lsof command in Linux/Unix

lsof command

Today I came across the lsof command in an interview. The interviewer was a tricky guy and a great Linux/*nix guru. He asked me many questions which I couldn't answer, and the lsof command was one of them. This command impressed me, and it is one of the most powerful commands I have come across so far in Linux with respect to monitoring. So I did some research on this command and came across numerous examples that make a network/system admin's work a bit simpler and more meaningful.

What is the lsof command?

lsof stands for LiSt Open Files. It shows all the files opened by

1) a process in the system.

2) a user.

3) a command.

4) a network service.

5) a regular file.

6) a directory.

7) a block file.

8) a character file.

9) an executing text reference.

10) a library.

11) stream or

12) network file (Internet socket, NFS file or UNIX domain socket.).

This is

Where will we use this lsof command?

In many situations, such as when troubleshooting network-related, file-related, and process-related issues.

USAGE 1: To see all the open files in the system without filtering. This lists all open files belonging to all active processes.

#lsof

Output:

COMMAND     PID  USER   FD      TYPE             DEVICE   SIZE/OFF    NODE NAME
loginwind   118 sanne  cwd       DIR                1,4       1224       2 /
loginwind   118 sanne  txt       REG                1,4    1202160 4799952 /System/xyz
loginwind   118 sanne  txt       REG                1,4   25923264 4795181 /usr/bin/ddd

I have to explain the output of the above command.


Column 1: The command column in lsof command

Lists the command that is running. This tells you which command is responsible for that open file.

Column 2: The PID column in lsof command

This column lists the PID (process identification) of the process which is using that file. This is a number assigned by the kernel.

Column 3: The user column in lsof command

Lists the user who is using this file. This can be a system user or a regular user. In the above example, sanne is the user who opened the files.

Example: List all the files opened by particular user

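Column 4: The file descriptor column in lsof command

Shows the file descriptor through which the process holds the file, or a label such as cwd (current working directory) or txt (program text), as in the output above.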

USAGE 2: Sometimes a service cannot bind to its port and fails to start because some process is already using that port (even though the process died). We then have to see which process is using the port and kill it if required, which avoids restarting the server. Suppose we want to start an FTP server that will not start because of this problem.

#lsof -i TCP:ftp

Here -i selects Internet files. TCP:ftp shows which process is using the TCP port of the ftp service. To see which process is using a UDP port, just replace TCP with UDP.
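A scriptable version of this port check, as an added example that is not from the original post: it parses lsof's -F field output (one field per line, prefixed by p, c, L, f or n) and reports which process listens on a given TCP port. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which process is listening on a TCP port by parsing
# lsof field output. On a live system feed it with:
#   lsof -nP -iTCP -sTCP:LISTEN -F pcLn | listeners_on_port 21
# -n/-P keep addresses and ports numeric, -F pcLn prints one field per line:
# p<pid>, c<command>, L<login name>, f<descriptor>, n<socket name>.

# Constructed sample of that output (not captured from a real host).
sample_lsof_output() {
    cat <<'EOF'
p812
cvsftpd
Lroot
f3
n*:21
p1044
csshd
Lroot
f3
n*:22
f4
n*:22
p2001
cpure-ftpd
Lftp
f5
n127.0.0.1:2121
EOF
}

# Hypothetical helper: prints "PID COMMAND USER NAME" once per process/socket.
listeners_on_port() {
    case "$1" in
        ''|*[!0-9]*) echo "usage: listeners_on_port PORT" >&2; return 2 ;;
    esac
    awk -v port="$1" '
        { tag = substr($0, 1, 1); val = substr($0, 2) }
        tag == "p" { pid = val; cmd = ""; user = "" }  # a new process set starts
        tag == "c" { cmd = val }
        tag == "L" { user = val }
        tag == "n" {
            sub(/ \(.*\)$/, "", val)                  # drop a trailing state such as (LISTEN)
            if (val ~ (":" port "$") && !((pid, val) in seen)) {
                seen[pid, val] = 1                     # same socket on several descriptors
                print pid, cmd, user, val
            }
        }
    '
}

sample_lsof_output | listeners_on_port 21   # vsftpd only; port 2121 must not match
```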


USAGE 3: To see what files are opened when you execute a command

#lsof -c httpd

Here -c specifies the command name.

USAGE 4: To see which files are open on a device

#lsof /dev/hdc

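USAGE 5: To see which process or user is accessing a file. The -f switch tells lsof to treat the argument as a plain file, and the -- after it keeps the file name from being read as a parameter of -f. The listing shows which user and program are using that file. In the example below, the vim editor, run by the root user, has /etc/passwd open for editing; the listed file is vim's swap file /etc/.passwd.swp.

#lsof -f -- filename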

Example:

[[email protected] Script]# lsof -f passwd
vim 14122 root 4u REG 253,0 12288 234655 /etc/.passwd.swp
[[email protected] Script]#

USAGE 6: To monitor the network and see what people are doing with which network services

#watch lsof -i

Note: watch is an excellent command for repeating a command at a regular interval. Please have a look at my other blog post about the watch command.

USAGE 7: To see all open Internet files (-i) and UNIX domain socket files (-U)

#lsof -i -U

USAGE 8: To see what is using a given port, whether TCP or UDP

#lsof -i TCP:22

This checks all the connections on the ssh port.

#lsof -i UDP:69

This is for tftp connections to the machine.


USAGE 9: To watch, live, all the files being accessed by a user

#watch lsof -u user-name

Some sister commands of this command are pstree, ps, and netstat. We will look at these in our coming posts.

NOTE: Some strange things I observed about this command are

1) Till this point I knew that to use any command's options we have to use -, but for this command there are both + and - options too.

2) In Linux, everything is considered a file, even a network socket or a hardware device, for example.
