How to List Open Files with lsof
Traducciones al EspañolEstamos traduciendo nuestros guías y tutoriales al Español. Es posible que usted esté viendo una traducción generada automáticamente. Estamos trabajando con traductores profesionales para verificar las traducciones de nuestro sitio web. Este proyecto es un trabajo en curso.
Introduction
lsof was created by Victor A. Abell and is a utility that lists open files. Everything in Linux can be considered a file. This means that lsof can gather information on the majority of activity on your Linode, including network interfaces and network connections. lsof by default outputs a list of all open files and the processes that opened them.
There are two main drawbacks of lsof. First, it can only display information about the local machine (localhost). And second, it requires administrative privileges to print all available data. Additionally, you usually do not execute lsof without any command line parameters because it outputs a large amount of data that can be difficult to parse. This happens because lsof natively lists all open files belonging to all active processes. For example, the output of wc(1) (a word count utility) when applied to lsof on a test instance shows the size of the output is extremely large:
sudo lsof | wc
    7332   68337 1058393Before You Begin
lsof without root privileges only returns the results available to the current user. If you are not familiar with the sudo command, see the
Users and Groups guide.On most major distributions, lsof comes pre-installed and you can begin using it immediately. If for any reason it is not found, you can install lsof using your preferred package manager.
Command Line Options
The lsof(8) binary supports a large number of command line options, including the following:
| Option | Description | 
|---|---|
| -hand-? | Both options present a help screen. Please note that you need to properly escape the ?character for-?to work. | 
| -a | This option tells lsofto logically ADD all provided options. | 
| -b | This option tells lsofto avoid kernel functions that might block the returning of results. This is a very specialized option. | 
| -l | If converting a user ID to a login name is working improperly or slowly, you can disable it using the -lparameter. | 
| –P | The -Poption prevents the conversion of port numbers to port names for network files. | 
| -u list | The -uoption allows you to define a list of login names or user ID numbers whose files are returned. The-uoption supports the^character for excluding the matches from the output. | 
| -c list | The -coption selects the listing of files for processes executing the commands that begin with the characters in thelist. This supports regular expressions, and also supports the^character for excluding the matches from the output. | 
| -p list | The -poption allows you to select the files for the processes whose process IDs are in thelist. The-poption supports the^character for excluding the matches from the output. | 
| -g list | The -goption allows you to select the files for the processes whose optional process group IDs are in thelist. The-goption supports the^character for excluding the matches from the output. | 
| -s | The -soption allows you to select the network protocols and states that interest you. The-soption supports the^character for excluding the matches from the output. The correct form isPROCOTCOL:STATE. Possible protocols areUDPandTCP. Some possible TCP states are:CLOSED,SYN-SENT,SYN-RECEIVED,ESTABLISHED,CLOSE-WAIT,LAST-ACK,FIN-WAIT-1,FIN-WAIT-2,CLOSING, andTIME-WAIT. Possible UDP states areUnboundandIdle. | 
| +d s | The +doption tellslsofto search for all open instances of directorysand the files and directories it contains at its top level. | 
| +D directory | The +Doption tellslsofto search for all open instances of directorydirectoryand all the files and directories it contains to its complete depth. | 
| -d list | The -doption specifies thelistof file descriptors to include or exclude from the output.-d 1,^2means include file descriptor1and exclude file descriptor2. | 
| -i4 | This option is used for displaying IPv4 data only. | 
| -i6 | This option is used for displaying IPv6 data only. | 
| -i | The -ioption without any values tellslsofto display network connections only. | 
