Difference between revisions of "Lsof Command Examples"
(One intermediate revision by the same user not shown) | |||
Line 1: | Line 1: | ||
Original post: http://www.thegeekstuff.com/2012/08/lsof-command-examples/ | Original post: http://www.thegeekstuff.com/2012/08/lsof-command-examples/ | ||
− | 1. Introduction to lsof | + | '''1. Introduction to lsof''' |
Simply typing lsof will provide a list of all open files belonging to all active processes. | Simply typing lsof will provide a list of all open files belonging to all active processes. | ||
Line 31: | Line 31: | ||
For a complete list of FD & TYPE, refer man lsof. | For a complete list of FD & TYPE, refer man lsof. | ||
− | 2. List processes which opened a specific file | + | '''2. List processes which opened a specific file''' |
You can list only the processes which opened a specific file, by providing the filename as arguments. | You can list only the processes which opened a specific file, by providing the filename as arguments. | ||
Line 40: | Line 40: | ||
rsyslogd 488 syslog 1w REG 8,1 1151 268940 /var/log/syslog | rsyslogd 488 syslog 1w REG 8,1 1151 268940 /var/log/syslog | ||
− | 3. List opened files under a directory | + | '''3. List opened files under a directory''' |
You can list the processes which opened files under a specified directory using ‘+D’ option. +D will recurse the sub directories also. If you don’t want lsof to recurse, then use ‘+d’ option. | You can list the processes which opened files under a specified directory using ‘+D’ option. +D will recurse the sub directories also. If you don’t want lsof to recurse, then use ‘+d’ option. | ||
Line 51: | Line 51: | ||
console-k 144 root 9w REG 8,1 10871 269369 /var/log/ConsoleKit/history | console-k 144 root 9w REG 8,1 10871 269369 /var/log/ConsoleKit/history | ||
− | 4. List opened files based on process names starting with | + | '''4. List opened files based on process names starting with''' |
You can list the files opened by process names starting with a string, using ‘-c’ option. -c followed by the process name will list the files opened by the process starting with that processes name. You can give multiple -c switch on a single command line. | You can list the files opened by process names starting with a string, using ‘-c’ option. -c followed by the process name will list the files opened by the process starting with that processes name. You can give multiple -c switch on a single command line. | ||
Line 66: | Line 66: | ||
ssh-agent 1528 lakshmanan 3u unix 0xdf70e240 0t0 10464 /tmp/ssh-sUymKXxw1495/agent.1495 | ssh-agent 1528 lakshmanan 3u unix 0xdf70e240 0t0 10464 /tmp/ssh-sUymKXxw1495/agent.1495 | ||
− | 5. List processes using a mount point | + | '''5. List processes using a mount point''' |
Sometime when we try to umount a directory, the system will say “Device or Resource Busy” error. So we need to find out what are all the processes using the mount point and kill those processes to umount the directory. By using lsof we can find those processes. | Sometime when we try to umount a directory, the system will say “Device or Resource Busy” error. So we need to find out what are all the processes using the mount point and kill those processes to umount the directory. By using lsof we can find those processes. | ||
Line 74: | Line 74: | ||
# lsof +D /home/ | # lsof +D /home/ | ||
− | 6. List files opened by a specific user | + | '''6. List files opened by a specific user''' |
In order to find the list of files opened by a specific users, use ‘-u’ option. | In order to find the list of files opened by a specific users, use ‘-u’ option. | ||
Line 95: | Line 95: | ||
The above command listed all the files opened by all users, expect user ‘lakshmanan’. | The above command listed all the files opened by all users, expect user ‘lakshmanan’. | ||
− | 7. List all open files by a specific process | + | '''7. List all open files by a specific process''' |
You can list all the files opened by a specific process using ‘-p’ option. It will be helpful sometimes to get more information about a specific process. | You can list all the files opened by a specific process using ‘-p’ option. It will be helpful sometimes to get more information about a specific process. | ||
Line 107: | Line 107: | ||
... | ... | ||
− | 8. Kill all process that belongs to a particular user | + | '''8. Kill all process that belongs to a particular user''' |
