lsof command (Linux)

lsof stands for "list open files". So actually it shows all files used by some processes of a system. As in linux many interesting resources are modeled as files, lsof command becomes very useful tool.

Let's get best of it!

In the absence of any options, lsof lists all open files belonging to all active processes of a system.


Network connections with lsof

The interesting option here is the -i that should be followed by the Internet address which is specified in the following form:


4 and 6 stand for ip protocol versions, the rest should be self expanded. Let's get hands on:

#Show all open connections
lsof -i

# Show all open TCP connections
lsof -i TCP  

Looking for specific ports...

#Examples of: Show TCP connection on on 636, 80 and UDP port range 3000-3025
lsof -i TCP:636  
lsof -i TCP:80  
lsof -i UDP:3000-3025

#every protocol on port 22
lsof -i :22  

to show all listening objects use:

lsof -i| grep LISTEN  
#or with options -P and -a
lsof -i -P -a| grep LISTEN  


  • -P forces lsof to show port numbers instead of protocol name (22 vs ssh, 5671 vs amqps)
  • -a forces to show ip addresses and not to resolve DNS names

More examplese

Show LDAP *incoming * connections

lsof -i TCP@ ()  
#java  890 root  18u  IPv6 8332031

Who uses SMTP?

lsof -i :25  
#sendmail 401 root    5u  IPv4 0x300023cc141      0t0  TCP *:smtp (LISTEN)
#sendmail 401 root    6u  IPv6 0x3000243c200      0t0  TCP *:smtp (LISTEN)

More Examples of lsof

-c option allows to see what files are open by a particular command.

lsof -c mysq  
lsof -c ruby  

Find files that are open by a particular device or a file

lsof /dev/cdrom  
lsof /tmp/obscure.lock  

Find files that are opened by a user guest

lsof –u guest  
#vi   5200 guest txt REG 3,1   242601 245773 /bin/vi

Recursive watch

And at last use -r option for monitoring. Here is example of periodically (every 10 seconds) refresh of connection status for a concrete application started as php.

lsof -r 10 -c php -a -i :1521  

It gives periodically all 1521 port connections. 1521 is typical Oracle DB connection port, so that example may serve you as base for script that monitors connection growing of your PHP applications.

lsof & PID

Next one uses the -t parameter which causes lsof return only a process id of a file using application. So following command allows you to kill all application that are using provided file.

kill -9 `lsof -t /tmp/obscure.lock`  

Coming from other side, having a PID, we can list all resources used by the process, which might be very useful as well.

lsof -p 8698

#docker-pr 8698 root  cwd       DIR  253,1     4096        128 /
#docker-pr 8698 root  rtd       DIR  253,1     4096        128 /
#docker-pr 8698 root  txt       REG  253,1  1593264   17005705 /usr/bin/docker-proxy
#docker-pr 8698 root  mem       REG  253,1  2127336   33647913 /usr/lib64/
#docker-pr 8698 root  mem       REG  253,1   144792   33647939 /usr/lib64/
#docker-pr 8698 root  mem       REG  253,1   164112   33647906 /usr/lib64/
#docker-pr 8698 root    0r      CHR    1,3      0t0       4558 /dev/null
#docker-pr 8698 root    1w      CHR    1,3      0t0       4558 /dev/null
#docker-pr 8698 root    2w      CHR    1,3      0t0       4558 /dev/null
#docker-pr 8698 root    4u     IPv6  97112      0t0        TCP *:25672 (LISTEN)
#docker-pr 8698 root    5u  a_inode    0,9        0       4554 [eventpoll]
#docker-pr 8698 root   10r      REG    0,3        0 4026531956 net