🖥️lsof
➡️This is a command-line reference manual for commands and command combinations that you don’t use often enough to remember it. This cheatsheet explains the lsof command with important options and switches using examples.
11 minute read
▁ ▂ ▃ ▄ ꧁ 🔴☠ COMMANDLINE-KUNGFU WITH CHEATSHEETS ☠🔴꧂▅ ▃ ▂ ▁
# ██╗ ███████╗ ██████╗ ███████╗
# ██║ ██╔════╝██╔═══██╗██╔════╝
# ██║ ███████╗██║ ██║█████╗
# ██║ ╚════██║██║ ██║██╔══╝
# ███████╗███████║╚██████╔╝██║
# ╚══════╝╚══════╝ ╚═════╝ ╚═╝
# List all IPv4 network files
sudo lsof -i4
# List all IPv6 network files
sudo lsof -i6
# List all open sockets
lsof -i
# List all listening ports
lsof -Pnl +M -i4
# Find which program is using the port 80
lsof -i TCP:80
# List all connections to a specific host
lsof [email protected]
# List all processes accessing a particular file/directory
lsof </path/to/file>
# List all files open for a particular user
lsof -u <username>
# List all files/network connections a command is using
lsof -c <command-name>
# List all files a process has open
lsof -p <pid>
# List all files open mounted at /mount/point.
# Particularly useful for finding which process(es) are using a
# mounted USB stick or CD/DVD.
lsof +f -- </mount/point>
# See this primer: http://www.danielmiessler.com/study/lsof/
# for a number of other useful lsof tips
#==============================#
# CMD LSOF
#==============================##==============================#
lsof -a -i -u xyz
# allen Internetsockets interessiert die von Prozessen mit UID xyz geöffnet
lsof -d cwd,^0,^1,^2
#
lsof -p $pid
#
lsof +D /var/lib/apt/lists
# Show what files or filehandles are open in the specified directory.
lsof -Pan -i tcp -i udp
# Show all programs listening TCP/UDP ports. You may want to run this with superuser privileges.
lsof -i TCP:80
# Show what processes are using port 80 either locally or remotely. Need to be root for unowned processes.
lsof -iTCP:80 -sTCP:LISTEN
# The below command outputs, name of process/service using a specific port 80. To better understand run the following command on port 80, it will list all services/processes running on port.
# How to get lsof command
#==========================#
# lsof command generally comes pre-installed in many UNIX system. If you are getting -bash: lsof: command not found an error while using lsof then it could be that lsof is not in your PATH. just check /usr/bin or /usr/sbin folder for this command. If you don't find there then you can install it from source or you can ask your UNIX admin to do that for you.
# 1) How to list all open files by all process
#----------------------------------------------#
lsof
# Simply running lsof without any argument print all opened file and process. This is not particularly useful but a good starting point.
# 2) How to list all process which has opened a file
#-----------------------------------------------------#
lsof /home/someuser/somefile
# will list all the process which has opened this file. you can see the command, PID, user and full file path to find out the process.
# 3) How to find all opened files by a user
#--------------------------------------------#
# You can use lsof -u command to list all opened file by a user as shown below
lsof -u username
# You can provide comma separated list of users to find list of open files by multiple users as shown below
lsof -u user1,user2,user3
# You can do the same by providing -u option multiple times :
lsof -u user1 -u user2
# Here is a summary of all 10 examples of lsof command in UNIX:
# lsof command example to find all process listening on a port
# 4) How to list all files opened by a particular command
#------------------------------------------------------------#
# You can use lsof -c option to provide name of command and list down all the files opened by that command, for example, to list all file opened by java process, you can do this :
lsof -c java
# This is better than using grep for filtering, as instead of writing lsof | grep java, you can just write lsof -c java.
# You can also find all files opened by apache which runs as httpd as shown below :
lsof -c httpd
# Just like multiple users, you can also combine multiple processes name to list down files hold by them e.g.
lsof -c java -c httpd
# 5) How to find all files opened by a particular user and command
#-------------------------------------------------------------------#
# You can combine users and process name in one lsof command to list down all the files opened by a particular process or a particular user as shown below :
lsof -u root -c java
# This will list all files opened or hold by root user + all files opened by the java process. See The Linux Command Line: A Complete Introduction, a Linux lsof command Example
# 6) How to find files opened by USER and process
#-------------------------------------------------#
# Like previous option, you can also combine user and process by using lsof option '-a'. This is like AND logical operator and will only list files, which matches both options e.g.
