Introduction
This article provides various examples of how to utilize the lsof command.
Procedure
You can list processes that opened a specific file by typing the following:
[cptech@server ~]cPs# lsof /var/log/messages
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rsyslogd 1085 root 1w REG 252,1 3094324 12626 /var/log/messages
lfd 13386 root 6r REG 252,1 3094324 12626 /var/log/messages
List open files associated with a process that contains a certain string
You can list open files that are associated with a process that contains a certain string by using the "-c" option:
[cptech@server ~]cPs# lsof -c rsyslog
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rsyslogd 1085 root cwd DIR 252,1 4096 2 /
rsyslogd 1085 root rtd DIR 252,1 4096 2 /
rsyslogd 1085 root txt REG 252,1 391360 7828 /sbin/rsyslogd
rsyslogd 1085 root mem REG 252,1 27232 7807 /lib64/rsyslog/imklog.so
rsyslogd 1085 root mem REG 252,1 339960 7813 /lib64/rsyslog/imuxsock.so
rsyslogd 1085 root DEL REG 252,1 134151 /lib64/libresolv-2.12.so
rsyslogd 1085 root DEL REG 252,1 134139 /lib64/libnss_dns-2.12.so
rsyslogd 1085 root DEL REG 252,1 134141 /lib64/libnss_files-2.12.so
rsyslogd 1085 root mem REG 252,1 26984 7814 /lib64/rsyslog/lmnet.so
List all open files associated with a process ID
You can list all open files associated with a process ID by typing the following:
lsof -p $process_id
For example:
[cptech@server ~]cPs# lsof -p 1788
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
clamd 1788 root cwd DIR 252,1 4096 2 /
clamd 1788 root rtd DIR 252,1 4096 2 /
clamd 1788 root txt REG 252,1 166870 265956 /usr/local/cpanel/3rdparty/bin/clamd
clamd 1788 root mem REG 252,1 178346 538021 /usr/local/cpanel/3rdparty/lib64/libclamunrar.so.6.1.25
clamd 1788 root mem REG 252,1 29888 538026 /usr/local/cpanel/3rdparty/lib64/libclamunrar_iface.so.6.1.25
clamd 1788 root mem REG 252,1 122040 134669 /lib64/libselinux.so.1
List network activity
You can view network activity with the "-i" option:
[cptech@server ~]cPs# lsof -i |grep exim
exim 1796 mailnull 3u IPv6 8715992 0t0 TCP *:smtp (LISTEN)
exim 1796 mailnull 4u IPv4 8715993 0t0 TCP *:smtp (LISTEN)
exim 1796 mailnull 5u IPv6 8715994 0t0 TCP *:urd (LISTEN)
exim 1796 mailnull 6u IPv4 8715995 0t0 TCP *:urd (LISTEN)
exim 1796 mailnull 7u IPv6 8715996 0t0 TCP *:submission (LISTEN)
exim 1796 mailnull 8u IPv4 8715997 0t0 TCP *:submission (LISTEN)
Listing files based on their IPv4 address
You can restrict the listing to IPv4 network files by adding "4" to the "-i" option:
[cptech@server ~]# lsof -i 4 |egrep 'whostm|sshd'
sshd 11375 root 3r IPv4 56276133 0t0 TCP pluto.domain.tld:ssh->198.51.100.2:60135 (ESTABLISHED)
whostmgrd 11790 root 25u IPv4 56427280 0t0 TCP pluto.domain.tld:eli->198.51.100.2:60271 (ESTABLISHED)
[cptech@server ~]#
List processes that are listening on a certain port
You can list processes that are listening on a certain port by typing the following:
[cptech@server ~]cPs# lsof -i :26
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
exim 30890 mailnull 9u IPv6 9260569 0t0 TCP *:26 (LISTEN)
exim 30890 mailnull 10u IPv4 9260570 0t0 TCP *:26 (LISTEN)
List files that a particular user has open
You can type the following to see what a user has open:
[cptech@server ~]cPs# lsof -u user_name
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
php 1460 user_name cwd DIR 252,2 0 27263646 /home/user_name/public_html/wp-content/themes
php 1460 user_name rtd DIR 252,2 4096 2 /
php 1460 user_name txt REG 252,2 31221407 30677274 /usr/bin/php
php 1460 user_name mem REG 252,2 157032 7340079 /lib64/ld-2.12.so
php 1460 user_name mem REG 252,2 1926760 7340671 /lib64/libc-2.12.so
php 1460 user_name mem REG 252,2 145896 7340678 /lib64/libpthread-2.12.so
php 1460 user_name mem REG 252,2 22536 7340673 /lib64/libdl-2.12.so
php 1460 user_name mem REG 252,2 47112 7340683 /lib64/librt-2.12.so
php 1460 user_name mem REG 252,2 599392 7340688 /lib64/libm-2.12.so
List opened files under a directory
Use the "+D" option to list the processes that have opened files under a particular directory. The "+D" option will recursively search the subdirectories as well. If you don’t want to initiate a recursive check, then you may use the "+d" option.
[cptech@server ~]cPs# lsof +D /var/log/
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rsyslogd 488 syslog 1w REG 8,1 1151 268940 /var/log/syslog
rsyslogd 488 syslog 2w REG 8,1 2405 269616 /var/log/auth.log