Here we can see, “How to Use the lsof Command in Linux”
There has to be more to Linux than just files on your hard disc if everything is a file. This tutorial will show you how to use lsof to view all of the various devices and processes that are treated as files.
lsof installation
Most Linux distributions do not include lsof by default, although it is simple to install. To install lsof, use the following command:
CentOS, RHEL, and Fedora are three different operating systems.
$ sudo dnf install lsof
Debian / Ubuntu:
$ sudo apt install lsofObtaining Assistance
Using the -? or -h flag, you can retrieve a summarised list of lsof supported options.
$ lsof -?
lsof 4.87
latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
usage: [-?abhKlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-f[gG]] [+|-e s]
[-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s]
[+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [-Z [Z]] [--] [names]
Defaults in parentheses; comma-separated set (s) items; dash-separated ranges.
-?|-h list help -a AND selections (OR) -b avoid kernel blocks
-c c cmd c ^c /c/[bix] +c w COMMAND width (9) +d s dir s files
-d s select by FD set +D D dir D tree *SLOW?* +|-e s exempt s *RISKY*
-i select IPv[46] files -K list tasKs (threads) -l list UID numbers
-n no host names -N select NFS files -o list file offset
-O no overhead *RISKY* -P no port names -R list paRent PID
-s list file size -t terse listing -T disable TCP/TPI info
-U select Unix socket -v list version info -V verbose search
+|-w Warnings (+) -X skip TCP&UDP* files -Z Z context [Z]
-- end option scan
+f|-f +filesystem or -file names +|-f[gG] flaGs
-F [f] select fields; -F? for help
+|-L [l] list (+) suppress (-) link counts < l (0 = all; default = 0)
+m [m] use|create mount supplement
+|-M portMap registration (-) -o o o 0t offset digits (8)
-p s exclude(^)|select PIDs -S [t] t second stat timeout (15)
-T qs TCP/TPI Q,St (s) info
-g [s] exclude(^)|select and print process group IDs
-i i select by IPv[46] address: [46][proto][@host|addr][:svc_list|port_list]
+|-r [t[m<fmt>]] repeat every t seconds (15); + until no files, - forever.
An optional suffix to t is m<fmt>; m must separate t from <fmt> and
<fmt> is an strftime(3) format for the marker line.
-s p:s exclude(^)|select protocol (p = TCP|UDP) states by name(s).
-u s exclude(^)|select login|UID set s
-x [fl] cross over +d|+D File systems or symbolic Links
names select named files or files on named file systems
Anyone can list all files; /dev warnings disabled; kernel ID check disabled.
$Use the following command to get detailed information about the installed version:
$ lsof -v
lsof version information:
revision: 4.87
latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
constructed: Tue Oct 30 16:28:19 UTC 2018
constructed by and on: mockbuild@x86-01.bsys.centos.org
compiler: cc
compiler version: 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
compiler flags: -DLINUXV=310000 -DGLIBCV=217 -DHASIPv6 -DHASSELINUX -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE -DHAS_STRFTIME -DLSOF_VSTR="3.10.0" -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
loader flags: -L./lib -llsof -lselinux
system info: Linux x86-01.bsys.centos.org 3.10.0-693.17.1.el7.x86_64 #1 SMP Thu Jan 25 20:13:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Anyone can list all files.
/dev warnings are disabled.
Kernel ID check is disabled.
$Output Fields
The default lsof output field structure is as follows:
Except for the FD and TYPE fields, which are somewhat peculiar to lsof and will be briefly investigated, the majority of these fields are self-explanatory.
The File Descriptor number of the file is FD, and the type of the node linked with the file is TYPE. We’ll go over the valid values for both of these fields now.