lsof -a -u root - c java
# will only list files opened by java process which is running under root user
# 7) lsof with negation operator
#----------------------------------#
# Similar to AND and OR operator used earlier, you can also use negation operator with lsof command e.g.
lsof - u ^root
# will list all files opened by all user except root
# 8) How to list all open files by a process using PID
#-----------------------------------------------------#
# As I told, I mostly use lsof command to find all files opened by a particular process. In order to do that sometimes, I usually use grep command to filter lsof output by PID, but you can also use lsof -p option to do the same, as shown below :
lsof -p 17783
# will list all files opened by the process with PID 17783.
# List users and processes, you can also supply multiple PIDs to find files opened by multiple processes e.g. :
lsof -p 17783,17754,17984
# will list all files opened by the process with PIDs 17783,17754,17984. You can also see the Practical Guide to Linux Commands, Editors, and Shell Programming 3rd Edition by Mark G. Sobell to learn more about how to find a process in UNIX.
# How to use lsof command in UNIX and Linux
#==========================================#
# 9) How to list all network connection
#----------------------------------------#
# You can use lsof - i option to find all open network connections which is nothing but open internet sockets (TCP and UDP), for example
lsof -i
# You can further find all TPC connection by using tcp option as shown below :
lsof -i tcp
# Similarly, to find all open udp connections you can do :
lsof -i udp
# will list all process with open internet sockets.
# 10) How to find which process is using a port
#------------------------------------------------#
# Though you can do this with netstat command as well, you would be surprised to know that you can find all process using a particular TCP or UDP port using lsof command. For example :
lsof -i :19500
# will find the process which is using TCP or UDP port 19500
# You can even names defined in etc/services instead of port number e.g.
lsof -i :smtp
# will print process using the smtp port.
# You can also combine tcp and udp with port to do more specific search e.g. to find all process in UNIX which are uses tcp port number 19600 you can do following :
lsof -i tcp:19600
# and to find all process which is using UDP port 17600 you can use
lsof -i udp:17600
# That's all about 10 examples of lsof command in UNIX and Linux. As I said, it's incredibly useful to find the list of files opened by a particular process or to find all the process which holds a lock on a file. Since almost everything is a file in UNIX, you can use lsof to find out open socket, directory, symbolic link, internet socket and many others. You can also see lsof man page for full documentation and more options.
lsof -p 9105 | grep / | less
# Check what files pid 9105 has opened. I was checking to see if it opened a log file somewhere.
# What process is listening on port 1521?
lsof -P -i :1521 | grep LISTEN tnslsnr 11348 oracle 9u IPv4 158729213 0t0 TCP *:1521 (LISTEN)
# List open files
lsof -n
# Explanation: With the -n flag it will not try to resolve network numbers to host names for network files, making it run a bit faster.With the -c option you can select processes executing a matching command. And with the -t flag the output will be simply process ids without a header, suitable to use with kill. For example you can kill Google Chrome process gone crazy like this:
kill -HUP $(lsof -n -c /google/i -t)
# Here /google/i is a regular expression pattern with case insensitive matching.
# Linux shell processes discovery - to show processes which blocking files on file system (in the example filter by specific value)
lsof -n | awk '/sess_/'
lsof -i TCP:80
# Show what processes are using port 80 either locally or remotely. Need to be root for unowned processes.
lsof -Pan -i tcp -i udp
# show all listening TCP/UDP ports
# Show 10 Largest Open Files
lsof / | awk '{ if($7 > 1048576) print $7/1048576 "MB" " " $9 " " $1 }' | sort -n -u | tail
# Explanation: Show the largest 10 currently open files, the size of those files in Megabytes, and the name of the process holding the file open.
# Kill a process running on port 8080
lsof -i :8080 | awk 'NR > 1 {print $2}' | xargs --no-run-if-empty kill
# Explanation: lsof lists open files (ls-o-f, get it?). lsof -i :8080 lists open files on address ending in :8080. The output looks like this
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
# chrome 2619 qymspace 149u IPv4 71595 0t0 TCP localhost:53878->localhost:http-alt (CLOSE_WAIT)`
# We use awk 'NR > 1 {print $2}' to print the second column for lines except the first. The result is a list of PIDs, which we pipe to xargs kill to kill.
