Hack 95. lsof Command Examples

by Ramesh

Lsof stands for ls open files, which will list all the open files in the system. The open files include network connection, devices and directories. The output of the lsof command will have the following columns:

  • COMMAND process name.
  • PID process ID
  • USER Username
  • FD file descriptor
  • TYPE node type of the file
  • DEVICE device number
  • SIZE file size
  • NODE node number
  • NAME full path of the file name.

View all open files of the system

Execute the lsof command without any parameter as shown below.

  1. # lsof | more
  2. COMMAND     PID       USER   FD      TYPE     DEVICE      SIZE       NODE NAME
  3. init          1       root  cwd       DIR        8,1      4096          2 /
  4. init          1       root  rtd       DIR        8,1      4096          2 /
  5. init          1       root  txt       REG        8,1     32684     983101 /sbin/init
  6. init          1       root  mem       REG        8,1    106397     166798 /lib/ld-2.3.4.so
  7. init          1       root  mem       REG        8,1   1454802     166799 /lib/tls/libc-2.3.4.so
  8. init          1       root  mem       REG        8,1     53736     163964 /lib/libsepol.so.1
  9. init          1       root  mem       REG        8,1     56328     166811 /lib/libselinux.so.1
  10. init          1       root   10u     FIFO       0,13                  972 /dev/initctl
  11. migration     2       root  cwd       DIR        8,1      4096          2 /
  12. skipped

The lsof command by itself without may return lot of records as output, which may not be very meaningful except to give you a rough idea about how many files are open in the system at any given point of view as shown below.

  1. # lsof | wc -l
  2.  
  3. 3093

View open files by a specific user

Use lsof –u option to display all the files opened by a specific user.

  1. # lsof –u ramesh
  2.  
  3. vi      7190 ramesh  txt    REG        8,1   474608   475196 /bin/vi
  4.  
  5. sshd    7163 ramesh    3u  IPv6   15088263               TCP dev-db:ssh->abc-12-12-12-12.socal.res.rr.com:2631 (ESTABLISHED)

A system administrator can use this command to get some idea on what users are executing on the system.List Users of a particular file

If you like to view all the users who are using a particular file, use lsof as shown below. In this example, it displays all users who are currently using vi.

  1. # lsof /bin/vi
  2.  
  3. COMMAND  PID  USER    FD   TYPE DEVICE   SIZE   NODE NAME
  4. vi      7258  root   txt    REG    8,1 474608 475196 /bin/vi
  5. vi      7300  ramesh txt    REG    8,1 474608 475196 /bin/vi