lsof command stands for LiSt Open Files and shows open files and which process uses them. Since Linux sees every object as a file, such as devices, directories, etc., unidentified open files prevent users from modifying them.
Additionally, the sheer number of files makes it difficult to find malicious processes. The
lsof command helps identify these processes so you can terminate them.
This article will explain how to use the lsof command in Linux with examples.
- Access to the terminal.
- Sudo group privileges.
- Root privileges for some commands.
lsof Command Syntax
lsof command syntax is:
Note: For most commands, run
sudo to avoid "permission denied" errors.
lsof Command Options
lsof command has many of options. The table below includes arguments that are used most often:
|Lists all open files.|
|Suppresses kernel blocks.|
|Shows open files in a particular file system.|
|Displays files associated with the terminal.|
|Prints all files opened by a user.|
|Prints all files opened by everyone except a specific user.|
|Lists all files accessed by a particular process.|
|Shows all open files associated with a specific process ID.|
|Shows files opened by all other PIDs.|
|Lists parent process IDs.|
|Prints all open files in a directory.|
|Displays all files accessed by network connections.|
|Filters files based on their IP.|
|Filters open files based on the connection type (TCP or UDP).|
|Finds processes running on a specific port.|
|Finds processes running on specific port ranges.|
|-t ||Lists IDs of processes that have accessed a particular file.|
|Kills all user processes.|
|Shows all memory-mapped files.|
|Prints locked deleted files.|
|Opens the man page.|
lsof Command Examples
lsof incorporates different arguments allowing users to manage system and network administration activities. Outlined below are the most common
lsof use cases.
List All Files
When run without any options,
lsof lists all files opened by any process:
lsof command outputs a lot of details. Therefore, always pipe
less to display the output one page at a time.
sudo lsof | less
To navigate to the bottom of the list, hit Enter or down arrow. Exit the list with Q.
lsof output consists of different columns. However, not all columns apply to every type of file. The header looks like this:
The default columns in the
lsof output are:
- COMMAND - Refers to the command associated with the process that opened the file.
- PID - The process identification number of the process running the file.
- TID - Represents a task identification number for the respective process. It is blank if a process, not a task, has opened the file.
- TASKCMD - Refers to the command name in the first column. However, TASKCMD can differ when a task changes its command name.
- USER - Names the user executing the process. The column contains the User ID or name.
- FD - Is the file descriptor the process uses to associate with the file.
- TYPE - Shows the type of file and its identification number.
- DEVICE - Prints device numbers related to the file.
- SIZE/OFF - Represents the value or the file taken during the runtime (size or offset).
- NODE - The local file's node number or inode number of the directory/parent directory.
- NAME - Shows the path or link to the file.
Conceal Kernel Blocks
lsof output also includes files that are opened by the kernel. To suppress kernel blocks, run
lsof with the
sudo lsof -b
Display Files of a Specific Filesystem
lsof command to show open files in a particular file system:
sudo lsof / [file system] /
For example, to see all open files in the
sys directory, run:
sudo lsof / sys/
Print Terminal Files
List all open files connected to the terminal by targeting the
dev directory with
Show All Files Accessed by a User
lsof with a
-u flag to display files opened by a specific user:
sudo lsof -u [username]
lsof -u saraz
The command lists files opened by saraz.
To print all files opened by everyone except a specific user, run:
sudo lsof -u ^[username]
lsof -u ^saraz
The output shows files controlled by users other than saraz.
Display Files Used by a Process
-c flag opens all files used by a process:
sudo lsof -c [process]
For example, to list files opened by the
wpa_suppl process, run:
sudo lsof -c wpa_suppl
Another option is to use only a part of the program name:
sudo lsof -c wpa
lsof returns all programs starting with the term
wpa, which includes wpa_suppl.
-c option gives the same output as piping
lsof with grep:
sudo lsof | grep wpa_suppl
Print Files Opened by a Specific PID
-p option to filter specific files by the Process ID number (PID). For example, the output below shows all files with PID 635.
sudo lsof -p 635
On the other hand, add a caret
^ symbol to print files opened by all other processes:
sudo lsof -p ^635
lsof with the
-R flag adds the Parent Process Identification Number (PPID) to the output.
To get PPID info for a specific PID, execute:
sudo lsof -p [PID] -R
For example, to get the PPID for the 635 PID, type:
sudo lsof -p 635 -R
The output shows the PPID column added to the header.
Show Files Under a Directory
To see all files that have been opened under a directory, use the following command:
sudo lsof +D [directory path]
This option also recurses the sub directories. To avoid recursing, use the
Show Files Accessed by Network Connections
-i flag with
lsof to check which files are opened by a network connection. Execute this command:
sudo lsof -i
The example above prints files open by a network connection, regardless of the connection type.
-i flag adds a lot of versatility to
lsof, allowing users to filter files based on different criteria. Use
lsof -i [options] to:
- Filter files based on their IP with:
sudo lsof -i [IP version number]
For example, run this command to display only IPv4 files:
sudo lsof -i 4
On the contrary, print only IPv6 files with:
sudo lsof -i 6
- See only files that use tcp or udp connection by providing the protocol type:
sudo lsof -i [udp or tcp]
- Find processes running on a specific port. This option is useful to check which file is preventing another app from binding to a specific port. Execute the command with the port number or service name from the name column:
sudo lsof -i :[port number/name]
- Print all files open on specific port ranges.
For instance, to list open Files of UDP Port ranges 1-1024, run:
List IDs of Processes Holding Open Files
To see PIDs for processes that have opened a particular file, use
-t and provide the file name.
lsof -t [file name]
Kill All User’s Processes
-t flag also kills all processes by a specific user. For example, to kill all processes by user notsara, execute this command as root:
# kill -9 'lsof -t -u notsara'
Print All Memory-Mapped Files
lsof prints which processes have memory-mapped files. To show these processes, run:
lsof -d mem
Display Locked Deleted Files
A process sometimes keeps big files locked even after they have been deleted, consuming disk space.
Lsof to find files that are deleted in Linux but are still locked by one or more processes.
For example, find deleted files from the root directory using a slash (
/) as a path symbol:
sudo lsof [path] | grep deleted
Combine Multiple Options
lsof command allows multiple search items on the command line. Use AND and OR logic to combine different arguments to get specific results. Below are most common examples.
- List files open by a particular user or process with:
sudo lsof -u [username] -c [process]
The output prints both files opened by the user saraz and those used by the process snapd.
- Display only files that match the first search term and the second search term with the logical operator
sudo lsof -u [username] -c [process] -a
In this case,
lsof shows only files opened by the user saraz and the bash process.
- Find all network connections of a user:
sudo lsof -i -u [username] -a
lsof command print all activity of the user root.
Learn More About lsof
lsof command has more options than any other Linux command. The
man page is almost 2000 lines long and offers a lot of information.
To explore the command's possibilities, run:
This tutorial shows you how to use the