lsof is a strong utility accessible for Linux and Unix primarily based methods and actually stands for ‘record (of) open information’.
Its principal perform is to retrieve particulars about various kinds of information opened by completely different operating processes. These information will be common information, folders, block information, community sockets, Named Pipes, and so on.
Of lsof
, you could find completely different processes that lock a file or folder, a course of that listens on a port, a consumer’s course of record, and what information a course of locks. We’ll take care of it first set up after which some standard utilization examples on this article.
set up lsof
lsof
isn’t accessible by default on most Linux distributions, however will be simply put in. Use the command beneath to put in lsof:
CentOS/RHEL/Fedora:
$ sudo yum set up lsof
for CentOS/RHEL 8 you need to use the DNF command
$ sudo dnf set up lsof
Ubuntu/Debian:
$ sudo apt set up lsof
Get some assist
You may get a summarized record of lsof supported choices utilizing -?
or -h
flag.
$ lsof -?
lsof 4.87
newest revision: ftp://lsof.itap.purdue.edu/pub/instruments/unix/lsof/
newest FAQ: ftp://lsof.itap.purdue.edu/pub/instruments/unix/lsof/FAQ
newest man web page: ftp://lsof.itap.purdue.edu/pub/instruments/unix/lsof/lsof_man
utilization: [-?abhKlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-f[gG]] [+|-e s]
[-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s]
[+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [-Z [Z]] [--] [names]
Defaults in parentheses; comma-separated set (s) objects; dash-separated ranges.
-?|-h record assist -a AND alternatives (OR) -b keep away from kernel blocks
-c c cmd c ^c /c/[bix] +c w COMMAND width (9) +d s dir s information
-d s choose by FD set +D D dir D tree *SLOW?* +|-e s exempt s *RISKY*
-i choose IPv[46] information -Ok record tasKs (threads) -l record UID numbers
-n no host names -N choose NFS information -o record file offset
-O no overhead *RISKY* -P no port names -R record paRent PID
-s record file measurement -t terse itemizing -T disable TCP/TPI data
-U choose Unix socket -v record model data -V verbose search
+|-w Warnings (+) -X skip TCP&UDP* information -Z Z context [Z]
-- finish choice scan
+f|-f +filesystem or -file names +|-f[gG] flaGs
-F [f] choose fields; -F? for assist
+|-L [l] record (+) suppress (-) hyperlink counts < l (0 = all; default = 0)
+m [m] use|create mount complement
+|-M portMap registration (-) -o o o 0t offset digits (8)
-p s exclude(^)|choose PIDs -S [t] t second stat timeout (15)
-T qs TCP/TPI Q,St (s) data
-g [s] exclude(^)|choose and print course of group IDs
-i i choose by IPv[46] deal with: [46][proto][@host|addr][:svc_list|port_list]
+|-r [t[m<fmt>]] repeat each t seconds (15); + till no information, - endlessly.
An elective suffix to t is m<fmt>; m should separate t from <fmt> and
<fmt> is an strftime(3) format for the marker line.
-s p:s exclude(^)|choose protocol (p = TCP|UDP) states by title(s).
-u s exclude(^)|choose login|UID set s
-x [fl] cross over +d|+D File methods or symbolic Hyperlinks
names choose named information or information on named file methods
Anybody can record all information; /dev warnings disabled; kernel ID test disabled.
$
To test detailed details about the put in model, use:
$ lsof -v
lsof model info:
revision: 4.87
newest revision: ftp://lsof.itap.purdue.edu/pub/instruments/unix/lsof/
newest FAQ: ftp://lsof.itap.purdue.edu/pub/instruments/unix/lsof/FAQ
newest man web page: ftp://lsof.itap.purdue.edu/pub/instruments/unix/lsof/lsof_man
constructed: Tue Oct 30 16:28:19 UTC 2018
constructed by and on: [email protected]
compiler: cc
compiler model: 4.8.5 20150623 (Crimson Hat 4.8.5-36) (GCC)
compiler flags: -DLINUXV=310000 -DGLIBCV=217 -DHASIPv6 -DHASSELINUX -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE -DHAS_STRFTIME -DLSOF_VSTR="3.10.0" -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
loader flags: -L./lib -llsof -lselinux
system data: Linux x86-01.bsys.centos.org 3.10.0-693.17.1.el7.x86_64 #1 SMP Thu Jan 25 20:13:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
Anybody can record all information.
/dev warnings are disabled.
Kernel ID test is disabled.
