Today I came across the lsof command in an interview. The interviewer was a tricky guy and a great Linux/*nix guru. He asked me many questions which I couldn't answer, and the lsof command was one of them. This command impressed me, and it is one of the most powerful commands I have come across so far in Linux with respect to monitoring. So I did some research on this command and came across numerous examples that make a network/system admin's work a bit simpler and more meaningful.
What is the lsof command?
lsof stands for LiSt Open Files. It shows all the open files by:
1) a process in the system.
2) a user.
3) a command.
4) a network service.
5) a regular file.
6) a directory.
7) a block file.
8) a character file.
9) an executing text reference.
10) a library.
11) a stream, or
12) a network file (Internet socket, NFS file or UNIX domain socket).
Where will we use this lsof command?
In many situations, such as when troubleshooting network-related, file-related, and process-related issues.
USAGE 1: To see all the open files in the system without filtering, run lsof with no options. This lists all open files belonging to all active processes.
COMMAND    PID  USER   FD   TYPE  DEVICE  SIZE/OFF  NODE     NAME
loginwind  118  sanne  cwd  DIR   1,4     1224      2        /
loginwind  118  sanne  txt  REG   1,4     1202160   4799952  /System/xyz
loginwind  118  sanne  txt  REG   1,4     25923264  4795181  /usr/bin/ddd
I have to explain the output of the above command.
Column 1: The command column in lsof command
Lists the name of the command that is running. This tells you which command is responsible for that open file.
Column 2: The PID column in lsof command
This column lists the PID (process ID) of the process which is using that file. This is a number assigned by the kernel.
Column 3: The user column in lsof command
Lists the user who is using this file. This user can be a system user or a regular user. In the above example, sanne is the user who opened the files.
Example: List all the files opened by a particular user
Column 4: The file descriptor column in lsof command
This column shows the file descriptor, which is nothing but the way the process has the file open. In the above example, cwd is the current working directory and txt is program text (code and data).
USAGE 2: Sometimes a service cannot bind to its port and so fails to start, because some process is already using that port (though the process died). We then have to see which process is using the port and kill that process if required. This avoids restarting the server. Suppose we want to start an FTP server that will not start because of the above problem.
#lsof -i TCP:ftp
Here -i selects Internet (network) files, and TCP:ftp shows which process is using the TCP port for ftp. To see which process is using a UDP port, just replace TCP with UDP.
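The port check from USAGE 2 in script form, as an added example that is not from the original post: it reads lsof's -F field output (one field per line, the first character naming the field) instead of the column layout, so a script can report the PID, command and user holding a port before anyone decides to kill the process. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).

# parse_lsof_fields: read `lsof -F pcLn` output on stdin and print one
# "PID COMMAND USER NAME" line per open file.
# Field ids: p = PID, c = command, L = login name, f = file descriptor, n = name.
parse_lsof_fields() {
    awk '
        /^p/ { pid = substr($0, 2); cmd = "?"; user = "?" }  # start of a new process set
        /^c/ { cmd  = substr($0, 2) }
        /^L/ { user = substr($0, 2) }
        /^n/ { print pid, cmd, user, substr($0, 2) }         # one output line per file
    '
}

# port_holders PORT: processes listening on TCP PORT on the live system.
# -n and -P keep addresses and ports numeric; -sTCP:LISTEN keeps listeners only.
port_holders() {
    lsof -nP -iTCP:"$1" -sTCP:LISTEN -F pcLn 2>/dev/null | parse_lsof_fields
}

# Constructed sample of -F output: one FTP listener, one ssh listener on IPv4 and IPv6.
sample_output() {
    printf '%s\n' 'p2301' 'cvsftpd' 'Lroot' 'f3' 'n*:21' \
                  'p4410' 'csshd' 'Lroot' 'f3' 'n*:22' 'f4' 'n[::]:22'
}

# Offline demonstration on the constructed sample.
# On a live system, run for example: port_holders 21
sample_output | parse_lsof_fields
```

Listing other users' processes normally requires running lsof as root, as the # prompts in this post assume.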
USAGE 3: To see what files are opened when you execute a command
#lsof -c httpd
Here -c specifies the command.
USAGE 4: To see which files are open for a device
USAGE 5: To see which process or user is accessing a file. With the -f switch we can see which user and program are using a particular file. In the example below, the vim editor is used by the root user to open the /etc/passwd file.
#lsof -f filename
[[email protected] Script]# lsof -f passwd
vim 14122 root 4u REG 253,0 12288 234655 /etc/.passwd.swp
[[email protected] Script]#
USAGE 6: To monitor the network and see what people are doing with which network services
#watch lsof -i
Note: watch is an excellent command for repeating a command at a regular interval. Please have a look at my other blog post about the watch command.
USAGE 7: To see all open INTERNET files
#lsof -i -U
USAGE 8: To see ports, whether TCP or UDP
#lsof -i TCP:22
This checks all the connections on the ssh port.
#lsof -i UDP:69
This is for tftp connections to the machine.
USAGE 9: To watch all the files being accessed by a user live
#watch lsof -u user-name
Some sister commands of this command are pstree, ps, and netstat. We will look at these in coming posts.
NOTE: Some strange things I observed about this command are:
1) Until now I knew that to use any command's options we have to use -, but for this command there are both + and - options too.
2) In Linux, everything is considered a file, even a network socket or a hardware device, for example.