Linux Command Line Tutorial #8 - the lsof command

in #utopian-io, 7 years ago

What Will I Learn?

  • You will learn to use the lsof command to find what files are being used by the various programs on your system
  • You will learn to filter output of the command to get data on specific applications, specific files/directories, and even specific network ports

Requirements

  • A working Linux system
  • Basic knowledge of the Linux command line.

Difficulty

  • Basic

Tutorial Contents

What does the lsof command do?

As we know, files are central to a Linux/Unix system. They are used not just for storing data, but also for application/program configuration, so it's important to know which files a program is using. The lsof ("list open files") command helps us do that. lsof comes installed on most Linux systems; if it isn't, it's almost certainly available in your distribution's package manager.

1. Basic Usage

You can just use the lsof command to get a list of all open files. But the thing is, there are a lot of files opened on a Linux system. Every file is displayed on a line, so the output would be huge. Instead, we'll look at the total number of files opened by piping lsof into wc -l to get the number of lines in the output:

[h@laptop ~]$ lsof | wc -l
96148

So as you can see, my system has about 96000 files opened by all the processes currently running on the system.

Alternatively, to see a few of the files opened, we can pipe lsof into head to get the first 10 lines of output:

So there are a few important things here:

  1. The first column shows the name of the command/program that's using the file.
  2. The 2nd column, titled PID, shows the PID (Process ID) of the command. (You can use the PID to start, kill, or restrict processes, which is out of the scope of this post.)
  3. The 3rd and 4th columns are blank because they only apply to Tasks (threads), and not to Processes.
  4. The 5th column, titled USER, shows the user account that started the process.
  5. The 6th column, titled FD, shows the File Descriptor of the file being used. In this screenshot, we see 4 FDs: cwd, the process's current working directory; rtd, the root directory; txt, the program text (code and data); and mem, a memory-mapped file.
  6. The 7th column shows the type of file. DIR indicates directories, REG indicates regular files.
  7. The 9th column shows the size of the file in bytes. For directories, the size is always 4KB.
  8. The 10th column shows the inode of the file on the filesystem.
  9. The 11th column shows the actual path of the file.

2. Finding what processes are using a file/directory

You can find which processes are using a file or directory by simply passing that file as an argument. So for example, to find out a few of the processes that are using my home directory:

[h@laptop ~]$ lsof /home/h | head
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
rslsync    1840    h  cwd    DIR    8,2     4096 4980738 /home/h
gdm-x-ses  1883    h  cwd    DIR    8,2     4096 4980738 /home/h
Xorg       1891    h  cwd    DIR    8,2     4096 4980738 /home/h
Xorg       1891    h  mem    CHR  226,0            18462 /dev/dri/card0
Xorg       1891    h   12u   CHR  226,0      0t0   18462 /dev/dri/card0
Xorg       1891    h   13u   CHR  226,0      0t0   18462 /dev/dri/card0
dbus-daem  2299    h  cwd    DIR    8,2     4096 4980738 /home/h
gnome-ses  2317    h  cwd    DIR    8,2     4096 4980738 /home/h
at-spi-bu  2449    h  cwd    DIR    8,2     4096 4980738 /home/h

3. Finding all the files that a process is using

You can find all the files that a process is using by using the -p option and passing the process ID.

To find out the PID of a process, you can use the pgrep tool, like so:

[h@laptop ~]$ pgrep rslsync
1840

And if we put that into lsof:

[h@laptop ~]$ lsof -p 1840 | head
COMMAND  PID USER   FD      TYPE   DEVICE SIZE/OFF    NODE NAME
rslsync 1840    h  cwd       DIR   8,2     4096 4980738 /home/h
rslsync 1840    h  rtd       DIR   8,2     4096       2 /
rslsync 1840    h  txt       REG   8,2 16395864  824224 /usr/bin/rslsync
rslsync 1840    h  mem       REG   8,2    84016  788618 /usr/lib/libresolv-2.26.so
rslsync 1840    h  mem       REG   8,2    22352  788629 /usr/lib/libnss_dns-2.26.so
rslsync 1840    h  mem       REG   8,2   259088  813964 /usr/lib/libnss_resolve.so.2
rslsync 1840    h  mem       REG   8,2    72856  798841 /usr/lib/libnss_myhostname.so.2
rslsync 1840    h  mem       REG   8,2   263184  802821 /usr/lib/libnss_mymachines.so.2
rslsync 1840    h  mem       REG   8,2    46928  788628 /usr/lib/libnss_files-2.26.so

Another interesting thing about lsof is that you also get "files" like these:

rslsync 1840    h    7u     IPv4   27208      0t0     TCP *:26887 (LISTEN)
rslsync 1840    h    8u     IPv6   27209      0t0     TCP *:26887 (LISTEN)
rslsync 1840    h    9u     IPv4   27210      0t0     UDP *:26887 
rslsync 1840    h   10u     IPv6   27211      0t0     UDP *:26887 

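rslsync is an online backup program, which means it listens on several ports for online requests. Since Linux represents network sockets as file descriptors, just like files, lsof also shows every port a process has open.

You can also combine the two commands. pgrep -d, joins multiple matching PIDs with commas, which is the list format lsof -p accepts:

lsof -p "$(pgrep -d, rslsync)"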

4. Finding all the files that a user has opened

You can use the -u flag to get all the files that a specific user has opened. So using that, and grep, we can find all the files that Firefox has opened with my user account:

[h@laptop ~]$ lsof -u h | grep firefox | head
firefox    4736    h  cwd       DIR  8,2     4096 4980738 /home/h
firefox    4736    h  rtd       DIR  8,2     4096       2 /
firefox    4736    h  txt       REG  8,2   200296  826228 /usr/lib/firefox/firefox
firefox    4736    h  DEL       REG  0,23          281912 /dev/shm/org.chromium.7bIgxD
firefox    4736    h  DEL       REG  0,23          280972 /dev/shm/org.chromium.rxfnUc
firefox    4736    h  mem       REG  8,2    31408  818702 /usr/lib/libnotify.so.4.0.0
firefox    4736    h  DEL       REG  0,5            40032 /memfd:pulseaudio
firefox    4736    h  DEL       REG  0,5            23792 /memfd:pulseaudio
firefox    4736    h  DEL       REG  0,5            38451 /memfd:pulseaudio
firefox    4736    h  mem       REG  8,2    22264 1442361 /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-jpeg.so

5. Finding all processes that are listening on a port or protocol

As mentioned earlier, the lsof command also shows you the network ports that a process is listening on. You can filter output based on that too, with the -i option. The syntax is:

lsof -i protocol:port

For example, the program rslsync listens for HTTP connections on port 8888. To list any process that has a socket on port 8888, whether listening or connected, we can do this (lsof prints the port as its service name, ddi-tcp-1):

[h@laptop ~]$ lsof -i :8888
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rslsync 1840    h   11u  IPv4 297027      0t0  TCP *:ddi-tcp-1 (LISTEN)
rslsync 1840    h   52u  IPv4 304556      0t0  TCP localhost:ddi-tcp-1->localhost:60184 (ESTABLISHED)
rslsync 1840    h   55u  IPv4 305437      0t0  TCP localhost:ddi-tcp-1->localhost:60190 (ESTABLISHED)
rslsync 1840    h   56u  IPv4 305440      0t0  TCP localhost:ddi-tcp-1->localhost:60192 (ESTABLISHED)
firefox 4736    h   63u  IPv4 304555      0t0  TCP localhost:60184->localhost:ddi-tcp-1 (ESTABLISHED)
firefox 4736    h   90u  IPv4 306233      0t0  TCP localhost:60190->localhost:ddi-tcp-1 (ESTABLISHED)
firefox 4736    h  108u  IPv4 305439      0t0  TCP localhost:60192->localhost:ddi-tcp-1 (ESTABLISHED)
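
An added example (not from the original post): the output above mixes the listening socket with established connections, so these functions reduce lsof output to listeners only and flag any command:port pair that is missing from an allowlist. The sample rows are constructed in the numeric layout that lsof -nP -iTCP prints, and the python3 row and the function names are made up for illustration.

```shell
#!/bin/sh
# Audit TCP listeners from `lsof -nP -iTCP` output.
# -n and -P keep hosts and ports numeric, so 8888 is not printed as ddi-tcp-1.

# Constructed sample modelled on the rslsync/firefox output above.
# The python3 row is a made-up stand-in for a listener nobody expected.
SAMPLE='COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rslsync 1840    h    7u  IPv4  27208      0t0  TCP *:26887 (LISTEN)
rslsync 1840    h    8u  IPv6  27209      0t0  TCP *:26887 (LISTEN)
rslsync 1840    h   11u  IPv4 297027      0t0  TCP *:8888 (LISTEN)
rslsync 1840    h   52u  IPv4 304556      0t0  TCP 127.0.0.1:8888->127.0.0.1:60184 (ESTABLISHED)
firefox 4736    h   63u  IPv4 304555      0t0  TCP 127.0.0.1:60184->127.0.0.1:8888 (ESTABLISHED)
python3 5120    h    3u  IPv4 310001      0t0  TCP *:8000 (LISTEN)'

# listeners: read lsof output on stdin and print "command:port pid user",
# one line per listening command/port pair (IPv4 and IPv6 rows collapse).
listeners() {
    awk 'NR > 1 && $NF == "(LISTEN)" {
             port = $(NF - 1)              # e.g. *:8888 or [::1]:8888
             sub(/^.*:/, "", port)         # keep what follows the last colon
             key = $1 ":" port
             if (!(key in seen)) { seen[key] = 1; print key, $2, $3 }
         }'
}

# unexpected_listeners ALLOWLIST: ALLOWLIST is a space-separated list of
# command:port pairs; print the listeners whose pair is not on it.
unexpected_listeners() {
    listeners | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok)'
}

# Live use (needs lsof; run as root to see other users' sockets):
#   lsof -nP -iTCP | unexpected_listeners "rslsync:26887 rslsync:8888"
```
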


Thanks for reading this tutorial. If you liked it, please upvote and resteem.

Sources

@harshallele



Posted on Utopian.io - Rewarding Open Source Contributors

This is hardcore. Thanks for sharing. I've mostly only been using lsof like this:
$ lsof -i

Thank you for the contribution. It has been approved.

You can contact us on Discord.
[utopian-moderator]