| -i ADDRESS | The -ioption with a value limits the displayed information to match that value. Some example values areTCP:25for displaying TCP data that listens to port number 25,@google.comfor displaying information related togoogle.com,:25for displaying information related to port number25,:POP3for displaying information related to the port number that is associated toPOP3in the/etc/servicesfile, etc. You can also combine hostnames and IP Addresses with port numbers and protocols. | 
| -t | The -toption tellslsofto display process identifiers without a header line. This is particularly useful for feeding the output oflsofto thekill(1)command or to a script. Notice that-tautomatically selects the-woption. | 
| -w | The -woption disables the suppression of warning messages. | 
| +w | The +woption enables the suppression of warning messages. | 
| -r TIME | The -roption causes thelsofcommand to repeat everyTIMEseconds until the command is manually terminated with an interrupt. | 
| +r TIME | The +rcommand, with the+prefix, acts the same as the-rcommand, but exits its loop when it fails to find any open files. | 
| -n | The -noption prevents network numbers from being converted to host names. | 
| -F CHARACTER | The -Fcommand instructslsofto produce output that is suitable as input for other programs. For a complete explanation, consult thelsofmanual entry. | 
| By default, the output of  lsofincludes the output of each one of its command line options, like a big logical expression with multiple OR logical operators between all the command line options. However, this default behavior can change with the use of the-aoption. | |
| For the full list of command line options supported by   | 
Anatomy of lsof Output
The following command uses the -i option to display all open UDP files/connections:
sudo lsof -i UDP
COMMAND   PID   USER    FD       TYPE  DEVICE   SIZE/OFF NODE   NAME
rpcbind   660   root    6u       IPv4  20296    0t0      UDP    *:sunrpc
rpcbind   660   root    7u       IPv4  20298    0t0      UDP    *:836
rpcbind   660   root    9u       IPv6  20300    0t0      UDP    *:sunrpc
rpcbind   660   root    10u      IPv6  20301    0t0      UDP    *:836
avahi-dae 669   avahi   12u      IPv4  20732    0t0      UDP    *:mdns
avahi-dae 669   avahi   13u      IPv6  20733    0t0      UDP    *:mdns
avahi-dae 669   avahi   14u      IPv4  20734    0t0      UDP    *:54087
avahi-dae 669   avahi   15u      IPv6  20735    0t0      UDP    *:48582
rsyslogd  675   root    6u       IPv4  20973    0t0      UDP    17-5-7-8.ip.linodeusercontent.com:syslog
dhclient  797   root    6u       IPv4  21828    0t0      UDP    *:bootpc
ntpd      848   ntp     16u      IPv6  22807    0t0      UDP    *:ntp
ntpd      848   ntp     17u      IPv4  22810    0t0      UDP    *:ntp
ntpd      848   ntp     18u      IPv4  22814    0t0      UDP    localhost:ntp
ntpd      848   ntp     19u      IPv4  22816    0t0      UDP    17-5-7-8.ip.linodeusercontent.com:ntp
ntpd      848   ntp     20u      IPv6  22818    0t0      UDP    localhost:ntp
ntpd      848   ntp     24u      IPv6  24916    0t0      UDP    [2a01:7e00::f03c:91ff:fe69:1381]:ntp
ntpd      848   ntp     25u      IPv6  24918    0t0      UDP    [fe80::f03c:91ff:fe69:1381]:ntpThe output of lsof has various columns.
- The COMMANDcolumn contains the first nine characters of the name of the UNIX command associated with the process.
- The PIDcolumn shows the process ID of the command.
- The USERcolumn displays the name of the user that owns the process.
- The TIDcolumn shows the task ID. A blankTIDindicates a process. Note that this column does not appear in the output of manylsofcommands.
- The FDcolumn stands for file descriptor. Its values can becwd,txt,mem, andmmap.
- The TYPEcolumn displays the type of the file: regular file, directory, socket, etc.
- The DEVICEcolumn contains the device numbers separated by commas.
- The value of the SIZE/OFFcolumn is the size of the file or the file offset in bytes. The value of theNODEcolumn is the node number of a local file.
- Lastly, the NAMEcolumn shows the name of the mount point and file system where the file is located, or the Internet address.
The Repeat Mode
Running lsof with the –r option puts lsof in repeat mode, re-running the command in a loop every few seconds. This mode is useful for monitoring for a process or a connection that might only exist for a short time. The -r command runs forever, so when you are finished you must manually terminate the command.
