How to Use the lsof Command in Linux

434
How to Use the lsof Command in Linux

Here we can see, “How to Use the lsof Command in Linux”

There has to be more to Linux than just files on your hard disc if everything is a file. This tutorial will show you how to use lsof to view all of the various devices and processes that are treated as files.

lsof installation

Most Linux distributions do not include lsof by default, although it is simple to install. To install lsof, use the following command:

CentOS, RHEL, and Fedora are three different operating systems.

$ sudo yum install lsof
The DNF command is available for CentOS/RHEL 8.
$ sudo dnf install lsof

Debian / Ubuntu:

$ sudo apt install lsof

Obtaining Assistance

Using the -? or -h flag, you can retrieve a summarised list of lsof supported options.

$ lsof -?
lsof 4.87
 latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
 latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
 latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
 usage: [-?abhKlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-f[gG]] [+|-e s]
 [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s]
[+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [-Z [Z]] [--] [names]
Defaults in parentheses; comma-separated set (s) items; dash-separated ranges.
  -?|-h list help          -a AND selections (OR)     -b avoid kernel blocks
  -c c  cmd c ^c /c/[bix]  +c w  COMMAND width (9)    +d s  dir s files
  -d s  select by FD set   +D D  dir D tree *SLOW?*   +|-e s  exempt s *RISKY*
  -i select IPv[46] files  -K list tasKs (threads)    -l list UID numbers
  -n no host names         -N select NFS files        -o list file offset
  -O no overhead *RISKY*   -P no port names           -R list paRent PID
  -s list file size        -t terse listing           -T disable TCP/TPI info
  -U select Unix socket    -v list version info       -V verbose search
  +|-w  Warnings (+)       -X skip TCP&UDP* files     -Z Z  context [Z]
  -- end option scan
  +f|-f  +filesystem or -file names     +|-f[gG] flaGs
  -F [f] select fields; -F? for help
  +|-L [l] list (+) suppress (-) link counts < l (0 = all; default = 0)
                                        +m [m] use|create mount supplement
  +|-M   portMap registration (-)       -o o   o 0t offset digits (8)
  -p s   exclude(^)|select PIDs         -S [t] t second stat timeout (15)
  -T qs TCP/TPI Q,St (s) info
  -g [s] exclude(^)|select and print process group IDs
  -i i   select by IPv[46] address: [46][proto][@host|addr][:svc_list|port_list]
  +|-r [t[m<fmt>]] repeat every t seconds (15);  + until no files, - forever.
       An optional suffix to t is m<fmt>; m must separate t from <fmt> and
      <fmt> is an strftime(3) format for the marker line.
  -s p:s  exclude(^)|select protocol (p = TCP|UDP) states by name(s).
  -u s   exclude(^)|select login|UID set s
  -x [fl] cross over +d|+D File systems or symbolic Links
  names  select named files or files on named file systems
Anyone can list all files; /dev warnings disabled; kernel ID check disabled.
$

Use the following command to get detailed information about the installed version:

$ lsof -v
lsof version information:
    revision: 4.87
    latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
    latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
    latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
    constructed: Tue Oct 30 16:28:19 UTC 2018
    constructed by and on: mockbuild@x86-01.bsys.centos.org
    compiler: cc
    compiler version: 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
    compiler flags: -DLINUXV=310000 -DGLIBCV=217 -DHASIPv6 -DHASSELINUX -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE -DHAS_STRFTIME -DLSOF_VSTR="3.10.0" -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
    loader flags: -L./lib -llsof  -lselinux
    system info: Linux x86-01.bsys.centos.org 3.10.0-693.17.1.el7.x86_64 #1 SMP Thu Jan 25 20:13:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
    Anyone can list all files.
    /dev warnings are disabled.
    Kernel ID check is disabled.
$
Also See:  How to: Fix Power Bi Error Access to the Resource is Forbidden

Output Fields

The default lsof output field structure is as follows:

COMMAND    PID  TID         USER   FD      TYPE DEVICE  SIZE/OFF     NODE NAME

Except for the FD and TYPE fields, which are somewhat peculiar to lsof and will be briefly investigated, the majority of these fields are self-explanatory.

