lsof Command in Linux with Examples

October 23, 2024

Home » SysAdmin » lsof Command in Linux with Examples

Introduction

lsof (LiSt Open Files) is a Linux command that shows open files and processes accessing them. Every object in Linux (e.g., devices, directories) is treated as a file. This makes finding malicious or unwanted processes difficult, especially if a process holds a file open and prevents modification.

The lsof command helps identify a process and allows users to manage or kill processes as needed.

This article will explain how to use the lsof command in Linux through practical examples.

Prerequisites

Access to the terminal.
Sudo group privileges.

What Is lsof Command Used For?

The lsof command shows all open files and the processes using those files. Apart from showing which process is using which file, there are many practical uses for the command, such as:

Determining why a file is locked and cannot be edited.
Viewing active network connections and ports.
Finding unknown processes and files.
Managing system resources and discovering deleted files locked by processes.

Continue reading to see the command's syntax, options, and hands-on examples that showcase these uses.

lsof Command Syntax

The lsof command syntax is:

lsof [options] [file/directory/PID]

Without any options, the command lists all open files.

Note: Most options require running lsof with sudo to avoid "permission denied" errors.

lsof Command Options

The lsof command has many different options. The table below includes arguments that are used often:

Option	Description
`-b`	Avoids kernel functions that might block the command.
`-u [username]`	Prints all files opened by a user.
`-c [string]`	Lists all files accessed by a particular process.
`-p [PID]`	Shows all open files associated with a specific process ID.
`-R`	Lists parent process IDs.
`+D [directory]`	Prints all open files in a directory recursively.
`-i`	Displays all files accessed by network connections.
`-i [4/6]`	Finds processes on a specific port number, service name, or port range.
`-i [udp/tcp]`	Filters open files based on the connection type (TCP or UDP).
`-i :[port_number/service_name/range]`	Finds processes running on a specific port number, service name, or port range.
`-t [file]`	Lists IDs of processes that have accessed a particular file.
`-d mem`	Shows all memory-mapped files.

lsof Command Examples

lsof incorporates different arguments, allowing users to manage system and network administration activities.

The output consists of different columns. The default columns in the lsof output are:

COMMAND. The command associated with the process that opened the file.
PID. The process identification number of the process running the file.
TID. The task identification number for the respective process. It is blank if a process has opened the file instead of a task.
TASKCMD. The command name from the first column. It can differ when a task changes its command name.
USER. The user executing the process. The column contains the User ID or username.
FD. The file descriptor the process uses to associate with the file.
TYPE. The file type and its identification number.
DEVICE. The device numbers related to the file.
SIZE/OFF. The value of the file taken during the runtime (size or offset).
NODE. The local file's node number or inode number of the directory/parent directory.
NAME. The path or link to the file.

Note: Not all columns apply to every file. Some columns may be blank in the output.

List All Files

When run without any options, lsof lists all files opened by any process:

sudo lsof

The command outputs a lot of details. Pipe lsof with the less command (or more command) to show one page at a time:

sudo lsof | less

To navigate to the bottom of the list, hit Enter or the down arrow key. Exit the list with q.

Conceal Kernel Blocks

Some kernel functions block the lsof command. Run lsof with the -b flag to avoid these functions:

sudo lsof -b | more

sudo lsof -b | more terminal output avoiding

The option runs lsof and avoids these functions. As a result, the readlink kernel function is ignored, and symbolic links are not resolved in the output.

Display Files of a Specific Filesystem

Use the lsof command to show open files in a particular filesystem. For example, to see all open files in the /sys directory, run:

sudo lsof /sys

The command does not include open files in the filesystem's subdirectories.

Print Terminal Files

List all open files connected to terminal devices by targeting the /dev directory with lsof using the following pattern:

sudo lsof /dev/tty*

The command lists all terminal devices that match the specified pattern.

Show All Files Accessed by a User

Use lsof with the -u flag to display files opened by a specific user:

sudo lsof -u [username]

For example:

sudo lsof -u kb

The command lists files opened by kb.

To print all opened files by everyone except a specific user, add the caret sign (^) before the username:

sudo lsof -u ^[username]

For instance:

sudo lsof -u ^root

sudo lsof -u ^root | more terminal output

The output shows files controlled by users other than root.

