lsof stands for "list open files". So actually it shows all files used by some processes of a system. As in linux many interesting resources are modeled as files, lsof command becomes very useful tool.

Let's get best of it!

In the absence of any options, lsof lists all open files belonging to all active processes of a system.

lsof

Network connections with lsof

The interesting option here is the -i that should be followed by the Internet address which is specified in the following form:

[4|6][protocol][@hostname|hostaddr][:service|port]

4 and 6 stand for ip protocol versions, the rest should be self expanded. Let's get hands on:

#Show all open connections lsof -i # Show all open TCP connections lsof -i TCP

Looking for specific ports...

#Examples of: Show TCP connection on on 636, 80 and UDP port range 3000-3025 lsof -i TCP:636 lsof -i TCP:80 lsof -i UDP:3000-3025 #every protocol on port 22 lsof -i :22

to show all listening objects use:

lsof -i| grep LISTEN #or with options -P and -a lsof -i -P -a| grep LISTEN

bash

-P forces lsof to show port numbers instead of protocol name (22 vs ssh, 5671 vs amqps)

forces lsof to show port numbers instead of protocol name (22 vs ssh, 5671 vs amqps) -a forces to show ip addresses and not to resolve DNS names

More examplese

Show LDAP *incoming * connections

lsof -i TCP@192.168.0.1:636 () #java 890 root 18u IPv6 8332031 #TCP myserver.com:42936 myserver.com:ldaps (ESTABLISHED)

Who uses SMTP?

lsof -i :25 #COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME #sendmail 401 root 5u IPv4 0x300023cc141 0t0 TCP *:smtp (LISTEN) #sendmail 401 root 6u IPv6 0x3000243c200 0t0 TCP *:smtp (LISTEN)

More Examples of lsof

-c option allows to see what files are open by a particular command.

lsof -c mysq lsof -c ruby

Find files that are open by a particular device or a file

lsof /dev/cdrom lsof /tmp/obscure.lock

Find files that are opened by a user guest

lsof –u guest #vi 5200 guest txt REG 3,1 242601 245773 /bin/vi

Recursive watch

And at last use -r option for monitoring. Here is example of periodically (every 10 seconds) refresh of connection status for a concrete application started as php.

lsof -r 10 -c php -a -i :1521

It gives periodically all 1521 port connections. 1521 is typical Oracle DB connection port, so that example may serve you as base for script that monitors connection growing of your PHP applications.

lsof & PID

Next one uses the -t parameter which causes lsof return only a process id of a file using application. So following command allows you to kill all application that are using provided file.

kill -9 `lsof -t /tmp/obscure.lock`

Coming from other side, having a PID, we can list all resources used by the process, which might be very useful as well.