The File Descriptor number of the file is FD, and the type of the node linked with the file is TYPE. We’ll go over the valid values for both of these fields now.

The following values can be stored in the FD field:

cwd  current working directory;
Lnn  library references (AIX);
err  FD information error (see NAME column);
jld  jail directory (FreeBSD);
ltx  shared library text (code and data);
Mxx  hex memory-mapped type number xx.
m86  DOS Merge mapped file;
mem  memory-mapped file;
mmap memory-mapped device;
pd   parent directory;
rtd  root directory;
tr   kernel trace file (OpenBSD);
txt  program text (code and data);
v86  VP/ix mapped file;

The FD field is followed by one or more characters that describe the file’s open mode:

r for read access;
w for write access;
u for read and write access;
space if mode unknown and no lock character follows;
`-' if mode unknown and lock character follows.

The FD mode character can then be followed by the LOCK character, which has the following description:

N for a Solaris NFS lock of unknown type;
r for read lock on part of the file;
R for a read lock on the entire file;
w for a write lock on part of the file;
W for a write lock on the entire file;
u for a read and write lock of any length;
U for a lock of unknown type;
x for an SCO OpenServer Xenix lock on part of the file;
X for an SCO OpenServer Xenix lock on the entire file;
space if there is no lock.

The TYPE field can also contain GDIR, GREG, VDIR, VREG, IPV4, IPV6, and so on. Refer to the man page of lsof for a comprehensive list of supported TYPE.

Usage in the Field

The lsof command is used in a variety of ways, as seen below. The command is compatible with all Linux distributions, and all of the command-line options mentioned below should function on all platforms with the same lsof version.

1. Make a list of all open files.

If you run lsof without any parameters, it will list all open files by active processes.

$ sudo lsof | less

Output:

COMMAND    PID  TID         USER   FD      TYPE             DEVICE  SIZE/OFF       NODE NAME
systemd      1              root  cwd       DIR              253,0       224         64 /
systemd      1              root  rtd       DIR              253,0       224         64 /
systemd      1              root  txt       REG              253,0   1632776     308905 /usr/lib/systemd/systemd
systemd      1              root  mem       REG              253,0     20064      16063 /usr/lib64/libuuid.so.1.3.0
systemd      1              root  mem       REG              253,0    265576     186547 /usr/lib64/libblkid.so.1.1.0
systemd      1              root  mem       REG              253,0     90248      16051 /usr/lib64/libz.so.1.2.7
systemd      1              root  mem       REG              253,0    157424      16059 /usr/lib64/liblzma.so.5.2.2
systemd      1              root  mem       REG              253,0     23968      59696 /usr/lib64/libcap-ng.so.0.0.0
systemd      1              root  mem       REG              253,0     19896      59686 /usr/lib64/libattr.so.1.1.0
systemd      1              root  mem       REG              253,0     19248      15679 /usr/lib64/libdl-2.17.so
systemd      1              root  mem       REG              253,0    402384      16039 /usr/lib64/libpcre.so.1.2.0
systemd      1              root  mem       REG              253,0   2156272      15673 /usr/lib64/libc-2.17.so
systemd      1              root  mem       REG              253,0    142144      15699 /usr/lib64/libpthread-2.17.so
systemd      1              root  mem       REG              253,0     88720         84 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
systemd      1              root  mem       REG              253,0     43712      15703 /usr/lib64/librt-2.17.so
systemd      1              root  mem       REG              253,0    277808     229793 /usr/lib64/libmount.so.1.1.0
systemd      1              root  mem       REG              253,0     91800      76005 /usr/lib64/libkmod.so.2.2.10
systemd      1              root  mem       REG              253,0    127184      59698 /usr/lib64/libaudit.so.1.0.0
systemd      1              root  mem       REG              253,0     61680     229827 /usr/lib64/libpam.so.0.83.1
systemd      1              root  mem       REG              253,0     20048      59690 /usr/lib64/libcap.so.2.22
systemd      1              root  mem       REG              253,0    155744      16048 /usr/lib64/libselinux.so.1

2. Sort the list by filename.

We may use the filename option to get a list of all processes that have opened a given file:

$ sudo lsof {file-name}

Output:

$ sudo lsof /var/log/messages
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
rsyslogd 1000 root    6w   REG  253,0      205 16777741 /var/log/messages
$

3. Make a list of all open files by username.

In a multi-user system, the -u flag followed by username can be used to filter the list of files by specific user-owned processes.