When you want to kill all the processes which has files opened by a specific user, you can use ‘-t’ option to list output only the process id of the process, and pass it to kill as follows | When you want to kill all the processes which has files opened by a specific user, you can use ‘-t’ option to list output only the process id of the process, and pass it to kill as follows | ||
Line 121: | Line 121: | ||
489 | 489 | ||
− | 9. Combine more list options using OR/AND | + | '''9. Combine more list options using OR/AND''' |
By default when you use more than one list option in lsof, they will be ORed. For example, | By default when you use more than one list option in lsof, they will be ORed. For example, | ||
Line 142: | Line 142: | ||
The above command will not output anything, because there is no such process named ‘init’ belonging to user ‘lakshmanan’. | The above command will not output anything, because there is no such process named ‘init’ belonging to user ‘lakshmanan’. | ||
− | 10. Execute lsof in repeat mode | + | '''10. Execute lsof in repeat mode''' |
lsof also support Repeat mode. It will first list files based on the given parameters, and delay for specified seconds and again list files based on the given parameters. It can be interrupted by a signal. | lsof also support Repeat mode. It will first list files based on the given parameters, and delay for specified seconds and again list files based on the given parameters. It can be interrupted by a signal. | ||
Line 172: | Line 172: | ||
Network connections are also files. So we can find information about them by using lsof. | Network connections are also files. So we can find information about them by using lsof. | ||
− | 11. List all network connections | + | '''11. List all network connections''' |
You can list all the network connections opened by using ‘-i’ option. | You can list all the network connections opened by using ‘-i’ option. | ||
Line 185: | Line 185: | ||
You can also use ‘-i4′ or ‘-i6′ to list only ‘IPV4′ or ‘IPV6‘ respectively. | You can also use ‘-i4′ or ‘-i6′ to list only ‘IPV4′ or ‘IPV6‘ respectively. | ||
− | 12. List all network files in use by a specific process | + | '''12. List all network files in use by a specific process''' |
You can list all the network files which is being used by a process as follows | You can list all the network files which is being used by a process as follows | ||
Line 197: | Line 197: | ||
The above command will list the network files opened by the processes starting with ssh. | The above command will list the network files opened by the processes starting with ssh. | ||
− | 13. List processes which are listening on a particular port | + | '''13. List processes which are listening on a particular port''' |
You can list the processes which are listening on a particular port by using ‘-i’ with ‘:’ as follows | You can list the processes which are listening on a particular port by using ‘-i’ with ‘:’ as follows | ||
Line 206: | Line 206: | ||
exim4 2541 Debian-exim 3u IPv4 8677 TCP localhost:smtp (LISTEN) | exim4 2541 Debian-exim 3u IPv4 8677 TCP localhost:smtp (LISTEN) | ||
− | 14. List all TCP or UDP connections | + | '''14. List all TCP or UDP connections''' |
You can list all the TCP or UDP connections by specifying the protocol using ‘-i’. | You can list all the TCP or UDP connections by specifying the protocol using ‘-i’. | ||
Line 212: | Line 212: | ||
# lsof -i tcp; lsof -i udp; | # lsof -i tcp; lsof -i udp; | ||
− | 15. List all Network File System ( NFS ) files | + | '''15. List all Network File System ( NFS ) files''' |
You can list all the NFS files by using ‘-N’ option. The following lsof command will list all NFS files used by user ‘lakshmanan’. | You can list all the NFS files by using ‘-N’ option. The following lsof command will list all NFS files used by user ‘lakshmanan’. |
Latest revision as of 13:43, 12 March 2014
Original post: http://www.thegeekstuff.com/2012/08/lsof-command-examples/
1. Introduction to lsof
Simply typing lsof will provide a list of all open files belonging to all active processes.
# lsof COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME init 1 root cwd DIR 8,1 4096 2 / init 1 root txt REG 8,1 124704 917562 /sbin/init init 1 root 0u CHR 1,3 0t0 4369 /dev/null init 1 root 1u CHR 1,3 0t0 4369 /dev/null init 1 root 2u CHR 1,3 0t0 4369 /dev/null init 1 root 3r FIFO 0,8 0t0 6323 pipe ...
