Table of Contents
In this article I will take you through 41 Linux lsof command examples. lsof command is a very useful utility to find out the List of current open files. It will provide complete information about command or process which opens a List of files. You can also monitor the active TCP and UDP Network Connections using lsof command. We will go through multiple examples of lsof command in below sections.
SYNOPSIS
lsof [ -?abChlnNOPRtUvVX ] [ -A A ] [ -c c ] [ +c c ] [ +|-d d ] [ +|-D D ] [ +|-e s ] [ +|-f [cfgGn] ] [ -F [f] ] [ -g [s] ] [ -i [i] ] [ -k k ] [ -K k ] [
+|-L [l] ] [ +|-m m ] [ +|-M ] [ -o [o] ] [ -p s ] [ +|-r [t[m<fmt>]] ] [ -s [p:s] ] [ -S [t] ] [ -T [t] ] [ -u s ] [ +|-w ] [ -x [fl] ] [ -z [z] ] [ -Z [Z]
] [ -- ] [names]
Linux lsof command examples
Also Read: 52 Useful cut command in Linux/Unix with Examples for Beginners
Example 1: How to check lsof command version
If you want to check lsof command version then you need to use lsof -v
command as shown below. As you can see from below output, current lsof command version is 4.87
.
[root@localhost ~]# lsof -v lsof version information: revision: 4.87 latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/ latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man constructed: Tue Oct 30 16:28:19 UTC 2018 constructed by and on: mockbuild@x86-01.bsys.centos.org compiler: cc compiler version: 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC) compiler flags: -DLINUXV=310000 -DGLIBCV=217 -DHASIPv6 -DHASSELINUX -D_FILE_ OFFSET_BITS=64 -D_LARGEFILE64_SOURCE -DHAS_STRFTIME -DLSOF_VSTR="3.10.0" -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --para m=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic loader flags: -L./lib -llsof -lselinux system info: Linux x86-01.bsys.centos.org 3.10.0-693.17.1.el7.x86_64 #1 SMP Thu Jan 25 20:13:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux Anyone can list all files. /dev warnings are disabled. Kernel ID check is disabled.
-v : selects the listing of lsof version information. More on lsof command Man Page.
NOTE:
root
user to run all the below commands.You can use any user with sudo
access to run all these commands. For more information Please check Step by Step: How to Add User to Sudoers to provide sudo
access to the User.Example 2: How to Identify Open Files Using lsof command in Linux
You can simply run lsof command to check the List of Open files and other important information like User, Type, FD, Device, Name etc related to those files as shown below.
[root@localhost ~]# lsof COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root cwd DIR 253,0 235 64 / systemd 1 root rtd DIR 253,0 235 64 / systemd 1 root txt REG 253,0 1628560 100824723 /usr/lib/systemd/systemd systemd 1 root mem REG 253,0 20064 1415 /usr/lib64/libuuid.so.1.3.0 systemd 1 root mem REG 253,0 265576 1425 /usr/lib64/libblkid.so.1.1.0 systemd 1 root mem REG 253,0 90248 40171 /usr/lib64/libz.so.1.2.7 systemd 1 root mem REG 253,0 157424 57646 /usr/lib64/liblzma.so.5.2.2 systemd 1 root mem REG 253,0 23968 73073 /usr/lib64/libcap-ng.so.0.0.0 systemd 1 root mem REG 253,0 19896 57503 /usr/lib64/libattr.so.1.1.0 systemd 1 root mem REG 253,0 19248 147331 /usr/lib64/libdl-2.17.so systemd 1 root mem REG 253,0 402384 57519 /usr/lib64/libpcre.so.1.2.0 systemd 1 root mem REG 253,0 2156240 113520 /usr/lib64/libc-2.17.so systemd 1 root mem REG 253,0 142144 1395 /usr/lib64/libpthread-2.17.so systemd 1 root mem REG 253,0 88776 1376 /usr/lib64/libgcc_s-4.8.5-20150702.so.1 systemd 1 root mem REG 253,0 43712 414376 /usr/lib64/librt-2.17.so
Example 3: How to Find out who is using a file using lsof command in Linux
If you want to find out who is using a file then you can simply query that file with lsof command as shown below. In this example, we are trying to find out who is using the file /bin/bash using lsof /bin/bash
command. As you can see from below output root user is currently using those files.
[root@localhost ~]# lsof /bin/bash COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME ksmtuned 788 root txt REG 253,0 964536 100766285 /usr/bin/bash bash 1775 root txt REG 253,0 964536 100766285 /usr/bin/bash
Example 4: How to find Files Open by a Linux Process
If you want to find files open by a Linux process then you need to use -p
option with lsof command as shown below. In this example we are trying to find all the files opened by a Process ID(PID) 1196 using lsof -p 1196
command.