$ sudo lsof -u {username}

Output:

$ sudo lsof -u abhisheknair
COMMAND  PID         USER   FD   TYPE             DEVICE  SIZE/OFF     NODE NAME
sshd    1239 abhisheknair  cwd    DIR              253,0       224       64 /
sshd    1239 abhisheknair  rtd    DIR              253,0       224       64 /
sshd    1239 abhisheknair  txt    REG              253,0    852856   425229 /usr/sbin/sshd
sshd    1239 abhisheknair  mem    REG              253,0     15488 17204727 /usr/lib64/security/pam_lastlog.so
sshd    1239 abhisheknair  mem    REG              253,0     15648   229829 /usr/lib64/libpam_misc.so.0.82.0
sshd    1239 abhisheknair  mem    REG              253,0    309248 17303270 /usr/lib64/security/pam_systemd.so
sshd    1239 abhisheknair  mem    REG              253,0     19616 17204728 /usr/lib64/security/pam_limits.so
sshd    1239 abhisheknair  mem    REG              253,0     11168 17204726 /usr/lib64/security/pam_keyinit.so
sshd    1239 abhisheknair  mem    REG              253,0     40800 17204735 /usr/lib64/security/pam_namespace.so

Alternatively, use the -u flag followed by username to list files opened by any user except a specified one, as illustrated below:

$ sudo lsof -u ^{username}

Output:

$ sudo lsof -u ^root
COMMAND    PID TID         USER   FD      TYPE             DEVICE  SIZE/OFF     NODE NAME
dbus-daem  630             dbus  cwd       DIR              253,0       224       64 /
dbus-daem  630             dbus  rtd       DIR              253,0       224       64 /
dbus-daem  630             dbus  txt       REG              253,0    223232 50590133 /usr/bin/dbus-daemon
dbus-daem  630             dbus  mem       REG              253,0     61560    15691 /usr/lib64/libnss_files-2.17.so
dbus-daem  630             dbus  mem       REG              253,0     68192    59651 /usr/lib64/libbz2.so.1.0.6
dbus-daem  630             dbus  mem       REG              253,0     90248    16051 /usr/lib64/libz.so.1.2.7
dbus-daem  630             dbus  mem       REG              253,0     99944    59680 /usr/lib64/libelf-0.176.so
dbus-daem  630             dbus  mem       REG              253,0     19896    59686 /usr/lib64/libattr.so.1.1.0
dbus-daem  630             dbus  mem       REG              253,0    402384    16039 /usr/lib64/libpcre.so.1.2.0

You can use lsof in circumstances where you need to stop all processes associated with a given user in a single command. To do this (execute as root), we can combine kill with lsof as demonstrated below:

# kill -9 `lsof -t -u {username}`

We can use the -t flag to filter out all other information except process-id, as seen in the preceding example. As illustrated in the preceding example, this can be useful in automation and scripting when combined with the kill command.

$ sudo lsof -t -u {username}

Output:

$ sudo lsof -t -u abhisheknair
1239
1240
$

We may use OR logic with lsof to many aggregate arguments, as illustrated below:

$ sudo lsof -u {username} -c {process-name}

Output:

