lsof use examples

lsof stands for List Open Files. more story about it in

http://en.wikipedia.org/wiki/Lsof

The whole manual you can get from any kind of unix/linux, I'm not going to focus on manual, rather, I'd like to have some examples:

Again, It is a command line utility which is used to list the information about the files that are opened by various processes.

1. Introduction to lsof

Simply typing lsof will provide a list of all open files belonging to all active processes.

# lsof

COMMAND  PID       USER   FD      TYPE     DEVICE  SIZE/OFF       NODE NAME
init       1       root  cwd       DIR        8,1      4096          2 /
init       1       root  txt       REG        8,1    124704     917562 /sbin/init
init       1       root    0u      CHR        1,3       0t0       4369 /dev/null
init       1       root    1u      CHR        1,3       0t0       4369 /dev/null
init       1       root    2u      CHR        1,3       0t0       4369 /dev/null
init       1       root    3r     FIFO        0,8       0t0       6323 pipe
...

By default One file per line is displayed. Most of the columns are self explanatory. We will explain the details about couple of cryptic columns (FD and TYPE).

FD – Represents the file descriptor. Some of the values of FDs are,

  • cwd – Current Working Directory
  • txt – Text file
  • mem – Memory mapped file
  • mmap – Memory mapped device
  • NUMBER – Represent the actual file descriptor. The character after the number i.e ’1u’, represents the mode in which the file is opened. r for read, w for write, u for read and write.

TYPE – Specifies the type of the file. Some of the values of TYPEs are,

  • REG – Regular File
  • DIR – Directory
  • FIFO – First In First Out
  • CHR – Character special file

For a complete list of FD & TYPE, refer man lsof.

2. List processes which opened a specific file

You can list only the processes which opened a specific file, by providing the filename as arguments.

# lsof /var/log/messages

COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
rsyslogd 32615 root 2w REG 253,0 16383 934322 //var/log/messages

3. List opened files under a directory

You can list the processes which opened files under a specified directory using ‘+D’ option. +D will recurse the sub directories also. If you don’t want lsof to recurse, then use ‘+d’ option.

# lsof +D /var/log/

COMMAND   PID   USER  FD   TYPE DEVICE SIZE/OFF   NODE NAME
rsyslogd  488 syslog   1w   REG    8,1     1151 268940 /var/log/syslog
rsyslogd  488 syslog   2w   REG    8,1     2405 269616 /var/log/auth.log
console-k 144   root   9w   REG    8,1    10871 269369 /var/log/ConsoleKit/history

4. List opened files based on process names starting with

You can list the files opened by process name starting with a string, using ‘-c’ option. You can give multiple -c switch on a single command line.

# lsof -c firefox

COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
firefox 10213 simon  txt    REG              253,0   107480    657031 /usr/lib64/firefox/firefox
firefox 10213 simon mem REG 253,0 177520 1048754 /lib64/libk5crypto.so.3.1
firefox 10213 simon mem REG 253,0 46368 1048744 /lib64/libkrb5support.so.0.1
firefox 10213 simon mem REG 253,0 944712 1048755 /lib64/libkrb5.so.3.3
firefox 10213 simon mem REG 253,0 280520 1072604 /lib64/libgssapi_krb5.so.2.2
firefox 10213 simon mem REG 253,0 383608 264161 /usr/lib64/libssl.so.1.0.0

5. List processes using a mount point

Sometime when we try to umount a directory, the system will say “Device or Resource Busy” error. So we need to find out what are all the processes using the mount point and kill those processes to umount the directory. By using lsof we can find those processes.

# lsof /data

The following will also work.

# lsof +D /data

6. List files opened by a specific user

In order to find the list of files opened by a specific users, use ‘-u’ option.

# lsof -u atlas001
COMMAND     PID     USER   FD      TYPE             DEVICE SIZE/OFF       NODE NAME
nxnode 5684 atlas001 cwd DIR 253,2 122880 28311553 /home/atlas001
nxnode 5684 atlas001 rtd DIR 253,0 4096 2 /
nxnode 5684 atlas001 txt REG 253,0 938768 2621467 /bin/bash
nxnode 5684 atlas001 mem REG 253,0 156872 1048676 /lib64/ld-2.12.so
nxnode 5684 atlas001 mem REG 253,0 1922152 1048678 /lib64/libc-2.12.so

Sometimes you may want to list files opened by all users, expect some 1 or 2. In that case you can use the ‘^’ to exclude only the particular user as follows

# lsof -u ^atlas001 -u ^simon
COMMAND    PID       USER   FD      TYPE     DEVICE  SIZE/OFF       NODE NAME
dbus-daem 31220      root    7u     unix 0xffff8802e64239c0      0t0   58360303 socket
rsyslogd 32615 root cwd DIR 253,0 4096 2 /
rsyslogd 32615 root rtd DIR 253,0 4096 2 /
rsyslogd 32615 root txt REG 253,0 391968 2110212 /sbin/rsyslogd
rsyslogd 32615 root mem REG 253,0 113952 1048813 /lib64/libresolv-2.12.so
rsyslogd 32615 root mem REG 253,0 27424 1048603 /lib64/libnss_dns-2.12.so

The above command listed all the files opened by all users, except user ‘atlas001’ and simon.

