0)
rpcbind 756  rpc    7u  IPv4 17070    0t0    UDP  *:922 (QR=0 QS=0)
rpcbind 756  rpc    8u  IPv4 17071    0t0    TCP  *:111 (LISTEN QR=0 QS=0)
rpcbind 756  rpc    9u  IPv6 17072    0t0    UDP  *:111 (QR=0 QS=0)
rpcbind 756  rpc    10u IPv6 17073    0t0    UDP  *:922 (QR=0 QS=0)
rpcbind 756  rpc    11u IPv6 17074    0t0    TCP  *:111 (LISTEN QR=0 QS=0)
chronyd 768  chrony 5u  IPv4 17195    0t0    UDP  localhost:323 (QR=0 QS=0)
chronyd 768  chrony 6u  IPv6 17196    0t0    UDP  localhost:323 (QR=0 QS=0)
sshd    1196 root   3u  IPv4 20091    0t0    TCP  *:22 (LISTEN QR=0 QS=0)
sshd    1196 root   4u  IPv6 20100    0t0    TCP  *:22 (LISTEN QR=0 QS=0)
vsftpd  1201 root   4u  IPv6 19612    0t0    TCP  *:21 (LISTEN QR=0 QS=0)
dnsmasq 1445 nobody 3u  IPv4 21394    0t0    UDP  *:67 (QR=0 QS=0)

-P : inhibits the conversion of port numbers to port names for network files. More on lsof command Man Page.

Example 37: How to find all the deleted files still holding the disk space

If you want to find all the deleted files which is still occupying the disk space then you can grep for deleted keyword from lsof command output as shown below. In this example, we are looking for deleted files related to directory /run which is still occupying disk space using lsof /run | grep -i deleted command.

[root@localhost ~]# lsof /run | grep -i deleted

Example 38: How to List all the Files opened by Users except root user

If you want to List all the files opened by all the users except root user then you need to use -u ^root with lsof command in Linux as shown below.

[root@localhost ~]# lsof -u ^root
COMMAND   PID TID  USER FD   TYPE DEVICE SIZE/OFF NODE            NAME
dbus-daem 754      dbus cwd  DIR  253,0    235     64              /
dbus-daem 754      dbus rtd  DIR  253,0    235     64              /
dbus-daem 754      dbus txt  REG  253,0  223320   100840163 /usr/bin/dbus-daemon
dbus-daem 754      dbus mem  REG  253,0   61560   219022    /usr/lib64/libnss_files-2.17.so
dbus-daem 754      dbus mem  REG  253,0   68192   57656     /usr/lib64/libbz2.so.1.0.6
dbus-daem 754      dbus mem  REG  253,0   90248   40171     /usr/lib64/libz.so.1.2.7
dbus-daem 754      dbus mem  REG  253,0   99952   1433      /usr/lib64/libelf-0.176.so
dbus-daem 754      dbus mem  REG  253,0   19896   57503     /usr/lib64/libattr.so.1.1.0
dbus-daem 754      dbus mem  REG  253,0   402384  57519     /usr/lib64/libpcre.so.1.2.0
dbus-daem 754      dbus mem  REG  253,0   88776   1376      /usr/lib64/libgcc_s-4.8.5-20150702.so.1
dbus-daem 754      dbus mem  REG  253,0   19248   147331    /usr/lib64/libdl-2.17.so
dbus-daem 754      dbus mem  REG  253,0   338672  187671    /usr/lib64/libdw-0.176.so
dbus-daem 754      dbus mem  REG  253,0   109976  1397      /usr/lib64/libresolv-2.17.so
dbus-daem 754      dbus mem  REG  253,0   19384   73064     /usr/lib64/libgpg-error.so.0.10.0
dbus-daem 754      dbus mem  REG  253,0   535064  73080     /usr/lib64/libgcrypt.so.11.8.2

Example 39: How to check Some Specific Command Open files running with Specific User

In the above examples, you must have seen how we checked all open files running with specific user and also how to find all the open files related to specific command. Now we will see how to check a specific process running with a specific user. In this example, we are trying to check rpcbind process running with user rpc using lsof -a -u rpc -c rpcbind command.