$
Output fields
By default, the lsof output discipline construction appears like this:
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME
Most of those fields are self-explanatory aside from FD
And TYPE
fields which are considerably distinctive to lsof and will probably be briefly explored.
FD
refers back to the file descriptor variety of the file and TYPE
refers to the kind of node related to the file. We’ll now have a look at the supported values for each fields.
FD
discipline can include the next values:
cwd present working listing;
Lnn library references (AIX);
err FD info error (see NAME column);
jld jail listing (FreeBSD);
ltx shared library textual content (code and information);
Mxx hex memory-mapped kind quantity xx.
m86 DOS Merge mapped file;
mem memory-mapped file;
mmap memory-mapped gadget;
pd father or mother listing;
rtd root listing;
tr kernel hint file (OpenBSD);
txt program textual content (code and information);
v86 VP/ix mapped file;
FD
discipline is adopted by a number of characters describing the mode through which the file is open:
r for learn entry;
w for write entry;
u for learn and write entry;
area if mode unknown and no lock character follows;
`-' if mode unknown and lock character follows.
Mode signal for FD
then will be adopted by LOCK
character whose description is given beneath:
N for a Solaris NFS lock of unknown kind;
r for learn lock on a part of the file;
R for a learn lock on the whole file;
w for a write lock on a part of the file;
W for a write lock on the whole file;
u for a learn and write lock of any size;
U for a lock of unknown kind;
x for an SCO OpenServer Xenix lock on a part of the file;
X for an SCO OpenServer Xenix lock on the whole file;
area if there is no such thing as a lock.
In the identical manner, TYPE
discipline can include GDIR, GREG, VDIR, VREG, IPV4, IPV6
and so on. For a full record of supported TYPE
in lsof, check with it man
web page.
Regular utilization
Under are some well-liked makes use of of the lsof command. The command works on all Linux variants and all command line arguments listed beneath ought to work on all platforms given the identical lsof
model.
Listing all open information
Operating lsof with none choices will record all information at the moment open by operating processes.
$ sudo lsof | much less
Exit:
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root cwd DIR 253,0 224 64 /
systemd 1 root rtd DIR 253,0 224 64 /
systemd 1 root txt REG 253,0 1632776 308905 /usr/lib/systemd/systemd
systemd 1 root mem REG 253,0 20064 16063 /usr/lib64/libuuid.so.1.3.0
systemd 1 root mem REG 253,0 265576 186547 /usr/lib64/libblkid.so.1.1.0
systemd 1 root mem REG 253,0 90248 16051 /usr/lib64/libz.so.1.2.7
systemd 1 root mem REG 253,0 157424 16059 /usr/lib64/liblzma.so.5.2.2
systemd 1 root mem REG 253,0 23968 59696 /usr/lib64/libcap-ng.so.0.0.0
systemd 1 root mem REG 253,0 19896 59686 /usr/lib64/libattr.so.1.1.0
systemd 1 root mem REG 253,0 19248 15679 /usr/lib64/libdl-2.17.so
systemd 1 root mem REG 253,0 402384 16039 /usr/lib64/libpcre.so.1.2.0
systemd 1 root mem REG 253,0 2156272 15673 /usr/lib64/libc-2.17.so
systemd 1 root mem REG 253,0 142144 15699 /usr/lib64/libpthread-2.17.so
systemd 1 root mem REG 253,0 88720 84 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
systemd 1 root mem REG 253,0 43712 15703 /usr/lib64/librt-2.17.so
systemd 1 root mem REG 253,0 277808 229793 /usr/lib64/libmount.so.1.1.0
systemd 1 root mem REG 253,0 91800 76005 /usr/lib64/libkmod.so.2.2.10
systemd 1 root mem REG 253,0 127184 59698 /usr/lib64/libaudit.so.1.0.0
systemd 1 root mem REG 253,0 61680 229827 /usr/lib64/libpam.so.0.83.1
systemd 1 root mem REG 253,0 20048 59690 /usr/lib64/libcap.so.2.22
systemd 1 root mem REG 253,0 155744 16048 /usr/lib64/libselinux.so.1
Listing by file title
To record all of the processes that opened a selected file, we are able to specify it file-name
as an argument:
$ sudo lsof {file-name}
Exit:
$ sudo lsof /var/log/messages
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rsyslogd 1000 root 6w REG 253,0 205 16777741 /var/log/messages
$
Listing open information by username
In a multi-user system, you possibly can filter the record of information by particular processes owned by the consumer utilizing -u
flag adopted by username
.