By default One file per line is displayed. Most of the columns are self explanatory. We will explain the details about couple of cryptic columns (FD and TYPE).
FD – Represents the file descriptor. Some of the values of FDs are,
cwd – Current Working Directory txt – Text file mem – Memory mapped file mmap – Memory mapped device NUMBER – Represent the actual file descriptor. The character after the number i.e ’1u’, represents the mode in which the file is opened. r for read, w for write, u for read and write. TYPE – Specifies the type of the file. Some of the values of TYPEs are,
REG – Regular File DIR – Directory FIFO – First In First Out CHR – Character special file For a complete list of FD & TYPE, refer man lsof.
2. List processes which opened a specific file
You can list only the processes which opened a specific file, by providing the filename as arguments.
# lsof /var/log/syslog COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rsyslogd 488 syslog 1w REG 8,1 1151 268940 /var/log/syslog
3. List opened files under a directory
You can list the processes which opened files under a specified directory using ‘+D’ option. +D will recurse the sub directories also. If you don’t want lsof to recurse, then use ‘+d’ option.
# lsof +D /var/log/ COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rsyslogd 488 syslog 1w REG 8,1 1151 268940 /var/log/syslog rsyslogd 488 syslog 2w REG 8,1 2405 269616 /var/log/auth.log console-k 144 root 9w REG 8,1 10871 269369 /var/log/ConsoleKit/history
4. List opened files based on process names starting with
You can list the files opened by process names starting with a string, using ‘-c’ option. -c followed by the process name will list the files opened by the process starting with that processes name. You can give multiple -c switch on a single command line.
# lsof -c ssh -c init COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME init 1 root txt REG 8,1 124704 917562 /sbin/init init 1 root mem REG 8,1 1434180 1442625 /lib/i386-linux-gnu/libc-2.13.so init 1 root mem REG 8,1 30684 1442694 /lib/i386-linux-gnu/librt-2.13.so ... ssh-agent 1528 lakshmanan 1u CHR 1,3 0t0 4369 /dev/null ssh-agent 1528 lakshmanan 2u CHR 1,3 0t0 4369 /dev/null ssh-agent 1528 lakshmanan 3u unix 0xdf70e240 0t0 10464 /tmp/ssh-sUymKXxw1495/agent.1495
5. List processes using a mount point
Sometime when we try to umount a directory, the system will say “Device or Resource Busy” error. So we need to find out what are all the processes using the mount point and kill those processes to umount the directory. By using lsof we can find those processes.
# lsof /home
The following will also work.
# lsof +D /home/
6. List files opened by a specific user
In order to find the list of files opened by a specific users, use ‘-u’ option.
# lsof -u lakshmanan COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME update-no 1892 lakshmanan 20r FIFO 0,8 0t0 14536 pipe update-no 1892 lakshmanan 21w FIFO 0,8 0t0 14536 pipe bash 1995 lakshmanan cwd DIR 8,1 4096 393218 /home/lakshmanan
Sometimes you may want to list files opened by all users, expect some 1 or 2. In that case you can use the ‘^’ to exclude only the particular user as follows
# lsof -u ^lakshmanan COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rtkit-dae 1380 rtkit 7u 0000 0,9 0 4360 anon_inode udisks-da 1584 root cwd DIR 8,1 4096 2 /
The above command listed all the files opened by all users, expect user ‘lakshmanan’.
7. List all open files by a specific process
You can list all the files opened by a specific process using ‘-p’ option. It will be helpful sometimes to get more information about a specific process.
# lsof -p 1753 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME bash 1753 lakshmanan cwd DIR 8,1 4096 393571 /home/lakshmanan/test.txt bash 1753 lakshmanan rtd DIR 8,1 4096 2 / bash 1753 lakshmanan 255u CHR 136,0 0t0 3 /dev/pts/0 ...
8. Kill all process that belongs to a particular user
When you want to kill all the processes which has files opened by a specific user, you can use ‘-t’ option to list output only the process id of the process, and pass it to kill as follows
# kill -9 `lsof -t -u lakshmanan`
The above command will kill all process belonging to user ‘lakshmanan’, which has files opened.
