LSOF command

Use the "lsof" command. lsof stands for LiSt Open Files. lsof can save you a lot of time and hassle if you are just checking on the status of your machine, but more importantly can give you valuable information and point you in the right direction when troubleshooting what exactly your machine is up to. Most are familiar with the command ‘netstat’ which provides a wealth of information about your network sockets. But the name implies exactly what it is good at: revealing information about your network sockets.

lsof takes it a notch further. Linux treats most everything as a file. Sockets, devices, directories, etc, can all be viewed as files. When a process or application interacts with these files it has to "open" them if you will. Using this command you can delve into and see what your system is up to. Checking out the man pages on lsof (#man lsof) is a great start to see how to explore the current "goingson" of your box. Some examples are included to show you the power and wealth of information from this little lister.

It’s a great tool for administrators.


Show all open TCP files – Will return what service is running, who is running it, the process ID and the connections on all TCP ports:

# lsof -i TCP

Show open TCP files on port 80 –

# lsof -i TCP:80 

returns --> httpd2-wo 7010 wwwrun    3u  IPv6  14787       TCP *:http (LISTEN)

Show open LDAP connections on TCP –

# lsof -i TCP:636

Want to know what files are open by a particular command (substitute your command after the c, and yes you can abbreviate it matches the closest command)-

# lsof -c mysq

returns --> 
mysqld    991 admin  cwd    DIR        8,3      240 148743 /home/admin/novell/idm/mysql/data
mysqld    991 admin  rtd    DIR        8,3      536      2 /
mysqld    991 admin  txt    REG        8,3  5464060 148691 /home/admin/novell/idm/mysql/bin/mysqld
mysqld    991 admin    0r   CHR        1,3           41715 /dev/null
mysqld    991 admin    1w   REG        8,3     1250 149954 /home/admin/novell/idm/mysql/mysql.log
mysqld    991 admin    2w   REG        8,3     1250 149954 /home/admin/novell/idm/mysql/mysql.log
mysqld    991 admin    3u  IPv4      86990             TCP *:63306 (LISTEN)...

Want to know what files are open by a particular device?

#lsof /dev/cdrom

returns --> bash    30904 admin  cwd    
DIR    3,0 2048 63692 /media/cdrecorder/linux/user_application_provisioning

You can change TCP to UDP and narrow down your requests to very specific items you want to target (i.e. is there an established connection from

# lsof -i TCP@ (lists LDAP connections to my server) 

returns --> java     890 root   18u  IPv6 8365030       

ndsd    6520 root  262u  IPv4 8390927       

Leave a Reply

Your email address will not be published. Required fields are marked *