lsof Open Files

lsof cheatsheet — find what's using a port, list open files per process. lsof -i :8080, lsof -p PID, lsof -u user, lsof /path/to/file. Full open files reference.

5 min read

What it is

lsof lists open files and the processes that opened them, useful for debugging resource leaks or understanding what’s using a particular port or file.

Installation

Linux:

sudo apt update && sudo apt install lsof
sudo yum install lsof

macOS: lsof is pre-installed on macOS.

Windows: lsof is not directly available on Windows. Consider using Sysinternals tools like Process Explorer or Handle for similar functionality.

Core Concepts

lsof works by inspecting the kernel’s data structures that track open file descriptors. It can report on various types of files:

  • Regular files: Standard files on disk.
  • Directories: Opened directories.
  • Network files: Sockets (TCP, UDP), network connections.
  • Character and block special files: Device files.
  • Pipes and FIFOs: Inter-process communication mechanisms.
  • Shared libraries: Loaded libraries.
  • Knowledge Workstations: Memory-mapped files.

Commands / Usage

Listing All Open Files

  • List all open files by all processes:
    lsof
    Lists every open file descriptor for every running process.

Filtering by Process

  • List files opened by a specific process ID (PID):

    lsof -p 1234

    Shows all files opened by the process with PID 1234.

  • List files opened by processes with a specific name:

    lsof -c sshd

    Shows all files opened by processes whose command name starts with sshd.

  • List files opened by the current user:

    lsof -u $(whoami)

    Shows all files opened by the currently logged-in user.

  • List files opened by a specific user:

    lsof -u www-data

    Shows all files opened by the user www-data.

Filtering by File or Directory

  • List processes that have a specific file open:

    lsof /var/log/syslog

    Shows which processes have the file /var/log/syslog open.

  • List processes that have a specific directory open:

    lsof /var/www/html

    Shows processes that have opened files within or the directory /var/www/html itself.

  • List processes that have a specific file descriptor open:

    lsof /dev/sda1

    Shows processes accessing the block device /dev/sda1.

Filtering by Network Activity

  • List all network connections (TCP and UDP):

    lsof -i

    Shows all active internet connections and listening sockets.

  • List all TCP connections:

    lsof -i TCP

    Shows all active TCP connections and listening sockets.

  • List all UDP connections:

    lsof -i UDP

    Shows all active UDP sockets.

  • List processes listening on a specific port:

    lsof -i :80

    Shows processes listening on TCP or UDP port 80.

  • List processes using a specific port range:

    lsof -i :8000-9000

    Shows processes using ports between 8000 and 9000.

  • List processes using a specific protocol and port:

    lsof -i TCP:443

    Shows processes listening on or connected via TCP port 443.

  • List processes connected to a specific host and port:

    lsof -i @192.168.1.100:22

    Shows processes connected to host 192.168.1.100 on port 22.

  • List processes using IPv4 or IPv6:

    lsof -i 4  # IPv4 only
lsof -i 6  # IPv6 only

Combining Filters

  • List files opened by process 1234 that are network connections:

    lsof -p 1234 -i

  • List processes listening on port 22 by user root:

    lsof -u root -i :22

  • List all open files by the 'nginx' process that are regular files:

    lsof -c nginx -f

    (Note: -f is for regular files, but often implied. Explicitly listing file types can be done with -a and specific type codes like REG).

Advanced Usage and Output Control

  • List open files and exit immediately after the first match:

    lsof -t /var/log/myapp.log

    Outputs only the PIDs of processes that have /var/log/myapp.log open. Useful for scripting.

  • List only PIDs:

    lsof -t /var/log/myapp.log

  • List only command names:

    lsof -F c /var/log/myapp.log

  • List open files and show file descriptor types:

    lsof -d FD

    (Where FD is a file descriptor number, e.g., lsof -d 0 for stdin).

  • List open files and show network addresses:

    lsof -i -P -n

    -P prevents port name lookups (shows numbers), -n prevents hostname lookups (shows IPs).

  • List processes using deleted files (often indicate resource leaks):

    lsof +L1

    Shows files that have been unlinked but are still held open by a process.

  • List processes using shared libraries:

    lsof /usr/lib/libc.so.6

    Shows which processes have a specific shared library loaded.

Common Patterns

  • Find which process is using a specific port (e.g., 8080):

    lsof -i :8080

    If you get a result, you can then use the PID to get more details: lsof -p <PID>

  • Find which process is blocking a file from being deleted:

    lsof /path/to/your/file

    This will show you the process holding the file open.

  • Find network connections for a specific application (e.g., MySQL):

    lsof -c mysqld -i

  • Kill a process that is holding a file open:

    kill -9 $(lsof -t /path/to/file)

    Caution: Use kill -9 with extreme care as it forcefully terminates the process without allowing it to clean up.

  • Find processes that have deleted files open (often a sign of memory leaks or hung processes):

    lsof | grep '(deleted)'

    Or more directly:

    lsof +L1

  • See all network activity on your machine (verbose):

    lsof -i -P -n

    This is a very common way to get a quick overview of network traffic.

Gotchas

  • Permissions: On Linux, you typically need root privileges (sudo) to see files opened by all processes. Without sudo, you’ll only see files opened by your own processes.
  • Output Volume: Running lsof without any filters can produce a massive amount of output. Always try to narrow it down with specific PIDs, users, files, or network filters.
  • -c matching: The -c flag matches the beginning of the command name. lsof -c ssh will match sshd but not ssh-agent. Use multiple -c flags or a broader -c and then filter the output if needed.
  • File descriptors: The output FD column (File Descriptor) can be cryptic. Common ones include cwd (current working directory), txt (program text/code), mem (memory-mapped file), rtd (root directory), 0u (stdin), 1u (stdout), 2u (stderr), and numerical descriptors (e.g., 3u).
  • Network State: The STATE column for network files is important. LISTEN indicates a server waiting for connections, ESTABLISHED indicates an active connection.
  • Deleted Files: A file marked as (deleted) in lsof output means the file has been removed from the filesystem, but a process still holds an open file descriptor to it. This can prevent disk space from being freed until the process closes the file descriptor or terminates.