$ sudo lsof -u {username}
Exit:
$ sudo lsof -u abhisheknair
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1239 abhisheknair cwd DIR 253,0 224 64 /
sshd 1239 abhisheknair rtd DIR 253,0 224 64 /
sshd 1239 abhisheknair txt REG 253,0 852856 425229 /usr/sbin/sshd
sshd 1239 abhisheknair mem REG 253,0 15488 17204727 /usr/lib64/safety/pam_lastlog.so
sshd 1239 abhisheknair mem REG 253,0 15648 229829 /usr/lib64/libpam_misc.so.0.82.0
sshd 1239 abhisheknair mem REG 253,0 309248 17303270 /usr/lib64/safety/pam_systemd.so
sshd 1239 abhisheknair mem REG 253,0 19616 17204728 /usr/lib64/safety/pam_limits.so
sshd 1239 abhisheknair mem REG 253,0 11168 17204726 /usr/lib64/safety/pam_keyinit.so
sshd 1239 abhisheknair mem REG 253,0 40800 17204735 /usr/lib64/safety/pam_namespace.so
Alternatively, if you wish to record information opened by any consumer besides a selected consumer, you possibly can -u
flag adopted by ^username
as proven beneath:
$ sudo lsof -u ^{username}
Exit:
$ sudo lsof -u ^root
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dbus-daem 630 dbus cwd DIR 253,0 224 64 /
dbus-daem 630 dbus rtd DIR 253,0 224 64 /
dbus-daem 630 dbus txt REG 253,0 223232 50590133 /usr/bin/dbus-daemon
dbus-daem 630 dbus mem REG 253,0 61560 15691 /usr/lib64/libnss_files-2.17.so
dbus-daem 630 dbus mem REG 253,0 68192 59651 /usr/lib64/libbz2.so.1.0.6
dbus-daem 630 dbus mem REG 253,0 90248 16051 /usr/lib64/libz.so.1.2.7
dbus-daem 630 dbus mem REG 253,0 99944 59680 /usr/lib64/libelf-0.176.so
dbus-daem 630 dbus mem REG 253,0 19896 59686 /usr/lib64/libattr.so.1.1.0
dbus-daem 630 dbus mem REG 253,0 402384 16039 /usr/lib64/libpcre.so.1.2.0
A technique you need to use lsof is for conditions the place you need to rapidly kill all of a selected consumer’s processes with a single command. We will mix kill
of lsof
as proven within the instance beneath to attain this (run as root):
# kill -9 `lsof -t -u {username}`
As you possibly can see within the instance above, we are able to use -t
flag to filter out all different info besides process-id
. This may be helpful in automation and scripting, as proven within the earlier instance, by combining it with kill
command.
$ sudo lsof -t -u {username}
Exit:
$ sudo lsof -t -u abhisheknair
1239
1240
$
lsof permits us to mix a number of arguments utilizing OR
logic as proven beneath:
$ sudo lsof -u {username} -c {process-name}
Exit:
$ sudo lsof -u ftpuser -c bash
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 1240 abhisheknair cwd DIR 253,0 120 510681 /residence/abhisheknair
bash 1240 abhisheknair rtd DIR 253,0 224 64 /
bash 1240 abhisheknair txt REG 253,0 964536 50548532 /usr/bin/bash
bash 1240 abhisheknair mem REG 253,0 106172832 50548523 /usr/lib/locale/locale-archive
bash 1240 abhisheknair mem REG 253,0 61560 15691 /usr/lib64/libnss_files-2.17.so
bash 1240 abhisheknair mem REG 253,0 2156272 15673 /usr/lib64/libc-2.17.so
bash 1240 abhisheknair mem REG 253,0 19248 15679 /usr/lib64/libdl-2.17.so
bash 1240 abhisheknair mem REG 253,0 174576 16034 /usr/lib64/libtinfo.so.5.9
bash 1240 abhisheknair mem REG 253,0 163312 15666 /usr/lib64/ld-2.17.so
bash 1240 abhisheknair mem REG 253,0 26970 16003 /usr/lib64/gconv/gconv-modules.cache