$ sudo lsof -u ftpuser -c bash
COMMAND  PID         USER   FD   TYPE DEVICE  SIZE/OFF     NODE NAME
bash    1240 abhisheknair  cwd    DIR  253,0       120   510681 /home/abhisheknair
bash    1240 abhisheknair  rtd    DIR  253,0       224       64 /
bash    1240 abhisheknair  txt    REG  253,0    964536 50548532 /usr/bin/bash
bash    1240 abhisheknair  mem    REG  253,0 106172832 50548523 /usr/lib/locale/locale-archive
bash    1240 abhisheknair  mem    REG  253,0     61560    15691 /usr/lib64/libnss_files-2.17.so
bash    1240 abhisheknair  mem    REG  253,0   2156272    15673 /usr/lib64/libc-2.17.so
bash    1240 abhisheknair  mem    REG  253,0     19248    15679 /usr/lib64/libdl-2.17.so
bash    1240 abhisheknair  mem    REG  253,0    174576    16034 /usr/lib64/libtinfo.so.5.9
bash    1240 abhisheknair  mem    REG  253,0    163312    15666 /usr/lib64/ld-2.17.so
bash    1240 abhisheknair  mem    REG  253,0     26970    16003 /usr/lib64/gconv/gconv-modules.cache
bash    1240 abhisheknair    0u   CHR  136,0       0t0        3 /dev/pts/0
bash    1240 abhisheknair    1u   CHR  136,0       0t0        3 /dev/pts/0
bash    1240 abhisheknair    2u   CHR  136,0       0t0        3 /dev/pts/0
bash    1240 abhisheknair  255u   CHR  136,0       0t0        3 /dev/pts/0
bash    1425      ftpuser  cwd    DIR  253,0       182 33578272 /home/ftpuser
bash    1425      ftpuser  rtd    DIR  253,0       224       64 /
bash    1425      ftpuser  txt    REG  253,0    964536 50548532 /usr/bin/bash
bash    1425      ftpuser  mem    REG  253,0 106172832 50548523 /usr/lib/locale/locale-archive
bash    1425      ftpuser  mem    REG  253,0     61560    15691 /usr/lib64/libnss_files-2.17.so
bash    1425      ftpuser  mem    REG  253,0   2156272    15673 /usr/lib64/libc-2.17.so
bash    1425      ftpuser  mem    REG  253,0     19248    15679 /usr/lib64/libdl-2.17.so
bash    1425      ftpuser  mem    REG  253,0    174576    16034 /usr/lib64/libtinfo.so.5.9
bash    1425      ftpuser  mem    REG  253,0    163312    15666 /usr/lib64/ld-2.17.so
bash    1425      ftpuser  mem    REG  253,0     26970    16003 /usr/lib64/gconv/gconv-modules.cache
bash    1425      ftpuser    0u   CHR    4,1       0t0     1043 /dev/tty1
bash    1425      ftpuser    1u   CHR    4,1       0t0     1043 /dev/tty1
bash    1425      ftpuser    2u   CHR    4,1       0t0     1043 /dev/tty1
bash    1425      ftpuser  255u   CHR    4,1       0t0     1043 /dev/tty1
$

Employ the -a flag instead if you wish to use the AND logic condition.

$ sudo lsof -u {username} -c {process-name} -a

Output:

$ sudo lsof -u ftpuser -c bash -a
COMMAND  PID    USER   FD   TYPE DEVICE  SIZE/OFF     NODE NAME
bash    1425 ftpuser  cwd    DIR  253,0       182 33578272 /home/ftpuser
bash    1425 ftpuser  rtd    DIR  253,0       224       64 /
bash    1425 ftpuser  txt    REG  253,0    964536 50548532 /usr/bin/bash
bash    1425 ftpuser  mem    REG  253,0 106172832 50548523 /usr/lib/locale/locale-archive
bash    1425 ftpuser  mem    REG  253,0     61560    15691 /usr/lib64/libnss_files-2.17.so
bash    1425 ftpuser  mem    REG  253,0   2156272    15673 /usr/lib64/libc-2.17.so
bash    1425 ftpuser  mem    REG  253,0     19248    15679 /usr/lib64/libdl-2.17.so
bash    1425 ftpuser  mem    REG  253,0    174576    16034 /usr/lib64/libtinfo.so.5.9
bash    1425 ftpuser  mem    REG  253,0    163312    15666 /usr/lib64/ld-2.17.so
bash    1425 ftpuser  mem    REG  253,0     26970    16003 /usr/lib64/gconv/gconv-modules.cache
bash    1425 ftpuser    0u   CHR    4,1       0t0     1043 /dev/tty1
bash    1425 ftpuser    1u   CHR    4,1       0t0     1043 /dev/tty1
bash    1425 ftpuser    2u   CHR    4,1       0t0     1043 /dev/tty1
bash    1425 ftpuser  255u   CHR    4,1       0t0     1043 /dev/tty1
$

4. Make a list of all open files by the process.

The -c option followed by the process name can also be used to list files opened by a specific process.

