Table of Contents

1 An LSOF cheat sheet

lsof(8) is one of those tools that I never got around to learn properly until today. It's an abbreviation for LiSt Open Files, and it will display any open "files".

Now, since UNIX systems represent pretty much anything as files, this can be really useful. Files, directories, inodes, sockets, devices; they are all files in UNIX.

A typical scenario is that you know something is connected to a port, but you're not sure what kind of process it is.

Below you'll find a list of some useful uses of lsof.

1.1 Without any parameters

Without any parameters, lsof is really verbose.

lsof

# Lots and lots of output below

It will list all files opened by all processes on your system.

1.2 Which processes are using the Unicorn socket:

Let's say you have a Unicorn server listening on a socket in /var/www/gitorious/app/tmp/pids/unicorn.sock. To display all processes connected to that socket, simply enter the path to the socket:

lsof /var/www/gitorious/app/tmp/pids/unicorn.sock

COMMAND  PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ruby    4786  git    3u  unix 0xffff8800379d8380      0t0 9626 /var/www/gitorious/app/tmp/pids/unicorn.sock
ruby    4834  git    3u  unix 0xffff8800379d8380      0t0 9626 /var/www/gitorious/app/tmp/pids/unicorn.sock
ruby    4835  git    3u  unix 0xffff8800379d8380      0t0 9626 /var/www/gitorious/app/tmp/pids/unicorn.sock
ruby    4836  git    3u  unix 0xffff8800379d8380      0t0 9626 /var/www/gitorious/app/tmp/pids/unicorn.sock
ruby    4837  git    3u  unix 0xffff8800379d8380      0t0 9626 /var/www/gitorious/app/tmp/pids/unicorn.sock

You can see that I have five processes connected to that socket: one master process and four workers.

1.3 Which processes have an open socket on a TCP port

To view which processes are connected to a Redis server (port 6379):

lsof -i :6379

COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
redis-ser 4713 redis    4u  IPv4  29783      0t0  TCP localhost:6379 (LISTEN)
redis-ser 4713 redis    5u  IPv4  30097      0t0  TCP localhost:6379->localhost:33314 (ESTABLISHED)
redis-ser 4713 redis    6u  IPv4  30144      0t0  TCP localhost:6379->localhost:33317 (ESTABLISHED)
ruby      4787   git    5u  IPv4  30096      0t0  TCP localhost:33314->localhost:6379 (ESTABLISHED)
ruby      4837   git   11u  IPv4  30143      0t0  TCP localhost:33317->localhost:6379 (ESTABLISHED)

How about which processes are connected to port 443:

lsof -i :443

COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx   4806  root    7u  IPv4  29986      0t0  TCP *:https (LISTEN)
nginx   4807 nginx    7u  IPv4  29986      0t0  TCP *:https (LISTEN)

1.4 Which processes have the nginx binary open

Which PIDs have the nginx binary open?

lsof /usr/sbin/nginx

COMMAND  PID  USER  FD   TYPE DEVICE SIZE/OFF   NODE NAME
nginx   4806  root txt    REG  253,0   769008 143072 /usr/sbin/nginx
nginx   4807 nginx txt    REG  253,0   769008 143072 /usr/sbin/nginx

1.5 What are the PIDs of processes having the nginx binary open

The -t switch to lsof will display the PID only:

lsof -t /usr/sbin/nginx

4806
4807

1.6 Which processes are accessing the Mysql socket?

lsof /var/lib/mysql/mysql.sock

COMMAND  PID  USER   FD   TYPE             DEVICE SIZE/OFF  NODE NAME
mysqld  1398 mysql   12u  unix 0xffff88007a7c0980      0t0  9242 /var/lib/mysql/mysql.sock
mysqld  1398 mysql   81u  unix 0xffff880037d8a6c0      0t0 30128 /var/lib/mysql/mysql.sock
mysqld  1398 mysql   85u  unix 0xffff88007c216980      0t0 30042 /var/lib/mysql/mysql.sock

1.7 And their PIDs

lsof -t /var/lib/mysql/mysql.sock

1398

and combine it with another useful UNIX utility, ps:

ps -p 1398

  PID TTY          TIME CMD
 1398 ?        00:00:58 mysqld

1.8 Which files are being used by a PID?

Let's say you know a PID, and want to know which files have been opened by this process? Enter the +p parameter. First of all, let's find a process listening on a socket

lsof -t /var/www/gitorious/app/tmp/pids/unicorn.sock

4786
4834
4835
4836
4837

Now let's see which files are opened by the second of these processes:

lsof +p 4834

# lots of output below

1.9 Which processes have an open TCP socket to www.google.com

Let's say you want to know if anyone has an open TCP connection to www.google.com on port 80:

lsof -iTCP@www.google.com:80

COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
telnet  5034 root    3u  IPv4  33309      0t0  TCP 10.0.0.42:39394->ee-in-f105.1e100.net:http (ESTABLISHED)

To get the PID only:

lsof -t -iTCP@www.google.com:80

5052

I know what you're thinking: what can I use this PID for? Well, how about killing all processes with such a connection open using xargs(1) and kill(1):

lsof -t -iTCP@www.google.com:80 | xargs kill

Feel free to contribute any other useful examples of lsof.

comments powered by Disqus