The following values can be stored in the FD field:
cwd current working directory;
Lnn library references (AIX);
err FD information error (see NAME column);
jld jail directory (FreeBSD);
ltx shared library text (code and data);
Mxx hex memory-mapped type number xx.
m86 DOS Merge mapped file;
mem memory-mapped file;
mmap memory-mapped device;
pd parent directory;
rtd root directory;
tr kernel trace file (OpenBSD);
txt program text (code and data);
v86 VP/ix mapped file;The FD field is followed by one or more characters that describe the file’s open mode:
r for read access;
w for write access;
u for read and write access;
space if mode unknown and no lock character follows;
`-' if mode unknown and lock character follows.The FD mode character can then be followed by the LOCK character, which has the following description:
N for a Solaris NFS lock of unknown type;
r for read lock on part of the file;
R for a read lock on the entire file;
w for a write lock on part of the file;
W for a write lock on the entire file;
u for a read and write lock of any length;
U for a lock of unknown type;
x for an SCO OpenServer Xenix lock on part of the file;
X for an SCO OpenServer Xenix lock on the entire file;
space if there is no lock.The TYPE field can also contain GDIR, GREG, VDIR, VREG, IPV4, IPV6, and so on. Refer to the man page of lsof for a comprehensive list of supported TYPE.
Usage in the Field
The lsof command is used in a variety of ways, as seen below. The command is compatible with all Linux distributions, and all of the command-line options mentioned below should function on all platforms with the same lsof version.
1. Make a list of all open files.
If you run lsof without any parameters, it will list all open files by active processes.
$ sudo lsof | lessOutput:
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root cwd DIR 253,0 224 64 /
systemd 1 root rtd DIR 253,0 224 64 /
systemd 1 root txt REG 253,0 1632776 308905 /usr/lib/systemd/systemd
systemd 1 root mem REG 253,0 20064 16063 /usr/lib64/libuuid.so.1.3.0
systemd 1 root mem REG 253,0 265576 186547 /usr/lib64/libblkid.so.1.1.0
systemd 1 root mem REG 253,0 90248 16051 /usr/lib64/libz.so.1.2.7
systemd 1 root mem REG 253,0 157424 16059 /usr/lib64/liblzma.so.5.2.2
systemd 1 root mem REG 253,0 23968 59696 /usr/lib64/libcap-ng.so.0.0.0
systemd 1 root mem REG 253,0 19896 59686 /usr/lib64/libattr.so.1.1.0
systemd 1 root mem REG 253,0 19248 15679 /usr/lib64/libdl-2.17.so
systemd 1 root mem REG 253,0 402384 16039 /usr/lib64/libpcre.so.1.2.0
systemd 1 root mem REG 253,0 2156272 15673 /usr/lib64/libc-2.17.so
systemd 1 root mem REG 253,0 142144 15699 /usr/lib64/libpthread-2.17.so
systemd 1 root mem REG 253,0 88720 84 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
systemd 1 root mem REG 253,0 43712 15703 /usr/lib64/librt-2.17.so
systemd 1 root mem REG 253,0 277808 229793 /usr/lib64/libmount.so.1.1.0
systemd 1 root mem REG 253,0 91800 76005 /usr/lib64/libkmod.so.2.2.10
systemd 1 root mem REG 253,0 127184 59698 /usr/lib64/libaudit.so.1.0.0
systemd 1 root mem REG 253,0 61680 229827 /usr/lib64/libpam.so.0.83.1
systemd 1 root mem REG 253,0 20048 59690 /usr/lib64/libcap.so.2.22
systemd 1 root mem REG 253,0 155744 16048 /usr/lib64/libselinux.so.12. Sort the list by filename.
We may use the filename option to get a list of all processes that have opened a given file:
$ sudo lsof {file-name}Output:
$ sudo lsof /var/log/messages
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rsyslogd 1000 root 6w REG 253,0 205 16777741 /var/log/messages
$3. Make a list of all open files by username.
In a multi-user system, the -u flag followed by username can be used to filter the list of files by specific user-owned processes.