$ sudo lsof -c {process-name}

Output:

$ sudo lsof -c ssh
COMMAND  PID         USER   FD   TYPE             DEVICE SIZE/OFF     NODE NAME
sshd     997         root  cwd    DIR              253,0      224       64 /
sshd     997         root  rtd    DIR              253,0      224       64 /
sshd     997         root  txt    REG              253,0   852856   425229 /usr/sbin/sshd
sshd     997         root  mem    REG              253,0    61560    15691 /usr/lib64/libnss_files-2.17.so
sshd     997         root  mem    REG              253,0    68192    59651 /usr/lib64/libbz2.so.1.0.6
sshd     997         root  mem    REG              253,0    99944    59680 /usr/lib64/libelf-0.176.so
sshd     997         root  mem    REG              253,0    19896    59686 /usr/lib64/libattr.so.1.1.0
sshd     997         root  mem    REG              253,0    15688    75906 /usr/lib64/libkeyutils.so.1.5
sshd     997         root  mem    REG              253,0    67104   186525 /usr/lib64/libkrb5support.so.0.1

5. Make a list of open files by PID.

You can also use the -p flag followed by process-id to list files opened by a process-name if you wish to specify its ID instead of its name.

$ sudo lsof -p {process-id}

Output:

$ sudo lsof -p 663
COMMAND   PID USER   FD      TYPE             DEVICE  SIZE/OFF     NODE NAME
firewalld 663 root  cwd       DIR              253,0       224       64 /
firewalld 663 root  rtd       DIR              253,0       224       64 /
firewalld 663 root  txt       REG              253,0      7144 50491220 /usr/bin/python2.7
firewalld 663 root  mem       REG              253,0    298828 50617647 /usr/lib64/girepository-1.0/NM-1.0.typelib
firewalld 663 root  mem       REG              253,0    343452 50507562 /usr/lib64/girepository-1.0/Gio-2.0.typelib
firewalld 663 root  mem       REG              253,0     12352 17202092 /usr/lib64/python2.7/lib-dynload/grpmodule.so
firewalld 663 root  mem       REG              253,0     29184 17202105 /usr/lib64/python2.7/lib-dynload/selectmodule.so
firewalld 663 root  mem       REG              253,0    168312   388240 /usr/lib64/libdbus-glib-1.so.2.2.2
firewalld 663 root  mem       REG              253,0     11976 34028597 /usr/lib64/python2.7/site-packages/_dbus_glib_bindings.so
firewalld 663 root  mem       REG              253,0    185712 50507559 /usr/lib64/girepository-1.0/GLib-2.0.typelib
Also See:  Download Icecream Password Manager on All Windows Versions

Use -p followed by process-id to get a list of all open files except those opened by a specific process.

$ sudo lsof -p ^{process-id}

6. Make a list of all open files in the directory.

Use the +D option followed by the directory path to get a list of processes that opened files in that directory.

$ sudo lsof +D {path}

Output:

$ sudo lsof +D /var/log
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
auditd     607 root    5w   REG  253,0  1065095   425227 /var/log/audit/audit.log
firewalld  663 root    3w   REG  253,0    13817 17663786 /var/log/firewalld
tuned      999 root    3w   REG  253,0    13395 33574994 /var/log/tuned/tuned.log
rsyslogd  1000 root    6w   REG  253,0     4302 16777753 /var/log/cron
rsyslogd  1000 root    7w   REG  253,0    64740 16777755 /var/log/messages
rsyslogd  1000 root    8w   REG  253,0     5513 16787904 /var/log/secure
rsyslogd  1000 root    9w   REG  253,0      198 16777754 /var/log/maillog
$

Use the -d argument followed by the directory path if you don’t want to recursively list files inside subdirectories.

