Wednesday, December 1, 2021

lsof Command in Linux (10 Examples)


In Linux, everything is treated as a file and organized inside directories. lsof (LiSt Open Files) displays a list of the files that are currently open. It is mainly used to find out which process has a given file open. Apart from regular files, it can list a directory, a block special file, a shared library, a character special file, a regular pipe, a named pipe, an internet socket, a UNIX domain socket, and many others.

In this tutorial, we learn about the lsof command in Linux using easy-to-understand examples.

lsof command

The lsof command is available by default in most Linux distributions. A very common use is when a disk cannot be unmounted: lsof helps find the open file and the process that is holding it.

Syntax:

lsof [options] [names]

Run without options, lsof lists all the files that have been opened by all the processes in the system. Its output has the following columns.

COMMAND     PID   TID TASKCMD               USER   FD      TYPE             DEVICE  SIZE/OFF       NODE NAME

The name of the UNIX command associated with the process is stored in the COMMAND column.

The PID displays the process ID of the command.

The USER displays the name of the user who owns the process.

The TID shows the task ID.

The FD is a file descriptor that includes abbreviations like cwd (Current Working Directory), txt (Text Files), mem (Memory-mapped file), rtd (root directory), and many others.

TYPE is an abbreviation for a specific file type, such as REG (Regular file), DIR (Directory), CHR (Character special file), and so on.

The DEVICE contains the device numbers.

The SIZE/OFF contains the file size or file offset in bytes.

The NODE column value represents the node number of a local file.

The NAME displays the name of the file’s mount point and file system, as well as the Internet address.

The following is a list of some of the most common uses of the lsof command.

1. List all open files

To quickly get a list of open files, type lsof. It lists all of the files that have been opened by the system’s various processes.

$ sudo lsof 

Output:

COMMAND     PID   TID TASKCMD               USER   FD      TYPE             DEVICE  SIZE/OFF       NODE NAME
 systemd       1                             root  cwd       DIR                8,0      4096          2 /
 systemd       1                             root  rtd       DIR                8,0      4096          2 /
 systemd       1                             root  txt       REG                8,0   1620224       7820 /usr/lib/systemd/systemd
 systemd       1                             root  mem       REG                8,0   1369352       7450 /usr/lib/x86_64-linux-gnu/libm-2.31.so
 systemd       1                             root  mem       REG                8,0    178528       7600 /usr/lib/x86_64-linux-gnu/libudev.so.1.6.17
 systemd       1                             root  mem       REG                8,0   1575112       3451 /usr/lib/x86_64-linux-gnu/libunistring.so.2.1.0
 systemd       1                             root  mem       REG                8,0    137584        779 /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.28.0
 systemd       1                             root  mem       REG                8,0     67912       1542 /usr/lib/x86_64-linux-gnu/libjson-c.so.4.0.0
 systemd       1                             root  mem       REG                8,0     34872       3342 /usr/lib/x86_64-linux-gnu/libargon2.so.1
 systemd       1                             root  mem       REG                8,0    431472       3357 /usr/lib/x86_64-linux-gnu/libdevmapper.so.1.02.1
 systemd       1                             root  mem       REG                8,0     30936       1036 /usr/lib/x86_64-linux-gnu/libuuid.so.1.3.0
 systemd       1                             root  DEL       REG                8,0                 1553 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
 systemd       1                             root  mem       REG                8,0     27064         75 /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
 systemd       1                             root  mem       REG                8,0     18816       7444 /usr/lib/x86_64-linux-gnu/libdl-2.31.so
 systemd       1                             root  mem       REG                8,0    584392       1639 /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.9.0
 systemd       1                             root  mem       REG                8,0    157224      12782 /usr/lib/x86_64-linux-gnu/libpthread-2.31.so

2. List open files by username

A system may be a multi-user environment, with each user having different requirements and using files and devices accordingly. lsof has an option to list the files that are opened by a specific user.

You can also specify multiple users at the same time, either as a comma-separated list or by repeating the flag.

If you wish to get a list of all open files except those of a certain user, use the -u option with the username prefixed by ^.

To list open files by username

$ sudo lsof -u [username]

For example:

$ lsof -u kali

Output:


COMMAND    PID USER   FD      TYPE             DEVICE  SIZE/OFF       NODE NAME
systemd   1082 kali  cwd       DIR                8,1     36864          2 /
systemd   1082 kali  rtd       DIR                8,1     36864          2 /
systemd   1082 kali  txt       REG                8,1   1591392    1445828 /usr/lib/systemd/systemd
systemd   1082 kali  mem       REG                8,1   1325424    1442465 /usr/lib/x86_64-linux-gnu/libm-2.30.so
systemd   1082 kali  mem       REG                8,1    174272    1442049 /usr/lib/x86_64-linux-gnu/libudev.so.1.6.17
systemd   1082 kali  mem       REG                8,1   1574952    1444070 /usr/lib/x86_64-linux-gnu/libunistring.so.2.1.0
systemd   1082 kali  mem       REG                8,1    137424    1442738 /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.28.0
systemd   1082 kali  mem       REG                8,1     67752    1445649 /usr/lib/x86_64-linux-gnu/libjson-c.so.4.0.0
systemd   1082 kali  mem       REG                8,1     34904    1445648 /usr/lib/x86_64-linux-gnu/libargon2.so.1
systemd   1082 kali  mem       REG                8,1    432688    1443266 /usr/lib/x86_64-linux-gnu/libdevmapper.so.1.02.1
systemd   1082 kali  mem       REG                8,1     30776    1442077 /usr/lib/x86_64-linux-gnu/libuuid.so.1.3.0
systemd   1082 kali  mem       REG                8,1   3076960    1448872 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
systemd   1082 kali  mem       REG                8,1     26976    1442133 /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
systemd   1082 kali  mem       REG                8,1     14592    1442464 /usr/lib/x86_64-linux-gnu/libdl-2.30.so
systemd   1082 kali  mem       REG                8,1    584360    1442207 /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.9.0
systemd   1082 kali  mem       REG                8,1    146912    1442480 /usr/lib/x86_64-linux-gnu/libpthread-2.30.so

For Multiple Users

$ sudo lsof -u [username1] -u [username2]    

OR

$ sudo lsof -u [username1],[username2]

List Open files except for certain user

$ sudo lsof -u ^[username]

For Example:

$ sudo lsof -u ^root

Output:

COMMAND    PID  TID TASKCMD         USER   FD      TYPE             DEVICE  SIZE/OFF       NODE NAME
dbus-daem  542                messagebus  cwd       DIR                8,1     36864          2 /
dbus-daem  542                messagebus  rtd       DIR                8,1     36864          2 /
dbus-daem  542                messagebus  txt       REG                8,1    240680    1451146 /usr/bin/dbus-daemon
dbus-daem  542                messagebus  mem       REG                8,1    231544    1452845 /usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
dbus-daem  542                messagebus  mem       REG                8,1     51696    1442474 /usr/lib/x86_64-linux-gnu/libnss_files-2.30.so
dbus-daem  542                messagebus  mem       REG                8,1    137424    1442738 /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.28.0
dbus-daem  542                messagebus  mem       REG                8,1     14592    1442464 /usr/lib/x86_64-linux-gnu/libdl-2.30.so
dbus-daem  542                messagebus  mem       REG                8,1    584360    1442207 /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.9.0
dbus-daem  542                messagebus  mem       REG                8,1   1163960    1442750 /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.2.5
dbus-daem  542                messagebus  mem       REG                8,1    133464    1442773 /usr/lib/x86_64-linux-gnu/liblz4.so.1.9.2
dbus-daem  542                messagebus  mem       REG                8,1    162496    1442179 /usr/lib/x86_64-linux-gnu/liblzma.so.5.2.4
dbus-daem  542                messagebus  mem       REG                8,1     39912    1442482 /usr/lib/x86_64-linux-gnu/librt-2.30.so
dbus-daem  542                messagebus  mem       REG                8,1   1831600    1441818 /usr/lib/x86_64-linux-gnu/libc-2.30.so
dbus-daem  542                messagebus  mem       REG                8,1    146912    1442480 /usr/lib/x86_64-linux-gnu/libpthread-2.30.so
dbus-daem  542                messagebus  mem       REG                8,1     76480    1445645 /usr/lib/x86_64-linux-gnu/libapparmor.so.1.6.2
dbus-daem  542                messagebus  mem       REG                8,1     26976    1442133 /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0

To list only the process id use the -t option.

$ sudo lsof -t -u sonar

This is helpful when you need to kill all processes related to a specific user. For example:

$ sudo kill -9 $(sudo lsof -t -u sonar)

3. List open files by process

lsof can also be used to list files opened by a specific process by writing the -c option followed by the process name.

Syntax:

$ sudo lsof -c [process-name]

For example:

$ sudo lsof -c ssh

Output:

COMMAND    PID USER   FD   TYPE             DEVICE SIZE/OFF    NODE NAME
ssh-agent 1217 kali  cwd    DIR                8,1    36864       2 /
ssh-agent 1217 kali  rtd    DIR                8,1    36864       2 /
ssh-agent 1217 kali  txt    REG                8,1   342152 1453090 /usr/bin/ssh-agent
ssh-agent 1217 kali  mem    REG                8,1   146912 1442480 /usr/lib/x86_64-linux-gnu/libpthread-2.30.so
ssh-agent 1217 kali  mem    REG                8,1    14592 1442464 /usr/lib/x86_64-linux-gnu/libdl-2.30.so
ssh-agent 1217 kali  mem    REG                8,1  1831600 1441818 /usr/lib/x86_64-linux-gnu/libc-2.30.so
ssh-agent 1217 kali  mem    REG                8,1  3076960 1448872 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
ssh-agent 1217 kali  mem    REG                8,1   169720 1441813 /usr/lib/x86_64-linux-gnu/ld-2.30.so
ssh-agent 1217 kali    0u   CHR                1,3      0t0    2051 /dev/null
ssh-agent 1217 kali    1u   CHR                1,3      0t0    2051 /dev/null
ssh-agent 1217 kali    2u   CHR                1,3      0t0    2051 /dev/null
ssh-agent 1217 kali    3u  unix 0x00000000ae65ddbe      0t0   23977 /tmp/ssh-CG3EFJaD5iRt/agent.1126 type=STREAM

4. List open files by filename

We can specify the filename as an argument to list all the processes that have opened a specific file.

Syntax:

$ sudo lsof [filename] 

Example:

$ sudo lsof /var/log/messages

Output:

COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
rsyslogd 552 root   12w   REG    8,1   703405 4991786 /var/log/messages

5. List open files by Process ID

Every open file belongs to a process, which is identified by a process ID (PID). A single process may open a large number of files. We can use the lsof command to list all the open files for a given process ID.

We can also use a single command to list all open files from a set of PIDs.

Just as we can list the files opened by a specific process ID, we can list the files opened by every process except a specific process ID.

A system contains a large number of processes, each of which has files open for use. A process may have many child processes; it is then known as their parent process. Used with the -R option, lsof adds a PPID column that shows the parent process ID of each process.

To list open files with Process ID

Syntax:

$ sudo lsof -p [Process ID]

For Example:

$ sudo lsof -p 2

Output:

COMMAND  PID USER   FD      TYPE DEVICE SIZE/OFF NODE NAME
kthreadd   2 root  cwd       DIR    8,1    36864    2 /
kthreadd   2 root  rtd       DIR    8,1    36864    2 /
kthreadd   2 root  txt   unknown                      /proc/2/exe

To list open files for multiple process ID

Syntax:

$ sudo lsof -p [Process ID 1],[Process ID 2]

For Example:

$ sudo lsof -p 2,3

Output:

COMMAND  PID USER   FD      TYPE DEVICE SIZE/OFF NODE NAME
kthreadd   2 root  cwd       DIR    8,1    36864    2 /
kthreadd   2 root  rtd       DIR    8,1    36864    2 /
kthreadd   2 root  txt   unknown                      /proc/2/exe
rcu_gp     3 root  cwd       DIR    8,1    36864    2 /
rcu_gp     3 root  rtd       DIR    8,1    36864    2 /
rcu_gp     3 root  txt   unknown                      /proc/3/exe

To list open files except for one process ID

Syntax:

$ sudo lsof -p ^[Process ID]

For Example:

$ sudo lsof -p ^1

Output:

COMMAND    PID  TID TASKCMD         USER   FD      TYPE             DEVICE  SIZE/OFF       NODE NAME
kthreadd     2                      root  cwd       DIR                8,1     36864          2 /
kthreadd     2                      root  rtd       DIR                8,1     36864          2 /
kthreadd     2                      root  txt   unknown                                         /proc/2/exe
rcu_gp       3                      root  cwd       DIR                8,1     36864          2 /
rcu_gp       3                      root  rtd       DIR                8,1     36864          2 /
rcu_gp       3                      root  txt   unknown                                         /proc/3/exe
rcu_par_g    4                      root  cwd       DIR                8,1     36864          2 /
rcu_par_g    4                      root  rtd       DIR                8,1     36864          2 /
rcu_par_g    4                      root  txt   unknown                                         /proc/4/exe
kworker/0    6                      root  cwd       DIR                8,1     36864          2 /
kworker/0    6                      root  rtd       DIR                8,1     36864          2 /
kworker/0    6                      root  txt   unknown                                         /proc/6/exe
mm_percpu    8                      root  cwd       DIR                8,1     36864          2 /
mm_percpu    8                      root  rtd       DIR                8,1     36864          2 /
mm_percpu    8                      root  txt   unknown                                         /proc/8/exe
ksoftirqd    9                      root  cwd       DIR                8,1     36864          2 /
ksoftirqd    9                      root  rtd       DIR                8,1     36864          2 /
ksoftirqd    9                      root  txt   unknown                                         /proc/9/exe
rcu_sched   10                      root  cwd       DIR                8,1     36864          2 /

List parent process IDs

Syntax:

$ sudo lsof -R

Output:

COMMAND    PID  TID TASKCMD   PPID       USER   FD      TYPE             DEVICE  SIZE/OFF       NODE NAME
systemd      1                   0       root  cwd       DIR                8,1     36864          2 /
systemd      1                   0       root  rtd       DIR                8,1     36864          2 /
systemd      1                   0       root  txt       REG                8,1   1591392    1445828 /usr/lib/systemd/systemd
systemd      1                   0       root  mem       REG                8,1   1325424    1442465 /usr/lib/x86_64-linux-gnu/libm-2.30.so
systemd      1                   0       root  mem       REG                8,1    174272    1442049 /usr/lib/x86_64-linux-gnu/libudev.so.1.6.17
systemd      1                   0       root  mem       REG                8,1   1574952    1444070 /usr/lib/x86_64-linux-gnu/libunistring.so.2.1.0
systemd      1                   0       root  mem       REG                8,1    137424    1442738 /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.28.0
systemd      1                   0       root  mem       REG                8,1     67752    1445649 /usr/lib/x86_64-linux-gnu/libjson-c.so.4.0.0
systemd      1                   0       root  mem       REG                8,1     34904    1445648 /usr/lib/x86_64-linux-gnu/libargon2.so.1
systemd      1                   0       root  mem       REG                8,1    432688    1443266 /usr/lib/x86_64-linux-gnu/libdevmapper.so.1.02.1
systemd      1                   0       root  mem       REG                8,1     30776    1442077 /usr/lib/x86_64-linux-gnu/libuuid.so.1.3.0
systemd      1                   0       root  mem       REG                8,1   3076960    1448872 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
systemd      1                   0       root  mem       REG                8,1     26976    1442133 /usr/lib/x86_64-linux-gnu/libcap-ng.so.0.0.0
systemd      1                   0       root  mem       REG                8,1     14592    1442464 /usr/lib/x86_64-linux-gnu/libdl-2.30.so
systemd      1                   0       root  mem       REG                8,1    584360    1442207 /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.9.0
systemd      1                   0       root  mem       REG                8,1    146912    1442480 /usr/lib/x86_64-linux-gnu/libpthread-2.30.so

6. List open files containing Directory

We can use the lsof command to list the processes that have files open in a specific directory. A directory can contain other directories in addition to regular files.

With the +d option, lsof displays a list of open files in the provided directory; it does not descend into subdirectories.

Syntax:

$ sudo lsof +d [directory path]

For Example:

$ sudo lsof +d /var/log

Output:

COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
vmtoolsd 538 root    3w   REG    8,1     1675 4981063 /var/log/vmware-vmsvc-root.log
rsyslogd 548 root    7w   REG    8,1  1043642 4980888 /var/log/syslog
rsyslogd 548 root    8w   REG    8,1   121011 4991608 /var/log/user.log
rsyslogd 548 root    9w   REG    8,1   566940 4991786 /var/log/messages
rsyslogd 548 root   10w   REG    8,1   688277 4991537 /var/log/daemon.log
rsyslogd 548 root   11w   REG    8,1   484810 4991568 /var/log/kern.log
rsyslogd 548 root   12w   REG    8,1    54259 4991661 /var/log/debug
rsyslogd 548 root   13w   REG    8,1    69570 4991597 /var/log/auth.log
Xorg     615 root    4w   REG    8,1    32941 4981203 /var/log/Xorg.0.log

The +D option commands lsof to search the whole depth of the directory for all open instances as well as all the files and directories it contains.

Syntax:

$ sudo lsof +D [directory path]

For Example:

$ sudo lsof +D /var/log

Output:

COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
systemd-j 370 root  mem    REG    8,1  8388608 4981093 /var/log/journal/4418817cc7e741eda43c550102152982/user-1000.journal
systemd-j 370 root  mem    REG    8,1 16777216 4982013 /var/log/journal/4418817cc7e741eda43c550102152982/system.journal
systemd-j 370 root   22u   REG    8,1 16777216 4982013 /var/log/journal/4418817cc7e741eda43c550102152982/system.journal
systemd-j 370 root   27u   REG    8,1  8388608 4981093 /var/log/journal/4418817cc7e741eda43c550102152982/user-1000.journal
vmtoolsd  538 root    3w   REG    8,1     1675 4981063 /var/log/vmware-vmsvc-root.log
rsyslogd  548 root    7w   REG    8,1  1043544 4980888 /var/log/syslog
rsyslogd  548 root    8w   REG    8,1   121011 4991608 /var/log/user.log
rsyslogd  548 root    9w   REG    8,1   566940 4991786 /var/log/messages
rsyslogd  548 root   10w   REG    8,1   688277 4991537 /var/log/daemon.log
rsyslogd  548 root   11w   REG    8,1   484810 4991568 /var/log/kern.log
rsyslogd  548 root   12w   REG    8,1    54259 4991661 /var/log/debug
rsyslogd  548 root   13w   REG    8,1    69103 4991597 /var/log/auth.log
lightdm   594 root    6w   REG    8,1    35024 4981241 /var/log/lightdm/lightdm.log
unattende 611 root    3w   REG    8,1        0 4994179 /var/log/unattended-upgrades/unattended-upgrades-shutdown.log
Xorg      615 root    1w   REG    8,1      932 4981283 /var/log/lightdm/x-0.log
Xorg      615 root    2w   REG    8,1      932 4981283 /var/log/lightdm/x-0.log
Xorg      615 root    4w   REG    8,1    32941 4981203 /var/log/Xorg.0.log

7. List open files with network protocol

A system can be connected to various networks for various purposes. Because everything in Linux is a file, we can examine the files that are opened by network connections in the system.

List all the TCP connections

To list the open files in the TCP protocol, we can run the following command.

$ sudo lsof -i TCP 

Output:

COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
chrome  1705 kali   36u  IPv4  34041      0t0  TCP kali:56530->sc-in-f188.1e100.net:5228 (ESTABLISHED)

List all the UDP connections

To list the open files in the UDP protocol, we can run the following command.

$ sudo lsof -i UDP 

Output:

COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
NetworkMa  543 root   23u  IPv4 370704      0t0  UDP kali:bootpc->_gateway:bootps 
chrome    1659 kali  188u  IPv4  31835      0t0  UDP 224.0.0.251:mdns 
chrome    1705 kali   33u  IPv4 389140      0t0  UDP kali:57224->maa05s21-in-f14.1e100.net:443 
chrome    1705 kali   34u  IPv4 404698      0t0  UDP kali:47806->maa03s37-in-f14.1e100.net:443 
fierce    6870 kali    3u  IPv6 349703      0t0  UDP *:36069 
fierce    6870 kali    4u  IPv6 349705      0t0  UDP *:44305 
fierce    6870 kali    5u  IPv6 349707      0t0  UDP *:34345 
fierce    8730 kali    3u  IPv4 404704      0t0  UDP *:41410 

8. List open files by port number

lsof has an option that lists the open files on a given port number, which shows all the processes using that port.

Syntax:

$ sudo lsof -i :[port number]

For example:

$ sudo lsof -i :443

Output:

COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
 chrome  1705 kali   29u  IPv4 421920      0t0  UDP kali:38514->maa03s36-in-f10.1e100.net:443 
 chrome  1705 kali   33u  IPv4 389140      0t0  UDP kali:57224->maa05s21-in-f14.1e100.net:443 
 chrome  1705 kali   34u  IPv4 416325      0t0  TCP kali:54158->maa05s26-in-f4.1e100.net:443 (ESTABLISHED)
 chrome  1705 kali   44u  IPv4 421960      0t0  TCP kali:55576->maa05s28-in-f14.1e100.net:443 (ESTABLISHED)
 chrome  1705 kali   45u  IPv4 409003      0t0  TCP kali:60958->server-13-227-178-85.bom51.r.cloudfront.net:443 (ESTABLISHED)
 chrome  1705 kali   49u  IPv4 416593      0t0  UDP kali:35535->maa05s26-in-f4.1e100.net:443 
 chrome  1705 kali   50u  IPv4 421943      0t0  TCP kali:58400->maa03s31-in-f3.1e100.net:443 (ESTABLISHED)
 chrome  1705 kali   51u  IPv4 421944      0t0  TCP kali:58402->maa03s31-in-f3.1e100.net:443 (ESTABLISHED)
 chrome  1705 kali   55u  IPv4 420583      0t0  TCP kali:38324->maa03s31-in-f2.1e100.net:https (ESTABLISHED)

To list open files for multiple port numbers

Several ports can be given at once as a comma-separated list.

Syntax:

$ sudo lsof -i :[port number1],[port number2]

For Example:

$ sudo lsof -i :80,443

Output:

COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
chrome  1705 kali   29u  IPv4 441892      0t0  UDP kali:40000->maa05s06-in-f3.1e100.net:443 
chrome  1705 kali   33u  IPv4 389140      0t0  UDP kali:57224->maa05s21-in-f14.1e100.net:443 
chrome  1705 kali   34u  IPv4 441368      0t0  TCP kali:49394->a23-58-45-163.deploy.static.akamaitechnologies.com:443 (ESTABLISHED)
chrome  1705 kali   37u  IPv4 427813      0t0  TCP kali:49434->maa05s17-in-f1.1e100.net:443 (ESTABLISHED)
chrome  1705 kali   40u  IPv4 447568      0t0  UDP kali:49476->maa05s13-in-f14.1e100.net:443 
chrome  1705 kali   43u  IPv4 437425      0t0  TCP kali:38810->e2a.google.com:443 (ESTABLISHED)
chrome  1705 kali   44u  IPv4 447569      0t0  TCP kali:57734->maa05s13-in-f14.1e100.net:443 (ESTABLISHED)
chrome  1705 kali   45u  IPv4 420836      0t0  TCP kali:38678->maa05s24-in-f3.1e100.net:443 (ESTABLISHED)
chrome  1705 kali   49u  IPv4 415475      0t0  TCP kali:49728->hem09s03-in-f3.1e100.net:https (ESTABLISHED)
chrome  1705 kali   51u  IPv4 441104      0t0  TCP kali:48426->maa03s37-in-f14.1e100.net:https (ESTABLISHED)
chrome  1705 kali   60u  IPv4 437671      0t0  TCP kali:46060->ec2-54-204-39-132.compute-1.amazonaws.com:https (CLOSE_WAIT)
chrome  1705 kali   62u  IPv4 437494      0t0  TCP kali:48204->maa03s34-in-f10.1e100.net:https (ESTABLISHED)
chrome  1705 kali   65u  IPv4 427420      0t0  TCP kali:35740->maa05s09-in-f14.1e100.net:https (ESTABLISHED)
chrome  1705 kali   68u  IPv4 437785      0t0  TCP kali:50946->ec2-18-139-212-90.ap-southeast-1.compute.amazonaws.com:https (ESTABLISHED)

You may also list open files of TCP or UDP by port ranges.

$ sudo lsof -i TCP:1-49151

9. List open files by IPv4/IPv6

lsof has options to restrict the listing to IPv4 or IPv6 network connections.

To display IPv4 connections only.

$ sudo lsof -i4

Output:

COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
NetworkMa  543 root   23u  IPv4 407994      0t0  UDP kali:bootpc->_gateway:bootps 
chrome    1659 kali  188u  IPv4  31835      0t0  UDP 224.0.0.251:mdns 
chrome    1705 kali   33u  IPv4 451331      0t0  TCP kali:57550->164.26.241.35.bc.googleusercontent.com:https (ESTABLISHED)
chrome    1705 kali   36u  IPv4  34041      0t0  TCP kali:56530->sc-in-f188.1e100.net:5228 (ESTABLISHED)
chrome    1705 kali   40u  IPv4 451792      0t0  UDP kali:56361->maa05s21-in-f14.1e100.net:443 
chrome    1705 kali   44u  IPv4 455002      0t0  UDP kali:58557->maa05s13-in-f14.1e100.net:443 
chrome    1705 kali   47u  IPv4 454684      0t0  TCP kali:32880->server-13-227-178-85.bom51.r.cloudfront.net:https (ESTABLISHED)
fierce    9485 kali    3u  IPv4 455683      0t0  UDP *:36985 

The following syntax can be used to display IPv6 connections only.

Syntax:

$ sudo lsof -i6

Output:

COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
fierce  6870 kali    3u  IPv6 349703      0t0  UDP *:36069 
fierce  6870 kali    4u  IPv6 349705      0t0  UDP *:44305 
fierce  6870 kali    5u  IPv6 349707      0t0  UDP *:34345
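
The network listings from sections 7 to 9 can be post-processed to answer two questions a defender usually has: which processes accept traffic on every interface, and which remote endpoints each process is talking to. The script below is an added example, not part of the original tutorial. It assumes the nine-column layout shown above, as produced by `sudo lsof -i -P -n` (-P keeps numeric ports instead of names such as https, -n keeps IP addresses instead of host names); the function names and the embedded sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout printed by `lsof -i -P -n`.
# Addresses come from the documentation ranges (192.0.2.0/24, 198.51.100.0/24).
sample_lsof() {
cat <<'EOF'
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     812 root    3u  IPv4  21001      0t0  TCP *:22 (LISTEN)
sshd     812 root    4u  IPv6  21003      0t0  TCP *:22 (LISTEN)
nginx    950 root    6u  IPv4  23110      0t0  TCP 127.0.0.1:8080 (LISTEN)
chrome  1705 kali   34u  IPv4 416325      0t0  TCP 192.0.2.10:54158->198.51.100.7:443 (ESTABLISHED)
chrome  1705 kali   44u  IPv4 421960      0t0  TCP 192.0.2.10:55576->198.51.100.7:443 (ESTABLISHED)
chrome  1705 kali   33u  IPv4 389140      0t0  UDP 192.0.2.10:57224->198.51.100.9:443
fierce  6870 kali    3u  IPv6 349703      0t0  UDP *:36069
EOF
}

# Normalise each network row to: command|pid|user|proto|local|remote|state
# Assumes NODE (TCP/UDP) is field 8 and NAME is field 9; other rows,
# including the header and the ======== separators of repeat mode, are skipped.
lsof_net_rows() {
  awk '
    $8 != "TCP" && $8 != "UDP" { next }
    {
      name  = $9
      state = (NF >= 10) ? $10 : "-"
      gsub(/[()]/, "", state)              # "(LISTEN)" -> "LISTEN"
      laddr = name; raddr = "-"
      n = index(name, "->")                # connected sockets: local->remote
      if (n > 0) { laddr = substr(name, 1, n - 1); raddr = substr(name, n + 2) }
      print $1 "|" $2 "|" $3 "|" $8 "|" laddr "|" raddr "|" state
    }'
}

# Sockets reachable on every interface: TCP in LISTEN or unconnected UDP,
# bound to the wildcard address "*". Prints: command pid user proto port
exposed_listeners() {
  lsof_net_rows | awk -F'|' '
    $6 == "-" && ($4 == "UDP" || $7 == "LISTEN") {
      port = $5; sub(/^.*:/, "", port)     # text after the last colon
      addr = substr($5, 1, length($5) - length(port) - 1)
      if (addr == "*") print $1, $2, $3, $4, port
    }' | LC_ALL=C sort -u                  # IPv4 and IPv6 rows collapse to one
}

# Remote endpoints per process with a connection count.
# Prints: command pid proto remote count
remote_peers() {
  lsof_net_rows | awk -F'|' '$6 != "-" { print $1, $2, $4, $6 }' |
    LC_ALL=C sort | uniq -c | awk '{ print $2, $3, $4, $5, $1 }'
}

# Demo on the constructed sample.
# On a live host: sudo lsof -i -P -n | exposed_listeners
sample_lsof | exposed_listeners
sample_lsof | remote_peers
```

The nginx row is not reported as exposed because it is bound to 127.0.0.1 only; anything listed by exposed_listeners that you do not recognise is worth checking against the host's intended services.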

10. Run lsof continuously

Repeat mode makes lsof rerun continually, refreshing its output after a specified delay. It is enabled with the ‘-r’ or ‘+r’ option: ‘+r’ ends when no open files are found, while ‘-r’ continues listing until it is manually interrupted. The output of each cycle is separated by ‘========’.

Syntax:

$ sudo lsof [options] -r/+r[time-interval]

For example:

$ sudo lsof -u sonar -r5

Conclusion

In this tutorial, we learned about the lsof command and its uses with examples. lsof provides a number of options for customizing its output to meet your needs, and lets you easily and quickly combine multiple arguments to obtain the required output.