[root@localhost ~]# lsof -a -u rpc -c rpcbind
COMMAND PID USER FD  TYPE DEVICE SIZE/OFF NODE          NAME
rpcbind 756 rpc  cwd DIR  253,0    235     64            /
rpcbind 756 rpc  rtd DIR  253,0    235     64            /
rpcbind 756 rpc  txt REG  253,0   61512    316334   /usr/sbin/rpcbind
rpcbind 756 rpc  mem REG  253,0   61560    219022   /usr/lib64/libnss_files-2.17.so
rpcbind 756 rpc  mem REG  253,0   68192    57656    /usr/lib64/libbz2.so.1.0.6
rpcbind 756 rpc  mem REG  253,0   90248    40171    /usr/lib64/libz.so.1.2.7
rpcbind 756 rpc  mem REG  253,0   99952    1433     /usr/lib64/libelf-0.176.so
rpcbind 756 rpc  mem REG  253,0   402384   57519    /usr/lib64/libpcre.so.1.2.0
rpcbind 756 rpc  mem REG  253,0   19896    57503    /usr/lib64/libattr.so.1.1.0
rpcbind 756 rpc  mem REG  253,0   15688    57530    /usr/lib64/libkeyutils.so.1.5
rpcbind 756 rpc  mem REG  253,0   67104    113316   /usr/lib64/libkrb5support.so.0.1
rpcbind 756 rpc  mem REG  253,0   88776    1376     /usr/lib64/libgcc_s-4.8.5-20150702.so.1

Example 40: How to Check all the Options of lsof command

If you want to check all the other options that can be used with lsof command then you need to use lsof -h command as shown below.

[root@localhost ~]# lsof -h
lsof 4.87
latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
usage: [-?abhKlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-f[gG]] [+|-e s]
[-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s]
[+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
Defaults in parentheses; comma-separated set (s) items; dash-separated ranges.
-?|-h list help -a AND selections (OR) -b avoid kernel blocks
-c c cmd c ^c /c/[bix] +c w COMMAND width (9) +d s dir s files
-d s select by FD set +D D dir D tree *SLOW?* +|-e s exempt s *RISKY*
-i select IPv[46] files -K list tasKs (threads) -l list UID numbers
-n no host names -N select NFS files -o list file offset
-O no overhead *RISKY* -P no port names -R list paRent PID
-s list file size -t terse listing -T disable TCP/TPI info
-U select Unix socket -v list version info -V verbose search
+|-w Warnings (+) -X skip TCP&UDP* files -Z Z context [Z]

Example 41: How to check Man Page of lsof command in Linux/Unix

If you want to check the man page of lsof command then you need to use man lsof command as shown below.

[root@localhost ~]# man lsof
LSOF(8) System Manager's Manual LSOF(8)

NAME
lsof - list open files

SYNOPSIS
lsof [ -?abChlnNOPRtUvVX ] [ -A A ] [ -c c ] [ +c c ] [ +|-d d ] [ +|-D D ] [ +|-e s ] [ +|-f [cfgGn] ] [ -F [f] ] [ -g [s] ] [ -i [i] ] [ -k k ] [ -K k ] [
+|-L [l] ] [ +|-m m ] [ +|-M ] [ -o [o] ] [ -p s ] [ +|-r [t[m<fmt>]] ] [ -s [p:s] ] [ -S [t] ] [ -T [t] ] [ -u s ] [ +|-w ] [ -x [fl] ] [ -z [z] ] [ -Z [Z]
] [ -- ] [names]

DESCRIPTION
Lsof revision 4.87 lists on its standard output file information about files opened by processes for the following UNIX dialects:

Apple Darwin 9 and Mac OS X 10.[567]
FreeBSD 4.9 and 6.4 for x86-based systems
FreeBSD 8.2, 9.0 and 10.0 for AMD64-based systems
Linux 2.1.72 and above for x86-based systems
Solaris 9, 10 and 11

 

 

 

 

Popular Recommendations:-

How to Install PHP on Ubuntu 18.04

How to Install Ruby on Ubuntu 18.04 with Easy Steps

How to Install Ruby on CentOS/RedHat 7 in 5 Easy Steps

33 Practical Examples of ulimit command in Linux/Unix for Professionals

Install Node.js in 6 Easy Steps on Ubuntu 18.04

How to Install NVM for Node.js on Ubuntu 18.04

How to Limit CPU Limit of a Process Using CPULimit in Linux (RHEL/CentOS 7/8)

How to Install Rust Programming Language in Linux Using 6 Best Steps

How to Install LEMP Stack on CentOS 8

10 lsof command examples in Linux

Leave a Comment