$ sudo lsof +d {path}

Output:

$ sudo lsof +d /var/log
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
firewalld  663 root    3w   REG  253,0    13817 17663786 /var/log/firewalld
rsyslogd  1000 root    6w   REG  253,0     4302 16777753 /var/log/cron
rsyslogd  1000 root    7w   REG  253,0    64740 16777755 /var/log/messages
rsyslogd  1000 root    8w   REG  253,0     5833 16787904 /var/log/secure
rsyslogd  1000 root    9w   REG  253,0      198 16777754 /var/log/maillog
$

7. Repetition mode

In repeat mode, lsof can be used. lsof will generate and print output at regular intervals in repeat mode. lsof supports two repeat modes, with the -r and +r parameters. The -r flag causes lsof to repeat its execution until it receives an interrupt/kill signal from the user, but the +r flag causes lsof to cease its repeat mode as soon as its output has no open files. With the -r or +r flags, we may also specify a time delay.

$ sudo lsof {arguments} -r{time-interval}

Output:

$ sudo lsof -u ftpuser -c bash +D /usr/lib -a -r3
COMMAND  PID    USER  FD   TYPE DEVICE  SIZE/OFF     NODE NAME
bash    1425 ftpuser mem    REG  253,0 106172832 50548523 /usr/lib/locale/locale-archive
=======
COMMAND  PID    USER  FD   TYPE DEVICE  SIZE/OFF     NODE NAME
bash    1425 ftpuser mem    REG  253,0 106172832 50548523 /usr/lib/locale/locale-archive
=======
COMMAND  PID    USER  FD   TYPE DEVICE  SIZE/OFF     NODE NAME
bash    1425 ftpuser mem    REG  253,0 106172832 50548523 /usr/lib/locale/locale-archive
=======

8. Compile a list of open files by the network protocol.

lsof allows you to list any form of Linux file, including network sockets and so on. As a result, the -i flag can be used to display information about open network connections.

$ sudo lsof -i

Output:

$ sudo lsof -i
COMMAND  PID         USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
chronyd  639       chrony    5u  IPv4  14333      0t0  UDP localhost:323
chronyd  639       chrony    6u  IPv6  14334      0t0  UDP localhost:323
sshd     997         root    3u  IPv4  17330      0t0  TCP *:ssh (LISTEN)
sshd     997         root    4u  IPv6  17339      0t0  TCP *:ssh (LISTEN)
master  1229         root   13u  IPv4  18129      0t0  TCP localhost:smtp (LISTEN)
master  1229         root   14u  IPv6  18130      0t0  TCP localhost:smtp (LISTEN)
sshd    1235         root    3u  IPv4  18318      0t0  TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
sshd    1239 abhisheknair    3u  IPv4  18318      0t0  TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
$

You can use lsof to get a list of all network connections used by a certain process-id:

$ sudo lsof -i -a -p {process-id}

Output:

$ sudo lsof -i -a -p 997
COMMAND PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    997 root    3u  IPv4  17330      0t0  TCP *:ssh (LISTEN)
sshd    997 root    4u  IPv6  17339      0t0  TCP *:ssh (LISTEN)
$

We can also use process-name to see all network connections used by a given process:

$ sudo lsof -i -a -c {process-name}

Output:

$ sudo lsof -i -a -c ssh
COMMAND  PID         USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     997         root    3u  IPv4  17330      0t0  TCP *:ssh (LISTEN)
sshd     997         root    4u  IPv6  17339      0t0  TCP *:ssh (LISTEN)
sshd    1235         root    3u  IPv4  18318      0t0  TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
sshd    1239 abhisheknair    3u  IPv4  18318      0t0  TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
$

With the -i flag, we can filter the output of lsof by network protocol type, such as TCP or UDP, by specifying the protocol type.