7. List all open files by a specific process

You can list all the files opened by a specific process using ‘-p’ option. It will be helpful sometimes to get more information about a specific process.

# lsof -p 10123

COMMAND  PID       USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
COMMAND   PID  USER   FD   TYPE             DEVICE SIZE/OFF      NODE NAME
firefox 10213 simon cwd DIR 253,2 4096 41156609 /home/simon
firefox 10213 simon rtd DIR 253,0 4096 2 /
firefox 10213 simon txt REG 253,0 107480 657031 /usr/lib64/firefox/firefox
firefox 10213 simon mem REG 253,0 944712 1048755 /lib64/libkrb5.so.3.3
firefox 10213 simon mem REG 253,0 280520 1072604 /lib64/libgssapi_krb5.so.2.2
firefox 10213 simon mem REG 253,0 383608 264161 /usr/lib64/libssl.so.1.0.0
...

8. Kill all process that belongs to a particular user

When you want to kill all the processes which has files opened by a specific user, you can use ‘-t’ option to list output only the process id of the process, and pass it to kill as follows

# kill -9 `lsof -t -u atlas001`

The above command will kill all process belonging to user ‘lakshmanan’, which has files opened.

Similarly you can also use ‘-t’ in many ways. For example, to list process id of a process which opened /var/log/syslog can be done by

# lsof -t /var/log/syslog

489

Talking about kill, did you know that there are 4 Ways to Kill a Process?

9. Combine more list options using OR/AND

By default when you use more than one list option in lsof, they will be ORed. For example,

# lsof -u atlas001 -c firefox

The above command uses two list options, ‘-u’ and ‘-c’. So the command will list process belongs to user ‘lakshmanan’ as well as process name starts with ‘init’.

But when you want to list a process belongs to user ‘lakshmanan’ and the process name starts with ‘init’, you can use ‘-a’ option.

# lsof -u atlas001 -c forefix -a

The above command will not output anything, because there is no such process named ‘init’ belonging to user ‘lakshmanan’.

10. Execute lsof in repeat mode

lsof also support Repeat mode. It will first list files based on the given parameters, and delay for specified seconds and again list files based on the given parameters. It can be interrupted by a signal.

Repeat mode can be enabled by using ‘-r’ or ‘+r’. If ‘+r’ is used then, the repeat mode will end when no open files are found. ‘-r’ will continue to list,delay,list until a interrupt is given irrespective of files are opened or not.

Each cycle output will be separated by using ‘=======’. You also also specify the time delay as ‘-r’ | ‘+r’.

# lsof -u atlas001 -c firefox -a -r5

In the above output, for the first 5 seconds, there is no output. After that a script named “inita.sh” is started, and it list the output.

Finding Network Connection

Network connections are also files. So we can find information about them by using lsof.

11. List all network connections

You can list all the network connections opened by using ‘-i’ option.

# lsof -i

COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
avahi-dae  515 avahi   13u  IPv4   6848      0t0  UDP *:mdns
avahi-dae  515 avahi   16u  IPv6   6851      0t0  UDP *:52060
cupsd     1075  root    5u  IPv6  22512      0t0  TCP ip6-localhost:ipp (LISTEN)

You can also use ‘-i4′ or ‘-i6′ to list only ‘IPV4′ or ‘IPV6‘ respectively.

12. List all network files in use by a specific process

You can list all the network files which is being used by a process as follows

# lsof -i -a -p 234

You can also use the following

# lsof -i -a -c ssh

The above command will list the network files opened by the processes starting with ssh.

13. List processes which are listening on a particular port

You can list the processes which are listening on a particular port by using ‘-i’ with ‘:’ as follows

# lsof -i :25

COMMAND  PID        USER   FD   TYPE DEVICE SIZE NODE NAME
exim4   2541 Debian-exim    3u  IPv4   8677       TCP localhost:smtp (LISTEN)

14. List all TCP or UDP connections

You can list all the TCP or UDP connections by specifying the protocol using ‘-i’.

# lsof -i tcp; lsof -i udp;

15. List all Network File System ( NFS ) files

You can list all the NFS files by using ‘-N’ option. The following lsof command will list all NFS files used by user ‘lakshmanan’.

# lsof -N -u atlas001 -a