I guess at some point you have wondered whether there is a way to show the files opened by a process or a user. The good news is that the lsof command answers that question.
You probably already know that the ls command is short for ‘list’. lsof stands for ‘List Open Files’, and that’s exactly what it does: it lists open files by process, user, and process ID.
Let me show you some of the most common usages of the lsof command.
lsof command examples
If you use the lsof command without any options or arguments, it lists all the files opened by all the processes on the system.
The output should be like this:
COMMAND  PID  TID  USER  FD   TYPE  DEVICE  SIZE/OFF  NODE   NAME
systemd  1         root  cwd  DIR   252,1   4096      2      /
systemd  1         root  rtd  DIR   252,1   4096      2      /
systemd  1         root  txt  REG   252,1   1595792   17384  /lib/systemd/systemd
systemd  1         root  mem  REG   252,1   1700792   2077   /lib/x86_64-linux-gnu/libm-2.27.so
The output is mostly self-explanatory but you may still wonder about FD and TYPE columns.
FD means file descriptor. Some of the common values for FD are:
- cwd – Current Working Directory
- txt – Text files
- mem – Memory mapped file
- mmap – Memory mapped device
- NUMBER – The actual file descriptor. It also carries information about the access mode in which the file is opened.
TYPE is a no-brainer. It specifies the file type. Here are some examples:
- REG – Regular file
- DIR – Directory
- CHR – Character special file
- FIFO – First In First Out
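An added example (not from the original article) that decodes the FD column described above and uses it to pick out regular files a process holds open for writing. The sample rows, the `appd` process and the function names `describe_fd` and `writable_files` are constructed for illustration, and the rows are assumed to carry no TID value.

```shell
#!/usr/bin/env bash
# SAMPLE is constructed for illustration; it is not captured output.
SAMPLE='COMMAND PID USER FD  TYPE DEVICE SIZE/OFF NODE NAME
appd    812 app  cwd DIR  252,1      4096    2 /
appd    812 app  txt REG  252,1    700000 9001 /usr/sbin/appd
appd    812 app  3r  REG  252,1      1358 1201 /etc/appd.conf
appd    812 app  7w  REG  252,1    482133 5120 /var/log/app.log
appd    812 app  8u  REG  252,1     20480 5121 /var/lib/app/state.db
appd    812 app  9uW REG  252,1        64 5122 /run/app.lock'

# describe_fd FD: print "fd=<n> mode=<...>" for a numeric descriptor,
# or "special=<name>" for values such as cwd, txt or mem.
describe_fd() {
  awk -v fd="$1" 'BEGIN {
    if (fd !~ /^[0-9]+/) { print "special=" fd; exit }
    n = fd; sub(/[^0-9].*$/, "", n)      # leading digits: descriptor number
    m = substr(fd, length(n) + 1, 1)     # next character: access mode
    # anything after the mode character (W in 9uW) is a lock indicator
    if (m == "r") mode = "read"
    else if (m == "w") mode = "write"
    else if (m == "u") mode = "read/write"
    else mode = "unknown"
    print "fd=" n " mode=" mode
  }'
}

# writable_files: read lsof output on stdin and print "PID FD NAME" for
# regular files opened with mode w or u.
writable_files() {
  awk 'NR > 1 && $5 == "REG" && $4 ~ /^[0-9]+[wu]/ { print $2, $4, $9 }'
}

describe_fd 9uW
printf '%s\n' "$SAMPLE" | writable_files
```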
Trust me. You wouldn’t want to run the lsof command without any arguments.
Why do I say this? Because it will start flooding your screen with thousands of results.
If I run the lsof command on an Ubuntu server and count the number of lines with wc command, here’s the result.
lsof | wc -l
11432
Yes! That’s right. There are over eleven thousand files opened by various processes in the system.
Don’t worry. lsof command is very helpful in debugging because you can see what processes open what files and which file is opened by which process.
If you are not logged in as root, the output of lsof command would be very limited. It is a good idea to use sudo if you are logged in as a non-root user.
1. List all the processes that have opened a certain file
This is simple. You just need to specify the path to the file.
2. List all the files opened by user
This comes in handy in a multi-user environment. You can list all the files opened by a certain user in the following manner:
lsof -u <user_name>
You can also specify more than one user like this:
lsof -u user1,user2
or like this:
lsof -u user1 -u user2
3. List all opened files in a directory
If you are wondering which of the files have been opened in a certain directory, you can use lsof command with +D option.
lsof +D <path_to_directory>
The search is recursive. So it will list all the opened files in the mentioned directory and all of its sub-directories.
4. List all opened files by a process
You need to know the process id (pid) in this case. If you know the process id, you can use the -p option of the lsof command to find the files opened by it.
lsof -p <pid>
You can specify multiple process ids as well.
lsof -p pid1,pid2,pid3
5. List all files opened by a command
This is especially helpful in debugging. Suppose you want to see what files are used by the HTTP daemon; you just need to specify the command name (httpd in our example).
lsof -c <command>
6. Find files opened by a user and a command or a process
You can combine options such as user, command and process using the -a option. Think of it as the AND operator. This gives you an additional filter when narrowing down your search.
lsof -a -u user_name -c command_name
7. List network connections and ports with lsof command
You can also use lsof command to find open ports or to find which process is using a port.
You can find all kinds of open ports with the -i option:
lsof -i
The output may look like this:
COMMAND    PID    USER             FD   TYPE  DEVICE    SIZE/OFF  NODE  NAME
sshd       920    root             3u   IPv4  20507     0t0       TCP   *:ssh (LISTEN)
sshd       920    root             4u   IPv6  20535     0t0       TCP   *:ssh (LISTEN)
docker-pr  1163   root             4u   IPv6  21687     0t0       TCP   *:https (LISTEN)
docker-pr  1175   root             4u   IPv6  21717     0t0       TCP   *:http (LISTEN)
sshd       7528   root             3u   IPv4  39506588  0t0       TCP   testing:ssh->18.104.22.168:58904 (ESTABLISHED)
systemd-r  10993  systemd-resolve  12u  IPv4  20901990  0t0       UDP   localhost:domain
systemd-r  10993  systemd-resolve  13u  IPv4  20901991  0t0       TCP   localhost:domain (LISTEN)
You can also specify the network connection type. For example, to list all the opened TCP ports, you can use:
lsof -i tcp
To find which process is using a specific port, you can provide the port number:
lsof -i :<port_number>
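An added example (not from the original article) that turns `lsof -i` output into a short inventory of listening TCP sockets and marks which ones are bound to every interface. The function name `listeners` and the scope labels are assumptions made here; SAMPLE reuses the rows from the output shown above.

```shell
#!/usr/bin/env bash
# SAMPLE repeats the lsof -i rows shown in the article, embedded so the
# example runs without lsof installed.
SAMPLE='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 920 root 3u IPv4 20507 0t0 TCP *:ssh (LISTEN)
sshd 920 root 4u IPv6 20535 0t0 TCP *:ssh (LISTEN)
docker-pr 1163 root 4u IPv6 21687 0t0 TCP *:https (LISTEN)
docker-pr 1175 root 4u IPv6 21717 0t0 TCP *:http (LISTEN)
sshd 7528 root 3u IPv4 39506588 0t0 TCP testing:ssh->18.104.22.168:58904 (ESTABLISHED)
systemd-r 10993 systemd-resolve 12u IPv4 20901990 0t0 UDP localhost:domain
systemd-r 10993 systemd-resolve 13u IPv4 20901991 0t0 TCP localhost:domain (LISTEN)'

# listeners: read lsof -i output on stdin and print one line per unique
# listener as "SCOPE COMMAND PID USER PORT". SCOPE is all-interfaces for a
# "*" bind address, local-only for loopback, otherwise specific.
listeners() {
  awk 'NR > 1 && $8 == "TCP" && $NF == "(LISTEN)" {
    addr = $9
    port = addr; sub(/^.*:/, "", port)      # text after the last colon
    host = addr; sub(/:[^:]*$/, "", host)   # text before the last colon
    if (host == "*") scope = "all-interfaces"
    else if (host == "localhost" || host == "127.0.0.1" || host == "[::1]") scope = "local-only"
    else scope = "specific"
    key = scope " " $1 " " $2 " " $3 " " port
    # the IPv4 and IPv6 rows of one listener collapse into a single line
    if (!(key in seen)) { seen[key] = 1; print key }
  }'
}

printf '%s\n' "$SAMPLE" | listeners
```

On a live host, pipe `sudo lsof -i -P -n` into `listeners` to get numeric ports and addresses instead of service and host names.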
Bonus Tip: Using the negation operator with lsof
You can use the negation operator to exclude a user or process while using lsof command.
For example, if you want to list all the files opened by a user other than root, use it in this manner:
lsof -u ^root
lsof command becomes even more useful when you use it with the grep command.
I hope you learned something new from this article. If you have questions or suggestions, please leave a comment below.