$ sudo lsof -u {username}Output:
Alternatively, use the -u flag followed by username to list files opened by any user except a specified one, as illustrated below:
$ sudo lsof -u ^{username}Output:
$ sudo lsof -u ^root
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dbus-daem 630 dbus cwd DIR 253,0 224 64 /
dbus-daem 630 dbus rtd DIR 253,0 224 64 /
dbus-daem 630 dbus txt REG 253,0 223232 50590133 /usr/bin/dbus-daemon
dbus-daem 630 dbus mem REG 253,0 61560 15691 /usr/lib64/libnss_files-2.17.so
dbus-daem 630 dbus mem REG 253,0 68192 59651 /usr/lib64/libbz2.so.1.0.6
dbus-daem 630 dbus mem REG 253,0 90248 16051 /usr/lib64/libz.so.1.2.7
dbus-daem 630 dbus mem REG 253,0 99944 59680 /usr/lib64/libelf-0.176.so
dbus-daem 630 dbus mem REG 253,0 19896 59686 /usr/lib64/libattr.so.1.1.0
dbus-daem 630 dbus mem REG 253,0 402384 16039 /usr/lib64/libpcre.so.1.2.0You can use lsof in circumstances where you need to stop all processes associated with a given user in a single command. To do this (execute as root), we can combine kill with lsof as demonstrated below:
# kill -9 `lsof -t -u {username}`We can use the -t flag to filter out all other information except process-id, as seen in the preceding example. As illustrated in the preceding example, this can be useful in automation and scripting when combined with the kill command.
$ sudo lsof -t -u {username}Output:
$ sudo lsof -t -u abhisheknair
1239
1240
$We may use OR logic with lsof to many aggregate arguments, as illustrated below:
$ sudo lsof -u {username} -c {process-name}Output:
$ sudo lsof -u ftpuser -c bash
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 1240 abhisheknair cwd DIR 253,0 120 510681 /home/abhisheknair
bash 1240 abhisheknair rtd DIR 253,0 224 64 /
bash 1240 abhisheknair txt REG 253,0 964536 50548532 /usr/bin/bash
bash 1240 abhisheknair mem REG 253,0 106172832 50548523 /usr/lib/locale/locale-archive
bash 1240 abhisheknair mem REG 253,0 61560 15691 /usr/lib64/libnss_files-2.17.so
bash 1240 abhisheknair mem REG 253,0 2156272 15673 /usr/lib64/libc-2.17.so
bash 1240 abhisheknair mem REG 253,0 19248 15679 /usr/lib64/libdl-2.17.so
bash 1240 abhisheknair mem REG 253,0 174576 16034 /usr/lib64/libtinfo.so.5.9
bash 1240 abhisheknair mem REG 253,0 163312 15666 /usr/lib64/ld-2.17.so
bash 1240 abhisheknair mem REG 253,0 26970 16003 /usr/lib64/gconv/gconv-modules.cache
bash 1240 abhisheknair 0u CHR 136,0 0t0 3 /dev/pts/0
bash 1240 abhisheknair 1u CHR 136,0 0t0 3 /dev/pts/0
bash 1240 abhisheknair 2u CHR 136,0 0t0 3 /dev/pts/0
bash 1240 abhisheknair 255u CHR 136,0 0t0 3 /dev/pts/0
bash 1425 ftpuser cwd DIR 253,0 182 33578272 /home/ftpuser
bash 1425 ftpuser rtd DIR 253,0 224 64 /
bash 1425 ftpuser txt REG 253,0 964536 50548532 /usr/bin/bash
bash 1425 ftpuser mem REG 253,0 106172832 50548523 /usr/lib/locale/locale-archive
bash 1425 ftpuser mem REG 253,0 61560 15691 /usr/lib64/libnss_files-2.17.so
bash 1425 ftpuser mem REG 253,0 2156272 15673 /usr/lib64/libc-2.17.so
bash 1425 ftpuser mem REG 253,0 19248 15679 /usr/lib64/libdl-2.17.so
bash 1425 ftpuser mem REG 253,0 174576 16034 /usr/lib64/libtinfo.so.5.9
bash 1425 ftpuser mem REG 253,0 163312 15666 /usr/lib64/ld-2.17.so
bash 1425 ftpuser mem REG 253,0 26970 16003 /usr/lib64/gconv/gconv-modules.cache
bash 1425 ftpuser 0u CHR 4,1 0t0 1043 /dev/tty1
bash 1425 ftpuser 1u CHR 4,1 0t0 1043 /dev/tty1
bash 1425 ftpuser 2u CHR 4,1 0t0 1043 /dev/tty1
bash 1425 ftpuser 255u CHR 4,1 0t0 1043 /dev/tty1
$Employ the -a flag instead if you wish to use the AND logic condition.