The +r option also puts lsof in repeat mode – the difference between -r and +r is that +r
automatically terminates lsof when a loop has no new output to print.
When lsof is in repeat mode, it prints new output every t seconds (a loop); the default value
of t is 15 seconds, which you can change by typing an integer value after -r or +r.
The following command tells lsof to display all UDP connections every 10 seconds:
sudo lsof -r 10 -i UDP
Choosing Between IPv4 and IPv6
lsof lists both IPv4 and IPv6 connections by default, but you can choose the kind of connections you want to display. The following command displays IPv4 connections only:
sudo lsof -i4
Therefore, the next command displays all TCP connections of the IPv4 protocol:
sudo lsof -i4 -a -i TCP
An equivalent command to the above is the following command that uses grep:
sudo lsof -i4 | grep TCP
On the other hand, the following command displays IPv6 connections only:
sudo lsof -i6
Therefore, the next command displays all UDP connections of the IPv6 protocol:
sudo lsof -i6 | grep UDP
avahi-dae    669    avahi    13u    IPv6    20733    0t0    UDP    *:mdns
avahi-dae    669    avahi    15u    IPv6    20735    0t0    UDP    *:48582
ntpd         848    ntp      16u    IPv6    22807    0t0    UDP    *:ntp
ntpd         848    ntp      20u    IPv6    22818    0t0    UDP    localhost:ntp
ntpd         848    ntp      24u    IPv6    24916    0t0    UDP    [2a01:7e00::f03c:91ff:fe69:1381]:ntp
ntpd         848    ntp      25u    IPv6    24918    0t0    UDP    [fe80::f03c:91ff:fe69:1381]:ntpLogically ADD All Options
In this section of the guide you learn how to logically ADD the existing options using the -a flag. This provides you enhanced filtering capabilities. Take the following command as an example:
sudo lsof -Pni -u www-data
The above command prints out all network connections (-i), suppressing network number conversion (-n) and the conversion of port numbers to port names (-P). It also prints out all files pertaining to the www-data user, without combining the two options into one logical statement.
The following command combines these two options with the -a logical AND option and finds all open sockets belonging to the www-data user:
lsof -Pni -a -u www-data
COMMAND    PID        USER            FD    TYPE    DEVICE      SIZE/OFF    NODE    NAME
apache2    6385      www-data    4u    IPv6    8626153    0t0              TCP      *:80 (LISTEN)
apache2    6385      www-data    6u    IPv6    8626157    0t0              TCP      *:443 (LISTEN)
apache2    6386      www-data    4u    IPv6    8626153    0t0              TCP      *:80 (LISTEN)
apache2    6386      www-data    6u    IPv6    8626157    0t0              TCP      *:443 (LISTEN)
apache2    6387      www-data    4u    IPv6    8626153    0t0              TCP      *:80 (LISTEN)
apache2    6387      www-data    6u    IPv6    8626157    0t0              TCP      *:443 (LISTEN)
apache2    24567     www-data    4u    IPv6    8626153    0t0              TCP      *:80 (LISTEN)
apache2    24567     www-data    6u    IPv6    8626157    0t0              TCP      *:443 (LISTEN)
apache2    24570     www-data    4u    IPv6    8626153    0t0              TCP      *:80 (LISTEN)
apache2    24570     www-data    6u    IPv6    8626157    0t0              TCP      *:443 (LISTEN)
apache2    24585     www-data    4u    IPv6    8626153    0t0              TCP      *:80 (LISTEN)
apache2    24585     www-data    6u    IPv6    8626157    0t0              TCP      *:443 (LISTEN)
apache2    25431     www-data    4u    IPv6    8626153    0t0              TCP      *:80 (LISTEN)
apache2    25431     www-data    6u    IPv6    8626157    0t0              TCP      *:443 (LISTEN)
apache2    27827     www-data    4u    IPv6    8626153    0t0              TCP      *:80 (LISTEN)
apache2    27827     www-data    6u    IPv6    8626157    0t0              TCP      *:443 (LISTEN)
apache2    27828     www-data    4u    IPv6    8626153    0t0              TCP      *:80 (LISTEN)
apache2    27828     www-data    6u    IPv6    8626157    0t0              TCP      *:443 (LISTEN)
apache2    27829     www-data    4u    IPv6    8626153    0t0              TCP      *:80 (LISTEN)
apache2    27829     www-data    6u    IPv6    8626157    0t0              TCP      *:443 (LISTEN)-a option wherever you like as lsof still detects the relevant options.Using Regular Expressions
lsof has support for regular expressions. Regular expressions begin and end with a forward slash (/) character. The ^ character denotes the beginning of a line whereas $ denotes the end of the line. Each dot (.) character represents a single character in the output.
