13 lsof Command Linux Best Examples – List Open Files RHEL 7

lsof command is stands for “List Open Files”. lsof command is used to list out open files, process id’s, User related network shared files and temp files which are still not deleted because of process holdings.

An open file can be anything like Regular file, A Directory, a block special file, character file or any other file type.

# lsof
 bash: lsof: command not found

You can install using below command in Red Hat Enterprise Linux 7 and Centos 7

# yum install lsof

Running lsof command from Super User/Root User will give more details.

# lsof

lsof

If you want to find out which process is using particular file you can use below command.

# lsof /var/log/messages

Check Particular File Used by which service

From the output of above command /var/log/messages file is used by rsyslogd service

Open Files Under Particular Directory – lsof command

# lsof +D /etc

Using +D option you can specify particular directory path so that lsof command will list all open files under that directory path

Particular Directory Path

# lsof -c systemd

-c is the option to specify particular command/process name to find associated open files using lsof command

Find files using process name

List All Processes using particular Mount Point

# lsof /home
# lsof +D /home/

+D directory or directory tree which are the files/directory under use by process and command

list mount point open files

See all Opened files and Processes of User

# lsof -u user

-u is the option which can be used to specify user name, That particular user opened files and PID will be listed

User opened files and processes

Exclude Particular User Opened files and PIDs

# lsof -u ^user

Using ^(cap Or Caret character) before user name will exclude user name from output

Exclude Particular User opened Files

Trace Particular PID, It’s opened files

# lsof -p 1599

-p is used to specify process Identification number PID. If you would like to know particular process, what are the files it is using simply use above command and change PID

List all Process used files

Repeat lsof command multiple times

# lsof -u user -c sshd -a -r10

The combination of multiple options you can use, even you can use -p -u -c. – a means AND Selection which means current option Plus other option in lsof command

List All IPv4 and IPv6 Network Files

# lsof -i4 -- List All IPv4
# lsof -i6 -- List All IPv6 Network open files

-i can be used to select IPv4 or IPv6 version connections. It will list all connection currently established and listening.

ipv4 and ipv6 listening

lsof -i

without providing any number like 4 or 6 will list all sockets listening, IPv4 and IPv6

Another command example is below

# lsof -Pnl +M -i4

Find which program is using the particular port  number, this option is mostly useful if you would like to find out what are the programs accessing port number

# lsof -i TCP:80 -a -i UDP:80

List Connections to a specific host

# lsof -i@IP-Address

 If you would like to trace particular remote host, how many connections from remote host. While troubleshooting it will help a lot

In real time i use below commands to kill and clear disk space. Below commands can save your life when your running out of disk space. Example is “/”  Slash partition is full and i could not able to trace what are the files are using space. Using find command you can find under “/” but those files are deleted but there PID are still in process queue. Without restarting services or server you can simply clear all deleted .TMP files.

# lsof |grep deleted   ##To check deleted Temp Files

# lsof |grep deleted |grep ".TMP" | awk '{ print $2 }' | xargs kill -9 ##Clear Temp Files by killing PID's

# lsof |grep deleted |grep ".TMP" |awk '{print $9}' | xargs rm -f ##To delete Temp Files

lsof command options below

  • -a AND selections
  • -b avoid kernel blocks
  • -c c cmd c ^c /c/[bix]
  • +c w COMMAND width (9)
  • +d s dir s files  -d s select by FD set  +D D dir D tree
  • -i Select IPv[46] files
  • -K List tasks
  • -l List UID numbers
  • -n No host names
  • -N Select NFS files
  • -o List file offset
  • -O No overhead *RISKY*
  • -P No port names
  • -R list parent PID
  • -s List file size
  • -t Terse listing
  • -T Disable TCP/TPI info
  • -U Select Unix socket
  • -v List version info
  • -V Verbose search
  • +|-w Warnings
  • -X Skip TCP&UDP* files
  • -Z SELinux Context
  • +f|-f +filesystem or -file names
  • -F [f] select fields;
  • +|-M Port-map registration
  • -p s Exclude(^)|selected PIDs
  • -S [t] t second stat timeout (15)
  • -s p:s exclude(^)|select protocol (p = TCP|UDP) states by name(s).
  • -u s exclude(^)|select login|UID set s

Related Articles

Monitor user activity in Linux server

Lock and Unlock User Account using pam_tally2 command

Video tutorial

Thanks for your wonderful Support and Encouragement