lsof
-
- List all network connections
- List all processes listening on a particular port
- List all TCP or UDP connections
- List all IPv4 or IPv6 network files
- List all network files using TCP port ranges from 1-1024
- List all network files in use by a specific process
- List active connections
- List reads and writes of a directory
- List NFS files
Summary
The command ‘lsof’ is used and short for list open files.
Usage Examples
List all network connections
# lsof -iList all processes listening on a particular port
# lsof -i :80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 37813 root 4u IPv4 3609901 0t0 TCP *:http (LISTEN)
httpd 37826 apache 4u IPv4 3609901 0t0 TCP *:http (LISTEN)
httpd 37827 apache 4u IPv4 3609901 0t0 TCP *:http (LISTEN)
httpd 37828 apache 4u IPv4 3609901 0t0 TCP *:http (LISTEN)
httpd 37829 apache 4u IPv4 3609901 0t0 TCP *:http (LISTEN)
httpd 37830 apache 4u IPv4 3609901 0t0 TCP *:http (LISTEN)
httpd 37831 apache 4u IPv4 3609901 0t0 TCP *:http (LISTEN)
httpd 37832 apache 4u IPv4 3609901 0t0 TCP *:http (LISTEN)
httpd 37833 apache 4u IPv4 3609901 0t0 TCP *:http (LISTEN)List all TCP or UDP connections
# lsof -i tcp
# lsof -i udpList all IPv4 or IPv6 network files
# lsof -i 4
# lsof -i 6List all network files using TCP port ranges from 1-1024
# lsof -i TCP:1-1024List all network files in use by a specific process
# lsof -i -a -p <pid>List active connections
# lsof -LnPTqs
# lsof -LnPTqs | grep -i 10.100List reads and writes of a directory
# lsof <path> | grep -e "[[:digit:]]\+r\|[[:digit:]]\+w"List NFS files
# lsof -NSysctl Help
List count of file descriptors in kernel memory
# sysctl fs.file-nr
fs.file-nr = 26360 0 16401474Scenario Based Examples
Process holding open (deleted) files
A process may be unable to write to a given directory and may state there is no space left on the
device, but the ouput of df shows there is plenty of space left. In this scenario,
it may be likely that the process is holding a lock on file(s) that have been ‘deleted’, and lsof
can help determine if that is the case.
Reviewing the output of the lsof command, take note of lines with ‘(deleted)’ in them. The ‘(deleted)’ string means the file has been deleted, but it could not be removed because it is locked by a running process. To resolve this issue, the process holding the files opened would need to be stopped to release the file locks, freeing up disk space.
BONUS
If in a bind and the process cannot be stopped, it is possible to track down file descriptor(s)
in /proc/<pid>/fd/ and zero the ‘deleted’ file. That process may look something like the below:
# > /proc/<pid>/fd/4Referenced commands: df