The following lsof command finds all commands that have precisely five characters:
lsof -c /^.....$/
COMMAND    PID    USER    FD     TYPE          DEVICE    SIZE/OFF    NODE    NAME
netns      18     root    cwd    DIR           8,0          4096     2        /
netns      18     root    rtd    DIR           8,0          4096     2        /
netns      18     root    txt    unknown                                      /proc/18/exe
jfsIO      210    root    cwd    DIR           8,0          4096     2        /
jfsIO      210    root    rtd    DIR           8,0          4096     2        /
jfsIO      210    root    txt    unknown                                      /proc/210/exe
kstrp      461    root    cwd    DIR           8,0          4096     2        /
kstrp      461    root    rtd    DIR           8,0          4096     2        /
kstrp      461    root    txt    unknown                                      /proc/461/exeOutput For Other Programs
Using the -F option, lsof generates output that is suitable for processing by scripts written in programming languages such as awk, perl and python.
The following command displays each field of the lsof output in a separate line:
sudo lsof -n -i4 -a -i TCP:ssh -F
p812
g812
R1
csshd
u0
Lroot
f3
au
l
tIPv4
.
.
.Providing various arguments to the -F option allows you to generate less output. Notice that the process ID and the file descriptor are always printed in the output. As an example, the following command only prints the process ID, which is preceded by the p character, the file descriptor, which is preceded by the f character, and the protocol name of each entry, which is preceded by the P character:
sudo lsof -n -i4 -a -i TCP:ssh -FP
p812
f3
PTCP
p22352
f3
PTCP
p22361
f3
PTCP-F, you should visit the manual page of lsof.Additional Examples
Show All Open TCP Files
Similar to the aforementioned UDP command, the following command displays all open TCP files/connections:
sudo lsof -i TCP
COMMAND      PID      USER      FD     TYPE    DEVICE    SIZE/OFF  NODE  NAME
sshd         812      root      3u     IPv4    23674     0t0       TCP   *:ssh (LISTEN)
sshd         812      root      4u     IPv6    23686     0t0       TCP   *:ssh (LISTEN)
mysqld       1003     mysql     17u    IPv4    24217     0t0       TCP   localhost:mysql (LISTEN)
master       1245     root      13u    IPv4    24480     0t0       TCP   *:smtp (LISTEN)
sshd         22352    root      3u     IPv4    8613370   0t0       TCP   17-5-7-8.ip.linodeusercontent.com:ssh->ppp-2-8-23-19.home.otenet.gr:60032 (ESTABLISHED)
sshd         22361    mtsouk    3u     IPv4    8613370   0t0       TCP   17-5-7-8.ip.linodeusercontent.com:ssh->ppp-2-8-23-19.home.otenet.gr:60032 (ESTABLISHED)
apache2      24565    root      4u     IPv6    8626153   0t0       TCP   *:http (LISTEN)
apache2      24565    root      6u     IPv6    8626157   0t0       TCP   *:https (LISTEN)
apache2      24567    www-data  4u     IPv6    8626153   0t0       TCP   *:http (LISTEN)
apache2      24567    www-data  6u     IPv6    8626157   0t0       TCP   *:https (LISTEN)
apache2      24568    www-data  4u     IPv6    8626153   0t0       TCP   *:http (LISTEN)
apache2      24568    www-data  6u     IPv6    8626157   0t0       TCP   *:https (LISTEN)
apache2      24569    www-data  4u     IPv6    8626153   0t0       TCP   *:http (LISTEN)
apache2      24569    www-data  6u     IPv6    8626157   0t0       TCP   *:https (LISTEN)
apache2      24570    www-data  4u     IPv6    8626153   0t0       TCP   *:http (LISTEN)
