There are a number of processes running in the system all the time, accessing different files of the system. These files could be disk files, scripts, network sockets, devices, named pipes, and others. Using “lsof”, it’s possible to perform a lot of things, like debugging. It’s also quite useful for system admins to figure out what files are being accessed by what processes. One of the most useful scenarios I’ve found is when you’re about to unmount a filesystem but it’s still being accessed.
Without further ado, let’s get started with “lsof”! I’m assuming that your current UNIX/Linux system already has “lsof” installed.
This reports the full path of the command, in this case, “lsof”.
This will report in-depth version information of “lsof”, including the build date of the binary, compiler version, compiler flags and others.
Basic “lsof” usage
Run “lsof” by itself.
This reports a BIG list of all the files that are being accessed by the system at the moment of running the command.
While all the fields are self-explanatory, most people get confused about the “FD” and “TYPE” columns and their values. Let’s check them out.
FD: Abbreviation of “File Descriptor”. It comes up with the following values.
- cwd: Current working directory
- rtd: Root directory
- txt: Program text (data, code, and others)
- mem: Memory-mapped file
- err: FD information error
- mmap: Memory-mapped device
- ltx: Shared library text (data and code)
- m86: DOS Merge mapped file
There are also other values you’ll notice in the column, like “1u”: a file descriptor number followed by a u, r, w, etc. value. What do those mean?
- r: Read access
- w: Write access
- u: Read and write access
- - (hyphen): Mode is unknown and there is a lock character
- (space): Mode is unknown and there’s no lock character
TYPE: Describes the file type and its identification. The values are as follows.
- DIR: Directory
- CHR: Character-special file
- REG: Regular file
- FIFO: First in, first out
User-specific opened files
Linux is a brilliant multi-user platform. Multiple users can access the system at the same time and perform operations that they have permission for.
To check out the files that are being accessed by a certain user, run the following command.
However, to check the files of users with higher rank, “lsof” will need “superuser” privilege.
How about checking out all the commands and files a certain user is accessing? Run the following one.
Again, for users with higher rank, “lsof” will need the “superuser” privilege.
Port-specific running processes
For finding out all the processes that are currently using a certain port, call “lsof” with the “-i” flag followed by the protocol and port information.
For example, to check out all the programs currently accessing port 80 over the TCP/IP protocol, run the following command.
This method can also be used to show all the processes that are using ports within a certain range, for example, 1 to 1000. The command structure is similar to before with a little magic at the port number part.
Here are 2 examples showing the processes that are currently using the IPv4 and IPv6 protocols.
Listing network connections
The following command will report all the network connections from the current system.
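The port and connection listings above are most useful when reduced to "which process listens on which port, and how widely". The following is an added example, not part of the original article: it parses the default column output of `lsof -nP -iTCP` (`-n` and `-P` keep addresses and ports numeric) and reports each listening socket once. The sample lines, PIDs and the function names are constructed for illustration.

```shell
# Constructed sample of `lsof -nP -iTCP` output (not a real capture).
sample_lsof_tcp() {
cat <<'EOF'
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812     root    3u  IPv4  21034      0t0  TCP *:22 (LISTEN)
sshd      812     root    4u  IPv6  21036      0t0  TCP *:22 (LISTEN)
nginx    1044     root    6u  IPv4  23110      0t0  TCP *:80 (LISTEN)
postgres  977 postgres    5u  IPv4  22871      0t0  TCP 127.0.0.1:5432 (LISTEN)
sshd     4410    alice    4u  IPv4  51873      0t0  TCP 10.0.0.5:22->10.0.0.9:51234 (ESTABLISHED)
EOF
}

# stdin: lsof -nP -iTCP output.
# Prints "PORT SCOPE COMMAND PID USER" once per listening socket.
listening_sockets() {
  awk '$NF == "(LISTEN)" {
      name = $(NF - 1)                      # e.g. *:22 or [::1]:5432
      port = name; sub(/^.*:/, "", port)    # keep the text after the last colon
      addr = substr(name, 1, length(name) - length(port) - 1)
      if (addr == "*") scope = "all-interfaces"
      else if (addr ~ /^127\./ || addr == "[::1]") scope = "loopback"
      else scope = "single-address"
      key = port " " scope " " $1 " " $2 " " $3
      if (!(key in seen)) { seen[key] = 1; print key }   # IPv4/IPv6 twins collapse
  }'
}

sample_lsof_tcp | listening_sockets
```

Fields are taken relative to the end of the line because the SIZE/OFF column can be empty, which shifts whitespace-based column numbers.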
Excluding with ^
Yes, we can exclude a specific user, port, FD and others using the character “^”. All you have to do is use it with caution so that you don’t mess up the entire output.
In this example, let’s exclude all the processes from the user “root”.
There are other ways of using this excluding mechanism with “lsof”, for example, with flags like “-c”, “-d” etc. Not all flags support this mechanism. That’s why I recommend testing the exclusion with a given flag before using it in any scripts.
PID is an important property of any running process on the system. It allows finer pinpointing of a certain process. The process name isn’t quite helpful in lots of situations, as the same binary can create copies of itself and perform different tasks in parallel.
If you don’t know how to get the PID of a process, just use “ps” to list all the running processes and filter the output using “grep” with the process name and/or commands.
Now, perform the filtering using “grep”.
Now, check out what files that PID is accessing.
Listing open files for a specific device
The functionality of “lsof” isn’t limited to these functions. You can also filter the result of “lsof” on a per-device basis. For this purpose, the command will look something like this.
This command is super useful to find out all the running processes with their owner info accessing a particular filesystem. If you’re having trouble unmounting a filesystem, this is the best way to go.
List opened files under a directory
Similar to the previous example, just pass the directory path to “lsof” to find out if any process is accessing it.
Note: “lsof” will check the directory recursively, so it can take time.
Bonus: terminate all user activity
Be extremely cautious with this part as it can simply mess up everything a user is doing. The following command will kill all the running processes of a user.
The features of “lsof” don’t just stop here. The ones mentioned here are the ones that we will need the most on a day-to-day basis. There are plenty of other functionalities of “lsof” that can come in handy (in specific cases, of course).
For all the available features and their usage, check out the man and info pages of “lsof”.