lsof Command (List Of Open Files)

The lsof output describes:

  • the identification number of the process (PID) that has opened the file;
  • the process group identification number (PGID) of the process (optional);
  • the process identification number of the parent process (PPID) (optional);
  • the command the process is executing;
  • the owner of the process;
  • for all files in use by the process, including the executing text file and the shared libraries it is using:
    • the file descriptor number of the file, if applicable;
    • the file’s access mode;
    • the file’s lock status;
    • the file’s device numbers;
    • the file’s inode number;
    • the file’s size or offset;
    • the name of the file system containing the file;
    • any available components of the file’s path name;
    • the names of the file’s stream components;
    • the file’s local and remote network addresses;
    • the TLI network (typically UDP) state of the file;
    • the TCP state, read queue length, and write queue length of the file;
    • the file’s TCP window read and write lengths (Solaris only); and
    • other file or dialect-specific values.

Search for the process which is listening of a particular port :

sudo lsof -i:4200

Search for the process and kill it using below command :

sudo kill $(sudo lsof -t -i:4200)

Search for the list of open files for a user

lsof -u user 

How to interpret this output of lsof command?

COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
webalizer 32342 ctxmortg    5uW  REG   8,17    12288 32890954 /home2/ctxmortg/tmp/webalizer/eyebestdatedotcomauph.ctxmortgagemortgagerefi.com/dns_cache.db

FD – File Descriptor

If you are looking for file being written, look for following flag

# - The number in front of flag(s) is the file descriptor number of used by the process to associated with the file
u - File open with Read and Write permission
r - File open with Read permission
w - File open with Write permission
W - File open with Write permission and with Write Lock on entire file
mem - Memory mapped file, usually for share library

cwd => current working directory
3r  => file descriptor 3 opened for reading
DIR => directory
REG => regular file 

TYPE – File Type

In Linux, almost everything are files, but with different type.

REG - REGgular file, file that show up in directory
DIR - Directory

NODE

inode number in filesystem

You can find complete details in the man page.

Leave a Comment