apache2      24570    www-data  6u     IPv6    8626157   0t0       TCP   *:https (LISTEN)
apache2      24571    www-data  4u     IPv6    8626153   0t0       TCP   *:http (LISTEN)
apache2      24571    www-data  6u     IPv6    8626157   0t0       TCP   *:https (LISTEN)Listing All ESTABLISHED Connections
Internet Connections
If you process the output of lsof with some traditional UNIX command line tools, like
grep and awk, you can list all active network connections:
sudo lsof -i -n -P | grep ESTABLISHED | awk '{print $1, $9}' | sort -u
sshd 109.74.193.253:22->2.86.23.29:60032lsof -i -n -P command can be also written as lsof -i -nP or alternatively as lsof -nPi – writing it as lsof -inP would generate a syntax error because lsof thinks that np is a parameter to -i.SSH Connections
The following command finds all established SSH connections to the local machine:
sudo lsof | grep sshd | grep ESTABLISHED
253.17-5-7-8.ip.linodeusercontent.com:ssh->ppp-2-86-23-29.home.otenet.gr:60032 (ESTABLISHED)
sshd    22361    mtsouk    3u    IPv4    8613370    0t0    TCP 17-5-7-8.ip.linodeusercontent.com:ssh->ppp-2-86-23-29.home.otenet.gr:60032 (ESTABLISHED)The following command produces the same output as the previous command, but does so more quickly because the -i TCP option limits the amount of information lsof prints. That means grep has less data
to process:
sudo lsof -i TCP | grep ssh | grep ESTABLISHED
Alternatively, you can execute the following command to find all established SSH connections:
sudo lsof -nP -iTCP -sTCP:ESTABLISHED | grep SSH
Showing Processes that are Listening to a Particular Port
The following command shows all network connections that listen to port number 22 (ssh) using either UDP or TCP:
sudo lsof -i :22
COMMAND    PID      USER      FD    TYPE    DEVICE     SIZE/OFF    NODE    NAME
sshd       812      root      3u    IPv4    23674      0t0         TCP     *:ssh (LISTEN)
sshd       812      root      4u    IPv6    23686      0t0         TCP     *:ssh (LISTEN)
sshd       22352    root      3u    IPv4    8613370    0t0         TCP     17-5-7-8.ip.linodeusercontent.com:ssh->ppp-2-86-23-29.home.otenet.gr:60032 (ESTABLISHED)
sshd       22361    mtsouk    3u    IPv4    8613370    0t0         TCP     17-5-7-8.ip.linodeusercontent.com:ssh->ppp-2-86-23-29.home.otenet.gr:60032 (ESTABLISHED)Determine Which Program Listens to a TCP port
One of the most frequent uses of lsof is determining which program listens to a given TCP port. The following command prints TCP processes that are in the LISTEN state by using the -s option to provide a protocol and protocol state:
sudo lsof -nP -i TCP -s TCP:LISTEN
COMMAND    PID      USER        FD     TYPE    DEVICE     SIZE/OFF    NODE    NAME
sshd       812      root        3u     IPv4    23674      0t0         TCP     *:22 (LISTEN)
sshd       812      root        4u     IPv6    23686      0t0         TCP     *:22 (LISTEN)
mysqld     1003     mysql       17u    IPv4    24217      0t0         TCP     127.0.0.1:3306 (LISTEN)
master     1245     root        13u    IPv4    24480      0t0         TCP     *:25 (LISTEN)
apache2    24565    root        4u     IPv6    8626153    0t0         TCP     *:80 (LISTEN)
apache2    24565    root        6u     IPv6    8626157    0t0         TCP     *:443 (LISTEN)
apache2    24567    www-data    4u     IPv6    8626153    0t0         TCP     *:80 (LISTEN)
apache2    24567    www-data    6u     IPv6    8626157    0t0         TCP     *:443 (LISTEN)
apache2    24568    www-data    4u     IPv6    8626153    0t0         TCP     *:80 (LISTEN)