[root@localhost ~]# lsof -p 1196 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME sshd 1196 root cwd DIR 253,0 235 64 / sshd 1196 root rtd DIR 253,0 235 64 / sshd 1196 root txt REG 253,0 852856 234221 /usr/sbin/sshd sshd 1196 root mem REG 253,0 61560 219022 /usr/lib64/libnss_files-2.17.so sshd 1196 root mem REG 253,0 68192 57656 /usr/lib64/libbz2.so.1.0.6 sshd 1196 root mem REG 253,0 99952 1433 /usr/lib64/libelf-0.176.so sshd 1196 root mem REG 253,0 19896 57503 /usr/lib64/libattr.so.1.1.0 sshd 1196 root mem REG 253,0 15688 57530 /usr/lib64/libkeyutils.so.1.5 sshd 1196 root mem REG 253,0 67104 113316 /usr/lib64/libkrb5support.so.0.1 sshd 1196 root mem REG 253,0 11392 1388 /usr/lib64/libfreebl3.so sshd 1196 root mem REG 253,0 251792 1378 /usr/lib64/libnspr4.so sshd 1196 root mem REG 253,0 20040 33477 /usr/lib64/libplc4.so sshd 1196 root mem REG 253,0 15744 33478 /usr/lib64/libplds4.so sshd 1196 root mem REG 253,0 198968 33480 /usr/lib64/libnssutil3.so sshd 1196 root mem REG 253,0 1257728 17608 /usr/lib64/libnss3.so sshd 1196 root mem REG 253,0 168336 17609 /usr/lib64/libsmime3.so sshd 1196 root mem REG 253,0 370584 17610 /usr/lib64/libssl3.so
-p : excludes or selects the listing of files for the processes whose optional process IDentification (PID) numbers are in the comma-separated set. More on lsof command Man Page.
Example 5: How to Know which directories are being used by a Process in Linux
If you want to check all the directories and files in depth used by a process in Linux then you need to use +D
option with lsof command as shown below. In this example, we are trying to check all the files and directories used by /var/log
using lsof +D /var/log
command.
[root@localhost ~]# lsof +D /var/log COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME auditd 721 root 5w REG 253,0 6685061 101331972 /var/log/audit/audit.log firewalld 793 root 3w REG 253,0 4903 67146826 /var/log/firewalld tuned 1192 root 3w REG 253,0 58277 67527610 /var/log/tuned/tuned.log rsyslogd 1197 root 6w REG 253,0 155 73116760 /var/log/messages rsyslogd 1197 root 7w REG 253,0 464 73116758 /var/log/cron
+D : causes lsof to search for all open instances of directory D and all the files and directories it contains to its complete depth. More on lsof command Man Page.
Example 6: How to List all the Process related to a Mount Point using lsof command
You can also list all the open files using a specific mount point using lsof command. In this example, we are checking all the process related to mount point /run
using lsof /run
command as shown below.
[root@localhost ~]# lsof /run COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root 22u FIFO 0,19 0t0 12342 /run/systemd/initctl/fifo systemd 1 root 33u FIFO 0,19 0t0 12676 /run/dmeventd-server systemd 1 root 34u FIFO 0,19 0t0 12677 /run/dmeventd-client systemd-j 541 root mem REG 0,19 8388608 7747 /run/log/journal/f1c1e83465fa4dd2b7e3d295527d29a5/system.journal systemd-j 541 root mem REG 0,19 8 7742 /run/systemd/journal/kernel-seqnum systemd-j 541 root 13u REG 0,19 8388608 7747 /run/log/journal/f1c1e83465fa4dd2b7e3d295527d29a5/system.journal lvmetad 558 root 4wW REG 0,19 4 13320 /run/lvmetad.pid systemd-l 752 root 18r FIFO 0,19 0t0 22271 /run/systemd/sessions/1.ref rpcbind 756 rpc 4r REG 0,19 0 16967 /run/rpcbind.lock rsyslogd 1197 root mem REG 0,19 8388608 7747 /run/log/journal/f1c1e83465fa4dd2b7e3d295527d29a5/system.journal rsyslogd 1197 root 5r REG 0,19 8388608 7747 /run/log/journal/f1c1e83465fa4dd2b7e3d295527d29a5/system.journal libvirtd 1202 root 4ww REG 0,19 4 20500 /run/libvirtd.pid libvirtd 1202 root 21u REG 0,19 0 20668 /run/libvirt/network/nwfilter.leases crond 1218 root 3uW REG 0,19 5 20387 /run/crond.pid sshd 1772 root 6w FIFO 0,19 0t0 22271 /run/systemd/sessions/1.ref
Example 7: How to Check All the Files Opened by a Specific User
If you want to check all the files opened by a specific user then you need to use -u
option with lsof command in Linux as shown below. In this example, we are trying to check all the files opened by user postfix
using lsof -u postfix
command.
[root@localhost ~]# lsof -u postfix COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME pickup 1607 postfix cwd DIR 253,0 201 33947528 /var/spool/postfix pickup 1607 postfix rtd DIR 253,0 235 64 / pickup 1607 postfix txt REG 253,0 285160 33947461 /usr/libexec/postfix/pickup pickup 1607 postfix mem REG 253,0 61560 219022 /usr/lib64/libnss_files-2.17.so pickup 1607 postfix mem REG 253,0 155744 1410 /usr/lib64/libselinux.so.1 pickup 1607 postfix mem REG 253,0 15688 57530 /usr/lib64/libkeyutils.so.1.5 pickup 1607 postfix mem REG 253,0 11392 1388 /usr/lib64/libfreebl3.so pickup 1607 postfix mem REG 253,0 88776 1376 /usr/lib64/libgcc_s-4.8.5-20150702.so.1 pickup 1607 postfix mem REG 253,0 43712 414376 /usr/lib64/librt-2.17.so pickup 1607 postfix mem REG 253,0 67104 113316 /usr/lib64/libkrb5support.so.0.1 pickup 1607 postfix mem REG 253,0 15856 1429 /usr/lib64/libcom_err.so.2.1 pickup 1607 postfix mem REG 253,0 210784 113308 /usr/lib64/libk5crypto.so.3.1 pickup 1607 postfix mem REG 253,0 967760 113314 /usr/lib64/libkrb5.so.3.3 pickup 1607 postfix mem REG 253,0 320720 57582 /usr/lib64/libgssapi_krb5.so.2.2 pickup 1607 postfix mem REG 253,0 40600 147273 /usr/lib64/libcrypt-2.17.so pickup 1607 postfix mem REG 253,0 991616 40146 /usr/lib64/libstdc++.so.6.0.19
-u : selects the listing of files for the user whose login names or user ID numbers are in the comma-separated set. More on lsof command Man Page.