$ sudo lsof -u {username} -c {process-name} -aOutput:
$ sudo lsof -u ftpuser -c bash -a
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 1425 ftpuser cwd DIR 253,0 182 33578272 /home/ftpuser
bash 1425 ftpuser rtd DIR 253,0 224 64 /
bash 1425 ftpuser txt REG 253,0 964536 50548532 /usr/bin/bash
bash 1425 ftpuser mem REG 253,0 106172832 50548523 /usr/lib/locale/locale-archive
bash 1425 ftpuser mem REG 253,0 61560 15691 /usr/lib64/libnss_files-2.17.so
bash 1425 ftpuser mem REG 253,0 2156272 15673 /usr/lib64/libc-2.17.so
bash 1425 ftpuser mem REG 253,0 19248 15679 /usr/lib64/libdl-2.17.so
bash 1425 ftpuser mem REG 253,0 174576 16034 /usr/lib64/libtinfo.so.5.9
bash 1425 ftpuser mem REG 253,0 163312 15666 /usr/lib64/ld-2.17.so
bash 1425 ftpuser mem REG 253,0 26970 16003 /usr/lib64/gconv/gconv-modules.cache
bash 1425 ftpuser 0u CHR 4,1 0t0 1043 /dev/tty1
bash 1425 ftpuser 1u CHR 4,1 0t0 1043 /dev/tty1
bash 1425 ftpuser 2u CHR 4,1 0t0 1043 /dev/tty1
bash 1425 ftpuser 255u CHR 4,1 0t0 1043 /dev/tty1
$4. Make a list of all open files by the process.
The -c option followed by the process name can also be used to list files opened by a specific process.
$ sudo lsof -c {process-name}Output:
$ sudo lsof -c ssh
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 997 root cwd DIR 253,0 224 64 /
sshd 997 root rtd DIR 253,0 224 64 /
sshd 997 root txt REG 253,0 852856 425229 /usr/sbin/sshd
sshd 997 root mem REG 253,0 61560 15691 /usr/lib64/libnss_files-2.17.so
sshd 997 root mem REG 253,0 68192 59651 /usr/lib64/libbz2.so.1.0.6
sshd 997 root mem REG 253,0 99944 59680 /usr/lib64/libelf-0.176.so
sshd 997 root mem REG 253,0 19896 59686 /usr/lib64/libattr.so.1.1.0
sshd 997 root mem REG 253,0 15688 75906 /usr/lib64/libkeyutils.so.1.5
sshd 997 root mem REG 253,0 67104 186525 /usr/lib64/libkrb5support.so.0.15. Make a list of open files by PID.
You can also use the -p flag followed by process-id to list files opened by a process-name if you wish to specify its ID instead of its name.
$ sudo lsof -p {process-id}Output:
$ sudo lsof -p 663
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
firewalld 663 root cwd DIR 253,0 224 64 /
firewalld 663 root rtd DIR 253,0 224 64 /
firewalld 663 root txt REG 253,0 7144 50491220 /usr/bin/python2.7
firewalld 663 root mem REG 253,0 298828 50617647 /usr/lib64/girepository-1.0/NM-1.0.typelib
firewalld 663 root mem REG 253,0 343452 50507562 /usr/lib64/girepository-1.0/Gio-2.0.typelib
firewalld 663 root mem REG 253,0 12352 17202092 /usr/lib64/python2.7/lib-dynload/grpmodule.so
firewalld 663 root mem REG 253,0 29184 17202105 /usr/lib64/python2.7/lib-dynload/selectmodule.so
firewalld 663 root mem REG 253,0 168312 388240 /usr/lib64/libdbus-glib-1.so.2.2.2
firewalld 663 root mem REG 253,0 11976 34028597 /usr/lib64/python2.7/site-packages/_dbus_glib_bindings.so
firewalld 663 root mem REG 253,0 185712 50507559 /usr/lib64/girepository-1.0/GLib-2.0.typelibUse -p followed by process-id to get a list of all open files except those opened by a specific process.
