LiSt Open Files (lsof) is a useful and powerful tool that shows you open files. In Unix everything is a file: pipes are files, IP sockets are files, Unix sockets are files, directories are files, devices are files, inodes are files…

So in this tangle of files, lsof lists the files opened by processes running on your system. When lsof is called without parameters, it shows all the files opened by every process.

lsof | nl

Let me know who is using the apache executable file, /etc/passwd, what files are opened on device /dev/sda6 or who’s accessing /dev/cdrom:

lsof `which apache`
lsof /etc/passwd
lsof /dev/sda6
lsof /dev/cdrom

Now show me what process IDs are using the apache binary, and only the PID:

lsof -t `which apache`

Show me what files are opened by processes whose names start with “k” (klogd, kswapd…) and bash. Show me what files are opened by init:

lsof -c k
lsof -c bash
lsof -c init

Show me what files are opened by processes whose names start with “sendmail”, but exclude those whose owner is the user “rob”:

lsof -c sendmail -u ^rob

Show me the files opened by user apache and user john:

lsof -u apache,john

Show me what files are used by the process whose PID is 30297:

lsof -p 30297

Search for all opened instances of directory /tmp and all the files and directories it contains:

lsof +D /tmp

List all opened internet sockets and sockets related to port 80:

lsof -i
lsof -i :80

List all opened Internet and UNIX domain files:

lsof -i -U

Show me what process(es) have a UDP connection open to or from a given host at port 123 (ntp); HOST below is a placeholder for that host's name or address:

lsof -i UDP@HOST:123

Using the -t and -c options together you can HUP processes:

kill -HUP `lsof -t -c sshd`

lsof provides many more options and can be an invaluable forensic tool if your system gets compromised, or a tool for daily checks.
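
One way to use lsof -i as the kind of daily check mentioned above (an added example, not from the original post): a shell function that reads lsof -i -n -P output and reports listening TCP sockets that are missing from an allowlist. The sample output and the allowlist are constructed for illustration; -n and -P only turn off host and port name lookups so the NAME column stays numeric.

```shell
#!/bin/sh
# Added example: triage of `lsof -i -n -P` output for unexpected listeners.
# SAMPLE is constructed data in lsof's default column layout, not a real capture.
SAMPLE='COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812   root    3u  IPv4  18211      0t0  TCP *:22 (LISTEN)
apache2  1410   root    4u  IPv6  20177      0t0  TCP *:80 (LISTEN)
apache2  1433 www-data  4u  IPv6  20177      0t0  TCP *:80 (LISTEN)
ntpd      950    ntp   16u  IPv4  19002      0t0  UDP *:123
sshd     2207   root    3u  IPv4  31877      0t0  TCP 192.0.2.10:22->198.51.100.7:51514 (ESTABLISHED)
sh       3391 www-data  5u  IPv4  40112      0t0  TCP *:4444 (LISTEN)'

# Hypothetical allowlist: "command:port" pairs expected to listen on this host.
ALLOWED='sshd:22 apache2:80'

# unexpected_listeners reads lsof -i output on stdin and prints
# "command pid user port" for each TCP LISTEN socket not in the allowlist ($1).
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                       # skip the header row
        $NF != "(LISTEN)" { next }             # keep only listening TCP sockets
        {
            addr = $(NF - 1)                   # NAME column, e.g. *:80 or [::1]:631
            port = addr; sub(/.*:/, "", port)  # text after the last colon
            key = $1 ":" port
            # report each pid/port pair once, even if listed for IPv4 and IPv6
            if (!(key in ok) && !seen[$2 ":" port]++) print $1, $2, $3, port
        }'
}

# On a live system: lsof -i -n -P | unexpected_listeners "$ALLOWED"
printf '%s\n' "$SAMPLE" | unexpected_listeners "$ALLOWED"
```

Fields are counted from the end of each line because the NAME column is the only one whose position is stable when a socket state such as (LISTEN) is appended.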
