lsof finds, shows, and searches data streams

SUNG KUK KIM, 123RF


Open Doors

lsof gives you a comprehensive list of all open files, be it a regular file, a library, a network file, or a data stream. We show you how to use lsof and how to make things easy with a simple graphical interface.

The idea of lsof [1] is quite simple: The application identifies special system resources – regular files, directories, block and graphical devices, streams or network files (sockets) – which are opened by the kernel. Then it prints a list of these resources, along with additional information, such as the PID, UID, status, and so on. In addition, lsof discloses the paths of opened files, which allows you to find out which libraries and configuration files an application is currently using.

This information helps you detect and debug errors in running processes on the system. For example, if you encounter a problem while trying to unmount a plugged-in USB hard disk, lsof shows you the blocking process that is still accessing the resource. Quitting this process makes it possible to remove the device in an orderly fashion. It gets harder if processes no longer respond to signals or have crashed. In those cases, you may still be able to identify them, but you may not be able to terminate them with kill.

However, lsof is far more than a simple tool for finding open files or, more specifically, internally used file descriptors. It includes features that ps, netstat, and a number of other tools provide. It is exactly this diversity of functions that makes working with lsof not that easy. As with other command-line programs, lsof's special features can be activated and deactivated with options (Table 1). It's worth taking a deeper look at lsof's option syntax.

Table 1

Important Options of lsof

Option            Function
-a                Logical AND
-b                Avoids lsof using blocking functions
-c <character>    Selects only processes that begin with character
+c <count>        Defines how many characters are considered
+d <directory>    Finds everything that points to the directory and the files in it
-d <pattern>      Excludes everything that matches the given pattern
+D <directory>    Same as +d but includes subdirectories
+/-f              Defines how lsof should interpret paths
-i4 / -i6         Only considers IPv4 or IPv6 connections
-p <PID>          Only considers processes with the given PID
-t                Only prints PIDs to make the output usable as argument for kill
-u <user>         Only considers processes of the given user (use the UID or name)
-U                Use Unix Domain Sockets
-T <key>          Print TCP/IP information according to key (see man page)
-s                Shows file sizes
-S <seconds>      Timeout for kernel functions (min. 2s, default 15s)
+/-r <seconds>    Activates repeat mode
-V                Marks requested but not found commands, files, IDs, etc.

Syntax

As indicators for options (prefixes), lsof uses both the well-known minus sign (-<option>) and the plus sign (+<option>). Minus signs introduce and activate options, and you can combine multiple switches: -a -b can also be written as -ab, and -ac <count> works the same as -a +c <count>.

The plus sign is reserved for more specialized options. It matters whether you call an option with a plus or a minus sign prefix. If you put an option with a plus sign in front of options with minus signs, lsof usually combines them without any issues: +M -a is equivalent to +Ma. However, when in doubt, you should write the options separately or in groups with the respective prefixes.

If you don't specify otherwise, lsof combines the options with a logical OR internally (<condition1> OR <condition2>). The -a option changes the default behavior, combining the other options with a logical AND (<condition1> AND <condition2>). Furthermore, you can negate conditions with a caret (^). For example, to exclude a UID, use -u ^<UID>. This is roughly similar to the syntax of groups in regular expressions.

Outputs

If you start lsof without options, it lists all currently opened files of all processes (Listing 1). At the very beginning, the output shows a short info row with the column descriptions. You can sort the output by many of these columns or reduce the output with options. By default, lsof sorts the output by the first column (COMMAND) so that all details of a process are grouped together. This corresponds to sorting by the process ID (PID).

Listing 1

lsof without options

$ lsof
COMMAND  PID  USER   FD  TYPE  DEVICE  SIZE/OFF    NODE  NAME
systemd    1  root  cwd   DIR     8,6      4096       2  /
systemd    1  root  rtd   DIR     8,6      4096       2  /
systemd    1  root  txt   REG     8,6   1511624  400489  /usr/lib/systemd/systemd
systemd    1  root  mem   REG     8,6     19024  413874  /usr/lib/libuuid.so.1.3.0
[...]

Under USER, you find (unsurprisingly) the name of the user, but not its UID. Next comes the column with the file descriptors (FD) that create channels to certain files or directories. The most important of the possible values are listed in Table 2.

Table 2

File Descriptors

Descriptor    Meaning
cwd           Current working directory
txt           Text file (code and data)
rtd           Root directory
mem           Memory-mapped file (mostly libraries)
mmap          Memory-mapped device (device access)
ltx           Shared library text (code and data)
err           FD information error (access error)
pd            Parent directory

Numeric values followed by one or more alphabetical characters stand for descriptor numbers with details about file access. The first character can be either r for read access, w for write access, or u for both. The optional second character describes the type of file lock. Here, too, the character can be r, w, or u, as well as variants with capital letters. With that information, you can see whether parts of the file (lowercase letters) or the whole file (capital letters) are locked. You can find more about this in the LOCKS section of the lsof man page.

The next field contains a TYPE for the file descriptor. This marks the connection type, such as a local file, a pipe, a FIFO queue, a network connection, and so on. The most frequent variants are listed in Table 3.

Table 3

FD Types

Type          Meaning
REG           Regular local file
DIR           Directory
PIPE          Pipe
IPv4, IPv6    IP connection (socket)
DEL           Deleted file
BLK           Block device
CHR           Character device

The number combination under DEVICE reveals which device is connected. The file size can be found under SIZE/OFF. The NAME column is of particular importance since it contains the path and name of the opened file – as long as the entry corresponds to a regular local file.
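
The following script is an added example, not part of the original article. It decodes the FD column as described above and lists which processes hold entries at or below a directory, which is the "who is blocking my unmount" case from the introduction. The function names, the /media/usb path, and the sample lines are constructed for illustration, and the parser assumes the nine columns of Listing 1 with none of them empty.

```shell
#!/bin/sh
# Added example: decode lsof's FD column and find holders of a directory.
# Assumes the nine-column default layout of Listing 1, no empty columns.

# Constructed sample output (not captured from a real system).
sample_lsof() {
cat <<'EOF'
COMMAND  PID  USER   FD  TYPE  DEVICE  SIZE/OFF    NODE  NAME
bash    2101  anna  cwd   DIR    8,17      4096       2  /media/usb
vim     2250  anna    4u  REG    8,17     12288     131  /media/usb/.notes.txt.swp
backup  2307  root    3r  REG    8,17   7340032     140  /media/usb/photos.tar
backup  2307  root   5wW  REG     8,6       512  401122  /var/lock/backup.lock
sshd     812  root  txt   REG     8,6    876328  400611  /usr/bin/sshd
EOF
}

# decode_fd FIELD -> "kind|access|lock" for one FD column value.
decode_fd() {
  awk -v fd="$1" 'BEGIN {
    n["cwd"] = "current working directory"; n["rtd"] = "root directory"
    n["txt"] = "text file (code and data)"; n["mem"] = "memory-mapped file"
    a["r"] = "read"; a["w"] = "write"; a["u"] = "read/write"
    l["r"] = "read lock, part of file";  l["R"] = "read lock, whole file"
    l["w"] = "write lock, part of file"; l["W"] = "write lock, whole file"
    l["u"] = "read/write lock"
    if (fd in n) { print n[fd] "|-|-"; exit }
    if (match(fd, /^[0-9]+/) == 0) { print "other|-|-"; exit }
    num = substr(fd, 1, RLENGTH); rest = substr(fd, RLENGTH + 1)
    m = substr(rest, 1, 1); k = substr(rest, 2, 1)   # access mode, lock type
    print "descriptor " num "|" ((m in a) ? a[m] : "unknown") "|" \
          ((k == "") ? "none" : ((k in l) ? l[k] : "other"))
  }' </dev/null
}

# holders DIR: read lsof output on stdin and print "PID COMMAND FD NAME"
# for every entry at or below DIR. NAME may contain spaces, so rebuild it.
holders() {
  awk -v dir="$1" 'NR > 1 {
    name = $9; for (i = 10; i <= NF; i++) name = name " " $i
    if (name == dir || index(name, dir "/") == 1) print $2, $1, $4, name
  }'
}

# Report each holder of the constructed mount point with its decoded FD.
sample_lsof | holders /media/usb | while read -r pid cmd fd name; do
  echo "$pid $cmd: $(decode_fd "$fd") -> $name"
done
```

On a live system, pipe real output into holders instead of the constructed sample, for example from lsof +D <directory>.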
