Using lsof to Find Open Files

By Joe Brockmeier (Send Email)
Posted Nov 22, 2010


More on open source servers

One of the most useful utilities you'll find on Linux and *nix systems is lsof. Short for "list open files," the lsof utility can help identify which files are being used by any given application, which network ports are open, and much more.

lsof is one of the most useful utilities for Linux and Unix systems. At its most basic, lsof can help identify which files are being used by any given application and which network ports are open.

The lsof utility has all manner of useful applications. My first serious application of lsof was hunting down rootkits and IRC bots that were deployed on shared Linux servers. A process would show up in top or ps aux, but the executable didn't seem to exist. Using lsof, I could hunt down the scripts or executables used to run the malware.

You can do a lot with lsof, but let's focus on a couple of basics for starters. If you run just lsof, it will attempt to show all files (which includes network sockets, pipes and special files) that are open. That's a lot to digest, and it's probably more than you need. Let's look at narrowing that down. For example, if you want to see all the open files owned by a process, you can use the -p option (for PID) like so:

lsof -p XXXXX

Here, you want to replace XXXXX with the process ID (PID) of the process you want to see. Note that you want to run this as root or using sudo. The output will show the command that has the file open, the PID, the user, the file descriptor, type, size of the file and the name of the file.

You can also see what files are open by users. Running lsof -u user will show all open files by processes owned by the user. You can also substitute the user ID (UID) for the username. If you want to eliminate a user from the listing, use ^user instead. The preceding caret will negate the selection, so the user will be ignored.

If you want to see what files are open over the network, use -i. This will show you which files and sockets are open, and their respective protocols, hostnames and so on. You can narrow network parameters down by IP version (-i4 for IPv4, -i6 for IPv6), protocol (UDP or TCP), and even hostname or port. By default, lsof will look up hostnames -- but you can turn this off using the -n option. It will run faster without needing to do name lookups.

You can also "and" things using the -a option. Want to see what network sockets are owned by a particular user or process? Try lsof -u user -a -i. That will show only the open TCP and UDP sockets.

Just the options given here can be fairly useful in day-to-day administration. But be sure to check the lsof man page for more options and operating system specific options.

Joe 'Zonker' Brockmeier is a freelance writer and editor with more than 10 years covering IT. Formerly the openSUSE Community Manager for Novell, Brockmeier has written for Linux Magazine, Sys Admin, Linux Pro Magazine, IBM developerWorks, Linux.com, CIO.com, Linux Weekly News, ZDNet, and many other publications. You can reach Zonker at jzb@zonker.net and follow him on Twitter.

Follow ServerWatch on Twitter

Page 1 of 1


Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.