bash 1240 abhisheknair 0u CHR 136,0 0t0 3 /dev/pts/0
bash 1240 abhisheknair 1u CHR 136,0 0t0 3 /dev/pts/0
bash 1240 abhisheknair 2u CHR 136,0 0t0 3 /dev/pts/0
bash 1240 abhisheknair 255u CHR 136,0 0t0 3 /dev/pts/0
bash 1425 ftpuser cwd DIR 253,0 182 33578272 /residence/ftpuser
bash 1425 ftpuser rtd DIR 253,0 224 64 /
bash 1425 ftpuser txt REG 253,0 964536 50548532 /usr/bin/bash
bash 1425 ftpuser mem REG 253,0 106172832 50548523 /usr/lib/locale/locale-archive
bash 1425 ftpuser mem REG 253,0 61560 15691 /usr/lib64/libnss_files-2.17.so
bash 1425 ftpuser mem REG 253,0 2156272 15673 /usr/lib64/libc-2.17.so
bash 1425 ftpuser mem REG 253,0 19248 15679 /usr/lib64/libdl-2.17.so
bash 1425 ftpuser mem REG 253,0 174576 16034 /usr/lib64/libtinfo.so.5.9
bash 1425 ftpuser mem REG 253,0 163312 15666 /usr/lib64/ld-2.17.so
bash 1425 ftpuser mem REG 253,0 26970 16003 /usr/lib64/gconv/gconv-modules.cache
bash 1425 ftpuser 0u CHR 4,1 0t0 1043 /dev/tty1
bash 1425 ftpuser 1u CHR 4,1 0t0 1043 /dev/tty1
bash 1425 ftpuser 2u CHR 4,1 0t0 1043 /dev/tty1
bash 1425 ftpuser 255u CHR 4,1 0t0 1043 /dev/tty1
$
Alternatively, if you wish to use AND
use of logical situations -a
flag.
$ sudo lsof -u {username} -c {process-name} -a
Exit:
$ sudo lsof -u ftpuser -c bash -a
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 1425 ftpuser cwd DIR 253,0 182 33578272 /residence/ftpuser
bash 1425 ftpuser rtd DIR 253,0 224 64 /
bash 1425 ftpuser txt REG 253,0 964536 50548532 /usr/bin/bash
bash 1425 ftpuser mem REG 253,0 106172832 50548523 /usr/lib/locale/locale-archive
bash 1425 ftpuser mem REG 253,0 61560 15691 /usr/lib64/libnss_files-2.17.so
bash 1425 ftpuser mem REG 253,0 2156272 15673 /usr/lib64/libc-2.17.so
bash 1425 ftpuser mem REG 253,0 19248 15679 /usr/lib64/libdl-2.17.so
bash 1425 ftpuser mem REG 253,0 174576 16034 /usr/lib64/libtinfo.so.5.9
bash 1425 ftpuser mem REG 253,0 163312 15666 /usr/lib64/ld-2.17.so
bash 1425 ftpuser mem REG 253,0 26970 16003 /usr/lib64/gconv/gconv-modules.cache
bash 1425 ftpuser 0u CHR 4,1 0t0 1043 /dev/tty1
bash 1425 ftpuser 1u CHR 4,1 0t0 1043 /dev/tty1
bash 1425 ftpuser 2u CHR 4,1 0t0 1043 /dev/tty1
bash 1425 ftpuser 255u CHR 4,1 0t0 1043 /dev/tty1
$
Listing open information by course of
We will additionally show information opened by a specific course of through the use of -c
choice adopted by the method title.
$ sudo lsof -c {process-name}
Exit:
$ sudo lsof -c ssh
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 997 root cwd DIR 253,0 224 64 /
sshd 997 root rtd DIR 253,0 224 64 /
sshd 997 root txt REG 253,0 852856 425229 /usr/sbin/sshd
sshd 997 root mem REG 253,0 61560 15691 /usr/lib64/libnss_files-2.17.so
sshd 997 root mem REG 253,0 68192 59651 /usr/lib64/libbz2.so.1.0.6
sshd 997 root mem REG 253,0 99944 59680 /usr/lib64/libelf-0.176.so
sshd 997 root mem REG 253,0 19896 59686 /usr/lib64/libattr.so.1.1.0
sshd 997 root mem REG 253,0 15688 75906 /usr/lib64/libkeyutils.so.1.5
sshd 997 root mem REG 253,0 67104 186525 /usr/lib64/libkrb5support.so.0.1
Listing open information by PID
Alternatively, you possibly can record information opened by a course of, however as a substitute of process-name
whose ID you need to specify, you need to use -p
flag adopted by process-id
.