Example 8: How to List Process ID's of all the Files opened by a Specific User
If you want to list the Process ID(PID) of all the processes started by a specific user then you need to use -t
option with lsof command as shown below. In this example, we are trying to check the PID of all the files opened by user postfix
using lsof -t -u postfix
command.
[root@localhost ~]# lsof -t -u postfix 1608 2775
-t : specifies that lsof should produce terse output with process identifiers only and no header. More on lsof command Man Page.
Example 9: How to List Process ID's of all the Files using directory /run
If you want simply know the Process ID(PID) of all the files using some directory then you need to use -t
option with lsof command as shown below. In this example, we are trying to check the Process ID of all the open files using directory /run
with the help of lsof -t /run
command.
[root@localhost ~]# lsof -t /run 1 541 558 752 756 1197 1202 1218 1772
Example 10: How to Find out a Process Listening on a Specific Port
If you want to find out a process listening on a specific Port then you need to use -i
option with lsof command as shown below. In this example, we are trying to find out all the processes listening on Port 22
using lsof -i TCP:22
command.
[root@localhost ~]# lsof -i TCP:22 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME sshd 1196 root 3u IPv4 20091 0t0 TCP *:ssh (LISTEN) sshd 1196 root 4u IPv6 20100 0t0 TCP *:ssh (LISTEN) sshd 1772 root 3u IPv4 22159 0t0 TCP server1.example.com:ssh->192.168.0.102:31776 (ESTABLISHED)
-i : selects the listing of files any of whose Internet address matches the address specified in i. More on lsof command Man Page.
Example 11: How to List All the Processes Running on a Range of Ports
If you want to list all the processes running on a range of TCP Ports then you need to use -i
option with lsof command as shown below. In this example we are trying to list all the processes running on a range of TCP ports from 22-300 using lsof -i TCP:22-300
command as shown below.
[root@localhost ~]# lsof -i TCP:22-300 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rpcbind 756 rpc 8u IPv4 17071 0t0 TCP *:sunrpc (LISTEN) rpcbind 756 rpc 11u IPv6 17074 0t0 TCP *:sunrpc (LISTEN) sshd 1196 root 3u IPv4 20091 0t0 TCP *:ssh (LISTEN) sshd 1196 root 4u IPv6 20100 0t0 TCP *:ssh (LISTEN) dnsmasq 1445 nobody 6u IPv4 21398 0t0 TCP localhost:domain (LISTEN) master 1602 root 13u IPv4 21668 0t0 TCP localhost:smtp (LISTEN) master 1602 root 14u IPv6 21669 0t0 TCP localhost:smtp (LISTEN) sshd 1772 root 3u IPv4 22159 0t0 TCP server1.example.com:ssh->192.168.0.102:31776 (ESTABLISHED)
Example 12: How to List All Unix Domain Socket Files using lsof command
In this example, we are trying to List all Unix Domain Socket files using -U
option with lsof command as shown below.
[root@localhost ~]# lsof -U COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root 12u unix 0xffffa0d0b6763300 0t0 12190 /run/systemd/private systemd 1 root 20u unix 0xffffa0d0b6760880 0t0 12240 /run/lvm/lvmpolld.socket systemd 1 root 21u unix 0xffffa0d0b6761100 0t0 12243 /run/lvm/lvmetad.socket systemd 1 root 23u unix 0xffffa0d0bca58440 0t0 7468 /run/systemd/notify systemd 1 root 24u unix 0xffffa0d0bca58880 0t0 7470 /run/systemd/cgroups-agent systemd 1 root 25u unix 0xffffa0d0b6760cc0 0t0 12371 /run/systemd/shutdownd systemd 1 root 27u unix 0xffffa0d0bca59540 0t0 7488 /run/systemd/journal/stdout systemd 1 root 28u unix 0xffffa0d0bca59980 0t0 7491 /run/systemd/journal/socket systemd 1 root 29u unix 0xffffa0d0bca59dc0 0t0 7493 /dev/log systemd 1 root 30u unix 0xffffa0d0b6762200 0t0 12481 /run/udev/control systemd 1 root 36u unix 0xffffa0d0369a1dc0 0t0 13005 socket
-U : selects the listing of UNIX domain socket files. More on lsof command Man Page.
Example 13: How to show total number of Open Files using lsof command in Linux
If you want to count the total number of open files from lsof command output, you can use wc -l
command on the output to count the total number of open files as shown below.
[root@localhost ~]# lsof | wc -l 4832
Example 14: How to Show All the Recursively Open Process Files and Directories
If you want to recursively show all the Open files and directories then you need to use +d
option with lsof command as shown below. In this example, we are trying to check all recursively open files and directories of directory /run
using lsof +d /run
command.
[root@localhost ~]# lsof +d /run COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root 33u FIFO 0,19 0t0 12676 /run/dmeventd-server systemd 1 root 34u FIFO 0,19 0t0 12677 /run/dmeventd-client lvmetad 558 root 4wW REG 0,19 4 13320 /run/lvmetad.pid rpcbind 756 rpc 4r REG 0,19 0 16967 /run/rpcbind.lock gssproxy 759 root 9u unix 0xffffa0d0b82f5980 0t0 17164 /run/gssproxy.sock libvirtd 1202 root 4ww REG 0,19 4 20500 /run/libvirtd.pid crond 1218 root 3uW REG 0,19 5 20387 /run/crond.pid
+d : causes lsof to search for all open instances of directory s and the files and directories it contains at its top level. More on lsof command Man Page.