apache2    24568    www-data    6u     IPv6    8626157    0t0         TCP     *:443 (LISTEN)
apache2    24569    www-data    4u     IPv6    8626153    0t0         TCP     *:80 (LISTEN)
apache2    24569    www-data    6u     IPv6    8626157    0t0         TCP     *:443 (LISTEN)
apache2    24570    www-data    4u     IPv6    8626153    0t0         TCP     *:80 (LISTEN)
apache2    24570    www-data    6u     IPv6    8626157    0t0         TCP     *:443 (LISTEN)
apache2    24571    www-data    4u     IPv6    8626153    0t0         TCP     *:80 (LISTEN)
apache2    24571    www-data    6u     IPv6    8626157    0t0         TCP     *:443 (LISTEN)
apache2    24585    www-data    4u     IPv6    8626153    0t0         TCP     *:80 (LISTEN)
apache2    24585    www-data    6u     IPv6    8626157    0t0         TCP     *:443 (LISTEN)Other possible states of a TCP connection are CLOSED, SYN-SENT, SYN-RECEIVED, ESTABLISHED, CLOSE-WAIT, LAST-ACK, FIN-WAIT-1, FIN-WAIT-2, CLOSING, and TIME-WAIT.
Finding Information on a Given Protocol
The next lsof command shows open UDP files that use the NTP (Network Time Protocol) port only:
sudo lsof -i UDP:ntp
COMMAND    PID    USER    FD     TYPE    DEVICE    SIZE/OFF    NODE    NAME
ntpd       848    ntp     16u    IPv6    22807     0t0         UDP     *:ntp
ntpd       848    ntp     17u    IPv4    22810     0t0         UDP     *:ntp
ntpd       848    ntp     18u    IPv4    22814     0t0         UDP     localhost:ntp
ntpd       848    ntp     19u    IPv4    22816     0t0         UDP     17-5-7-8.ip.linodeusercontent.com:ntp
ntpd       848    ntp     20u    IPv6    22818     0t0         UDP     localhost:ntp
ntpd       848    ntp     24u    IPv6    24916     0t0         UDP     [2a01:7e00::f03c:91ff:fe69:1381]:ntp
ntpd       848    ntp     25u    IPv6    24918     0t0         UDP     [fe80::f03c:91ff:fe69:1381]:ntpThe output displays connections that use either IPv4 or IPv6. If you want to display the connections that use IPv4 only, you can run the following command:
sudo lsof -i4 -a -i UDP:ntp
COMMAND    PID    USER    FD     TYPE    DEVICE    SIZE/OFF    NODE    NAME
ntpd       848    ntp     17u    IPv4    22810     0t0         UDP     *:ntp
ntpd       848    ntp     18u    IPv4    22814     0t0         UDP     localhost:ntp
ntpd       848    ntp     19u    IPv4    22816     0t0         UDP     17-5-7-8.ip.linodeusercontent.com:ntpDisabling DNS and port Number Resolving
lsof uses the data found in the /etc/services file to map a port number to a service. You can disable this functionality by using the –P option as follows:
lsof -P -i UDP:ntp -a -i4
COMMAND    PID    USER    FD     TYPE    DEVICE    SIZE/OFF    NODE    NAME
ntpd       848    ntp     17u    IPv4    22810     0t0         UDP     *:123
ntpd       848    ntp     18u    IPv4    22814     0t0         UDP     localhost:123
ntpd       848    ntp     19u    IPv4    22816     0t0         UDP     17-5-7-8.ip.linodeusercontent.com:123In a similar way, you can disable DNS resolving using the -n option:
lsof -P -i UDP:ntp -a -i4 -n
COMMAND    PID    USER    FD     TYPE    DEVICE    SIZE/OFF    NODE    NAME
ntpd       848    ntp     17u    IPv4    22810     0t0         UDP     *:123
ntpd       848    ntp     18u    IPv4    22814     0t0         UDP     127.0.0.1:123
ntpd       848    ntp     19u    IPv4    22816     0t0         UDP     109.74.193.253:123The -n option can be particularly useful when you have a problem with your DNS servers or when you are interested in the actual IP address.
