A Unix Utility You Should Know About: lsof

This is the third post in the article series about Unix and Linux utilities that you should know about. In this post I will take you through the useful lsof tool. If

Lsof follows the Unix philosophy closely. It does just one task and it does it perfectly -- it lists information about files opened by processes. An open file may be a regular file, a directory, an NFS file, a block special file, a character special file, a shared library, a regular pipe, a named pipe, a symbolic link, a socket stream, an Internet socket, a UNIX domain socket, and many others. Since almost everything in Unix is a file, you can imagine how incredibly useful lsof is!

In this article I will try to present lsof based on as many use cases as I can think of. Let's start with the simplest (that you probably already know) and proceed to more complicated ones.

Running <code>lsof</code> without any arguments lists all open files by all processes.

Given a path to a file as an argument, lsof lists all the processes that are using the file in some way.

You may also specify several files, in which case lsof lists all the processes that are using the files:

With the <code>+D</code> argument lsof finds all files in the specified directory and all the subdirectories.

Note that it's slower than the usual version with <code>grep</code>:

It's slower because <code>+D</code> first finds all the files and only then does the output.

The <code>-u</code> option (think user) limits the output to files opened by user pkrumins.

You can use a comma-separated list of values to list files opened by several users:

This will list all the files that are open by users rms and root.

Another way to do the same is by using the <code>-u</code> option twice:

The <code>-c</code> option selects the listing of files for processes whose name begins with apache.

So instead of writing:

You can now write the shorter version:

In fact, you can specify just the beginning part of the process name you're looking for:

This will list all the files opened by processes whose name starts with apa.

You can also specify several <code>-c</code> options to output open files by several processes:

This will list all open files by apache and python.

Lsof options can be combined. The default is to OR between options. It means it will combine the outputs of <code>-u pkrumins</code> and <code>-c apache</code>, producing a listing of all open files by pkrumins and all open files by apache.

Notice the <code>-a</code> option. It combines the options with AND. The output listing is files opened by bash, which is run under the pkrumins user.

Notice the <code>^</code> character before the root username. It negates the match and causes lsof to print all open files by all users who are not root.

The <code>-p</code> option (think PID) selects open files by process ID.

Remember that you can select multiple PIDs by either comma-separating the list or using multiple <code>-p</code> arguments:

This selects processes with PIDs 450, 980 and 333.

Here the negation operator <code>^</code> is used again. It inverts the list and excludes the process with PID 1.

Lsof with <code>-i</code> option lists all processes with open Internet sockets (TCP and UDP).

The <code>-i</code> argument can take several options, one of them is <code>tcp</code>. The <code>tcp</code> option forces lsof to list only processes with TCP sockets.

The <code>udp</code> option causes lsof to list processes with UDP sockets.

The <code>:25</code> option to <code>-i</code> makes lsof find processes using TCP or UDP port 25.

You may also use a service name (found in <code>/etc/services</code>) rather than a port number:

Similarly, to find who's using a TCP port, use:

Here the <code>-a</code> option combines <code>-u</code> and <code>-i</code> to produce a listing of network file usage by user hacker.

This option is easy to remember because <code>-N</code> is NFS.

This option is also easy to remember because <code>-U</code> is Unix.

Process groups are used to logically group processes. This example finds all files opened by processes with PGID <code>1234</code>.

This lists all files that have been opened as file descriptor <code>2</code>.

You may also specify ranges of file descriptors:

This would list all files with file descriptors 0, 1 and 2.

There are also many special values, such as <code>mem</code>, which lists memory-mapped files:

Or <code>txt</code> for programs loaded in memory and executing:

The <code>-t</code> option outputs only the PIDs of processes. Used together with <code>-i</code> it outputs the PIDs of all processes with network connections. It's easy to kill all processes that use the network:

The <code>-r</code> option makes lsof repeatedly list files until interrupted. Argument <code>1</code> means repeat the listing every 1 second. This option is best combined with a narrower query such as monitoring user network file activity:
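The OR/AND selection rules and the <code>-t</code> PID listing described above, replayed over saved output so the selected PIDs can be reviewed before anything is killed. This is an added example, not code from the original article: the sample rows are constructed, the function names are hypothetical, and the column layout assumes output saved from <code>lsof -i -P -n</code> (numeric ports and addresses).

```shell
#!/bin/sh
# Added example: replays lsof's selection rules over saved `lsof -i -P -n` output.
# The sample below is constructed, not captured from a real host.
sample_lsof_i() {
cat <<'EOF'
COMMAND  PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812     root    3u  IPv4  18234      0t0  TCP *:22 (LISTEN)
master    980     root   13u  IPv4  19001      0t0  TCP 127.0.0.1:25 (LISTEN)
apache2  1450 www-data    4u  IPv6  20110      0t0  TCP *:80 (LISTEN)
python   2333 pkrumins    5u  IPv4  31007      0t0  UDP *:5353
python   2333 pkrumins    6u  IPv4  31012      0t0  TCP 10.0.0.5:51544->10.0.0.9:443 (ESTABLISHED)
bash     2401 pkrumins    3u  IPv4  31990      0t0  TCP 10.0.0.5:51600->10.0.0.7:22 (ESTABLISHED)
EOF
}

# select_rows MODE USER PREFIX: MODE "or" mimics `lsof -u USER -c PREFIX`,
# MODE "and" mimics `lsof -a -u USER -c PREFIX`. Reads lsof output on stdin
# and prints "PID USER COMMAND PROTOCOL NAME" for each selected row.
select_rows() {
    awk -v mode="$1" -v user="$2" -v pre="$3" '
        NR == 1 { next }                       # skip the header line
        {
            u = ($3 == user)                   # -u: exact user match
            c = (index($1, pre) == 1)          # -c: command name begins with PREFIX
            keep = (mode == "and") ? (u && c) : (u || c)
            if (keep) print $2, $3, $1, $8, $9
        }'
}

# pids_only: what `-t` would print for the selected rows, one entry per PID.
pids_only() {
    awk '{ print $1 }' | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# listeners: sockets in LISTEN state as USER:COMMAND:ADDRESS.
listeners() {
    awk 'NR > 1 && $NF == "(LISTEN)" { print $3 ":" $1 ":" $9 }'
}

# OR selects far more than AND; check the PID list before acting on it.
echo "OR  (-u pkrumins -c apa)    : $(sample_lsof_i | select_rows or  pkrumins apa  | pids_only)"
echo "AND (-a -u pkrumins -c bash): $(sample_lsof_i | select_rows and pkrumins bash | pids_only)"
sample_lsof_i | listeners
```

On a live system the same functions can read real output, for example <code>lsof -i -P -n | select_rows and pkrumins bash</code>.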

BSD supplies its own utility that does similar things; it's called fstat.

Have fun with lsof!

<a href="http://www.catonmat.net/blog/unix-utilities-lsof/">http://www.catonmat.net/blog/unix-utilities-lsof/</a>