lsof(8) is one of those tools that I never got around to learn properly until today. It's an abbreviation for LiSt Open Files, and it will display any open "files".
Now, since UNIX systems represent pretty much anything as files, this can be really useful. Files, directories, inodes, sockets, devices; they are all files in UNIX.
A typical scenario is that you know something is connected to a port, but you're not sure what kind of process it is.
Below you'll find a list of some useful uses of lsof.
Without any parameters, lsof is really verbose.
lsof # Lots and lots of output below
It will list all files opened by all processes on your system.
Let's say you have a Unicorn server listening on a socket in
/var/www/gitorious/app/tmp/pids/unicorn.sock. To display all
processes connected to that socket, simply enter the path to the socket:
lsof /var/www/gitorious/app/tmp/pids/unicorn.sock COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME ruby 4786 git 3u unix 0xffff8800379d8380 0t0 9626 /var/www/gitorious/app/tmp/pids/unicorn.sock ruby 4834 git 3u unix 0xffff8800379d8380 0t0 9626 /var/www/gitorious/app/tmp/pids/unicorn.sock ruby 4835 git 3u unix 0xffff8800379d8380 0t0 9626 /var/www/gitorious/app/tmp/pids/unicorn.sock ruby 4836 git 3u unix 0xffff8800379d8380 0t0 9626 /var/www/gitorious/app/tmp/pids/unicorn.sock ruby 4837 git 3u unix 0xffff8800379d8380 0t0 9626 /var/www/gitorious/app/tmp/pids/unicorn.sock
You can see that I have five processes connected to that socket: one master process and four workers.
To view which processes are connected to a Redis server (port 6379):
lsof -i :6379 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME redis-ser 4713 redis 4u IPv4 29783 0t0 TCP localhost:6379 (LISTEN) redis-ser 4713 redis 5u IPv4 30097 0t0 TCP localhost:6379->localhost:33314 (ESTABLISHED) redis-ser 4713 redis 6u IPv4 30144 0t0 TCP localhost:6379->localhost:33317 (ESTABLISHED) ruby 4787 git 5u IPv4 30096 0t0 TCP localhost:33314->localhost:6379 (ESTABLISHED) ruby 4837 git 11u IPv4 30143 0t0 TCP localhost:33317->localhost:6379 (ESTABLISHED)
How about which processes are connected to port 443:
lsof -i :443 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME nginx 4806 root 7u IPv4 29986 0t0 TCP *:https (LISTEN) nginx 4807 nginx 7u IPv4 29986 0t0 TCP *:https (LISTEN)
Which PIDs have the
nginx binary open?
lsof /usr/sbin/nginx COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME nginx 4806 root txt REG 253,0 769008 143072 /usr/sbin/nginx nginx 4807 nginx txt REG 253,0 769008 143072 /usr/sbin/nginx
-t switch to lsof will display the PID only:
lsof -t /usr/sbin/nginx 4806 4807
lsof /var/lib/mysql/mysql.sock COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME mysqld 1398 mysql 12u unix 0xffff88007a7c0980 0t0 9242 /var/lib/mysql/mysql.sock mysqld 1398 mysql 81u unix 0xffff880037d8a6c0 0t0 30128 /var/lib/mysql/mysql.sock mysqld 1398 mysql 85u unix 0xffff88007c216980 0t0 30042 /var/lib/mysql/mysql.sock
lsof -t /var/lib/mysql/mysql.sock 1398
and combine it with another useful UNIX utility,
ps -p 1398 PID TTY TIME CMD 1398 ? 00:00:58 mysqld
Let's say you know a PID, and want to know which files have been
opened by this process? Enter the
+p parameter. First of all,
let's find a process listening on a socket
lsof -t /var/www/gitorious/app/tmp/pids/unicorn.sock 4786 4834 4835 4836 4837
Now let's see which files are opened by the second of these processes:
lsof +p 4834 # lots of output below
Let's say you want to know if anyone has an open TCP connection to www.google.com on port 80:
lsof -iTCP@www.google.com:80 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME telnet 5034 root 3u IPv4 33309 0t0 TCP 10.0.0.42:39394->ee-in-f105.1e100.net:http (ESTABLISHED)
To get the PID only:
lsof -t -iTCP@www.google.com:80 5052
I know what you're thinking: what can I use this PID for? Well, how about killing all processes with such a connection open using xargs(1) and kill(1):
lsof -t -iTCP@www.google.com:80 | xargs kill
Feel free to contribute any other useful examples of lsof.comments powered by Disqus