$ sudo lsof -p {process-id}
Exit:
$ sudo lsof -p 663
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
firewalld 663 root cwd DIR 253,0 224 64 /
firewalld 663 root rtd DIR 253,0 224 64 /
firewalld 663 root txt REG 253,0 7144 50491220 /usr/bin/python2.7
firewalld 663 root mem REG 253,0 298828 50617647 /usr/lib64/girepository-1.0/NM-1.0.typelib
firewalld 663 root mem REG 253,0 343452 50507562 /usr/lib64/girepository-1.0/Gio-2.0.typelib
firewalld 663 root mem REG 253,0 12352 17202092 /usr/lib64/python2.7/lib-dynload/grpmodule.so
firewalld 663 root mem REG 253,0 29184 17202105 /usr/lib64/python2.7/lib-dynload/selectmodule.so
firewalld 663 root mem REG 253,0 168312 388240 /usr/lib64/libdbus-glib-1.so.2.2.2
firewalld 663 root mem REG 253,0 11976 34028597 /usr/lib64/python2.7/site-packages/_dbus_glib_bindings.so
firewalld 663 root mem REG 253,0 185712 50507559 /usr/lib64/girepository-1.0/GLib-2.0.typelib
- To record each open file besides these opened by a specific course of, use
-p
adopted by^process-id
.
$ sudo lsof -p ^{process-id}
Listing of open information that include folder
To record processes which have opened information in a selected folder, use +D
choice adopted by folder path.
$ sudo lsof +D {path}
Exit:
$ sudo lsof +D /var/log
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
auditd 607 root 5w REG 253,0 1065095 425227 /var/log/audit/audit.log
firewalld 663 root 3w REG 253,0 13817 17663786 /var/log/firewalld
tuned 999 root 3w REG 253,0 13395 33574994 /var/log/tuned/tuned.log
rsyslogd 1000 root 6w REG 253,0 4302 16777753 /var/log/cron
rsyslogd 1000 root 7w REG 253,0 64740 16777755 /var/log/messages
rsyslogd 1000 root 8w REG 253,0 5513 16787904 /var/log/safe
rsyslogd 1000 root 9w REG 253,0 198 16777754 /var/log/maillog
$
In the event you do not need to record the information in subdirectories recursively, use -d
flag adopted by folder path.
$ sudo lsof +d {path}
Exit:
$ sudo lsof +d /var/log
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
firewalld 663 root 3w REG 253,0 13817 17663786 /var/log/firewalld
rsyslogd 1000 root 6w REG 253,0 4302 16777753 /var/log/cron
rsyslogd 1000 root 7w REG 253,0 64740 16777755 /var/log/messages
rsyslogd 1000 root 8w REG 253,0 5833 16787904 /var/log/safe
rsyslogd 1000 root 9w REG 253,0 198 16777754 /var/log/maillog
$
Repeat Mode
lsof will be run in iterate mode. In repeat mode, lsof will generate and print output at common intervals. Once more, there are two iteration modes supported by lsof, that’s, with -r
And +r
flags. Of -r
flag, iterates lsof to execute till it receives an interrupt/kill sign from the consumer whereas it’s operating +r
flag, lsof repeat mode will finish as soon as the output accommodates no open information. As well as, we are able to specify a delay with -r
or +r
flag.
$ sudo lsof {arguments} -r{time-interval}
Exit:
$ sudo lsof -u ftpuser -c bash +D /usr/lib -a -r3
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 1425 ftpuser mem REG 253,0 106172832 50548523 /usr/lib/locale/locale-archive
=======
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 1425 ftpuser mem REG 253,0 106172832 50548523 /usr/lib/locale/locale-archive
=======
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 1425 ftpuser mem REG 253,0 106172832 50548523 /usr/lib/locale/locale-archive
=======
Listing open information with community protocol
lsof helps the show of any kind of Linux information together with community sockets and so on. As such we are able to show particulars of open community connections utilizing -i
flag.
