lsof use examples
lsof stands for List Open Files. more story about it in
The whole manual you can get from any kind of unix/linux, I'm not going to focus on manual, rather, I'd like to have some examples:
Again, It is a command line utility which is used to list the information about the files that are opened by various processes.
Simply typing lsof will provide a list of all open files belonging to all active processes.
# lsof COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME init 1 root cwd DIR 8,1 4096 2 / init 1 root txt REG 8,1 124704 917562 /sbin/init init 1 root 0u CHR 1,3 0t0 4369 /dev/null init 1 root 1u CHR 1,3 0t0 4369 /dev/null init 1 root 2u CHR 1,3 0t0 4369 /dev/null init 1 root 3r FIFO 0,8 0t0 6323 pipe ...
By default One file per line is displayed. Most of the columns are self explanatory. We will explain the details about couple of cryptic columns (FD and TYPE).
FD – Represents the file descriptor. Some of the values of FDs are,
TYPE – Specifies the type of the file. Some of the values of TYPEs are,
For a complete list of FD & TYPE, refer man lsof.
You can list only the processes which opened a specific file, by providing the filename as arguments.
# lsof /var/log/messages COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
You can list the processes which opened files under a specified directory using ‘+D’ option. +D will recurse the sub directories also. If you don’t want lsof to recurse, then use ‘+d’ option.
# lsof +D /var/log/ COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rsyslogd 488 syslog 1w REG 8,1 1151 268940 /var/log/syslog rsyslogd 488 syslog 2w REG 8,1 2405 269616 /var/log/auth.log console-k 144 root 9w REG 8,1 10871 269369 /var/log/ConsoleKit/history
You can list the files opened by process name starting with a string, using ‘-c’ option. You can give multiple -c switch on a single command line.
# lsof -c firefox COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME firefox 10213 simon txt REG 253,0 107480 657031 /usr/lib64/firefox/firefox
Sometime when we try to umount a directory, the system will say “Device or Resource Busy” error. So we need to find out what are all the processes using the mount point and kill those processes to umount the directory. By using lsof we can find those processes.
# lsof /data
The following will also work.
# lsof +D /data
In order to find the list of files opened by a specific users, use ‘-u’ option.
# lsof -u atlas001 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
Sometimes you may want to list files opened by all users, expect some 1 or 2. In that case you can use the ‘^’ to exclude only the particular user as follows
# lsof -u ^atlas001 -u ^simon COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME dbus-daem 31220 root 7u unix 0xffff8802e64239c0 0t0 58360303 socket
The above command listed all the files opened by all users, except user ‘atlas001’ and simon.
You can list all the files opened by a specific process using ‘-p’ option. It will be helpful sometimes to get more information about a specific process.
# lsof -p 10123 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
When you want to kill all the processes which has files opened by a specific user, you can use ‘-t’ option to list output only the process id of the process, and pass it to kill as follows
# kill -9 `lsof -t -u atlas001`
The above command will kill all process belonging to user ‘lakshmanan’, which has files opened.
Similarly you can also use ‘-t’ in many ways. For example, to list process id of a process which opened /var/log/syslog can be done by
# lsof -t /var/log/syslog 489
Talking about kill, did you know that there are 4 Ways to Kill a Process?
By default when you use more than one list option in lsof, they will be ORed. For example,
# lsof -u atlas001 -c firefox
The above command uses two list options, ‘-u’ and ‘-c’. So the command will list process belongs to user ‘lakshmanan’ as well as process name starts with ‘init’.
But when you want to list a process belongs to user ‘lakshmanan’ and the process name starts with ‘init’, you can use ‘-a’ option.
# lsof -u atlas001 -c forefix -a
The above command will not output anything, because there is no such process named ‘init’ belonging to user ‘lakshmanan’.
lsof also support Repeat mode. It will first list files based on the given parameters, and delay for specified seconds and again list files based on the given parameters. It can be interrupted by a signal.
Repeat mode can be enabled by using ‘-r’ or ‘+r’. If ‘+r’ is used then, the repeat mode will end when no open files are found. ‘-r’ will continue to list,delay,list until a interrupt is given irrespective of files are opened or not.
Each cycle output will be separated by using ‘=======’. You also also specify the time delay as ‘-r’ | ‘+r’.
# lsof -u atlas001 -c firefox -a -r5
In the above output, for the first 5 seconds, there is no output. After that a script named “inita.sh” is started, and it list the output.
Network connections are also files. So we can find information about them by using lsof.
You can list all the network connections opened by using ‘-i’ option.
# lsof -i COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME avahi-dae 515 avahi 13u IPv4 6848 0t0 UDP *:mdns avahi-dae 515 avahi 16u IPv6 6851 0t0 UDP *:52060 cupsd 1075 root 5u IPv6 22512 0t0 TCP ip6-localhost:ipp (LISTEN)
You can also use ‘-i4′ or ‘-i6′ to list only ‘IPV4′ or ‘IPV6‘ respectively.
You can list all the network files which is being used by a process as follows
# lsof -i -a -p 234
You can also use the following
# lsof -i -a -c ssh
The above command will list the network files opened by the processes starting with ssh.
You can list the processes which are listening on a particular port by using ‘-i’ with ‘:’ as follows
# lsof -i :25 COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME exim4 2541 Debian-exim 3u IPv4 8677 TCP localhost:smtp (LISTEN)
You can list all the TCP or UDP connections by specifying the protocol using ‘-i’.
# lsof -i tcp; lsof -i udp;
You can list all the NFS files by using ‘-N’ option. The following lsof command will list all NFS files used by user ‘lakshmanan’.
# lsof -N -u atlas001 -a