26.6 C
Jaipur
Sunday, June 20, 2021

Linux lsof Command Tutorial for Beginners (15 Examples)

Must read

The lsof command in Linux displays in its output information about files that are opened by processes. In this article, we will discuss the Linux lsof tool using 15 easy-to-understand examples. Please note that all examples mentioned in this tutorial have been tested on Ubuntu 20.04 LTS, but they will work on other Linux distributions too like Debian, Fedora, and CentOS.

About lsof Command

If you want to quickly see the name of files that have been opened by a particular process (or all processes), the lsof command lets you do that. An open file could be a regular file or a directory, a library, a special file or block device, a character special file, an executing text reference, or even a stream or a network file. You can also list processes by port number. If you are not logged in as the root user, then you might have to prepend ‘sudo’ to the commands.

Install Linux lsof command

Most Linux distributions come with lsof pre-installed. If it is not installed on your system yet, use the following commands:

On Ubuntu and Debian:

$ sudo apt install lsof

Ond CentOS and Fedora:

$ dnf install lsof

1. How to list all open files

To list all open files, run the lsof command without any arguments:

lsof

For example, Here is the screengrab of a part of the output the above command produced on my system:

The first column represents the process while the last column contains the file name. For details on all the columns, head to the command’s man page.

2. How to list files opened by processes belonging to a specific user

The tool also allows you to list files opened by processes belonging to a specific user. This feature can be accessed by using the -u command-line option.

lsof -u [user-name]

For example:

lsof -u administrator

How to list files opened by processes belonging to specific user

3. How to list files based on their Internet address

The tool lets you list files based on their Internet address. This can be done using the -i command-line option. For example, if you want, you can have IPv4 and IPv6 files displayed separately. For IPv4, run the following command:

lsof -i 4

For example:

How to list files based on their Internet address

Similarly, for IPv6, run the following command:

lsof -i 6

For example:

lsof -i 6

LSOF IPv6 listeners

4. How to list all files by application name

The -c command-line option allows you to get all files opened by program name.

$ lsof -c apache

You do not have to use the full program name as all programs that start with the word ‘apache’ are shown. So in our case, it will list all processes of the ‘apache2’ application.

Get open files by program name

The -c option is basically just a shortcut for the two commands:

$ lsof | grep apache

5. How to list files specific to a process

The tool also lets you display opened files based on process identification (PID) numbers. This can be done by using the -p command-line option. 

lsof -p [PID]

For example:

lsof -p 856

How to list files specific to a process

Moving on, you can also exclude specific PIDs in the output by adding the ^ symbol before them. To exclude a specific PID, you can run the following command:

lsof -p [^PID]

For example:

lsof -p ^1

How to list files specific to a process - result

As you can see in the above screenshot, the process with id 1 is excluded from the list.

6. How to list IDs of processes that have opened a particular file

The tool allows you to list IDs of processes that have opened a particular file. This can be done by using the -t command line option.

$ lsof -t [file-name]

For example:

$ lsof -t /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.9.0

How to list IDs of processes that have opened a particular file

7. How to list all open files in a directory

If you want, you can also make lsof search for all open instances of a directory (including all the files and directories it contains). This feature can be accessed using the +D command-line option.

$ lsof +D [directory-path]

For example:

$ lsof +D  /usr/lib/locale

How to limit lsof to a particular directory

8. How to list all Internet and x.25 (HP-UX) network files

This is possible by using the -i command-line option we described earlier. Just that you have to use it without any arguments.

$ lsof -i

How to list all Internet and x.25 (HP-UX) network files

9. Find out which program is using a port

The -i switch of the command allows you to find a process or application which listens to a specific port number. In the example below, I checked which program is using port 80.

$ lsof -i :80

Instead of the port number, you can use the service name as listed in the /etc/services file. Example to check which app listens on the HTTPS (443) port:

$ lsof -i :https

Result:

List processes by open port or service

The above examples will check both TCP and UDP. If you like to check for TCP or UDP only, prepend the word ‘tcp’ or ‘udp’. For example, which application is using port 25 TCP:

$ lsof -i tcp:25

or which app uses UDP port 53:

$ lsof -i udp:53

LSOD UDP Port 53

10. How to list open files based on port range

The utility also allows you to list open files based on a specific port or port range. For example, to display open files for port 1-1024, use the following command:

$ lsof -i :1-1024

How to list open files based on port range

11. How to list open files based on the type of connection (TCP or UDP)

The tool allows you to list files based on the type of connection. For example, for UDP specific files, use the following command:

$ lsof -i udp

How to list open files based on type of connection (TCP or UDP)

Similarly, you can make lsof display TCP-specific files.

12. How to make lsof list Parent PID of processes

There’s also an option that forces lsof to list the Parent Process IDentification (PPID) number in the output. The option in question is -R.

$ lsof -R

To get PPID info for a specific PID, you can run the following command:

$ lsof -p [PID] -R

For example:

$ lsof -p 3 -R

How to make lsof list Parent PID of processes

13. How to find network activity by user

By using a combination of the -i and -u command-line options, we can search for all network connections of a Linux user. This can be helpful if you inspect a system that might have been hacked. In this example, we check all network activity of the user www-data:

$ lsof -a -i -u www-data

Find network activity by user on Linux

14. List all memory-mapped files

This command lists all memory-mapped files on Linux.

$ lsof -d mem

Find memory mapped files

15. List all NFS files

The -N option shows you a list of all NFS (Network File System) files.

$lsof -N

Conclusion

Although lsof offers a plethora of options, the ones we’ve discussed here should be enough to get you started. Once you’re done practicing with these, head to the tool’s man page to learn more about it. Oh, and in case you have any doubts and queries, drop in a comment below.

Source link

- Advertisement -

More articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisement -

Latest article