$ sudo lsof -i
Exit:
$ sudo lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chronyd 639 chrony 5u IPv4 14333 0t0 UDP localhost:323
chronyd 639 chrony 6u IPv6 14334 0t0 UDP localhost:323
sshd 997 root 3u IPv4 17330 0t0 TCP *:ssh (LISTEN)
sshd 997 root 4u IPv6 17339 0t0 TCP *:ssh (LISTEN)
grasp 1229 root 13u IPv4 18129 0t0 TCP localhost:smtp (LISTEN)
grasp 1229 root 14u IPv6 18130 0t0 TCP localhost:smtp (LISTEN)
sshd 1235 root 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
sshd 1239 abhisheknair 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
$
To record all community connections utilized by a selected consumer process-id
can you employ lsof if:
$ sudo lsof -i -a -p {process-id}
Exit:
$ sudo lsof -i -a -p 997
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 997 root 3u IPv4 17330 0t0 TCP *:ssh (LISTEN)
sshd 997 root 4u IPv6 17339 0t0 TCP *:ssh (LISTEN)
$
Or to record all community connections utilized by a selected course of we may give process-name
if:
$ sudo lsof -i -a -c {process-name}
Exit:
$ sudo lsof -i -a -c ssh
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 997 root 3u IPv4 17330 0t0 TCP *:ssh (LISTEN)
sshd 997 root 4u IPv6 17339 0t0 TCP *:ssh (LISTEN)
sshd 1235 root 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
sshd 1239 abhisheknair 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
$
We will filter the output of lsof with -i
flag by community protocol kind, i.e.: TCP
or UDP
by specifying the protocol kind.
$ sudo lsof -i {protocol}
Exit:
$ sudo lsof -i tcp
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 997 root 3u IPv4 17330 0t0 TCP *:ssh (LISTEN)
sshd 997 root 4u IPv6 17339 0t0 TCP *:ssh (LISTEN)
grasp 1229 root 13u IPv4 18129 0t0 TCP localhost:smtp (LISTEN)
grasp 1229 root 14u IPv6 18130 0t0 TCP localhost:smtp (LISTEN)
sshd 1235 root 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
sshd 1239 abhisheknair 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
$
OR
Exit:
$ sudo lsof -i udp
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chronyd 639 chrony 5u IPv4 14333 0t0 UDP localhost:323
chronyd 639 chrony 6u IPv6 14334 0t0 UDP localhost:323
$
Listing open information by port
We will additionally filter lsof’s output with -i
flag by way of port quantity
use the command syntax as beneath:
$ sudo lsof -i :{port-number}
Exit:
$ sudo lsof -i :22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 997 root 3u IPv4 17330 0t0 TCP *:ssh (LISTEN)
sshd 997 root 4u IPv6 17339 0t0 TCP *:ssh (LISTEN)
sshd 1235 root 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
sshd 1239 abhisheknair 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
$
Listing opened information on IPv4/IPv6
There may be an choice to filter the record of community connections by limiting it to IPv4 or IPv6. Use the command syntax beneath to get solely the IP v4 record:
$ sudo lsof -i4
Exit:
$ sudo lsof -i4
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chronyd 639 chrony 5u IPv4 14333 0t0 UDP localhost:323
sshd 997 root 3u IPv4 17330 0t0 TCP *:ssh (LISTEN)
grasp 1229 root 13u IPv4 18129 0t0 TCP localhost:smtp (LISTEN)
sshd 1235 root 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
sshd 1239 abhisheknair 3u IPv4 18318 0t0 TCP centos7vm:ssh->192.168.1.61:23566 (ESTABLISHED)
$
OR to get solely IPv6 information use:
$ sudo lsof -i6
Exit:
$ sudo lsof -i6
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chronyd 639 chrony 6u IPv6 14334 0t0 UDP localhost:323
sshd 997 root 4u IPv6 17339 0t0 TCP *:ssh (LISTEN)
grasp 1229 root 14u IPv6 18130 0t0 TCP localhost:smtp (LISTEN)
$
Listing open information on NFS
lsof may record all NFS information at the moment open by a consumer.
$ sudo lsof -N -u abhisheknair -a
Listing of locked deleted information
It generally occurs that information are deleted in Linux, however are nonetheless locked by a number of processes. As such, these information should not proven within the regular file system record utilizing ls
command and so on. however they nonetheless eat disk area as reported by df
output, this primarily happens with massive information which were deliberately deleted to unencumber disk area with out lifting the method lock. Yow will discover such processes utilizing lsof as:
$ sudo lsof {path} | grep deleted
Exit:
$ sudo lsof / | grep deleted
firewalld 654 root 8u REG 253,0 4096 16777726 /tmp/#16777726 (deleted)
tuned 968 root 8u REG 253,0 4096 16777720 /tmp/#16777720 (deleted)
$
Conclusion
lsof gives a spread of choices to customise the output to your wants. It’s a helpful utility for day-to-day system and community administration duties. The power to mix completely different arguments makes it all of the extra helpful and permits you to simply get the required output. Consult with the lsof man web page to study all of the supported arguments and their makes use of.
$ man lsof