Linux lsof Command

Chưa phân loại
The “lsof” command tool in Linux is one of the many built-in tools that’s super useful for checking out the “list of open files”. Yes, the term “lsof” is the abbreviation of the task.

There are a number of processes running in the system all the time, accessing different files of the system. These files could be disk files, scripts, network sockets, devices, named pipes, and others. Using “lsof”, it’s possible to perform a lot of things, like debugging. It’s also quite useful for system admins to figure out what files are being accessed by what processes. One of the most useful scenarios I’ve found is when you’re about to unmount a filesystem but it’s still being accessed.

Without further ado, let’s get started with “lsof”! I’m assuming that your current UNIX/Linux system already has “lsof” installed.


which lsof

This reports the full path of the command, in this case, “lsof”.

“lsof” version
lsof -v

This will report in-depth version information of “lsof”, including the build date of the binary, compiler version, compiler flags and others.

Basic “lsof” usage

Run “lsof” by itself.


This reports a BIG list of all the files that are being accessed by the system at the moment of running the command.

While all the fields are self-explanatory, mostly get confused about the “FD” and “TYPE” columns and their values. Let’s check them out.

FD: Abbreviation of “File Descriptor”. It comes up with the following values.

  • cwd: Current working directory
  • rtd: Root directory
  • txt: Program text (data, code, and others)
  • mem: Memory-mapped file
  • err: FD information error
  • mmap: Memory-mapped device
  • ltx: Shared library text (data and code)
  • m86: DOS Merge mapped file

There are also other values you’ll notice in the column, like “1u” followed by u, r, w, etc. value. What do those mean?

  • r: Read access
  • w: Write access
  • u: Read and write access
  • – : Unknown mode and it contains a lock character
  • ‘ ‘: Mode is unknown and there’s no lock character

TYPE: Describes the file type and its identification. The values are as follows.

  • DIR: Directory
  • CHR: Character-special file
  • REG: Regular file
  • FIFO: First in, first out

User-specific opened files

Linux is a brilliant multi-user platform. Multiple users can access the system at the same time and perform operations that they have permission for.

To check out the files that are being accessed by a certain user, run the following command.

lsof -u <username>

However, for checking out the users with higher rank, “lsof” will need “superuser” privilege.

sudo lsof -u <username>

How about checking out all the commands and files a certain user is accessing? Run the following one.

lsof -i -u <username>

Again, for users with higher rank, “lsof” will need the “superuser” privilege.

sudo lsof -i -u <username>

Port-specific running processes

For finding out all the processes that are currently using a certain port, call “lsof” with the “-i” flag followed by the protocol and port information.

lsof -i<46><protocol><@hostname|host_address>

For example, to check out all the programs currently accessing port 80 over TCP/IP protocol, run the following command.

lsof -i TCP:80

This method can also be used to show all the processes that are using ports within a certain range, for example, 1 to 1000. The command structure is similar to before with a little magic at the port number part.

lsof -i TCP:11000

Protocol-specific processes

Here are 2 examples showing the processes that are currently using the IPv4 and IPv6 protocols.

lsof -i 4

lsof -i 6

Listing network connections

The following command will report all the network connections from the current system.

lsof -i

Excluding with ^

Yes, we can exclude specific user, port, FD and others using the character “^”. All you have to do is use it with caution so that you don’t mess up the entire output.

In this example, let’s exclude all the processes from the user “root”.

lsof -u^root

There are other ways of using this excluding mechanism with “lsof”, for example, with the flags like “-c”, “-d” etc. Not all flags support this mechanism. That’s why I recommend trying out a demo with this method with any flag before implementing it into some scripts.

PID search

PID is an important property of any running process on the system. It allows finer pinpointing to a certain process. The process name isn’t quite helpful in lots of situations as the same binary can create copies of itself and perform different task in parallel.

If you don’t know how to get the PID of a process, just use “ps” to list all the running processes and filter the output using “grep” with the process name and/or commands.

ps -A

Now, perform the filtering using “grep”.

ps -A | grep <process_or_command>

Now, check out what files that PID is accessing.

lsof -p <PID >

Listing open files for a specific device

The functionality of “lsof” isn’t just limited to these functions. You can also filter the result of “lsof” by device basis as well. For this purpose, the command will look something like this.

lsof <device_mount_point>

This command is super useful to find out all the running processes with their owner info accessing a particular filesystem. If you’re having trouble unmounting a filesystem, this is the best way to go.

lsof <busy_device_mount_point>

List opened files under a directory

Similar to the previous example, just pass the directory path to “lsof” to find out if any process is accessing it.

Note: “lsof” will check the directory recursively, so it can take time.

=lsof +D <directory_path>

Bonus: terminate all user activity

Be extremely cautious with this part as it can simply mess up with everything a user is doing. The following command will kill all the running processes of a user.

sudo kill -9 `lsof -t -u <username`

Final thoughts

The features of “lsof” don’t just stop here. The ones mentioned here are the ones that we will need the most on a day to day basis. There are plenty other functionalities of “lsof” that can come in handy (in specific cases, of course).

For all the available features and their usage, check out the man and info pages of “lsof”.

man lsof

info lsof

lsof -?


Sandclock IDC thành lập vào năm 2012, là công ty chuyên nghiệp tại Việt Nam trong lĩnh vực cung cấp dịch vụ Hosting, VPS, máy chủ vật lý, dịch vụ Firewall Anti DDoS, SSL… Với 10 năm xây dựng và phát triển, ứng dụng nhiều công nghệ hiện đại, Sandclock IDC đã giúp hàng ngàn khách hàng tin tưởng lựa chọn, mang lại sự ổn định tuyệt đối cho website của khách hàng để thúc đẩy việc kinh doanh đạt được hiệu quả và thành công.
Bài viết liên quan

Nmap scan specific udp port

This tutorial starts by showing how to carry out UDP scans and identify vulnerable candidates to execute RDDOS (Reflective...

Install Converseen – Batch Image Resizer on Linux

Converseen recently released, is a free cross-platform batch image resizer for Windows and Linux that allows you...

How to Install and Use GNOME Shell Extensions in Linux

GNOME Shell is a popular desktop interface consisting of a panel, an application overview grid, a dock, a system tray and...
Bài Viết

Bài Viết Mới Cập Nhật

Hướng dẫn chuyển đổi windows server windows evaluation to standard và active windows server 2008 + 2012 + 2016 + 2019

How to Update Ubuntu Linux

Squid Proxy Manager cài đặt và quản lý Proxy Squid tự động trên ubuntu

Hướng dẫn cài đặt Apache CloudStack

Hướng dẫn ký file PDF bằng chữ ký số (chữ ký điện tử) và sửa lỗi mới nhất 2021 foxit reader