How to Use the Linux lsof Command


If everything in Linux is a file, there must be more than just files on your hard disk. This tutorial will show you how to use lsof to view all other devices and processes that are managed as files.

On Linux, everything is a file

The often-quoted phrase that everything in Linux is a file is sort of true. A file is a collection of bytes. When files are read into a program or sent to a printer, they appear to generate a stream of bytes. When they are written to, they accept a stream of bytes.

Many other system components accept or generate streams of bytes, such as keyboards, socket connections, printers, and communication processes. Because they accept, generate, or both accept and generate byte streams, these devices can be handled, at a very low level, as though they were files.

This design simplified the implementation of the Unix operating system. It meant that a small set of handlers, tools, and APIs could be created to handle a wide range of different resources.

The data and program files that reside on your hard drive are plain old file system files. We can use the ls command to list them and find out some details about them.

How do we find out about all the other processes and devices that are handled as though they were files? We use the lsof command. It lists the open files in the system. That is, it lists everything that is treated as a file.


The lsof command

Most of the processes or devices that lsof can report belong to or have been started by root. You will need to use the sudo command with lsof.

And because this listing will be very long, we are going to pipe it through less.

sudo lsof | less


Before the lsof output appears, GNOME users may see a warning message in the terminal window.

lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.

lsof tries to process all mounted file systems. This warning message is issued because lsof has encountered a GNOME Virtual File System (GVFS). This is a special case of a file system in user space (FUSE). It acts as a bridge between GNOME, its APIs, and the kernel. No one, not even root, can access one of these file systems apart from the owner who mounted it (in this case, GNOME). You can ignore this warning.

The output of lsof is very wide.

The columns of lsof

Not all columns apply to all open file types. It is normal for some of them to be empty.

Command: The name of the command associated with the process that opened the file.
PID: Identification number of the process that opened the file.
TID: Identification number of the task (thread). An empty column means that it is not a task; it's a process.
User: The user ID or login name of the user to whom the process belongs, or the user ID or login name of the person who owns the directory in /proc where lsof finds information about the process.
FD: Shows the file descriptor of the file. The file descriptors are described below.
Type: The type of node associated with the file. The node types are described below.
Device: Contains the device numbers, separated by commas, for a character special, block special, regular, directory or NFS file, or a kernel reference address that identifies the file. It may also show the base address or device name of a Linux AX.25 socket device.
Size / Off: Shows the size of the file or the file offset in bytes.
Node: Shows the node number of a local file, the inode number of an NFS file in the server host, or the Internet protocol type. It may display STR for a stream, or the IRQ or inode number of a Linux AX.25 socket device.
Name: Displays the name of the mount point and the file system on which the file resides.

The FD column

The file descriptor in the FD column can be one of many options; the manual page lists them all.

The FD column entry can be composed of three parts: a file descriptor, a mode character, and a lock character. Some common file descriptors are:

cwd: current working directory.
err: FD information error (see NAME column).
ltx: shared library text (code and data).
m86: DOS Merge mapped file.
mem: memory-mapped file.
mmap: memory-mapped device.
pd: parent directory.
rtd: root directory.
txt: program text (code and data).
A number representing a file descriptor.

The mode character can be one of the following:

r: Read access.
w: Write access.
u: Read and write access.
' ': A space character, if the mode is unknown and there is no lock character.
-: Unknown mode and there is a lock character.

The lock character can be one of the following:

r: Read lock on part of the file.
R: Read lock on the entire file.
w: Write lock on part of the file.
W: Write lock on the entire file.
u: Read and write lock of any length.
U: Lock of unknown type.
' ': A space character. No lock.
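
The three-part FD entry described above, decoded in a small shell helper. This is an added example, not part of the original article; the sample rows are constructed, and it assumes default lsof output with no TID column, so FD is the fourth field.

```shell
# Added example: decode the descriptor, mode and lock parts of an lsof FD entry.
# Assumption: rows have no TID column, so FD is the fourth field.

# decode_fd ENTRY -> prints "descriptor|mode|lock"
decode_fd() {
  printf '%s\n' "$1" | awk '
    function mode_name(c) {
      if (c == "r") return "read"
      if (c == "w") return "write"
      if (c == "u") return "read/write"
      return "unknown"                  # "-" or no mode character
    }
    function lock_name(c) {
      if (c == "r") return "read lock, part of file"
      if (c == "R") return "read lock, entire file"
      if (c == "w") return "write lock, part of file"
      if (c == "W") return "write lock, entire file"
      if (c == "u") return "read and write lock"
      if (c == "U") return "unknown lock type"
      return "no lock"
    }
    {
      # Named entries (cwd, rtd, txt, mem ...) carry no mode or lock.
      if ($0 !~ /^[0-9]+/) { print $0 "|n/a|n/a"; next }
      num = $0; sub(/[^0-9].*$/, "", num)
      rest = substr($0, length(num) + 1)
      print num "|" mode_name(substr(rest, 1, 1)) "|" lock_name(substr(rest, 2, 1))
    }'
}

# writable_fds: lsof rows on stdin -> "PID FD NAME" for descriptors opened
# with write (w) or read/write (u) access. NAME is taken as the last field.
writable_fds() {
  awk '$4 ~ /^[0-9]+[wu]/ { print $2, $4, $NF }'
}

# Constructed sample rows, not captured from a real system.
sample_rows() {
  cat <<'EOF'
COMMAND   PID   USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
rsyslogd 1234 syslog cwd   DIR    8,1     4096    2 /
rsyslogd 1234 syslog  4r   REG    8,1      512 1310 /etc/rsyslog.conf
rsyslogd 1234 syslog  7w   REG    8,1    20480 2051 /var/log/kern.log
rsyslogd 1234 syslog  9uW  REG    8,1        4 2077 /run/rsyslogd.pid
EOF
}

sample_rows | writable_fds
```

On a live system, feed writable_fds from sudo lsof -p with a process ID instead of sample_rows; file names containing spaces will be cut to their last word.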

The TYPE column

There are more than 70 entries that can appear in the TYPE column. Here are some common entries you will see:

REG: Regular file system file.
DIR: Directory.
FIFO: First in, first out.
CHR: Character special file.
BLK: Block special file.
INET: Internet socket.
unix: UNIX domain socket.

See the processes that opened a file

To see the processes that opened a certain file, provide the file name as a parameter to lsof. For example, to see the processes that opened the kern.log file, use this command:

sudo lsof /var/log/kern.log

lsof responds by displaying the single process, rsyslogd, which was started by the syslog user.

See all open files from a directory

To see the files that have been opened from a directory, and the processes that opened them, pass the directory to lsof as a parameter. You must use the +D (directory) option.

To see all open files in the /var/log/ directory, use this command:

sudo lsof +D /var/log/

lsof responds with a list of all open files in this directory.

To see all open files from the /home directory, use the following command:

sudo lsof +D /home

Files opened from the /home directory are displayed. Note that with shorter descriptions in some columns, the entire list is narrower.

List of files opened by a process

To see the files that have been opened by a particular process, use the -c (command) option. Note that you can provide more than one search term to lsof at once.

sudo lsof -c ssh -c init

lsof provides a list of the files that have been opened by either of the processes provided on the command line.

See files opened by a user

To limit the display to the files opened by a specific user, use the -u (user) option. In this example, we will look at the files opened by processes that are owned by, or launched on behalf of, Mary.

sudo lsof -u mary

All of the files listed have been opened on behalf of the user Mary. This includes files that have been opened by the desktop environment, for example, or simply as a result of Mary having logged in.

Excluding files opened by a user

To exclude files opened by a user, use the ^ operator. The exclusion of users from the list makes it easy to find information that interests you. You must use the -u option as before and add the ^ character to the beginning of the user name.

sudo lsof +D /home -u ^mary

This time, the listing for the /home directory does not include any files opened by the user Mary.

List of files opened by a process

To list the files opened by a specific process, use the -p (process) option and provide the process ID as a parameter.

sudo lsof -p 4610

All of the files opened by the process ID you provided are listed for you.

List of process IDs that opened a file

To view process IDs for processes that have opened a particular file, use the -t (terse) option and specify the file name on the command line.

sudo lsof -t /usr/share/mime/mime.cache

The process IDs are displayed in a simple list.

Use AND and OR searches

Let's list the files that have been opened by the user Mary and that are related to the SSH processes. We know we can provide more than one search item on the command line, so this should be easy.

sudo lsof -u mary -c ssh

Now let's look at the output from lsof. That doesn't look right; there are entries in the output that were started by root.

That isn't what we expected. What happened?

When you provide multiple search terms, lsof returns any file that matches the first search term or the second search term, and so on. In other words, it performs an OR search.

For lsof to perform an AND search, use the -a (and) option. This means that the only files listed will be those that match the first search term, the second search term, and so on.

Let's try again and use the -a option.

sudo lsof -u mary -c ssh -a

Now, every file in the listing is one that was opened by or on behalf of Mary and is associated with the SSH command.

Automatic refresh of the display

We can use the +|-r (repeat) option to put lsof into repeat mode. The repeat option can be applied in two ways, either +r or -r. We must also add the number of seconds we want lsof to wait before refreshing the display.

Using the repeat option in either format makes lsof display the results as usual, but it adds a dotted line to the bottom of the display. It waits for the number of seconds provided on the command line and then refreshes the display with a new set of results.

With the -r option, this will continue until you press Ctrl+C. With the +r format, it will continue until there are no more results to display, or until you press Ctrl+C.

sudo lsof -u mary -c ssh -a -r5

Note the dotted line at the bottom of the list. This separates each new data display when the output is refreshed.

Viewing files associated with Internet connections

The -i (Internet) option allows you to see the files opened by processes associated with network and Internet connections.

lsof -i

All files opened by network and Internet connections are displayed.

View files associated with Internet connections by process ID

To see the files opened by Internet connections associated with a specific process ID, add the -p and -a options.

Here we are looking for files opened by an Internet or network connection, by a process with an ID of 606.

sudo lsof -i -a -p 606

All files opened by process ID 606 that are associated with Internet or network connections are displayed.

Viewing files associated with Internet connections and commands

We can use the -c (command) option to look for files opened by specific processes. To look for files that have been opened by Internet or network connections associated with the ssh process, use the following command:

lsof -i -a -c ssh

All of the files opened by the ssh processes are listed in the output.

Viewing files associated with Internet connections and ports

We can report on the files that were opened by Internet or network connections on a specific port. To do this, we use the : character followed by the port number.

Here we ask lsof to list files opened by network or Internet connections using port 22.

lsof -i :22

All the files listed have been opened by the processes associated with port 22 (which is the default port for SSH connections).

Viewing files associated with Internet connections and protocols

We can ask lsof to show open files by processes associated with network and Internet connections, using a specific protocol. We can choose between TCP, UDP and SMTP. Let's use TCP and see what we get.

sudo lsof -i tcp


The only files listed are those opened by processes using the TCP protocol.
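
An added example (not from the original article) that turns the -i listings above into a short audit of listening TCP sockets. It assumes the rows were produced with lsof -i -P -n, where -P and -n keep ports and addresses numeric; the sample rows and function names are constructed for illustration.

```shell
# Added example: summarise listening TCP sockets from `lsof -i -P -n` rows.
# Assumption: numeric output, so NAME looks like "*:22" or "127.0.0.1:631".

# listening_sockets: lsof -i rows on stdin -> "PORT SCOPE COMMAND USER PID"
listening_sockets() {
  awk '
    $8 == "TCP" && $NF == "(LISTEN)" {
      addr = $9
      port = addr; sub(/^.*:/, "", port)          # text after the last colon
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (host == "*") scope = "all-interfaces"
      else if (host ~ /^127\./ || host == "[::1]") scope = "loopback"
      else scope = "one-address"
      print port, scope, $1, $3, $2
    }' | sort -u | sort -n                        # drop IPv4/IPv6 duplicates
}

# exposed_ports: ports of listeners reachable on every interface
exposed_ports() {
  listening_sockets | awk '$2 == "all-interfaces" { print $1 }'
}

# Constructed sample rows, not captured from a real system.
sample_inet_rows() {
  cat <<'EOF'
COMMAND  PID  USER FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd     812  root 3u  IPv4  21455      0t0  TCP *:22 (LISTEN)
sshd    2210  mary 4u  IPv4  30211      0t0  TCP 192.168.4.23:22->192.168.4.24:51830 (ESTABLISHED)
cupsd    700  root 7u  IPv6  19875      0t0  TCP [::1]:631 (LISTEN)
cupsd    700  root 8u  IPv4  19876      0t0  TCP 127.0.0.1:631 (LISTEN)
avahi    650 avahi 12u IPv4  18001      0t0  UDP *:5353
EOF
}

sample_inet_rows | listening_sockets
```

On a live system, replace sample_inet_rows with sudo lsof -i -P -n; without sudo, sockets owned by other users may be missing from the listing.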


We've only scratched the surface

That's a good grounding in some common use cases for lsof, but there is a lot more to it than that. Just how much more can be judged by the fact that the manual page is over 2800 lines long.

The lsof command can be used to dig ever deeper into the layers of open files and pseudo-files. We provided a sketch map; the atlas is in the manual page.