Example 15: How to List all the files based on Process Name
If you want to list all the files based on command name then you need to use -c
option with lsof command as shown below. In this example, we are trying to list all the files based on command name sshd using lsof -c sshd
command.
[root@localhost ~]# lsof -c sshd COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME sshd 1196 root cwd DIR 253,0 235 64 / sshd 1196 root rtd DIR 253,0 235 64 / sshd 1196 root txt REG 253,0 852856 234221 /usr/sbin/sshd sshd 1196 root mem REG 253,0 61560 219022 /usr/lib64/libnss_files-2.17.so sshd 1196 root mem REG 253,0 68192 57656 /usr/lib64/libbz2.so.1.0.6 sshd 1196 root mem REG 253,0 99952 1433 /usr/lib64/libelf-0.176.so sshd 1196 root mem REG 253,0 19896 57503 /usr/lib64/libattr.so.1.1.0 sshd 1196 root mem REG 253,0 15688 57530 /usr/lib64/libkeyutils.so.1.5 sshd 1196 root mem REG 253,0 67104 113316 /usr/lib64/libkrb5support.so.0.1 sshd 1196 root mem REG 253,0 11392 1388 /usr/lib64/libfreebl3.so sshd 1196 root mem REG 253,0 251792 1378 /usr/lib64/libnspr4.so sshd 1196 root mem REG 253,0 20040 33477 /usr/lib64/libplc4.so sshd 1196 root mem REG 253,0 15744 33478 /usr/lib64/libplds4.so
-c : selects the listing of files for processes executing the command that begins with the characters of c. More on lsof command Man Page.
Example 16: How to List all Network Files Currently in Use by a Specific Process
If you wan to List all Network Files currently in use by a specific command then you need to use below lsof command . In this example, we are trying to List all Network Files currently in use by sshd command using lsof -i -a -c sshd
command.
[root@localhost ~]# lsof -i -a -c sshd COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME sshd 1196 root 3u IPv4 20091 0t0 TCP *:ssh (LISTEN) sshd 1196 root 4u IPv6 20100 0t0 TCP *:ssh (LISTEN) sshd 1772 root 3u IPv4 22159 0t0 TCP server1.example.com:ssh->192.168.0.102:31776 (ESTABLISHED)
-i : selects the listing of files any of whose Internet address matches the address specified in i. More on lsof command Man Page.
-a : causes list selection options to be ANDed, as described above. More on lsof command Man Page.
Example 17: How to List All Open files with their Parent Process ID(PPID)
If you want to List all open files with their Parent Process ID(PPID) then you need to use -R
option with lsof command as shown below.
[root@localhost ~]# lsof -R COMMAND PID TID PPID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 0 root cwd DIR 253,0 235 64 / systemd 1 0 root rtd DIR 253,0 235 64 / systemd 1 0 root txt REG 253,0 1628560 100824723 /usr/lib/systemd/systemd systemd 1 0 root mem REG 253,0 20064 1415 /usr/lib64/libuuid.so.1.3.0 systemd 1 0 root mem REG 253,0 265576 1425 /usr/lib64/libblkid.so.1.1.0 systemd 1 0 root mem REG 253,0 90248 40171 /usr/lib64/libz.so.1.2.7 systemd 1 0 root mem REG 253,0 157424 57646 /usr/lib64/liblzma.so.5.2.2 systemd 1 0 root mem REG 253,0 23968 73073 /usr/lib64/libcap-ng.so.0.0.0 systemd 1 0 root mem REG 253,0 19896 57503 /usr/lib64/libattr.so.1.1.0 systemd 1 0 root mem REG 253,0 19248 147331 /usr/lib64/libdl-2.17.so systemd 1 0 root mem REG 253,0 402384 57519 /usr/lib64/libpcre.so.1.2.0 systemd 1 0 root mem REG 253,0 2156240 113520 /usr/lib64/libc-2.17.so systemd 1 0 root mem REG 253,0 142144 1395 /usr/lib64/libpthread-2.17.so
-R : directs lsof to list the Parent Process IDentification number in the PPID column. More on lsof command Man Page.
Example 18: How to find all currently open files based on File Descriptor
You can also find open files based on File Descriptor using -d
option with lsof command as shown below. In this example, we are trying to find all the open files based on descriptor cwd
using lsof -d cwd
command.
[root@localhost ~]# lsof -d cwd COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME systemd 1 root cwd DIR 253,0 235 64 / kthreadd 2 root cwd DIR 253,0 235 64 / kworker/0 4 root cwd DIR 253,0 235 64 / ksoftirqd 6 root cwd DIR 253,0 235 64 / migration 7 root cwd DIR 253,0 235 64 / rcu_bh 8 root cwd DIR 253,0 235 64 / rcu_sched 9 root cwd DIR 253,0 235 64 / lru-add-d 10 root cwd DIR 253,0 235 64 / watchdog/ 11 root cwd DIR 253,0 235 64 / kdevtmpfs 13 root cwd DIR 0,5 3240 3 / netns 14 root cwd DIR 253,0 235 64 / khungtask 15 root cwd DIR 253,0 235 64 / writeback 16 root cwd DIR 253,0 235 64 /
-d : specifies a list of file descriptors (FDs) to exclude from or include in the output listing. More on lsof command Man Page.
