This article is part of the article series "Unix Utilities You Should Know About."
<- previous article next article ->
Unix Utilities

This is the third post in the article series about Unix and Linux utilities that you should know about. In this post I will take you through the useful lsof tool. If netcat was called the Swiss Army Knife of Network Connections, then I'd call lsof the Swiss Army Knife of Unix debugging.

Lsof follows Unix philosophy closely. It does just one task and it does it perfectly -- it lists information about files opened by processes. An open file may be a regular file, a directory, a NFS file, a block special file, a character special file, a shared library, a regular pipe, a named pipe, a symbolic link, a socket stream, an Internet socket, a UNIX domain socket, and many others. Since almost everything in Unix is a file, you can imagine how incredibly useful lsof is!

See the first post on pipe viewer for the introduction to this article series. If you are interested in articles like this one, I suggest that you subscribe to my rss feed to receive my future posts automatically!

How to use lsof?

In this article I will try to present lsof based on as many use cases as I can think of. Let's start with the simplest (that you probably already know) and proceed to more complicated ones.

List all open files.

# lsof

Running lsof without any arguments lists all open files by all processes.

Find who's using a file.

# lsof /path/to/file

With an argument of a path to a file, lsof lists all the processes, which are using the file in some way.

You may also specify several files, which lists all the processes, which are using all the files:

# lsof /path/to/file1 /path/to/file2

Find all open files in a directory recursively.

# lsof +D /usr/lib

With the +D argument lsof finds all files in the specified directory and all the subdirectories.

Note that it's slower than the usual version with grep:

# lsof | grep '/usr/lib'

It's slower because +D first finds all the files and only then does the output.

List all open files by a user.

# lsof -u pkrumins

The -u option (think user) limits output of files opened only by user pkrumins.

You can use comma separated list of values to list files open by several users:

# lsof -u rms,root

This will list all the files that are open by users rms and root.

Another way to do the same is by using the -u option twice:

# lsof -u rms -u root

Find all open files by program's name.

# lsof -c apache

The -c option selects the listing of files for processes whose name begins with apache.

So instead of writing:

# lsof | grep foo

You can now write the shorter version:

# lsof -c foo

In fact, you can specify just the beginning part of the process name you're looking for:

# lsof -c apa

This will list all the open files by a processes whose starts with apa.

You can also specify several -c options to output open files by several processes:

# lsof -c apache -c python

This will list all open files by apache and python.

List all open files by a user OR process.

# lsof -u pkrumins -c apache

Lsof options can be combined. The default is to OR between options. It means it will combine outputs of -u pkrumins and -c apache producing a listing of all open files by pkrumins and all open files by apache.

List all open files by a user AND process.

# lsof -a -u pkrumins -c bash

Notice the -a option. It combines the options with AND. The output listing is files opened by bash, which is run under pkrumins user.

List all open files by all users EXCEPT root.

# lsof -u ^root

Notice the ^ character before root username. It negates the match and causes lsof print all open files by all users who are not root.

List all open files by the process with PID.

# lsof -p 1

The -p option (think PID) filters out open files by program's id.

Remember that you can select multiple PIDs by either comma separating the list or using multiple -p arguments:

# lsof -p 450,980,333

This selects processes with PIDs 450, 980 and 333.

List all open files by all the processes EXCEPT process with PID.

# lsof -p ^1

Here the negation operator ^ is used again. It inverts the list and does not include process with PID 1.

List all network connections.

# lsof -i

Lsof with -i option lists all processes with open Internet sockets (TCP and UDP).

List all TCP network connections.

# lsof -i tcp

The -i argument can take several options, one of them is tcp. The tcp option forces lsof to list only processes with TCP sockets.

List all UDP network connections.

# lsof -i udp

The udp option causes lsof to list processes with UDP sockets.

Find who's using a port.

# lsof -i :25

The :25 option to -i makes lsof find processes using TCP or UDP port 25.

You may also use service port name (found in /etc/services) rather than port number:

# lsof -i :smtp

Find who's using a specific UDP port.

# lsof -i udp:53

Similarly, to find who's using a TCP port, use:

# lsof -i tcp:80

Find all network activity by user.

# lsof -a -u hacker -i

Here the -a option combines -u and -i to produce listing of network file usage by user hacker.

List all NFS (Network File System) files.

# lsof -N

This option is easy to remember because -N is NFS.

List all Unix domain socket files.

# lsof -U

This option is also easy to remember because -U is Unix.

List all files for processes with a specific group id.

# lsof -g 1234

Process groups are used to logically group processes. This example finds all files opened by processes with PGID 1234.

List all files associated with specific file descriptors.

# lsof -d 2

This lists all files that have been opened as file descriptor 2.

You may also specify ranges of file descriptors:

# lsof -d 0-2

This would list all files with file descriptors 0, 1 and 2.

There are also many special values, such as mem, that lists memory-mapped files:

# lsof -d mem

Or txt for programs loaded in memory and executing:

# lsof -d txt

Output PIDs of processes using some resource.

