Today we will see lsof command examples and practical usage of lsof command. Before that let’s see what’s lsof?

Lsof command is a short form of listing open files. It’s a utility on a Linux system that will list the information of the files that are currently in opened state or are opened by a process.

If you simply type lsof command on a terminal it will list all the active files.

Installation of lsof command

[root@centos7 ~]# yum install lsof

Lsof command usage:

See the default output of lsof command it will show all the active files.

[root@centos7 ~]# lsof
COMMAND    PID  TID    USER   FD      TYPE             DEVICE  SIZE/OFF       NODE NAME
systemd      1         root  cwd       DIR              253,0       224         64 /
systemd      1         root  rtd       DIR              253,0       224         64 /
systemd      1         root  txt       REG              253,0   1632960  538226417 /usr/lib/systemd/systemd
systemd      1         root  mem       REG              253,0     20064  537322022 /usr/lib64/libuuid.so.1.3.0
systemd      1         root  mem       REG              253,0    265576  537881327 /usr/lib64/libblkid.so.1.1.0
init       1       root    0u      CHR        1,3       0t0       4369 /dev/null
init       1       root    1u      CHR        1,3       0t0       4369 /dev/null
init       1       root    2u      CHR        1,3       0t0       4369 /dev/null
init       1       root    3r     FIFO        0,8       0t0       6323 pipe

if you want to see what processes a particular file has opened you can use the table below

[root@centos7 ~]# lsof script.sh
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF       NODE NAME
sh      10869 root  255r   REG  253,0       61 1610824772 script.sh
[root@centos7 ~]#

In the example above, I have created a simple script.sh with while loop and it’s running. So when I do lsof script.sh it will show you all the processes opened by the file.

To see the files opened by a particular user use the command below.

[root@centos7 ~]# lsof -u centos
COMMAND     PID   USER   FD   TYPE             DEVICE  SIZE/OFF       NODE NAME
sshd      23686 centos  cwd    DIR              253,0       224         64 /
sshd      23686 centos  rtd    DIR              253,0       224         64 /
sshd      23686 centos  txt    REG              253,0    852888  537356191 /usr/sbin/sshd
sshd      23686 centos  mem    REG              253,0     15488  537355571 /usr/lib64/security/pam_lastlog.so
sshd      23686 centos  mem    REG              253,0     15648  537355550 /usr/lib64/libpam_misc.so.0.82.0
sshd      23686 centos  mem    REG              253,0    309248  538226413 /usr/lib64/security/pam_systemd.so
sshd      23686 centos  mem    REG              253,0     19616  537355572 /usr/lib64/security/pam_limits.so
sshd      23686 centos  mem    REG              253,0     11168  537355570 /usr/lib64/security/pam_keyinit.so

If you use the root instead of centos and grep script it will show script.sh is still running

[root@centos7 ~]# lsof -u root | grep script
sh        10881 root  255r      REG              253,0        70 1610824772 /root/script.sh

Network connections

[root@centos7 ~]# lsof -i
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
chronyd   650 chrony    5u  IPv4  15523      0t0  UDP localhost:323
chronyd   650 chrony    6u  IPv6  15524      0t0  UDP localhost:323
dhclient  799   root    6u  IPv4  17173      0t0  UDP *:bootpc
sshd      986   root    3u  IPv4  18026      0t0  TCP *:ssh (LISTEN)
sshd      986   root    4u  IPv6  18035      0t0  TCP *:ssh (LISTEN)
master   1233   root   13u  IPv4  18729      0t0  TCP localhost:smtp (LISTEN)
master   1233   root   14u  IPv6  18730      0t0  TCP localhost:smtp (LISTEN)

Similarly, you can just check out the network connections just for IPV6

[root@centos7 ~]# lsof -i 6
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
chronyd  650 chrony    6u  IPv6  15524      0t0  UDP localhost:323
sshd     986   root    4u  IPv6  18035      0t0  TCP *:ssh (LISTEN)
master  1233   root   14u  IPv6  18730      0t0  TCP localhost:smtp (LISTEN)

Similarly, if you want to exclude IPV6 from lsof command and just see IPV4 then you can type 4 instead of 6

[root@centos7 ~]# lsof -i 4
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
chronyd   650 chrony    5u  IPv4  15523      0t0  UDP localhost:323
dhclient  799   root    6u  IPv4  17173      0t0  UDP *:bootpc
sshd      986   root    3u  IPv4  18026      0t0  TCP *:ssh (LISTEN)
master   1233   root   13u  IPv4  18729      0t0  TCP localhost:smtp (LISTEN)

If you want to see all the processes opened by a PID then use the command below

[root@centos7 ~]# lsof -p 650
COMMAND PID   USER   FD   TYPE             DEVICE SIZE/OFF      NODE NAME
chronyd 650 chrony  cwd    DIR              253,0      224        64 /
chronyd 650 chrony  rtd    DIR              253,0      224        64 /
chronyd 650 chrony  txt    REG              253,0   269392 537537844 /usr/sbin/chronyd
chronyd 650 chrony  mem    REG              253,0    68192 536928494 /usr/lib64/libbz2.so.1.0.6
chronyd 650 chrony  mem    REG              253,0   157424 536928468 /usr/lib64/liblzma.so.5.2.2
chronyd 650 chrony  mem    REG              253,0    90176 536910258 /usr/lib64/libz.so.1.2.7
chronyd 650 chrony  mem    REG              253,0    99944 536928565 /usr/lib64/libelf-0.176.so
chronyd 650 chrony  mem    REG              253,0    88720 536870988 /usr/lib64/libgcc_s-4.8.5-20150702.so.1
chronyd 650 chrony  mem    REG              253,0   338672 537381838 /usr/lib64/libdw-0.176.so
chronyd 650 chrony  mem    REG              253,0    43712 536910244 /usr/lib64/librt-2.17.so

Kill all processes of a particular

Many times you will have the situation where you want to kill the processes opened by a particular user, maybe he is doing some weird stuff or running too many scripts which is slowing down the server.

Kill -9 `lsof -t -u justgeek`

You can also see the open files for a particular file system as well for example

[root@centos7 ~]# lsof /var/log

I hope you have mastered LSOF command examples and checkout Shells in Linux