lsof Command in Linux with Examples

August 4, 2022

Introduction

The lsof command stands for LiSt Open Files and shows open files and which process uses them. Since Linux sees every object as a file, such as devices, directories, etc., unidentified open files prevent users from modifying them.

Additionally, the sheer number of files makes it difficult to find malicious processes. The lsof command helps identify these processes so you can terminate them.

This article will explain how to use the lsof command in Linux with examples. 

lsof Command in Linux with Examples

Prerequisites

  • Access to the terminal.
  • Sudo group privileges.
  • Root privileges for some commands.

lsof Command Syntax

The lsof command syntax is:

lsof [options]

Note: For most commands, run lsof with sudo to avoid "permission denied" errors.

lsof Command Options

The lsof command has many of options. The table below includes arguments that are used most often:

OptionDescription
lsof                              Lists all open files.
-bSuppresses kernel blocks.
/ [file system] /Shows open files in a particular file system.
/dev/tty*Displays files associated with the terminal.
-u [username]Prints all files opened by a user.
-u ^[username]Prints all files opened by everyone except a specific user.
-c [process]Lists all files accessed by a particular process.
-p [process ID]Shows all open files associated with a specific process ID.
-p ^[process ID]Shows files opened by all other PIDs.
-RLists parent process IDs.
+D [directory path]Prints all open files in a directory.
-iDisplays all files accessed by network connections.  
-i [IP version number]Filters files based on their IP.
- i [udp or tcp]Filters open files based on the connection type (TCP or UDP).
-i :[port number]Finds processes running on a specific port.
-i :[port range]Finds processes running on specific port ranges.
-t [file name]Lists IDs of processes that have accessed a particular file.
# kill -9 'lsof -t -u [user]'Kills all user processes.
-d memShows all memory-mapped files.
[path] | grep deletedPrints locked deleted files.
manOpens the man page.

lsof Command Examples

lsof incorporates different arguments allowing users to manage system and network administration activities. Outlined below are the most common lsof use cases.

List All Files

When run without any options, lsof lists all files opened by any process:

sudo lsof
Isof Command Terminal Output

The lsof command outputs a lot of details. Therefore, always pipe lsof with less to display the output one page at a time.

sudo lsof | less
Isof Command Option Less Terminal Output

To navigate to the bottom of the list, hit Enter or down arrow. Exit the list with Q.

The lsof output consists of different columns. However, not all columns apply to every type of file. The header looks like this:

lsof Header

The default columns in the lsof output are:

  • COMMAND - Refers to the command associated with the process that opened the file. 
  • PID - The process identification number of the process running the file.
  • TID - Represents a task identification number for the respective process. It is blank if a process, not a task, has opened the file.
  • TASKCMD - Refers to the command name in the first column. However, TASKCMD can differ when a task changes its command name.
  • USER - Names the user executing the process. The column contains the User ID or name.
  • FD - Is the file descriptor the process uses to associate with the file.
  • TYPE - Shows the type of file and its identification number.
  • DEVICE - Prints device numbers related to the file.
  • SIZE/OFF - Represents the value or the file taken during the runtime (size or offset).
  • NODE - The local file's node number or inode number of the directory/parent directory.
  • NAME - Shows the path or link to the file.

Conceal Kernel Blocks

The default lsof output also includes files that are opened by the kernel. To suppress kernel blocks, run lsof with the -b flag:

sudo lsof -b
lsof -b Terminal Output

Display Files of a Specific Filesystem

Use the lsof command to show open files in a particular file system:

sudo lsof / [file system] /

For example, to see all open files in the sys directory, run:

sudo lsof / sys/
lsof sys Terminal Output

Print Terminal Files

List all open files connected to the terminal by targeting the dev directory with lsof:

lsof /dev/tty*
lsof dev tty Terminal Output

Show All Files Accessed by a User

Use lsof with a -u flag to display files opened by a specific user:

sudo lsof -u [username]

For example:

lsof -u saraz
sudo Isof -u Username Command Terminal Output

The command lists files opened by saraz.

To print all files opened by everyone except a specific user, run:

sudo lsof -u ^[username]

For instance:

lsof -u ^saraz
Isof -u ^ Username Terminal Output

The output shows files controlled by users other than saraz.

Display Files Used by a Process

The -c flag opens all files used by a process:

sudo lsof -c [process]

For example, to list files opened by the wpa_suppl process, run:

sudo lsof -c wpa_suppl
sudo Isof -c process wpa_suppl Terminal Output

Another option is to use only a part of the program name:

sudo lsof -c wpa
sudo Isof -c process wpa Terminal Output

lsof returns all programs starting with the term wpa, which includes wpa_suppl.

Moreover, the -c option gives the same output as piping lsof with grep:

sudo lsof | grep wpa_suppl
sudo Isof grep Terminal Output

Print Files Opened by a Specific PID

Use the -p option to filter specific files by the Process ID number (PID). For example, the output below shows all files with PID 635.

sudo lsof -p 635
Isof -p pid Command Terminal Output

On the other hand, add a caret ^ symbol to print files opened by all other processes:

sudo lsof -p ^635
sudo Isof -p ^ PID Command Terminal Output

Additionally, combining lsof with the -R flag adds the Parent Process Identification Number (PPID) to the output.

