Commands

7 Examples of lsof command in Linux

This article teaches you how to list opened files by a user or a process by using the lsof command in Linux.

Abhishek Prakash
Abhishek Prakash

Table of Contents

I guess at some point of time you have wondered if there is a way to show opened files by a process or a user. The good thing is that the answer to that question is lsof command.

You probably already know that ls command is short for ‘list’. lsof stands for ‘List Open Files’. And that’s exactly what it does, listing open files by processes, users and process IDs.

Let me show you some of the most common usage of the lsof command.

lsof command examples

If you use lsof command without any options and arguments, it will list all opened files by all the processes in the system.

lsof

The output should be like this:

COMMAND     PID   TID             USER   FD      TYPE             DEVICE  SIZE/OFF       NODE NAME

systemd       1                   root  cwd       DIR              252,1      4096          2 /

systemd       1                   root  rtd       DIR              252,1      4096          2 /

systemd       1                   root  txt       REG              252,1   1595792      17384 /lib/systemd/systemd

systemd       1                   root  mem       REG              252,1   1700792       2077 /lib/x86_64-linux-gnu/libm-2.27.so

The output is mostly self explanatory but you may still wonder about FD and TYPE columns.

FD means file descriptor. Some of the common values for FD are:

  • cwd – Current Working Directory
  • txt – Text files
  • mem – Memory mapped file
  • mmap – Memory mapped device
  • NUMBER – The actual file descriptor. It also has information about which file permission it is opened in.

TYPE is a no-brainer. It specifies the file type. Here are some examples:

  • REG – Regular file
  • DIR – Directory
  • CHR – Character special file
  • FIFO – First In First Out

Trust me. You wouldn’t want to run the lsof command without any arguments.

Why do I say this? Because it will start flooding your screen with thousands of results.

If I run the lsof command on an Ubuntu server and count the number of lines with wc command, here’s the result.

lsof | wc -l
11432

Yes! That’s right. There are over eleven thousand files opened by various processes in the system.

Don’t worry. lsof command is very helpful in debugging because you can see what processes open what files and which file is opened by which process.

If you are not logged in as root, the output of lsof command would be very limited. It is a good idea to use sudo if you are logged in as a non-root user.

1. List all the process that have opened a file

This is simple. You just need to specify the path to the file.

lsof <path_to_file>

2. List all the files opened by user

This comes handy in a multi-user environment. You can list all the files opened by a certain user in the following manner:

lsof -u <user_name>

You can also specify more than one user like this:

lsof -u user1, user2

or like this:

lsof -u user1 -u user2

3. List all opened files in a directory

If you are wondering which of the files have been opened in a certain directory, you can use lsof command with +D option.

lsof +D <path_to_directory>

The search is recursive. So it will list all the opened files in the mentioned directory and all of its sub-directories.

4. List all opened files by a process

You need to know the process id (pid) in this case. If you know the process id, you can use the -p option of the lsof command to find the files opened by it.

lsof -p <pid>

You can specify multiple process ids as well.

lsof -p pid1, pid2, pid3

5. List all files opened by a command

This is specially helpful in debugging. Suppose you want to see what files are used by http daemon, you just need to specify the command name (httpd in our example).

lsof -c <command>

6. Find opened by a user and a command or a process

You can combine options like user and command and a process using the –a option. Think of it as the AND operator. This gives you an additional filter while trying to narrow down on your search.

lsof -a -u user_name -c command_name

7. List network connections and ports with lsof command

You can also use lsof command to find open ports or for finding which process is using a port.

You can file all kind of open ports with the -i option:

lsof -i

The output may look like this:

lsof -i
 COMMAND     PID            USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
 sshd        920            root    3u  IPv4    20507      0t0  TCP *:ssh (LISTEN)
 sshd        920            root    4u  IPv6    20535      0t0  TCP *:ssh (LISTEN)
 docker-pr  1163            root    4u  IPv6    21687      0t0  TCP *:https (LISTEN)
 docker-pr  1175            root    4u  IPv6    21717      0t0  TCP *:http (LISTEN)
 sshd       7528            root    3u  IPv4 39506588      0t0  TCP testing:ssh->212.91.91.19:58904 (ESTABLISHED)
 systemd-r 10993 systemd-resolve   12u  IPv4 20901990      0t0  UDP localhost:domain 
 systemd-r 10993 systemd-resolve   13u  IPv4 20901991      0t0  TCP localhost:domain (LISTEN)

You can also specify the network connection type. For example, to list all the opened TCP ports, you can use:

lsof -i tcp

To find which process is using a specific port, you can provide the port number:

lsof -i :<port_number>

Bonus Tip: Using negation operator with lsof

You can use the negation operator to exclude a user or process while using lsof command.

For example, you want to list all the files opened by a user other than root, use it in this manner:

lsof -u ^root

lsof command becomes even more useful when you use it with the grep command.

I hope you learned something new with this article. If you have questions or suggestions, please leave a comment below.



Join the conversation.