Display Files Used by a Process

The -c flag opens all files used by a process whose name starts with the provided string:

sudo lsof -c [string]

For example, to list files opened by the wpa_suppl process, run:

sudo lsof -c wpa_suppl

The -c option gives the same output as piping lsof with the grep command:

sudo lsof | grep wpa_suppl

sudo lsof grep wpa_suppl terminal output

However, the grep command does not show the column names, and the string may be in a different column.

Print Files Opened by a Specific PID

Use the -p option to filter specific files by the Process ID number (PID). For example, the command below shows all files with PID 407:

sudo lsof -p 407

Combine lsof -p with the -R flag to add the Parent Process Identification Number (PPID) to the output. To get PPID info for a specific PID, use:

sudo lsof -p [PID] -R

For example, to get the PPID for the 407 PID, type:

sudo lsof -p 407 -R

The output shows the PPID column added to the header after the PID column.

Show Files Under a Directory

To see all files that have been opened inside a specific directory, use the following command:

sudo lsof +D [directory]

For example:

sudo lsof +D /run/systemd

sudo lsof +D /run/systemd terminal output

This option also shows files in the subdirectories recursively.

Show Files Accessed by Network Connections

Use the -i flag with lsof to check which files are opened by a network connection:

sudo lsof -i

The example above prints files open by a network connection, regardless of the connection type.

The -i flag adds a lot of versatility to lsof, allowing users to filter files based on different networking criteria. For example:

Filter files based on their IP version with:

sudo lsof -i [4/6]

See files that use TCP or UDP connection by providing the protocol type:

sudo lsof -i [udp/tcp]

Find processes running on a specific port number or name. Execute the command with the port number or service name from the name column:

sudo lsof -i :[port_number/name]

sudo lsof -i port number or service name terminal output

Note: This option is helpful for checking which file prevents another app from binding to a specific port. Linux also has other networking commands to check for open ports.

Print all files open on specific port ranges:

sudo lsof -i :[range]

List IDs of Processes Holding Open Files

To see PIDs for processes that have opened a particular file, use -t and provide the file name.

lsof -t [file_name]

sudo lsof -t /usr/bin/lsof terminal output

The command shows all PIDs of processes currently using the provided file.

Kill All User's Processes

The -t flag also kills all processes by a specific user. For example, to kill all processes run by the postgres user:

sudo kill -9 $(sudo lsof -t -u postgres)

sudo kill -9 $(sudo lsof -t -u postgres) terminal output

The command finds and terminates all listed processes.

Print All Memory-Mapped Files

The lsof command prints the file descriptor, which enables locating processes with memory-mapped files. To show these processes, run:

lsof -d mem | more

The file descriptor column shows only those with the mem type.

Display Locked Deleted Files

A process sometimes keeps files locked even after they have been deleted, consuming disk space.
Use lsof to find locked and deleted files in Linux.

For example, to find deleted files starting in the root directory (/), run:

sudo lsof / | grep deleted

sudo lsof / | grep deleted terminal output

Restart the process or close the files to free up disk space.

Combine Multiple Options

The lsof command allows multiple search items on the command line. Use AND and OR logical operators to combine different arguments. Below are some examples:

List files open by a particular user or process:

sudo lsof -u [username] -c [process]

Display files that match both the first search term (user) and the second search term (process):

sudo lsof -u [username] -c [process] -a

Find all network connections and filter the results for a specific user:

sudo lsof -i -u [username] -a

Learn More About lsof

The lsof command has many options compared to other Linux commands. To explore the command's possibilities, use the man command:

man lsof

Conclusion

This guide showed how to use the lsof command to troubleshoot potential security and system problems with practical examples.

Next, learn how to copy files and directories in Linux and compare two files using the Linux diff command.

Was this article helpful?

YesNo

X (Twitter) Facebook LinkedIn Email

Milica Dancuk

Milica Dancuk is a technical writer at phoenixNAP with a passion for programming. With a background in Electrical Engineering and Computing, coupled with her teaching experience, she excels at simplifying complex technical concepts in her writing.

Next you should read