To get PPID info for a specific PID, execute:

sudo lsof -p [PID] -R

For example, to get the PPID for the 635 PID, type:

sudo lsof -p 635 -R
Isof -p PID -R Terminal Output

The output shows the PPID column added to the header.

Show Files Under a Directory

To see all files that have been opened under a directory, use the following command:

sudo lsof +D [directory path]
sudo lsof +D Directory Path

This option also recurses the sub directories. To avoid recursing, use the +d flag.

Show Files Accessed by Network Connections

Use the -i flag with lsof to check which files are opened by a network connection. Execute this command:

sudo lsof -i
sudo lsof -i Termial Output

The example above prints files open by a network connection, regardless of the connection type.

The -i flag adds a lot of versatility to lsof, allowing users to filter files based on different criteria. Use lsof -i [options] to:

  1. Filter files based on their IP with:
sudo lsof -i [IP version number]

For example, run this command to display only IPv4 files:

sudo lsof -i 4
sudo lsof -i 4 Termial Output

On the contrary, print only IPv6 files with:

sudo lsof -i  6
sudo lsof -i 6 termial output
  1. See only files that use tcp or udp connection by providing the protocol type:
sudo lsof -i [udp or tcp]
sudo lsof -i udp tcp Terminal Output
  1. Find processes running on a specific port. This option is useful to check which file is preventing another app from binding to a specific port. Execute the command with the port number or service name from the name column:
sudo lsof -i :[port number/name]
sudo lsof -i  Port Number or Name Terminal Output
  1. Print all files open on specific port ranges.

For instance, to list open Files of UDP Port ranges 1-1024, run:

sudo lsof -i UDP 1-1024 Terminal Output

List IDs of Processes Holding Open Files

To see PIDs for processes that have opened a particular file, use -t and provide the file name.

lsof -t [file name]
lsof -t Terminal Output

Kill All User’s Processes

The -t flag also kills all processes by a specific user. For example, to kill all processes by user notsara, execute this command as root:

# kill -9 'lsof -t -u notsara'
The lsof Command Kill User Processes

Print All Memory-Mapped Files

lsof prints which processes have memory-mapped files. To show these processes, run:

 lsof -d mem
lsof -d mem Terminal Output

Display Locked Deleted Files

A process sometimes keeps big files locked even after they have been deleted, consuming disk space.
Use Lsof to find files that are deleted in Linux but are still locked by one or more processes.
For example, find deleted files from the root directory using a slash (/) as a path symbol:

sudo lsof [path] | grep deleted
sudo lsof path grep deleted Terminal Output

Combine Multiple Options

The lsof command allows multiple search items on the command line. Use AND and OR logic to combine different arguments to get specific results. Below are most common examples.

  1. List files open by a particular user or process with:
sudo lsof -u [username] -c [process]
sudo lsof -u saraz -c snapd Terminal Output

The output prints both files opened by the user saraz and those used by the process snapd.

  1. Display only files that match the first search term and the second search term with the logical operator -a (and):
sudo lsof -u [username] -c [process] -a
sudo lsof -u user -c process -a Terminal Output

In this case, lsof shows only files opened by the user saraz and the bash process.

  1. Find all network connections of a user:
sudo lsof -i -u [username] -a
sudo lsof -i -u user -a Terminal Output

The -i and -a flags with the lsof command print all activity of the user root.

Learn More About lsof

The lsof command has more options than any other Linux command. The man page is almost 2000 lines long and offers a lot of information.

To explore the command's possibilities, run:

man lsof
lsof Man Page

Conclusion

This tutorial shows you how to use the lsof command for troubleshooting potential security and system problems with practical examples.

Next, learn how to copy files and directories in Linux and compare two files using the Linux diff command.

Was this article helpful?
YesNo
Sara Zivanov
Sara Zivanov is a technical writer at phoenixNAP who is passionate about making high-tech concepts accessible to everyone. Her experience as a content writer and her background in Engineering and Project Management allows her to streamline complex processes and make them user-friendly through her content.
Next you should read
How to Create a File in Linux Using Terminal/Command Line
June 27, 2019

Creating a file in Linux might seem straightforward, but there are some surprising and...
Read more
How To Check If File or Directory Exists in Bash
August 30, 2019

Searching for specific files or directories can be time-consuming. You can use a bash command or script to streamline...
Read more
How to Rename Files in Linux
October 13, 2021

There are several ways to rename files in Linux, including using the GUI and terminal commands. This tutorial shows you how to rename files using the mv and rename commands...
Read more
How to Move Directories in Linux
September 8, 2021

This helpful tutorial shows you how to move directories in Linux using the GUI or the built-in mv command. Learn practical...
Read more
  • © 2022 Copyright phoenixNAP | Global IT Services. All Rights Reserved.