What Will I Learn?

Write here briefly the details of what the user is going to learn in a bullet list.

You will learn to use the lsof command to find what files are being used by the various programs on your system

command to find what files are being used by the various programs on your system You will learn to filter output of the command to get data on specific applications, specific files/directories, and even specific network ports

Requirements

A working Linux system

Basic knowledge of the Linux command line.

Difficulty

Basic

Tutorial Contents

What does the lsof command do?

As we know, files are a pretty important thing in a Linux/Unix system. Files are used not just for storing data, but also for application/program configuration. So with that, it's important to know what files a program is using. The lsof command helps us do that. The lsof command should come installed in most Linux systems, but if it isn't it's most assuredly available in your distribution's package manager.

1. Basic Usage

You can just use the lsof command to get a list of all open files. But the thing is, there are a lot of files opened on a Linux system. Every file is displayed on a line, so the output would be huge. Instead, we'll look at the total number of files opened by piping lsof into wc -l to get the number of lines in the output:

[[email protected] ~]$ lsof | wc -l 96148

So as you can see, my system has about 96000 files opened by all the processes currently running on the system.

Alternatively, to see a few of the files opened, we can pipe lsof into head to get the first 10 lines of output:

So there are a few important things here:

The first column actually shows the name of the command/program that's actually using the file The 2nd column, titled PID shows the PID(Process ID) of the command. (You can use the PID to start,kill, or restrict processes(out of the scope of this post).) The 3rd and 4th columns are blank because they only apply to Tasks (threads), and not to Processes. The 5th column, titled USER shows the user account that started the process. The 6th column, titled FD , shows the File Descriptor of the file being used. In this screenshot, we see 4 FDs - cwd - the directory from which the process was called, rtd - the root directory, txt - a text file(program or data), and mem - a memory mapped file. The 7th column shows the type of file. DIR indicates directories, REG indicates regular files. The 9th column shows the size of the file in bytes. For directories, the size is always 4KB. The 10th column shows the inode of the file on the filesystem The 11th column shows the actual path of the file.

2. Finding what processes are using a file/directory

You can find which processes are using a file or directory by simply passing that file as an argument. So for example, to find out a few of the processes that are using my home directory:

[[email protected] ~]$ lsof /home/h | head COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rslsync 1840 h cwd DIR 8,2 4096 4980738 /home/h gdm-x-ses 1883 h cwd DIR 8,2 4096 4980738 /home/h Xorg 1891 h cwd DIR 8,2 4096 4980738 /home/h Xorg 1891 h mem CHR 226,0 18462 /dev/dri/card0 Xorg 1891 h 12u CHR 226,0 0t0 18462 /dev/dri/card0 Xorg 1891 h 13u CHR 226,0 0t0 18462 /dev/dri/card0 dbus-daem 2299 h cwd DIR 8,2 4096 4980738 /home/h gnome-ses 2317 h cwd DIR 8,2 4096 4980738 /home/h at-spi-bu 2449 h cwd DIR 8,2 4096 4980738 /home/h

3. Finding all the files that a process is using

You can find all the files that a process is using by using the -p command and passing the process id.

To find out the PID of a process, you can use the pgrep tool, like so:

[[email protected] ~]$ pgrep rslsync 1840

And if we put that into lsof :

[[email protected] ~]$ lsof -p 1840 | head COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rslsync 1840 h cwd DIR 8,2 4096 4980738 /home/h rslsync 1840 h rtd DIR 8,2 4096 2 / rslsync 1840 h txt REG 8,2 16395864 824224 /usr/bin/rslsync rslsync 1840 h mem REG 8,2 84016 788618 /usr/lib/libresolv-2.26.so rslsync 1840 h mem REG 8,2 22352 788629 /usr/lib/libnss_dns-2.26.so rslsync 1840 h mem REG 8,2 259088 813964 /usr/lib/libnss_resolve.so.2 rslsync 1840 h mem REG 8,2 72856 798841 /usr/lib/libnss_myhostname.so.2 rslsync 1840 h mem REG 8,2 263184 802821 /usr/lib/libnss_mymachines.so.2 rslsync 1840 h mem REG 8,2 46928 788628 /usr/lib/libnss_files-2.26.so

Another interesting thing about lsof , is that you also get "files" like this one:

rslsync 1840 h 7u IPv4 27208 0t0 TCP *:26887 (LISTEN) rslsync 1840 h 8u IPv6 27209 0t0 TCP *:26887 (LISTEN) rslsync 1840 h 9u IPv4 27210 0t0 UDP *:26887 rslsync 1840 h 10u IPv6 27211 0t0 UDP *:26887

rslsync is an online backup program, which means it listens on several ports for online requests. Since on Linux, ports are like a file, you also get to see all the ports a process is accessing.

You can also combine the 2 commands:

lsof -p `pgrep rslsync`

4. Finding all the files that a user has opened

You can use the -u flag to get all the files that a specific user has opened. So using that, and grep , we can find all the files that Firefox has opened with my user account:

[[email protected] ~]$ lsof -u h | grep firefox | head firefox 4736 h cwd DIR 8,2 4096 4980738 /home/h firefox 4736 h rtd DIR 8,2 4096 2 / firefox 4736 h txt REG 8,2 200296 826228 /usr/lib/firefox/firefox firefox 4736 h DEL REG 0,23 281912 /dev/shm/org.chromium.7bIgxD firefox 4736 h DEL REG 0,23 280972 /dev/shm/org.chromium.rxfnUc firefox 4736 h mem REG 8,2 31408 818702 /usr/lib/libnotify.so.4.0.0 firefox 4736 h DEL REG 0,5 40032 /memfd:pulseaudio firefox 4736 h DEL REG 0,5 23792 /memfd:pulseaudio firefox 4736 h DEL REG 0,5 38451 /memfd:pulseaudio firefox 4736 h mem REG 8,2 22264 1442361 /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-jpeg.so

5. Finding all processes that are listening on a port or protocol

As mentioned earlier, the lsof command also shows you the network ports that a process is listening on. You can actually filter output based on that too, with the -i command. The syntax is:

lsof -i protocol:port

For example, the program rslsync listens for HTTP connections on port 8888. To list any process that is listening on port 8888, we can do this:

[[email protected] ~]$ lsof -i :8888 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME rslsync 1840 h 11u IPv4 297027 0t0 TCP *:ddi-tcp-1 (LISTEN) rslsync 1840 h 52u IPv4 304556 0t0 TCP localhost:ddi-tcp-1->localhost:60184 (ESTABLISHED) rslsync 1840 h 55u IPv4 305437 0t0 TCP localhost:ddi-tcp-1->localhost:60190 (ESTABLISHED) rslsync 1840 h 56u IPv4 305440 0t0 TCP localhost:ddi-tcp-1->localhost:60192 (ESTABLISHED) firefox 4736 h 63u IPv4 304555 0t0 TCP localhost:60184->localhost:ddi-tcp-1 (ESTABLISHED) firefox 4736 h 90u IPv4 306233 0t0 TCP localhost:60190->localhost:ddi-tcp-1 (ESTABLISHED) firefox 4736 h 108u IPv4 305439 0t0 TCP localhost:60192->localhost:ddi-tcp-1 (ESTABLISHED)

Curriculum

Thanks for reading this tutorial. If you liked it, please upvote and resteem.

Sources

@harshallele





Posted on Utopian.io - Rewarding Open Source Contributors