Similarly you can also use ‘-t’ in many ways. For example, to list process id of a process which opened /var/log/syslog can be done by
# lsof -t /var/log/syslog 489
9. Combine more list options using OR/AND
By default when you use more than one list option in lsof, they will be ORed. For example,
# lsof -u lakshmanan -c init COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME init 1 root cwd DIR 8,1 4096 2 / init 1 root txt REG 8,1 124704 917562 /sbin/init bash 1995 lakshmanan 2u CHR 136,2 0t0 5 /dev/pts/2 bash 1995 lakshmanan 255u CHR 136,2 0t0 5 /dev/pts/2 ...
The above command uses two list options, ‘-u’ and ‘-c’. So the command will list process belongs to user ‘lakshmanan’ as well as process name starts with ‘init’.
But when you want to list a process belongs to user ‘lakshmanan’ and the process name starts with ‘init’, you can use ‘-a’ option.
# lsof -u lakshmanan -c init -a
The above command will not output anything, because there is no such process named ‘init’ belonging to user ‘lakshmanan’.
10. Execute lsof in repeat mode
lsof also support Repeat mode. It will first list files based on the given parameters, and delay for specified seconds and again list files based on the given parameters. It can be interrupted by a signal.
Repeat mode can be enabled by using ‘-r’ or ‘+r’. If ‘+r’ is used then, the repeat mode will end when no open files are found. ‘-r’ will continue to list,delay,list until a interrupt is given irrespective of files are opened or not.
Each cycle output will be separated by using ‘=======’. You also also specify the time delay as ‘-r’ | ‘+r’.
# lsof -u lakshmanan -c init -a -r5 ======= ======= COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME inita.sh 2971 lakshmanan cwd DIR 8,1 4096 393218 /home/lakshmanan inita.sh 2971 lakshmanan rtd DIR 8,1 4096 2 / inita.sh 2971 lakshmanan txt REG 8,1 83848 524315 /bin/dash inita.sh 2971 lakshmanan mem REG 8,1 1434180 1442625 /lib/i386-linux-gnu/libc-2.13.so inita.sh 2971 lakshmanan mem REG 8,1 117960 1442612 /lib/i386-linux-gnu/ld-2.13.so inita.sh 2971 lakshmanan 0u CHR 136,4 0t0 7 /dev/pts/4 inita.sh 2971 lakshmanan 1u CHR 136,4 0t0 7 /dev/pts/4 inita.sh 2971 lakshmanan 2u CHR 136,4 0t0 7 /dev/pts/4 inita.sh 2971 lakshmanan 10r REG 8,1 20 393578 /home/lakshmanan/inita.sh =======
In the above output, for the first 5 seconds, there is no output. After that a script named “inita.sh” is started, and it list the output.
Finding Network Connection
Network connections are also files. So we can find information about them by using lsof.
11. List all network connections
You can list all the network connections opened by using ‘-i’ option.
# lsof -i COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME avahi-dae 515 avahi 13u IPv4 6848 0t0 UDP *:mdns avahi-dae 515 avahi 16u IPv6 6851 0t0 UDP *:52060 cupsd 1075 root 5u IPv6 22512 0t0 TCP ip6-localhost:ipp (LISTEN)
You can also use ‘-i4′ or ‘-i6′ to list only ‘IPV4′ or ‘IPV6‘ respectively.
12. List all network files in use by a specific process
You can list all the network files which is being used by a process as follows
# lsof -i -a -p 234
You can also use the following
# lsof -i -a -c ssh
The above command will list the network files opened by the processes starting with ssh.
13. List processes which are listening on a particular port
You can list the processes which are listening on a particular port by using ‘-i’ with ‘:’ as follows
# lsof -i :25 COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME exim4 2541 Debian-exim 3u IPv4 8677 TCP localhost:smtp (LISTEN)
14. List all TCP or UDP connections
You can list all the TCP or UDP connections by specifying the protocol using ‘-i’.
# lsof -i tcp; lsof -i udp;
15. List all Network File System ( NFS ) files
You can list all the NFS files by using ‘-N’ option. The following lsof command will list all NFS files used by user ‘lakshmanan’.
# lsof -N -u lakshmanan -a