The lsof command is a versatile tool in the Linux environment, providing crucial insights into file and network usage by processes. Whether you’re troubleshooting file system issues, monitoring network activity, conducting security audits, or managing user sessions, lsof offers a range of options to assist you. Understanding and effectively utilizing lsof can significantly enhance your ability to manage and troubleshoot your Linux systems.
Incorporate these lsof commands into your toolkit, and you’ll be well-equipped to handle a variety of system administration tasks with greater ease and efficiency.
The lsof command in Linux stands for “List Open Files,” a powerful utility that provides information about files that are opened by various processes. This command is invaluable for system administrators and developers to diagnose issues related to files, sockets, and processes. This guide will delve into each of the lsof commands presented in the image, providing detailed explanations and examples.
List Open Files
1. lsof
Description: Lists all files opened by any process.
Example:
lsof
This command will display a list of all files currently opened by all running processes. The output includes the process ID (PID), user, file descriptor, type, device, size, and the file name.
2. lsof -p 1000
Description: Lists files opened by a process with PID 1000.
Example:
lsof -p 1000
If you want to see which files are opened by a process with PID 1000, this command will show detailed information about those files.
3. lsof -p ^1000
Description: Lists files opened by any other process than PID 1000.
Example:
lsof -p ^1000
This command lists all files opened by processes excluding the one with PID 1000. It’s useful for isolating files opened by a specific process and seeing what remains.
4. lsof -u <username>
Description: Lists files opened by specific user-owned processes.
Example:
lsof -u username
Replace <username> with the actual username to get a list of files opened by processes owned by that user.
5. lsof -u^root
Description: Lists files opened by all non-root users.
Example:
lsof -u^root
This command is useful for identifying files opened by regular users, excluding those opened by the root user.
6. lsof <directory>
Description: Shows what processes are using a specific directory.
Example:
lsof /home/user
This will display all processes that are using files within the /home/user directory.
7. lsof <filename>
Description: Lists all processes that have opened a specific file.
Example:
lsof /var/log/syslog
This command is useful for determining which processes are accessing the /var/log/syslog file.
8. lsof +D /tmp
Description: Lists all files that have been opened under /tmp.
Example:
lsof +D /tmp
Use this command to see all files within the /tmp directory that are currently open by any process.
9. lsof +L1
Description: Lists files deleted but still held open by running processes.
Example:
lsof +L1
This can help in identifying files that are consuming disk space despite being deleted, as they are still held open by some processes.
10. lsof -c <command>
Description: Lists open files by processes executing a specific command.
Example:
lsof -c ssh
This will list all files opened by processes running the ssh command.
11. lsof -d mem
Description: Lists all memory-mapped files.
Example:
lsof -d mem
This command provides a list of files that are memory-mapped, which can be useful for diagnosing memory-related issues.
List Network Connections and Sockets
1. lsof -i
Description: Lists all open network connections.
Example:
lsof -i
This command will show all network connections opened by any process, including both TCP and UDP connections.
2. lsof -i :80
Description: Lists open TCP/UDP connections with port 80.
Example:
lsof -i :80
Use this command to see all processes that have opened network connections on port 80, typically used by HTTP.
3. lsof -i tcp:1-1024
Description: Lists open TCP connections with a given port range.
Example:
lsof -i tcp:1-1024
This will list all open TCP connections within the port range 1-1024.
4. lsof -i -n
Description: Lists open network connections with no reverse DNS lookup.
Example:
lsof -i -n
This command is useful for speed, as it skips reverse DNS lookups for IP addresses, listing the connections as they are.
5. lsof -i -n -P
Description: Lists open network connections with no port name conversion.
Example:
lsof -i -n -P
This command will show open network connections without converting port numbers to port names.
6. lsof -i6
Description: Lists open IPv6 network connections.
Example:
lsof -i6
Use this command to list all open network connections using the IPv6 protocol.
Other Usages
1. lsof -U
Description: Lists open Unix domain sockets.
Example:
lsof -U
This command provides a list of open Unix domain sockets, which are used for inter-process communication (IPC) within the same host.
2. lsof /dev/tty1
Description: Lists commands/processes associated with /dev/tty1.
Example:
lsof /dev/tty1
This command will show all processes using the /dev/tty1 terminal.
3. kill -9 $(lsof -t -u <username>)
Description: Kills all activities of a specific user.
Example:
kill -9 $(lsof -t -u username)
Replace <username> with the actual username to terminate all processes owned by that user forcefully. This can be useful for managing user sessions or dealing with runaway processes.
Detailed Examples and Use Cases
Diagnosing File System Issues
When a file system is showing as full but deleting files does not free up space, the lsof +L1 command can help identify files that have been deleted but are still held open by processes. This situation often occurs with log files.
lsof +L1
Monitoring Network Activity
To monitor network activity and identify which processes are using network ports, you can use the lsof -i command. This is particularly useful for diagnosing issues with services like web servers or databases.
lsof -i
Security Audits
For security audits, you can use lsof to find out which files are being accessed by specific users or processes. For example, to see all files opened by the user john, you can use:
lsof -u john
Managing User Sessions
If a user’s processes are consuming too many resources, you can list and kill all their processes with a combination of lsof and kill commands.
kill -9 $(lsof -t -u john)
Investigating Network Ports
To see which process is using a specific network port (e.g., port 8080), you can use:
lsof -i :8080
Checking Open Files in a Directory
To check which processes are using files within a specific directory (e.g., /var/www), you can use:
lsof +D /var/www
Finding Memory-Mapped Files
Memory-mapped files are files that are mapped into the address space of a process. This can be checked using:
lsof -d mem