Find Network Connections From or To an External Host
The following command finds all network connections coming from or going to ppp-2-86-23-29.home.example.com:
sudo lsof -i @ppp-2-86-23-29.home.example.com
sshd    22352    root      3u    IPv4 8613370    0t0    TCP    17-5-7-8.ip.linodeusercontent.com:ssh->ppp-2-86-23-29.home.example.com:60032 (ESTABLISHED)
sshd    22361    mtsouk    3u    IPv4 8613370    0t0    TCP    17-5-7-8.ip.linodeusercontent.com:ssh->ppp-2-86-23-29.home.example.com:60032 (ESTABLISHED)You can also specify the range of ports that interest you as follows:
sudo lsof -i @ppp-2-86-23-29.home.example.com:200-250
Determine Which Processes are Accessing a Given File
With lsof you can find the processes that are accessing a given file. For example, by running the lsof command on it’s own file you can determine the processes that are accessing it:
sudo lsof `which lsof`
lsof    25079    root    txt    REG    8,0    163136 5693 /usr/bin/lsof
lsof    25080    root    txt    REG    8,0    163136 5693 /usr/bin/lsofThere are two lines in the above output because the /usr/bin/lsof file is being accessed twice, by
both which(1) and lsof.
If you are only interested in the process ID of the processes that are accessing a file, you can use the -t option to suppress header lines:
sudo lsof -t `which lsof`
25157
25158A process ID can commonly be used for easily killing a process using the kill(1) command, however this is something that should only be executed with great care.
List Open Files Under a Given Directory
The +D lsof command displays all open files under a given directory, which in this case is /etc, as well as the name of the process that keeps a file or a directory open:
sudo lsof +D /etc
COMMAND      PID    USER     FD     TYPE    DEVICE    SIZE/OFF    NODE      NAME
avahi-dae    669    avahi    cwd    DIR     8,0       4096        745751    /etc/avahi
avahi-dae    669    avahi    rtd    DIR     8,0       4096        745751    /etc/avahiList Files that are Opened by a Specific User
Another option is to locate the files opened by any user, including web and database users.
The following command lists all open files opened by the www-data user:
sudo lsof -u www-data
COMMAND     PID     USER        FD     TYPE    DEVICE    SIZE/OFF    NODE    NAME
php5-fpm    1066    www-data    cwd    DIR     8,0       4096        2        /
php5-fpm    1066    www-data    rtd    DIR     8,0       4096        2        /
...The next variation finds all ESTABLISHED connections owned by the www-data user:
sudo lsof -u www-data | grep -i ESTABLISHED
apache2  24571    www-data    29u    IPv6    8675584    0t0    TCP    17-5-7-8.ip.linodeusercontent.com:https->ppp-2-86-23-29.home.otenet.gr:61383 (ESTABLISHED)
apache2  24585    www-data    29u    IPv6    8675583    0t0    TCP    17-5-7-8.ip.linodeusercontent.com:https->ppp-2-86-23-29.home.otenet.gr:61381 (ESTABLISHED)
apache2  27827    www-data    29u    IPv6    8675582    0t0    TCP    17-5-7-8.ip.linodeusercontent.com:https->ppp-2-86-23-29.home.otenet.gr:61382 (ESTABLISHED)Last, the next command finds all processes except the ones owned by www-data by using the ^ character:
sudo lsof -u ^www-data
COMMAND    PID    TID      USER    FD      TYPE    DEVICE    SIZE/OFF    NODE       NAME
systemd    1               root    cwd     DIR     8,0       4096        2          /
systemd    1               root    rtd     DIR     8,0       4096        2          /
systemd    1               root    txt     REG     8,0       1120992     1097764    /lib/systemd/systemd
...If the user name you are trying to use does not exist, you get an error message similar to the following:
sudo lsof -u doesNotExist
lsof: can't get UID for doesNotExist