# lsof -t -i

The -t option outputs only PIDs of processes. Used together with -i it outputs PIDs of all processes with network connections. It's easy to kill all processes that use network:

# kill -9 `lsof -t -i`

Repeat listing files.

# lsof -r 1

The -r option makes lsof repeatedly list files until interrupted. Argument 1 means repeat the listing every 1 second. This option is best combined with a narrower query such as monitoring user network file activity:

# lsof -r 1 -u john -i -a

How to install lsof?

Lsof comes preinstalled on many Unix systems. If your system doesn't have it, try to install it from the source.

BSD supplies its own utility that does similar things, it's called fstat.

For the full documentation of lsof see the man lsof page or type lsof -h for a small cheat sheet.

Have fun with lsof!

This article is part of the article series "Unix Utilities You Should Know About."
<- previous article next article ->


annhltr Permalink
December 23, 2009, 16:50

Note: That is a lower case L and not an upper case i.

December 23, 2009, 16:55

annhltr, yeah, like in command `LS`.

jack Permalink
December 23, 2009, 17:24

Thank you for this useful post.

A general hint on how you can make posts about unix commands more useful, particularly for beginners:

Show a snippet of the output of some of the lsof commands and then add some comments on how to read the output. E.g. understanding the network connections or traffic is not always straight forward.

Keep up the good work, and happy holidays to you.

December 23, 2009, 17:27

Thanks for the hint, Jack. Gonna update this article with output + comments on how to read the output.

Happy holidays!

Bryan Permalink
December 23, 2009, 18:02

For more serious debugging, see: strace

A working knowledge of C and common Unix syscalls helps.

December 23, 2009, 18:34

I also think comments on how to read the output would be nice.

I like your blog.

Bron Permalink
December 23, 2009, 21:48

You really should be mentioning "-n" somewhere in here, to stop it doing DNS lookups on any hostnames in sockets. Otherwise it can be quite slow.

December 23, 2009, 22:41

A note from the Metaphor Police: You cannot call something a "Swiss Army Knife" in one paragraph and say it "does just one task and it does it perfectly" in the next.

December 24, 2009, 14:23

Awesome resource. I use lsof a lot, but didn't know about all of these. Great writeup!

December 24, 2009, 14:54

Hi Matt! Thanks for the comment. It's great to have you on my blog! I have been following your blog for a year or so. You also have great content!

December 24, 2009, 19:59

Helpful post. Thanks

soliko Permalink
December 25, 2009, 08:01

this is your best series, please consider writing about strace and ltrace.

December 25, 2009, 16:11

"I have been following your blog for a year or so."

Please post the URL

kangu Permalink
December 26, 2009, 22:05

Very instructive! Another entry for strace would be very cool !

keep it up dude, you're doing great!

caglar Permalink
January 03, 2010, 07:23

Great work man.Thanks

April 13, 2010, 15:09

Please note that on Mac OS X, lsof only shows your own processes unless running as root with sudo

December 31, 2012, 15:30

Question regarding lsof run as a non-root user...

I have been trying to figure out how to do this...

Here is my scenario...

userA has a script in cron on the ftp server(ftpsrvr) that checks the following directories for zip files to scp from the DMZ ftp server(ftpsrvr) to an internal production server(prdsrvr) if the file is not open:

Run as root, the script works... But run as userA, the lsof command never sees an open file...

To make sure there wasn't something wrong with my script, I ran the command "lsof | grep zip" as root and I see the open file... I then run "lsof | grep zip" as userA and don't see the file...

userA is able to see the files and move them because of the following ACL commands:

setfacl -m u:userA:rwx /data/chroot/userB
setfacl -m u:userA:rwx /data/chroot/userC

Any suggestions?

January 17, 2013, 03:30

I had a need to reliably determine that the right Java Jar File was being picked up. Couldn't find the Info and so Harvested Linked-In and sent an email to one of my Developer \ System Architect guys. He quickly replied asking me to use lsof.

Used and loved it. And, so Googled to better understand all of its mightiness. And, I must add my voice to those who say you have done a good job.

Thanks for sharing with the community!

Raj Permalink
August 14, 2013, 02:27

I just found this and thank you for such helpful posting

Tony Sweeney Permalink
January 30, 2014, 17:43

The lsof command is available on all three BSD flavours via their various ports mechanisms. In fact I recall reading it was originally written on FreeBSD and then ported to other UNIXes, though I can no longer find that link. Version 2 was available on FreeBSD 1.0e in 1993. Linux support came three years later with Version 3. See the file RELEASE.SUMMARY_4.87 in the source distribution for confirmation.

Leave a new comment

(why do I need your e-mail?)

(Your twitter name, if you have one. (I'm @pkrumins, btw.))

Type the first letter of your name: (just to make sure you're a human)

Please preview the comment before submitting to make sure it's OK.