$ sudo lsof -p ^{process-id}6. Make a list of all open files in the directory.
Use the +D option followed by the directory path to get a list of processes that opened files in that directory.
$ sudo lsof +D {path}Output:
$ sudo lsof +D /var/log
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
auditd 607 root 5w REG 253,0 1065095 425227 /var/log/audit/audit.log
firewalld 663 root 3w REG 253,0 13817 17663786 /var/log/firewalld
tuned 999 root 3w REG 253,0 13395 33574994 /var/log/tuned/tuned.log
rsyslogd 1000 root 6w REG 253,0 4302 16777753 /var/log/cron
rsyslogd 1000 root 7w REG 253,0 64740 16777755 /var/log/messages
rsyslogd 1000 root 8w REG 253,0 5513 16787904 /var/log/secure
rsyslogd 1000 root 9w REG 253,0 198 16777754 /var/log/maillog
$Use the -d argument followed by the directory path if you don’t want to recursively list files inside subdirectories.
$ sudo lsof +d {path}Output:
$ sudo lsof +d /var/log
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
firewalld 663 root 3w REG 253,0 13817 17663786 /var/log/firewalld
rsyslogd 1000 root 6w REG 253,0 4302 16777753 /var/log/cron
rsyslogd 1000 root 7w REG 253,0 64740 16777755 /var/log/messages
rsyslogd 1000 root 8w REG 253,0 5833 16787904 /var/log/secure
rsyslogd 1000 root 9w REG 253,0 198 16777754 /var/log/maillog
$7. Repetition mode
In repeat mode, lsof can be used. lsof will generate and print output at regular intervals in repeat mode. lsof supports two repeat modes, with the -r and +r parameters. The -r flag causes lsof to repeat its execution until it receives an interrupt/kill signal from the user, but the +r flag causes lsof to cease its repeat mode as soon as its output has no open files. With the -r or +r flags, we may also specify a time delay.
$ sudo lsof {arguments} -r{time-interval}Output:
$ sudo lsof -u ftpuser -c bash +D /usr/lib -a -r3
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 1425 ftpuser mem REG 253,0 106172832 50548523 /usr/lib/locale/locale-archive
=======
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 1425 ftpuser mem REG 253,0 106172832 50548523 /usr/lib/locale/locale-archive
=======
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 1425 ftpuser mem REG 253,0 106172832 50548523 /usr/lib/locale/locale-archive
=======8. Compile a list of open files by the network protocol.
lsof allows you to list any form of Linux file, including network sockets and so on. As a result, the -i flag can be used to display information about open network connections.
$ sudo lsof -iOutput:
$ sudo lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chronyd 639 chrony 5u IPv4 14333 0t0 UDP localhost:323
chronyd 639 chrony 6u IPv6 14334 0t0 UDP localhost:323
sshd 997 root 3u IPv4 17330 0t0 TCP *:ssh (LISTEN)
sshd 997 root 4u IPv6 17339 0t0 TCP *:ssh (LISTEN)
master 1229 root 13u IPv4 18129 0t0 TCP localhost:smtp (LISTEN)
master 1229 root 14u IPv6 18130 0t0 TCP localhost:smtp (LISTEN)
sshd 1235 root 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
sshd 1239 abhisheknair 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
$You can use lsof to get a list of all network connections used by a certain process-id:
$ sudo lsof -i -a -p {process-id}Output:
$ sudo lsof -i -a -p 997
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 997 root 3u IPv4 17330 0t0 TCP *:ssh (LISTEN)
sshd 997 root 4u IPv6 17339 0t0 TCP *:ssh (LISTEN)
$We can also use process-name to see all network connections used by a given process:
$ sudo lsof -i -a -c {process-name}Output:
$ sudo lsof -i -a -c ssh
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 997 root 3u IPv4 17330 0t0 TCP *:ssh (LISTEN)
sshd 997 root 4u IPv6 17339 0t0 TCP *:ssh (LISTEN)
sshd 1235 root 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
sshd 1239 abhisheknair 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
$With the -i flag, we can filter the output of lsof by network protocol type, such as TCP or UDP, by specifying the protocol type.
