lsof: command usage example

Lsof is used to list open files. Lsof follows Unix philosophy closely. It does just one task and it does it perfectly — it lists information about opened files in a running system. An open file can be a regular file, a directory, a block device, a pipe file, a symbolic link, a socket stream, etc.

How to can we use use lsof to do trouble shooting? I will show some typical examples in this post.

# lsof /path/to/file1 /path/to/file2

Find all open files in a directory recursively.

# lsof +D /usr/lib


List all open files by a user. You can use comma separated values to list files opened by multiple users.

# lsof -u john

Find all open files by program’s name.

# lsof -c nginx

List all open files by a user AND process.

# lsof -a -u john -c bash

List all open files by all users EXCEPT root. The ^ character before root username negates the match.

# lsof -u ^root

List all open files by the process with PIDs. This selects processes with PIDs 4450,1980,231.

# lsof -p 4450,1980,231

List all TCP network connections. Or UDP sockets if specify udp instead.

# lsof -i tcp

Find who’s using a specific UDP port.

# lsof -i udp:53


Find all network activity by user. Here the -a option combines -u and -i to produce listing of network file usage by user hacker.

# lsof -a -u hacker -i

List all NFS (Network File System) files. This option is easy to remember because -N is NFS.

# lsof -N

List all Unix domain socket files. List all files for processes with a specific group id.

# lsof -U

List all files associated with specific file descriptors. This lists all files that have been opened as file descriptor 2.

# lsof -d 2

You may also specify ranges of file descriptors, this would list all files with file descriptors 0, 1 and 2:

# lsof -d 0-2

There are also many special values, such as mem, that lists memory-mapped files. (Or txt for programs loaded in memory and executing):

# lsof -d mem


Output PIDs of processes using some resource.

# lsof -t -i

The -t option outputs only PIDs of processes. Used together with -i it outputs PIDs of all processes with network connections. It’s easy to kill all processes that use network:

# kill -9 `lsof -t -i`


The -r option makes lsof repeatedly list files until interrupted. Argument 1 means repeat the listing every 1 second. This option is best combined with a narrower query such as monitoring user network file activity:

# lsof -r 1 -u john -i -a

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.