The lsof (“list open files”) command in Linux is a powerful tool. In Linux and Unix, everything behind the scenes is just a file. This includes IP sockets, pipes, Unix sockets, directories and devices; even inodes are just files. This means that lsof can tell you a lot about what is going on on your system.

lsof will display all open files on your system. With a few flags we can cut down on the big mess to filter only the important information. Here goes nothing!

1. Show All Opened Files From All Running Processes

This is the basic execution of the lsof command:

$ lsof
gvfsd-bur 22768   erik    3u     unix 0xffff880001e99800       0t0   12060799 socket
gvfsd-bur 22768   erik    4r     FIFO                0,8       0t0   12060810 pipe
gvfsd-bur 22768   erik    5w     FIFO                0,8       0t0   12060810 pipe
gvfsd-bur 22768   erik    6u     unix 0xffff880077a81e00       0t0   12060825 socket
gvfsd-bur 22768   erik    8u     unix 0xffff880077a80600       0t0   12060824 socket
bash      23215   erik  rtd       DIR               8,21      4096          2 /
bash      23215   erik  txt       REG               8,21    934336    2588717 /bin/bash
bash      23215   erik  mem       REG               8,21     51712      16634 /lib/libnss_files-2.11.1.so
bash      23215   erik  mem       REG               8,21     43552      16636 /lib/libnss_nis-2.11.1.so
bash      23215   erik  mem       REG               8,21     97256      16631 /lib/libnsl-2.11.1.so
bash      23215   erik  mem       REG               8,21     35712      16632 /lib/libnss_compat-2.11.1.so
[Note: This is a small excerpt from the total output]


2. Show All Opened Internet Sockets

Using the -i flag, lsof will list the Internet sockets that are currently open.

$ lsof -i
COMMAND   PID     USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
skype    2764 erik    9u  IPv4 10563613      0t0  UDP localhost:56145 
skype    2764 erik   10u  IPv4 13152415      0t0  TCP *:26672 (LISTEN)
skype    2764 erik   11u  IPv4 13152416      0t0  UDP *:26672 
skype    2764 erik   26u  IPv4 13153406      0t0  TCP debian.local:49074->xxx.xxx.xxx:15705 (ESTABLISHED)
ssh      7854 erik    3u  IPv4 11275572      0t0  TCP debian.local:54057->xxxx:ssh (ESTABLISHED)
vmware  14558 erik   68u  IPv4 12855556      0t0  TCP debian.local:42536->a69-192-83-51.deploy.akamaitechnologies.com:https (CLOSE_WAIT)
quassel 17865 erik   16u  IPv4 13153672      0t0  TCP debian.local:38230->xxx:ircd (ESTABLISHED)
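
For an exposure review, the rows that matter most in this listing are the TCP listeners bound to every interface (shown by lsof as `*:port`). The filter below is an added example, not part of the original post; the function names and the sample rows are constructed for illustration.

```shell
# Constructed sample in the same column layout as the `lsof -i` output above.
sample_lsof_i() {
cat <<'EOF'
COMMAND   PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
skype    2764 erik   10u  IPv4 13152415      0t0  TCP *:26672 (LISTEN)
skype    2764 erik   11u  IPv4 13152416      0t0  UDP *:26672
sshd     1021 root    3u  IPv4    11012      0t0  TCP *:22 (LISTEN)
sshd     1021 root    4u  IPv6    11014      0t0  TCP *:22 (LISTEN)
cupsd    1310 root    7u  IPv4    12001      0t0  TCP 127.0.0.1:631 (LISTEN)
ssh      7854 erik    3u  IPv4 11275572      0t0  TCP 10.0.0.5:54057->10.0.0.9:22 (ESTABLISHED)
EOF
}

# Reads `lsof -i` output on stdin and prints "command pid user port" once per
# TCP listener whose local address is the wildcard, which lsof prints as "*".
# Loopback-only listeners, UDP sockets and established connections are skipped.
wildcard_listeners() {
  awk '
    NR == 1 && $1 == "COMMAND" { next }        # skip the header row
    $NF == "(LISTEN)" && $(NF-2) == "TCP" {
      addr = $(NF-1)                           # local address, e.g. *:26672
      port = addr
      sub(/^.*:/, "", port)                    # keep the text after the last colon
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (host == "*") {
        key = $1 " " $2 " " $3 " " port
        if (!(key in seen)) {                  # IPv4 and IPv6 rows collapse to one
          seen[key] = 1
          print key
        }
      }
    }'
}

# Live use (assumes lsof is installed; -P and -n keep ports and hosts numeric):
#   lsof -iTCP -sTCP:LISTEN -P -n | wildcard_listeners
```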


3. List All Unix Domain Files

The -U flag will display Unix domain sockets.

$ lsof -U
COMMAND     PID     USER   FD   TYPE             DEVICE SIZE/OFF     NODE NAME
skype      2764 erik    7u  unix 0xffff880077a80f00      0t0 10563585 socket
skype      2764 erik    8u  unix 0xffff8800a0d77300      0t0 10563595 socket
skype      2764 erik   12u  unix 0xffff880077a82a00      0t0 10564782 socket
vmware-tr  4325 erik    3u  unix 0xffff88000ca09e00      0t0  8263793 socket
gnome-key  4573 erik    8u  unix 0xffff880005814600      0t0    34601 /tmp/keyring-py3J4q/control
gnome-key  4573 erik    9u  unix 0xffff880005940600      0t0    34603 socket
gpg-agent  8205 erik    5u  unix 0xffff88005a71db00      0t0  7626186 /tmp/gpg-yfCguR/S.gpg-agent
dbus-laun  8208 erik    3u  unix 0xffff880005d90c00      0t0  7626188 socket
dbus-laun  8208 erik    5u  unix 0xffff880005d91800      0t0  7626202 socket
[Note: This is a small excerpt from the total output]


4. List Open Files Associated With Process ID

+p 1234 will display all open files associated with a specific process ID. The lsof man page documents this option as -p.

$ lsof +p 20428
COMMAND   PID     USER   FD   TYPE             DEVICE SIZE/OFF       NODE NAME
chrome  20428 erik  cwd    DIR               8,22    12288   11436033 /home/erik
chrome  20428 erik  rtd    DIR               8,21     4096          2 /
chrome  20428 erik  txt    REG               8,21 42049032    4424059 /opt/google/chrome/chrome
chrome  20428 erik  DEL    REG                0,4          1794015308 /SYSV00000000
chrome  20428 erik  DEL    REG                0,4          1793949771 /SYSV00000000
chrome  20428 erik  DEL    REG                0,4          1793785928 /SYSV00000000
chrome  20428 erik  DEL    REG                0,4          1793720391 /SYSV00000000
chrome  20428 erik  DEL    REG                0,4          1793589317 /SYSV00000000
chrome  20428 erik  DEL    REG                0,4          1793458243 /SYSV00000000
chrome  20428 erik  mem    REG               8,21   262448    4579377 /usr/lib/gtk-2.0/2.10.0/engines/libqtcurve.so
[Note: This is a small excerpt from the total output]


5. Show All Processes Opening Files In A Directory

The +D /dir/ flag tells lsof to find all processes working with files under /dir/.

$ lsof +D /tmp/
COMMAND     PID     USER   FD   TYPE             DEVICE  SIZE/OFF     NODE NAME
vmware-tr  4325 erik   82uW  REG               8,21        12  2842640 /tmp/vmware-erik/tray-:0.0.pid
gnome-key  4573 erik    8u  unix 0xffff880005814600       0t0    34601 /tmp/keyring-py3J4q/control
gpg-agent  8205 erik    5u  unix 0xffff88005a71db00       0t0  7626186 /tmp/gpg-yfCguR/S.gpg-agent
kdeinit4   8247 erik    7u  unix 0xffff8800a80b0c00       0t0  7626278 /tmp/ksocket-erik/kdeinit4__0
kdeinit4   8247 erik   10u  unix 0xffff8800a80b0900       0t0  7626459 /tmp/ksocket-erik/kdeinit4__0
klauncher  8248 erik    8u  unix 0xffff88005a71d800       0t0  7626295 /tmp/ksocket-erik/klauncherMT8248.slave-socket
ksmserver  8307 erik   10u  unix 0xffff8800a11ef300       0t0  7626487 /tmp/.ICE-unix/8307
konsole    8347 erik   12u   REG               8,21    918836  2826347 /tmp/kde-erik/konsoleZT8347.tmp
[Note: This is a small excerpt from the total output]


6. Show All Files Opened By Processes Starting With A Given Letter

To display all files opened by processes whose command name starts with a given letter, execute lsof with the -c flag followed by that letter; for example, -c b selects processes starting with b.

$ lsof -c b
COMMAND     PID     USER   FD      TYPE DEVICE SIZE/OFF     NODE NAME
bdi-defau    18     root  cwd   unknown                          /proc/18/cwd (readlink: Permission denied)
bash       1040     root NOFD                                    /proc/1040/fd (opendir: Permission denied)
bash       5115 erik  cwd       DIR   8,22    12288 11436033 /home/erik
[Note: This is a small excerpt from the total output]


7. Display Who Is Accessing A Device

To display who is accessing a device, directory, or binary, pass its path to lsof. In this case I am outlining who is accessing the shared memory region.

$ lsof /dev/shm
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
chrome  11698 erik  DEL    REG   0,16          13441748 /dev/shm/com.google.chrome.kDYqrU
chrome  11698 erik  DEL    REG   0,16          12708098 /dev/shm/com.google.chrome.XJBHfz
chrome  11698 erik  DEL    REG   0,16          13454087 /dev/shm/com.google.chrome.1z7tu1
chrome  11698 erik   39u   REG   0,16    85026 12708098 /dev/shm/com.google.chrome.XJBHfz (deleted)
chrome  11698 erik  109u   REG   0,16  1040420 13441748 /dev/shm/com.google.chrome.kDYqrU (deleted)
chrome  11698 erik  126u   REG   0,16    65536 13454087 /dev/shm/com.google.chrome.1z7tu1 (deleted)
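
Rows ending in `(deleted)` are files that have been unlinked but are still held open, so their contents stay on disk until the descriptor is closed. The summary below is an added example, not part of the original post; it assumes the column layout shown above, and the function names and the sample rows (adapted from the output above, plus constructed ones) are for illustration.

```shell
# Sample rows: the chrome rows follow the output above, the rest are constructed.
sample_lsof_shm() {
cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
chrome  11698 erik  DEL    REG   0,16          13441748 /dev/shm/com.google.chrome.kDYqrU
chrome  11698 erik   39u   REG   0,16    85026 12708098 /dev/shm/com.google.chrome.XJBHfz (deleted)
chrome  11698 erik  109u   REG   0,16  1040420 13441748 /dev/shm/com.google.chrome.kDYqrU (deleted)
editor  20311 erik    4w   REG   8,21     4096  2826001 /tmp/notes.txt
logger  20500 root    3w   REG   8,21   524288  2826777 /var/log/app.log (deleted)
EOF
}

# Reads default lsof output on stdin and prints "pid command count bytes" for
# each process that holds unlinked regular files open, largest total first.
# DEL rows are deleted memory mappings with an empty SIZE/OFF column, so they
# are not counted; only numbered file descriptors are.
deleted_open_summary() {
  awk '
    $NF == "(deleted)" && $5 == "REG" && $4 ~ /^[0-9]+/ {
      id = $2 " " $1
      count[id]++
      bytes[id] += $7              # SIZE/OFF holds the size for regular files
    }
    END { for (id in count) print id, count[id], bytes[id] }
  ' | sort -k4,4nr
}

# Live use with the command from this section (assumes lsof is installed):
#   lsof /dev/shm | deleted_open_summary
```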

2 Responses to 7 Examples To Master Linux lsof Command

  1. Tarun says:

    Can you give me a way through which I can call the lsof command in C and give a call to my C function through Java……I know how to give a call through Java but didn’t know the code that I have to write in the C function to execute the lsof command.

    • erik says:

      Hi Tarun, you can use the “popen” command to retrieve that data. I wrote an article about how to do that here: Shell Commands in C. So essentially you would call “lsof” and retrieve the data, perhaps even process it in C…either that or you can pass the output from “lsof” to your Java code. Are you using a JNI call to interface with C?

      The other option is to execute that system command right from Java. Check this out: Java System Command.