# Limitations: The --no-run-if-empty option of xargs is available in GNU implementations, and typically not available in BSD implementations. Without this option, the one-liner will raise an error if there are no matches (no PIDs to kill).
## Related one-liners
# Kill a process running on port 8080
lsof -i :8080 | awk '{print $2}' | tail -n 1 | xargs kill
# Explanation: lsof lists open files (ls-o-f, get it?). lsof -i :8080 lists open files on address ending in :8080. The output looks like this
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
# chrome 2619 qymspace 149u IPv4 71595 0t0 TCP localhost:53878->localhost:http-alt (CLOSE_WAIT)`
# We pipe this input through awk to print column 2 using the command awk '{print $2}' to produce the output:
# PID
# 2533
# To remote the word PID from this output we use tail -n 1 to grab the last row 2533, We can now pass this process id to the kill command to kill it.
lsof +D /tmp
# Show what files or filehandles are open in the /tmp directory (if it's not a separate partition). This can be slow sometimes.
lsof -i -nlP | awk '{print $9, $8, $1}' | sed 's/.*://' | sort -u
# Find wich ports you probably want to open in your firewall on a fresh installed machine
# Print the processes that are either listening on TCP port 443 and connecting to port 443 on a remote host. Thanks @blind_coder
lsof -i TCP:443
# Show whats going on restoring files from a spectrum protect backup - spectrum protect's dsmc command shows file names and total amount of restore. This command shows which files are actually open and their siz in GB and highlights the change to the previous output
watch -n60 -d 'lsof -w /filesysname|grep -v NAME|awk '\''{$7=int($7/1073741824) " GB"; print $7, $9}'\'''
# Sample output
# Every 60.0s: lsof -w /filesysname|grep -v NAME|awk '{$7=int($7/1073741824) " GB"; print $7, $9}'
# Mon Sep 2 13:44:08 2019
# 6 GB /filesysname/dev_workspaces/tcga/data/urls_tp_2/files/79c77220-5759-41cb-8b70-8fdcd68fa856/TCGA-CG-5727-01A-11D-1598_121011_SN208_0435_BD1E43ACXX_s_3_rg.sorted.bam
# 10 GB /filesysname/dev_workspaces/tcga/data/urls_tp_2/files/85ca0eb9-8ca8-4f11-80e1-04c6d139c6f5/TCGA-BR-6801-01A-11D-1880_121220_SN1222_0164_BC1HJ3ACXX_s_5_rg.sorted.bam
# list current processes writing to hard drive
lsof | grep -e "[[:digit:]]\+w"
#==============================##==============================#
# CMD LSOF #
#==============================##==============================#
Cheatsheets are an excellent complement to other information sources like Linux man-pages, Linux help, or How-To’s and tutorials, as they provide compact and easily accessible information. While man-pages and detailed tutorials often contain comprehensive explanations and extensive guides, cheatsheets summarize the most important options forthe command lsof in a clear format. This allows users to quickly access the needed information for lsof without having to sift through lengthy texts. Especially in stressful situations or for recurring tasks, cheatsheets for lsof are a valuable resource to work efficiently and purposefully.
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
█║▌│║█║▌★ KALI ★ PARROT ★ DEBIAN 🔴 PENTESTING ★ HACKING ★ █║▌│║█║▌
██╗ ██╗ ██████╗ ██████╗ ██╗ ██╗███████╗██████╗
████████╗██╔══██╗██╔═══██╗╚██╗██╔╝██╔════╝██╔══██╗
╚██╔═██╔╝██║ ██║██║ ██║ ╚███╔╝ █████╗ ██║ ██║
████████╗██║ ██║██║ ██║ ██╔██╗ ██╔══╝ ██║ ██║
╚██╔═██╔╝██████╔╝╚██████╔╝██╔╝ ██╗███████╗██████╔╝
╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═════╝
█║▌│║█║▌ WITH COMMANDLINE-KUNGFU POWER █║▌│║█║▌
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.