Example 19: How to List a File that lsof command failed to find
If you want to show additional messages indicating the items which lsof trying to list but failed to find then you need to use -V
option with lsof command as shown below.
[root@localhost ~]# lsof -p 9999999 -V lsof: process ID not located: 9999999
-V : directs lsof to indicate the items it was asked to list and failed to find - command names, file names, Internet addresses or files, login names,NFS files, PIDs, PGIDs, and UIDs. More on lsof command Man Page.
Example 20: How to display additional Information
If you want to display additional TCP/TPI Information then you need to use -T
option with lsof command in Linux as shown below.
[root@localhost ~]# lsof -i -Tq COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rpcbind 756 rpc 6u IPv4 17003 0t0 UDP *:sunrpc (QR=0 QS=0) rpcbind 756 rpc 7u IPv4 17070 0t0 UDP *:922 (QR=0 QS=0) rpcbind 756 rpc 8u IPv4 17071 0t0 TCP *:sunrpc (QR=0 QS=0) rpcbind 756 rpc 9u IPv6 17072 0t0 UDP *:sunrpc (QR=0 QS=0) rpcbind 756 rpc 10u IPv6 17073 0t0 UDP *:922 (QR=0 QS=0) rpcbind 756 rpc 11u IPv6 17074 0t0 TCP *:sunrpc (QR=0 QS=0) chronyd 768 chrony 5u IPv4 17195 0t0 UDP localhost:323 (QR=0 QS=0) chronyd 768 chrony 6u IPv6 17196 0t0 UDP localhost:323 (QR=0 QS=0) sshd 1196 root 3u IPv4 20091 0t0 TCP *:ssh (QR=0 QS=0) sshd 1196 root 4u IPv6 20100 0t0 TCP *:ssh (QR=0 QS=0) vsftpd 1201 root 4u IPv6 19612 0t0 TCP *:ftp (QR=0 QS=0)
-T: controls the reporting of some TCP/TPI information. More on lsof command Man Page.
Example 21: How to List All UDP Connections using lsof command in Linux
If you want to List only UDP connections then also you need to use same -i
option with lsof command as you have used in previous examples.
[root@localhost ~]# lsof -i udp COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rpcbind 756 rpc 6u IPv4 17003 0t0 UDP *:sunrpc rpcbind 756 rpc 7u IPv4 17070 0t0 UDP *:922 rpcbind 756 rpc 9u IPv6 17072 0t0 UDP *:sunrpc rpcbind 756 rpc 10u IPv6 17073 0t0 UDP *:922 chronyd 768 chrony 5u IPv4 17195 0t0 UDP localhost:323 chronyd 768 chrony 6u IPv6 17196 0t0 UDP localhost:323 dnsmasq 1445 nobody 3u IPv4 21394 0t0 UDP *:bootps dnsmasq 1445 nobody 5u IPv4 21397 0t0 UDP localhost:domain
Example 22: How to Check all ESTABLISHED State Network Connections using lsof command
If you want to check all ESTABLISHED
state network connections then you need to grep the ESTABLISHED
keyword from lsof command as shown below and feed the output to awk command to filter out Column 1
and Column 9
which will then be sorted using sort -u
command.
[root@localhost ~]# lsof -i -nP | grep ESTABLISHED | awk '{print $1, $9}' | sort -u sshd 192.168.0.103:22->192.168.0.102:31776
Example 23 : How to Check all LISTEN State Network Connections using lsof command
If you want to check all LISTEN
state network connections then you need to grep the LISTEN
keyword from lsof command as shown below and feed the output to awk command to filter out Column 1
and Column 9
which will then be sorted using sort -u
command.
[root@localhost ~]# lsof -i -nP | grep LISTEN | awk '{print $1, $9}' | sort -u dnsmasq 192.168.122.1:53 master [::1]:25 master 127.0.0.1:25 rpcbind *:111 sshd *:22 vsftpd *:21
Example 24: How to Check All Open Files using NFS Connections
If you want to list all open files using NFS Connections then you need to use lsof -N
command as shown below.
[root@localhost ~]# lsof -N
-N : selects the listing of NFS files.
Example 25: How to Suppress Any Potential Warnings using lsof command in Linux
If you want to suppress any potential warnings then you need to use -w
option with lsof command as shown below.
[root@localhost ~]# lsof -t -i -w 756 768 1196 1201 1445 1602 7501
-w : disables the suppression of warning messages.
Example 26: How to Enable Suppressed Warnings using lsof command in Linux
If you want to enable any suppressed potential warnings then you need to use +w
option with lsof command as shown below.
[root@localhost ~]# lsof -t -i +w 756 768 1196 1201 1445 1602 7501
+w : Enables the suppression of warning messages.
Example 27: How to Use Regular Expression to find all open files used by a process which starts with Specific keyword
You can also use regular expressions to find all the open files used by a process using lsof command as shown below. In this example, we are trying to find all the processes which starts with character ssh using lsof -c /^ssh*/
command.
