The lsof command lists open files, sockets, and pipes. You can use lsof command to see what files are held open (such as libraries or log files) and what ports daemons listen to. You can search for open files using lsof command. lsof should be run as the superuser (root) to see all open files. When used without any arguments/options lsof lists all open files for the current active processes.
# lsof COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME init 1 root cwd DIR 253,0 4096 2 / init 1 root rtd DIR 253,0 4096 2 / init 1 root txt REG 253,0 150352 4587561 /sbin/init (deleted) init 1 root DEL REG 253,0 4849693 /lib64/libnss_files-2.12.so ..........
Understanding output of “lsof” command:
COMMAND: Command using the file. PID: PID of the file USER: Owner of the file FD: File descriptor. Different flags of File descriptor are as below: # : The number in front of flag(s) is the file descriptor number used by the process to associate with the file u : File open with Read and Write permission r : File open with Read permission w : File open with Write permission W : File open with Write permission and with Write Lock on entire file mem : Memory mapped file, usually for shared library TYPE: File type. Different flags of File type are as below: REG - Regular file DIR - Directory DEVICE: major, minor number of the device where file resides. SIZE/OFF: File size NODE: inode number NAME: File name
Find open files under a mount point
Open files under a particular directory can be found using lsof. For example open a text file (do not close it – keep it open) under a directory for editing using vi and check the lsof output under that directory in another session.
# cd /test # vi a.txt
In another session check for lsof output under that directory:
# lsof /test COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME bash 2972 root cwd DIR 253,0 4096 262145 /test vi 3012 root cwd DIR 253,0 4096 262145 /test
This can also be used to umount the busy mount point. Processes keeping the mount point busy can be found using lsof.
Finding info on particular process
For more information about a particular process, use the -p option to lsof:
# lsof -p 8797
Show Listen Addresses
Daemons may either bind to the global 0.0.0.0 IPv4 address, or to specific addresses, such as 127.0.0.1 (localhost). A daemon bound to the localhost address will only be reachable from the system itself. Use the -i and -nP options to lsof to show listening ports without lookups on hostnames and services. For example, the following shows the Apache httpd daemon running on localhost at the non-standard port of 7777. Other systems will not be able to connect to this httpd processes: good for security, bad for remote connectivity.
Example:
# lsof -i -nP | grep httpd httpd 8616 apache 16u IPv4 0x0455567fh 0t0 TCP 127.0.0.1:7777 (LISTEN) httpd 8614 apache 16u IPv4 0x0455567fh 0t0 TCP 127.0.0.1:7777 (LISTEN) httpd 8623 apache 16u IPv4 0x0455567fh 0t0 TCP 127.0.0.1:7777 (LISTEN)
Example:
In contrast, the following OpenSSH sshd process will accept connections from other systems, as it is bound to the 0.0.0.0 address, as indicated by the * preceeding the port number.
# lsof -i -P | grep sshd sshd 4341 root 3u IPv4 46438 TCP *:22 (LISTEN)
Certain applications listen on many different ports, such as the Berkeley Internet Name Daemon (BIND) named daemon, version 9.
Example:
# lsof -i -nP | grep ^named named 9865 named 5u IPv6 0x03348be0 0t0 UDP *:53 named 9865 named 6u IPv6 0x0566re80 0t0 TCP *:53 (LISTEN) named 9865 named 7u IPv4 0x03456b10 0t0 UDP 127.0.0.1:53 named 9865 named 8u IPv4 0x01870570 0t0 TCP 127.0.0.1:53 (LISTEN) named 9865 named 9u IPv4 0x03456a40 0t0 UDP *:49164 named 9865 named 10u IPv6 0x03456970 0t0 UDP *:49165 named 8888 named 11u IPv4 0x0186fd54 0t0 TCP *:953 (LISTEN) named 8888 named 13u IPv4 0x01387ee0 0t0 UDP 168.1.863.1:67 named 8888 named 14u IPv4 0x099899ce4 0t0 TCP 168.1.863.1:67(LISTEN)
Find files opened by a process
A process may not work for other reasons, such as a firewall, access service control like tcp_wrappers, or some other misconfiguration. Use ping, telnet, or nmap to check from a remote system whether something else may be blocking the request, or run tcpdump to see whether connections leave the source or arrive at the target system.
Example
To see what files are opened by processes whose names starts by “t” (telnetd…) and bash. And to see what files are opened by init use the following commands:
# lsof -c t # lsof -c bash # lsof -c init
Example
To see what files are opened by processes whose names starts by “testuser”, but exclude those whose owner is the user “tom” use the following command:
# lsof -c testuser -u ^tom
Find processes opened by users
To see what processes are opened by users myuser and tom, use the following command:
# lsof -u myuser,tom
Finding port used by process
To see what processes are using a particular port use the following command:
# lsof -i TCP:389
How To Find The Number Of Open Files for a Process Name and process pid sorted by number of open files?
This can be interesting when error “too many open files” come up. Use below script which makes use of lsof command:
# lsof | perl -lane '$x{"$F[0]:$F[1]"}++;END { print "$x{$_}\t$_" for sort {$x{$a}<=>$x{$b}} keys %x}'
Find Processes Using Max File Descriptors
File descriptors limits can be set using the following command for a shell:
# ulimit -n 65536
Use the “lsof” command to find what is using the file descriptiors on the system.
# lsof -g | awk '{print $2}' | sort -u > /tmp/lsof_sort.txt
# for var in `cat /tmp/lsof_sort.txt` do echo `echo "$var ---- "``grep -x $var /tmp/lsof.txt | wc -l` done
This will list all the processes and the corresponding number of files opened by them. You can pick the processes which have the most number of files open and see what are they.