Lsof is used to list open files. Lsof follows Unix philosophy closely. It does just one task and it does it perfectly — it lists information about opened files in a running system. An open file can be a regular file, a directory, a block device, a pipe file, a symbolic link, a socket stream, etc.
How to can we use use lsof to do trouble shooting? I will show some typical examples in this post.
# lsof /path/to/file1 /path/to/file2
Find all open files in a directory recursively.
# lsof +D /usr/lib
List all open files by a user. You can use comma separated values to list files opened by multiple users.
# lsof -u john
Find all open files by program’s name.
# lsof -c nginx
List all open files by a user AND process.
# lsof -a -u john -c bash
List all open files by all users EXCEPT root. The ^ character before root username negates the match.
# lsof -u ^root
List all open files by the process with PIDs. This selects processes with PIDs 4450,1980,231.
# lsof -p 4450,1980,231
List all TCP network connections. Or UDP sockets if specify udp instead.
# lsof -i tcp
Find who’s using a specific UDP port.
# lsof -i udp:53
Find all network activity by user. Here the -a option combines -u and -i to produce listing of network file usage by user hacker.
# lsof -a -u hacker -i
List all NFS (Network File System) files. This option is easy to remember because -N is NFS.
# lsof -N
List all Unix domain socket files. List all files for processes with a specific group id.
# lsof -U
List all files associated with specific file descriptors. This lists all files that have been opened as file descriptor 2.
# lsof -d 2
You may also specify ranges of file descriptors, this would list all files with file descriptors 0, 1 and 2:
# lsof -d 0-2
There are also many special values, such as mem, that lists memory-mapped files. (Or txt for programs loaded in memory and executing):
# lsof -d mem
Output PIDs of processes using some resource.
# lsof -t -i
The -t option outputs only PIDs of processes. Used together with -i it outputs PIDs of all processes with network connections. It’s easy to kill all processes that use network:
# kill -9 `lsof -t -i`
The -r option makes lsof repeatedly list files until interrupted. Argument 1 means repeat the listing every 1 second. This option is best combined with a narrower query such as monitoring user network file activity:
# lsof -r 1 -u john -i -a