Last week’s tip looked at fuser, which shows which process is
accessing a given file. lsof is another tool for locating open
files. What makes this especially useful is that in Linux, everything
is treated as a file: pipes, directories, devices, inodes, sockets and so
on.
Tip of the Trade: From pipes to directories to sockets, lsof is able to locate all open files.
lsof (no options) will list all files opened by any processes currently running. To restrict this to processes owned by username, use
lsof -u username. Here’s some sample output:
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME sshd 2354 juliet mem REG 254,0 14880 105723 /lib/libcap.so.1.10 sshd 2354 juliet DEL REG 0,8 127123574 /dev/zero bash 2363 juliet cwd DIR 254,4 20480 7274497 /home/juliet bash 2363 juliet txt REG 254,0 769368 4126 /bin/bash bash 2363 juliet mem REG 254,0 97928 105698 /lib/ld-2.3.6.so
The FD column shows file descriptor information, or identifies
other types of file. Here, cwd indicates the current working
directory, and txt indicates program text. The TYPE column has
filetype info (REG indicates a regular file). The NODE column may be
useful if you’re trying to recover a deleted file.
See the man page for a full explanation of the output.
lsof filename shows which processes have files of this name open.
lsof +D /directory will show processes which have files in this
directory open. You can use this if you’re trying to unmount a filesystem but
getting an ‘in use’ error, to find the processes using files on that FS and
kill them as required.
lsof -c processname will show all processes beginning with
processname that have files open; lsof +p PID does the same
thing for a process ID. Using lsof -i will get you information about
IP sockets. Check out the man page for more detail and for the many other
available options.