lsof 4.89
 latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
 latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
 latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
 usage: [-?abhKlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-E] [+|-e s] [+|-f[gG]]
 [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s]
 [+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
Use the ``-h'' option to get more help information.Kill All Processes Owned by a User
The following command kills all of the processes owned by the www-data user:
lsof with the kill(1) command. Do not try to test similar commands on a live server unless you are absolutely certain you will not experience issues. For testing purposes you can use a disposable Docker image or something similar.sudo kill -9 `lsof -t -u www-data`
Find All Network Activity from a Given User
The following command lists all network activity by a user named mtsouk:
lsof -a -u mtsouk -i
COMMAND    PID      USER      FD    TYPE    DEVICE     SIZE/OFF    NODE    NAME
sshd       22361    mtsouk    3u    IPv4    8613370    0t0         TCP     17-5-7-8.ip.linodeusercontent.com:ssh->ppp-2-86-23-29.home.otenet.gr:60032 (ESTABLISHED)On the other hand, the following command lists all network activity from processes not owned by the root or the www-data user:
lsof -a -u ^root -i -u ^www-data
avahi-dae    669      avahi      12u    IPv4    20732        0t0    UDP    *:mdns
avahi-dae    669      avahi      13u    IPv6    20733        0t0    UDP    *:mdns
avahi-dae    669      avahi      14u    IPv4    20734        0t0    UDP    *:54087
avahi-dae    669      avahi      15u    IPv6    20735        0t0    UDP    *:48582
ntpd         848      ntp        16u    IPv6    22807        0t0    UDP    *:ntp
ntpd         848      ntp        17u    IPv4    22810        0t0    UDP    *:ntp
ntpd         848      ntp        18u    IPv4    22814        0t0    UDP    localhost:ntp
ntpd         848      ntp        19u    IPv4    22816        0t0    UDP    17-5-7-8.ip.linodeusercontent.com:ntp
ntpd         848      ntp        20u    IPv6    22818        0t0    UDP    localhost:ntp
ntpd         848      ntp        24u    IPv6    24916        0t0    UDP    [2a01:7e00::f03c:91ff:fe69:1381]:ntp
ntpd         848      ntp        25u    IPv6    24918        0t0    UDP    [fe80::f03c:91ff:fe69:1381]:ntp
mysqld       1003     mysql      17u    IPv4    24217        0t0    TCP    localhost:mysql (LISTEN)
sshd         22361    mtsouk     3u     IPv4    8613370      0t0    TCP    17-5-7-8.ip.linodeusercontent.com:ssh->ppp-2-86-23-29.home.otenet.gr:60032 (ESTABLISHED)Find the Total Number of TCP and UDP Connections
If you process the output of lsof with some traditional UNIX command line tools, like grep and awk,
you can calculate the total number of TCP and UDP connections:
sudo lsof -i | awk '{print $8}' | sort | uniq -c | grep 'TCP\|UDP'
28 TCP
13 UDPThe lsof –i command lists all Internet connections whereas awk extracts the 8th field, which is the value of the NODE column and sort sorts the output. Then, the uniq –c command counts how many times each line exists. Last, the grep –v 'TCP\|UDP' command displays the lines that contain the TCP or the UDP word in them.
Summary
lsof is a powerful diagnostic tool capable of a significant number of ways that you can combine its command line options to troubleshoot various issues administrators can find themselves facing. As this guide has only provided a few examples of how to use this tool, additional options can be combined for various effects that can be specifically suited to your needs.
More Information
You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.
This page was originally published on