
lsof cheat sheet

Files are an important part of Linux, as even devices and network connections have file descriptors. The lsof command is one of the most useful tools for system administration, and especially for troubleshooting issues. This lsof cheat sheet tries to cover the most useful functionality and options without overwhelming you the way the man page might.

Good to know

Lsof can be used as a normal user and as superuser (root or with sudo permissions). Sometimes you may need superuser rights to see any output at all, or to have access to all information.

Common options

Option   What the option does
-a       Consider all selectors to be ‘AND’ to reduce output
-c       Match by process name
-i       Match by internet address, or in other words, network connections
-i4      Limit to IPv4
-i6      Limit to IPv6
-n       Do not resolve IP addresses to hostnames
-P       Do not resolve port numbers to service names
-t       Show only the PIDs
-u       Limit files to a specific user

Creating a shell script? Then we suggest using the long format option, as this improves the readability. For quick use on the command line, consider using the short notation of the related option.

Performing specific requests

Open files in a specific directory

To see what is open within a directory, use the +D option.

lsof +D /var/log/journal

By mount point

Sometimes it may be useful to learn what files are open on a specific mount point, like a NAS. Use +f followed by two dashes to signal to lsof that a specific path is coming.

lsof +f -- /mnt/backup/

NFS mounts

When using NFS, we can query all open files.

lsof -N

Open files by process id (PID)

lsof -p 1234

Open files by process name

lsof -c nginx

Open files by user

On a web server you may want to check what files are opened for the user account that runs the web server.

lsof -u www-data

To see all open files, except those by root, use the caret before the username.

lsof -u ^root

Deleted files

Sometimes files are still open even though they have already been deleted. To uncover them, use lsof with the option +L1. The ‘1’ defines the boundary, so all files with fewer than 1 link are shown.

lsof +L1

Open network connections

As everything is a file on Linux, the related sockets are also visible as files. To query them, select one or more ports.

lsof -i :80,443

Another way is by protocol.

lsof -i UDP -i TCP

To only show listening TCP services, limit the output. To avoid any lookups (hostname or service name), add -n and -P.

lsof -n -P -i TCP -sTCP:Listen
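
The listening-services query above can feed a simple exposure check. The following is an added example, not part of the original cheat sheet: it filters that output for listeners bound to non-loopback addresses on ports outside an allowlist. The function names, the allowlist and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample of listening-socket output from lsof (not real data).
# lsof truncates COMMAND to 9 characters by default, hence "redis-ser".
sample_lsof_output() {
cat <<'EOF'
COMMAND    PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       812     root    3u  IPv4  21345      0t0  TCP *:22 (LISTEN)
sshd       812     root    4u  IPv6  21347      0t0  TCP *:22 (LISTEN)
nginx     1034     root    6u  IPv4  23456      0t0  TCP *:80 (LISTEN)
nginx     1035 www-data    6u  IPv4  23456      0t0  TCP *:80 (LISTEN)
postgres   990 postgres    5u  IPv4  22001      0t0  TCP 127.0.0.1:5432 (LISTEN)
redis-ser 1201    redis    6u  IPv4  25010      0t0  TCP *:6379 (LISTEN)
redis-ser 1201    redis    7u  IPv6  25011      0t0  TCP *:6379 (LISTEN)
python3   1422    alice    3u  IPv4  26100      0t0  TCP 192.168.1.10:8000 (LISTEN)
node      1500    alice   21u  IPv6  26200      0t0  TCP [::1]:9229 (LISTEN)
EOF
}

# unexpected_listeners "22 80 443" < lsof-output
# Reads lsof output on stdin and prints "COMMAND USER ADDRESS:PORT" once for
# each listener that is reachable from other hosts (not bound to loopback)
# and whose port is missing from the space-separated allowlist in $1.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF != "(LISTEN)" { next }        # skips the header and non-listening rows
        {
            name = $(NF - 1)              # *:22, 127.0.0.1:5432, [::1]:9229
            port = name; sub(/^.*:/, "", port)
            addr = name; sub(/:[0-9]+$/, "", addr)
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            if (port in ok) next                           # expected service
            key = $1 " " $3 " " name
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Offline demonstration on the constructed sample. For live use, pipe the
# listening-services command into the function instead:
#   lsof -n -P -i TCP -sTCP:LISTEN | unexpected_listeners "22 80 443"
sample_lsof_output | unexpected_listeners "22 80 443"
```

Run as root (or with sudo) for live use, otherwise sockets owned by other users may be missing from the lsof output and go unreported.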

Open connections for a single IP address can be specified as well, optionally with a port.

lsof -n -P -i @192.168.1.1:22

Combine options

Use the -a option to tell lsof to combine the options (logical AND operator). For example, to show only files (regular and directory) that are opened by the nginx process, we can combine the options into a command like this.

lsof -a -c nginx -r 3 /

By defining the root path, only normal files are displayed, and only if they are opened by the process with the name ‘nginx’. The -r option defines a refresh rate, so that we can see the files opened by nginx at a given moment in time.

Special use-cases

Use the -t option to show terse output, meaning only the process IDs (PIDs) are displayed. This can then be used as input for a command like kill.


This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.