[root@localhost ~]# lsof -c /^ssh*/ COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME sshd 1196 root cwd DIR 253,0 235 64 / sshd 1196 root rtd DIR 253,0 235 64 / sshd 1196 root txt REG 253,0 852856 234221 /usr/sbin/sshd sshd 1196 root mem REG 253,0 61560 219022 /usr/lib64/libnss_files-2.17.so sshd 1196 root mem REG 253,0 68192 57656 /usr/lib64/libbz2.so.1.0.6 sshd 1196 root mem REG 253,0 99952 1433 /usr/lib64/libelf-0.176.so sshd 1196 root mem REG 253,0 19896 57503 /usr/lib64/libattr.so.1.1.0 sshd 1196 root mem REG 253,0 15688 57530 /usr/lib64/libkeyutils.so.1.5 sshd 1196 root mem REG 253,0 67104 113316 /usr/lib64/libkrb5support.so.0.1 sshd 1196 root mem REG 253,0 11392 1388 /usr/lib64/libfreebl3.so sshd 1196 root mem REG 253,0 251792 1378 /usr/lib64/libnspr4.so sshd 1196 root mem REG 253,0 20040 33477 /usr/lib64/libplc4.so sshd 1196 root mem REG 253,0 15744 33478 /usr/lib64/libplds4.so sshd 1196 root mem REG 253,0 198968 33480 /usr/lib64/libnssutil3.so
Example 28: How to Use Regular Expression to find all open files used by a process which ends with Specific keyword
Another very useful example of using regular expression with lsof command is to find all the processes which matches specific pattern at the end. In this example, we are trying to find all the processes which has shd
pattern at the end of the command name using lsof -c /shd$/
command.
[root@localhost ~]# lsof -c /shd$/ COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME sshd 1196 root cwd DIR 253,0 235 64 / sshd 1196 root rtd DIR 253,0 235 64 / sshd 1196 root txt REG 253,0 852856 234221 /usr/sbin/sshd sshd 1196 root mem REG 253,0 61560 219022 /usr/lib64/libnss_files-2.17.so sshd 1196 root mem REG 253,0 68192 57656 /usr/lib64/libbz2.so.1.0.6 sshd 1196 root mem REG 253,0 99952 1433 /usr/lib64/libelf-0.176.so sshd 1196 root mem REG 253,0 19896 57503 /usr/lib64/libattr.so.1.1.0 sshd 1196 root mem REG 253,0 15688 57530 /usr/lib64/libkeyutils.so.1.5 sshd 1196 root mem REG 253,0 67104 113316 /usr/lib64/libkrb5support.so.0.1 sshd 1196 root mem REG 253,0 11392 1388 /usr/lib64/libfreebl3.so sshd 1196 root mem REG 253,0 251792 1378 /usr/lib64/libnspr4.so sshd 1196 root mem REG 253,0 20040 33477 /usr/lib64/libplc4.so sshd 1196 root mem REG 253,0 15744 33478 /usr/lib64/libplds4.so sshd 1196 root mem REG 253,0 198968 33480 /usr/lib64/libnssutil3.so sshd 1196 root mem REG 253,0 1257728 17608 /usr/lib64/libnss3.so
Example 29: How to Kill all the open processes running with a Specific User
If you want to kill all the open files running with a specific user then you can use kill command with lsof command as shown below. In this example we are getting all the open files running with user postfix using lsof -t -u postfix
and feeding the output to kill command to kill all the processes.
[root@localhost ~]# kill -9 `lsof -t -u postfix`
Example 30: How to List Active SSH Connections using lsof command in Linux
If you want to List all the Active SSH Connections then you can simply filter out the ESTABLISHED keyword from lsof -i TCP
command output as shown below.
[root@localhost ~]# lsof -i TCP | grep ssh | grep ESTABLISHED sshd 7501 root 3u IPv4 42123 0t0 TCP server1.example.com:ssh->192.168.0.102:p2pq (ESTABLISHED)
Example 31: How to Check Total Number of TCP Connections using lsof command in Linux
If you want to count the total number of TCP connections then you can use awk tool with lsof command as shown below.
[root@localhost ~]# lsof -i | awk '{print $8}' | sort | uniq -c | grep 'TCP' 9 TCP
Example 32: How to Check Total Number of UDP Connections using lsof command in Linux
Similarly, if you want to count the total number of UDP Connections instead of TCP connections then you need to grep the UDP keyword from lsof command output as shown below.
[root@localhost ~]# lsof -i | awk '{print $8}' | sort | uniq -c | grep 'UDP' 8 UDP
Example 33: How to Check Total Number of UDP and TCP Connections using lsof command in Linux
If you want to check the total number of UDP and TCP Connections then you need to grep both TCP and UDP from the lsof command output as shown below.
[root@localhost ~]# lsof -i | awk '{print $8}' | sort | uniq -c | grep 'TCP\|UDP' 9 TCP 8 UDP
Example 34: How to Monitor TCP Network Connections using lsof command in Linux
There is a very useful option called repeat mode which can be used with lsof command to monitor TCP Network Connections in Linux. You can use -r
option to specify the number of seconds after which lsof command output will refresh. In this example, we are trying to monitor TCP Network Connections by refreshing lsof command output after every 3 seconds using lsof -r 3 -i TCP
command.