$ sudo lsof -i {protocol}Output:
$ sudo lsof -i tcp
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 997 root 3u IPv4 17330 0t0 TCP *:ssh (LISTEN)
sshd 997 root 4u IPv6 17339 0t0 TCP *:ssh (LISTEN)
master 1229 root 13u IPv4 18129 0t0 TCP localhost:smtp (LISTEN)
master 1229 root 14u IPv6 18130 0t0 TCP localhost:smtp (LISTEN)
sshd 1235 root 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
sshd 1239 abhisheknair 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
$OR
Output:
$ sudo lsof -i udp
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chronyd 639 chrony 5u IPv4 14333 0t0 UDP localhost:323
chronyd 639 chrony 6u IPv6 14334 0t0 UDP localhost:323
$9. Make a list of all open files by port.
We can also use the command syntax below to filter the output of lsof with the -i flag by port number:
$ sudo lsof -i :{port-number}Output:
$ sudo lsof -i :22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 997 root 3u IPv4 17330 0t0 TCP *:ssh (LISTEN)
sshd 997 root 4u IPv6 17339 0t0 TCP *:ssh (LISTEN)
sshd 1235 root 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
sshd 1239 abhisheknair 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
$10. Sort open files by IPv4/IPv6 address.
There’s an option to limit the list of network connections to either IPv4 or IPv6. To receive only IPv4 listings, use the following command syntax:
$ sudo lsof -i4Output:
$ sudo lsof -i4
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chronyd 639 chrony 5u IPv4 14333 0t0 UDP localhost:323
sshd 997 root 3u IPv4 17330 0t0 TCP *:ssh (LISTEN)
master 1229 root 13u IPv4 18129 0t0 TCP localhost:smtp (LISTEN)
sshd 1235 root 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
sshd 1239 abhisheknair 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
$OR, if you only want IPv6 information, use:
$ sudo lsof -i6Output:
$ sudo lsof -i6
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chronyd 639 chrony 6u IPv6 14334 0t0 UDP localhost:323
sshd 997 root 4u IPv6 17339 0t0 TCP *:ssh (LISTEN)
master 1229 root 14u IPv6 18130 0t0 TCP localhost:smtp (LISTEN)
$11.Make a list of the NFS files that are currently open.
lsof can also display a list of all NFS files that a user is presently working with.
$ sudo lsof -N -u abhisheknair -a12. List the locked and deleted files.
In Linux, it is possible for files to be removed but still be locked by one or more processes. As a result, those files do not appear in standard file system listings such as ls, but they continue to consume disc space as indicated by df output. This is particularly true for large files erased on purpose to free up disc space without breaking the process lock. lsof can be used to find processes like:
$ sudo lsof {path} | grep deletedOutput:
$ sudo lsof / | grep deleted
firewalld 654 root 8u REG 253,0 4096 16777726 /tmp/#16777726 (deleted)
tuned 968 root 8u REG 253,0 4096 16777720 /tmp/#16777720 (deleted)
$Conclusion
I hope you found this information helpful. Please fill out the form below if you have any queries or comments.
User Questions:
- In lsof, what is size off?
The size of the file or the file offset in bytes is indicated by SIZE, SIZE/OFF, or OFFSET. Only if a value is available is it displayed in this column. Lsof returns whatever value – size or offset – is appropriate for the file type and lsof version.
- What is the purpose of lsof?
The command lsof, which stands for “list open files,” is used on many Unix-like systems to display a list of all open files as well as the processes that opened them.
- What does FIFO LSOF stand for?
A FIFO special file (also known as a named pipe) is comparable to a pipe but is accessed through the filesystem. Multiple processes can open it for reading or writing. When processes use the FIFO to exchange data, the kernel passes all data inside rather than sending it to the filesystem.
- lsof Command in Linux
- Is there a way to watch “lsof” command while running a program?
Is there a way to watch "lsof" command while running a program? from linuxquestions
