Introduction to lsof
Today I’m going to introduce you to the exciting world of lsof.
As you will see, it’s a nifty little tool that has various uses, and it has so many switches that you need both a – and a + to use all the options available! As the description of the command says in its man-page:
lsof – list open files
So, let’s get started.
Network
List network connections
$ lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ssh 868 jorge 3u IPv4 12710 0t0 TCP j-laptop.fbarr.lan:55908->login.redpill-linpro.com:ssh (ESTABLISHED)
chrome 967 jorge 114u IPv4 372589 0t0 TCP j-laptop.fbarr.lan:44756->edge-star-ecmp-04-ams2.facebook.com:https (ESTABLISHED)
...
List TCP/UDP connections
$ lsof -i TCP
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chrome 967 jorge 203u IPv4 403952 0t0 TCP j-laptop.fbarr.lan:35942->173.192.82.194-static.reverse.softlayer.com:http (ESTABLISHED)
ssh 868 jorge 3u IPv4 12710 0t0 TCP j-laptop.fbarr.lan:55908->login.acme.com:ssh (ESTABLISHED)
Simply replace TCP with UDP to see UDP connections.
List connections related to a port
$ lsof -i :22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ssh 1742 jorge 3u IPv4 448777 0t0 TCP j-laptop.fbarr.lan:36484->j-desktop.fbarr.lan:22 (ESTABLISHED)
ssh 5409 jorge 3u IPv4 73369 0t0 TCP j-laptop.fbarr.lan:45986->j-server.fbarr.lan:22 (ESTABLISHED)
List connections related to a host
$ lsof -i @192.168.1.1
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chrome 967 jorge 143u IPv4 526978 0t0 TCP j-laptop.fbarr.lan:38571->calcifer.fbarr.lan:https (ESTABLISHED)
..and port:
$ lsof -i @192.168.1.1:443
chrome 967 jorge 143u IPv4 526978 0t0 TCP j-laptop.fbarr.lan:38571->calcifer.fbarr.lan:https (ESTABLISHED)
It’s also possible to provide a port-range:
$ lsof -i :443-1000
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chrome 4598 jorge 64u IPv4 68058 0t0 TCP j-laptop.fbarr.lan:35515->do-20.lastpass.com:https (ESTABLISHED)
chrome 4598 jorge 98u IPv6 5251212 0t0 TCP j-laptop.fbarr.lan:43729->lb-in-x5e.1e100.net:https (ESTABLISHED)
List connections with status LISTEN
$ sudo lsof -i | grep LISTEN
sshd 11903 root 3u IPv4 549183 0t0 TCP *:ssh (LISTEN)
sshd 11903 root 4u IPv6 549185 0t0 TCP *:ssh (LISTEN)
Replace LISTEN with ESTABLISHED, and various other options, to grab what you’re looking for.
List IPv4/IPv6 connections
$ lsof -i 4
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chrome 4598 jorge 64u IPv4 68058 0t0 TCP j-desktop.fbarr.lan:35515->do-20.lastpass.com:https (ESTABLISHED)
mutt 14654 jorge 3u IPv4 41678 0t0 TCP j-desktop.fbarr.lan:57323->87.144.18.114:imaps (ESTABLISHED)
$ lsof -i 6
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chrome 4598 jorge 127u IPv6 5278504 0t0 TCP j-desktop.fbarr.lan:42348->lb-in-x5d.1e100.net:https (ESTABLISHED)
chrome 4598 jorge 182u IPv6 132082 0t0 TCP j-desktop.fbarr.lan:59281->arn02s06-in-x0e.1e100.net:https (ESTABLISHED)
Users, processes and files
lsof not only is useful for network-related tasks, but works excellent for users, processes and files.
List open files of user
$ lsof -u jorge
...
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
lsof 26305 jorge txt REG 8,3 146236 294089 /usr/bin/lsof
lsof 26305 jorge mem REG 8,3 46816 276251 /usr/lib/libnss_files-2.18.so
lsof 26305 jorge mem REG 8,3 1607632 294020 /usr/lib/locale/locale-archive
...
List processes by PID
List processes by name
$ lsof -n -c urxvt
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
urxvtd 1749 jorge txt REG 8,1 1299408 3431669 /usr/bin/urxvtd
urxvtd 1749 jorge mem REG 8,1 51808 3411196 /usr/lib/libnss_files-2.18.so
List connections to a file
$ sudo lsof /var/log/Xorg.0.log
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
X 400 root 0w REG 8,1 30052 7602187 /var/log/Xorg.0.log
HUP a process
Kill all of a user’s processes
List all open files without a link
These files have been deleted, but one or several processes are keeping the files open. Though it might appear that the files are deleted from the filesystem, both the files and the blocks are being preserved.
These are just a few of the things you can do with lsof. I hope this tutorial has made you a little bit smarter!