[root@localhost ~]# lsof -r 3 -i TCP COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rpcbind 756 rpc 8u IPv4 17071 0t0 TCP *:sunrpc (LISTEN) rpcbind 756 rpc 11u IPv6 17074 0t0 TCP *:sunrpc (LISTEN) sshd 1196 root 3u IPv4 20091 0t0 TCP *:ssh (LISTEN) sshd 1196 root 4u IPv6 20100 0t0 TCP *:ssh (LISTEN) vsftpd 1201 root 4u IPv6 19612 0t0 TCP *:ftp (LISTEN) dnsmasq 1445 nobody 6u IPv4 21398 0t0 TCP localhost:domain (LISTEN) master 1602 root 13u IPv4 21668 0t0 TCP localhost:smtp (LISTEN) master 1602 root 14u IPv6 21669 0t0 TCP localhost:smtp (LISTEN) sshd 7501 root 3u IPv4 42123 0t0 TCP server1.example.com:ssh->192.168.0.102:p2pq (ESTABLISHED) ======= COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rpcbind 756 rpc 8u IPv4 17071 0t0 TCP *:sunrpc (LISTEN) rpcbind 756 rpc 11u IPv6 17074 0t0 TCP *:sunrpc (LISTEN) sshd 1196 root 3u IPv4 20091 0t0 TCP *:ssh (LISTEN) sshd 1196 root 4u IPv6 20100 0t0 TCP *:ssh (LISTEN) vsftpd 1201 root 4u IPv6 19612 0t0 TCP *:ftp (LISTEN) dnsmasq 1445 nobody 6u IPv4 21398 0t0 TCP localhost:domain (LISTEN) master 1602 root 13u IPv4 21668 0t0 TCP localhost:smtp (LISTEN) master 1602 root 14u IPv6 21669 0t0 TCP localhost:smtp (LISTEN) sshd 7501 root 3u IPv4 42123 0t0 TCP server1.example.com:ssh->192.168.0.102:p2pq (ESTABLISHED) =======
-r : puts lsof in repeat mode. More on lsof command Man Page.
Example 35: How to inhibits the conversion of network numbers to host names using lsof command in Linux
You can also inhibits the conversion of network numbers to host names by using -n
option with lsof command in Linux as shown below.
[root@localhost ~]# lsof -i -n COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rpcbind 756 rpc 6u IPv4 17003 0t0 UDP *:sunrpc rpcbind 756 rpc 7u IPv4 17070 0t0 UDP *:922 rpcbind 756 rpc 8u IPv4 17071 0t0 TCP *:sunrpc (LISTEN) rpcbind 756 rpc 9u IPv6 17072 0t0 UDP *:sunrpc rpcbind 756 rpc 10u IPv6 17073 0t0 UDP *:922 rpcbind 756 rpc 11u IPv6 17074 0t0 TCP *:sunrpc (LISTEN) chronyd 768 chrony 5u IPv4 17195 0t0 UDP 127.0.0.1:323 chronyd 768 chrony 6u IPv6 17196 0t0 UDP [::1]:323 sshd 1196 root 3u IPv4 20091 0t0 TCP *:ssh (LISTEN) sshd 1196 root 4u IPv6 20100 0t0 TCP *:ssh (LISTEN) vsftpd 1201 root 4u IPv6 19612 0t0 TCP *:ftp (LISTEN) dnsmasq 1445 nobody 3u IPv4 21394 0t0 UDP *:bootps
-n : inhibits the conversion of network numbers to host names for network files. More on lsof command Man Page.
Example 36 : How to inhibits the conversion of port numbers to port names for network files
Like inhibiting the conversion of network numbers, you can also inhibits the conversion of port numbers to port names using -P
option with lsof command in Linux as shown below.
[root@localhost ~]# lsof -i -Tqs -P COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rpcbind 756 rpc 6u IPv4 17003 0t0 UDP *:111 (QR=0 QS=0) rpcbind 756 rpc 7u IPv4 17070 0t0 UDP *:922 (QR=0 QS=0) rpcbind 756 rpc 8u IPv4 17071 0t0 TCP *:111 (LISTEN QR=0 QS=0) rpcbind 756 rpc 9u IPv6 17072 0t0 UDP *:111 (QR=0 QS=0) rpcbind 756 rpc 10u IPv6 17073 0t0 UDP *:922 (QR=0 QS=0) rpcbind 756 rpc 11u IPv6 17074 0t0 TCP *:111 (LISTEN QR=0 QS=0) chronyd 768 chrony 5u IPv4 17195 0t0 UDP localhost:323 (QR=0 QS=0) chronyd 768 chrony 6u IPv6 17196 0t0 UDP localhost:323 (QR=0 QS=0) sshd 1196 root 3u IPv4 20091 0t0 TCP *:22 (LISTEN QR=0 QS=0) sshd 1196 root 4u IPv6 20100 0t0 TCP *:22 (LISTEN QR=0 QS=0) vsftpd 1201 root 4u IPv6 19612 0t0 TCP *:21 (LISTEN QR=0 QS=0) dnsmasq 1445 nobody 3u IPv4 21394 0t0 UDP *:67 (QR=0 QS=0)
-P : inhibits the conversion of port numbers to port names for network files. More on lsof command Man Page.
Example 37: How to find all the deleted files still holding the disk space
If you want to find all the deleted files which is still occupying the disk space then you can grep for deleted keyword from lsof command output as shown below. In this example, we are looking for deleted files related to directory /run
which is still occupying disk space using lsof /run | grep -i deleted
command.
[root@localhost ~]# lsof /run | grep -i deleted
Example 38: How to List all the Files opened by Users except root user
If you want to List all the files opened by all the users except root user then you need to use -u ^root
with lsof command in Linux as shown below.