$ sudo lsof -i {protocol}

Output:

$ sudo lsof -i tcp
COMMAND  PID         USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     997         root    3u  IPv4  17330      0t0  TCP *:ssh (LISTEN)
sshd     997         root    4u  IPv6  17339      0t0  TCP *:ssh (LISTEN)
master  1229         root   13u  IPv4  18129      0t0  TCP localhost:smtp (LISTEN)
master  1229         root   14u  IPv6  18130      0t0  TCP localhost:smtp (LISTEN)
sshd    1235         root    3u  IPv4  18318      0t0  TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
sshd    1239 abhisheknair    3u  IPv4  18318      0t0  TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
$

OR

Output:

$ sudo lsof -i udp
COMMAND PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
chronyd 639 chrony    5u  IPv4  14333      0t0  UDP localhost:323
chronyd 639 chrony    6u  IPv6  14334      0t0  UDP localhost:323
$

9. Make a list of all open files by port.

We can also use the command syntax below to filter the output of lsof with the -i flag by port number:

$ sudo lsof -i :{port-number}

Output:

$ sudo lsof -i :22
COMMAND  PID         USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     997         root    3u  IPv4  17330      0t0  TCP *:ssh (LISTEN)
sshd     997         root    4u  IPv6  17339      0t0  TCP *:ssh (LISTEN)
sshd    1235         root    3u  IPv4  18318      0t0  TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
sshd    1239 abhisheknair    3u  IPv4  18318      0t0  TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
$

10. Sort open files by IPv4/IPv6 address.

There’s an option to limit the list of network connections to either IPv4 or IPv6. To receive only IPv4 listings, use the following command syntax:

$ sudo lsof -i4

Output:

$ sudo lsof -i4
COMMAND  PID         USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
chronyd  639       chrony    5u  IPv4  14333      0t0  UDP localhost:323
sshd     997         root    3u  IPv4  17330      0t0  TCP *:ssh (LISTEN)
master  1229         root   13u  IPv4  18129      0t0  TCP localhost:smtp (LISTEN)
sshd    1235         root    3u  IPv4  18318      0t0  TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
sshd    1239 abhisheknair    3u  IPv4  18318      0t0  TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
$

OR, if you only want IPv6 information, use:

$ sudo lsof -i6

Output:

$ sudo lsof -i6
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
chronyd  639 chrony    6u  IPv6  14334      0t0  UDP localhost:323
sshd     997   root    4u  IPv6  17339      0t0  TCP *:ssh (LISTEN)
master  1229   root   14u  IPv6  18130      0t0  TCP localhost:smtp (LISTEN)
$

11.Make a list of the NFS files that are currently open.

lsof can also display a list of all NFS files that a user is presently working with.

$ sudo lsof -N -u abhisheknair -a

12. List the locked and deleted files.

In Linux, it is possible for files to be removed but still be locked by one or more processes. As a result, those files do not appear in standard file system listings such as ls, but they continue to consume disc space as indicated by df output. This is particularly true for large files erased on purpose to free up disc space without breaking the process lock. lsof can be used to find processes like:

$ sudo lsof {path} | grep deleted

Output:

$ sudo lsof / | grep deleted
firewalld  654         root    8u   REG  253,0      4096 16777726 /tmp/#16777726 (deleted)
tuned      968         root    8u   REG  253,0      4096 16777720 /tmp/#16777720 (deleted)
$

Conclusion

I hope you found this information helpful. Please fill out the form below if you have any queries or comments.

User Questions:

  1. In lsof, what is size off?

The size of the file or the file offset in bytes is indicated by SIZE, SIZE/OFF, or OFFSET. Only if a value is available is it displayed in this column. Lsof returns whatever value – size or offset – is appropriate for the file type and lsof version.

  1. What is the purpose of lsof?

The command lsof, which stands for “list open files,” is used on many Unix-like systems to display a list of all open files as well as the processes that opened them.

  1. What does FIFO LSOF stand for?

A FIFO special file (also known as a named pipe) is comparable to a pipe but is accessed through the filesystem. Multiple processes can open it for reading or writing. When processes use the FIFO to exchange data, the kernel passes all data inside rather than sending it to the filesystem.

Also See:  How to: Fix Windows Defender Closes Games in Windows 10
  1. lsof Command in Linux

lsof Command in Linux from Linuxadministrators

  1. Is there a way to watch “lsof” command while running a program?

Is there a way to watch "lsof" command while running a program? from linuxquestions