Using lsof to Find Open Files
More on open source servers
One of the most useful utilities you'll find on Linux and *nix systems is
lsof. Short for "list open files," the
lsof utility can help identify which files are being used by any given application, which network ports are open, and much more.
lsof utility has all manner of useful applications. My first serious application of
lsof was hunting down rootkits and IRC bots that were deployed on shared Linux servers. A process would show up in
ps aux, but the executable didn't seem to exist. Using
lsof, I could hunt down the scripts or executables used to run the malware.
You can do a lot with
lsof, but let's focus on a couple of basics for starters. If you run just
lsof, it will attempt to show all files (which includes network sockets, pipes and special files) that are open. That's a lot to digest, and it's probably more than you need. Let's look at narrowing that down. For example, if you want to see all the open files owned by a process, you can use the
-p option (for PID) like so:
lsof -p XXXXX
Here, you want to replace XXXXX with the process ID (PID) of the process you want to see. Note that you want to run this as root or using
sudo. The output will show the command that has the file open, the PID, the user, the file descriptor, type, size of the file and the name of the file.
You can also see what files are open by users. Running
lsof -u user will show all open files by processes owned by the user. You can also substitute the user ID (UID) for the username. If you want to eliminate a user from the listing, use
^user instead. The preceding caret will negate the selection, so the user will be ignored.
If you want to see what files are open over the network, use
This will show you which files and sockets are open, and their respective protocols,
hostnames and so on. You can narrow network parameters down by IP version (
-i6 for IPv6), protocol (UDP or TCP), and even hostname
or port. By default,
lsof will look up hostnames -- but you can
turn this off using the
-n option. It will run faster without
needing to do name lookups.
You can also "and" things using the
-a option. Want to see what network sockets are owned by a particular user or process? Try
lsof -u user -a -i. That will show only the open TCP and UDP sockets.
Just the options given here can be fairly useful in day-to-day administration. But be sure to check the
lsof man page for more options and operating system specific options.
Joe 'Zonker' Brockmeier is a freelance writer and editor with more than 10 years covering IT. Formerly the openSUSE Community Manager for Novell, Brockmeier has written for Linux Magazine, Sys Admin, Linux Pro Magazine, IBM developerWorks, Linux.com, CIO.com, Linux Weekly News, ZDNet, and many other publications. You can reach Zonker at email@example.com and follow him on Twitter.