[root@localhost ~]# lsof -u ^root COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME dbus-daem 754 dbus cwd DIR 253,0 235 64 / dbus-daem 754 dbus rtd DIR 253,0 235 64 / dbus-daem 754 dbus txt REG 253,0 223320 100840163 /usr/bin/dbus-daemon dbus-daem 754 dbus mem REG 253,0 61560 219022 /usr/lib64/libnss_files-2.17.so dbus-daem 754 dbus mem REG 253,0 68192 57656 /usr/lib64/libbz2.so.1.0.6 dbus-daem 754 dbus mem REG 253,0 90248 40171 /usr/lib64/libz.so.1.2.7 dbus-daem 754 dbus mem REG 253,0 99952 1433 /usr/lib64/libelf-0.176.so dbus-daem 754 dbus mem REG 253,0 19896 57503 /usr/lib64/libattr.so.1.1.0 dbus-daem 754 dbus mem REG 253,0 402384 57519 /usr/lib64/libpcre.so.1.2.0 dbus-daem 754 dbus mem REG 253,0 88776 1376 /usr/lib64/libgcc_s-4.8.5-20150702.so.1 dbus-daem 754 dbus mem REG 253,0 19248 147331 /usr/lib64/libdl-2.17.so dbus-daem 754 dbus mem REG 253,0 338672 187671 /usr/lib64/libdw-0.176.so dbus-daem 754 dbus mem REG 253,0 109976 1397 /usr/lib64/libresolv-2.17.so dbus-daem 754 dbus mem REG 253,0 19384 73064 /usr/lib64/libgpg-error.so.0.10.0 dbus-daem 754 dbus mem REG 253,0 535064 73080 /usr/lib64/libgcrypt.so.11.8.2
Example 39: How to check Some Specific Command Open files running with Specific User
In the above examples, you must have seen how we checked all open files running with specific user and also how to find all the open files related to specific command. Now we will see how to check a specific process running with a specific user. In this example, we are trying to check rpcbind process running with user rpc using lsof -a -u rpc -c rpcbind
command.
[root@localhost ~]# lsof -a -u rpc -c rpcbind COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rpcbind 756 rpc cwd DIR 253,0 235 64 / rpcbind 756 rpc rtd DIR 253,0 235 64 / rpcbind 756 rpc txt REG 253,0 61512 316334 /usr/sbin/rpcbind rpcbind 756 rpc mem REG 253,0 61560 219022 /usr/lib64/libnss_files-2.17.so rpcbind 756 rpc mem REG 253,0 68192 57656 /usr/lib64/libbz2.so.1.0.6 rpcbind 756 rpc mem REG 253,0 90248 40171 /usr/lib64/libz.so.1.2.7 rpcbind 756 rpc mem REG 253,0 99952 1433 /usr/lib64/libelf-0.176.so rpcbind 756 rpc mem REG 253,0 402384 57519 /usr/lib64/libpcre.so.1.2.0 rpcbind 756 rpc mem REG 253,0 19896 57503 /usr/lib64/libattr.so.1.1.0 rpcbind 756 rpc mem REG 253,0 15688 57530 /usr/lib64/libkeyutils.so.1.5 rpcbind 756 rpc mem REG 253,0 67104 113316 /usr/lib64/libkrb5support.so.0.1 rpcbind 756 rpc mem REG 253,0 88776 1376 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
Example 40: How to Check all the Options of lsof command
If you want to check all the other options that can be used with lsof command then you need to use lsof -h
command as shown below.
[root@localhost ~]# lsof -h lsof 4.87 latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/ latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man usage: [-?abhKlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-f[gG]] [+|-e s] [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s] [+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names] Defaults in parentheses; comma-separated set (s) items; dash-separated ranges. -?|-h list help -a AND selections (OR) -b avoid kernel blocks -c c cmd c ^c /c/[bix] +c w COMMAND width (9) +d s dir s files -d s select by FD set +D D dir D tree *SLOW?* +|-e s exempt s *RISKY* -i select IPv[46] files -K list tasKs (threads) -l list UID numbers -n no host names -N select NFS files -o list file offset -O no overhead *RISKY* -P no port names -R list paRent PID -s list file size -t terse listing -T disable TCP/TPI info -U select Unix socket -v list version info -V verbose search +|-w Warnings (+) -X skip TCP&UDP* files -Z Z context [Z]
Example 41: How to check Man Page of lsof command in Linux/Unix
If you want to check the man page of lsof command then you need to use man lsof
command as shown below.
[root@localhost ~]# man lsof LSOF(8) System Manager's Manual LSOF(8) NAME lsof - list open files SYNOPSIS lsof [ -?abChlnNOPRtUvVX ] [ -A A ] [ -c c ] [ +c c ] [ +|-d d ] [ +|-D D ] [ +|-e s ] [ +|-f [cfgGn] ] [ -F [f] ] [ -g [s] ] [ -i [i] ] [ -k k ] [ -K k ] [ +|-L [l] ] [ +|-m m ] [ +|-M ] [ -o [o] ] [ -p s ] [ +|-r [t[m<fmt>]] ] [ -s [p:s] ] [ -S [t] ] [ -T [t] ] [ -u s ] [ +|-w ] [ -x [fl] ] [ -z [z] ] [ -Z [Z] ] [ -- ] [names] DESCRIPTION Lsof revision 4.87 lists on its standard output file information about files opened by processes for the following UNIX dialects: Apple Darwin 9 and Mac OS X 10.[567] FreeBSD 4.9 and 6.4 for x86-based systems FreeBSD 8.2, 9.0 and 10.0 for AMD64-based systems Linux 2.1.72 and above for x86-based systems Solaris 9, 10 and 11
Popular Recommendations:-
How to Install PHP on Ubuntu 18.04
How to Install Ruby on Ubuntu 18.04 with Easy Steps
How to Install Ruby on CentOS/RedHat 7 in 5 Easy Steps
33 Practical Examples of ulimit command in Linux/Unix for Professionals
Install Node.js in 6 Easy Steps on Ubuntu 18.04
How to Install NVM for Node.js on Ubuntu 18.04
How to Limit CPU Limit of a Process Using CPULimit in Linux (RHEL/CentOS 7/8)
How to Install Rust Programming Language in Linux Using 6 Best Steps