TrumanWong

lsof

Display a list of all files currently open on the Linux system, for example: lsof -p pid

Supplementary instructions

The lsof command shows the files a process has open, the processes that have a given file open, and the ports (TCP, UDP) a process has open. It can also be used to retrieve/recover deleted files. It is a very convenient system monitoring tool. Because lsof needs to access kernel memory and various files, it needs to be run as the root user.

In the Linux environment, everything exists in the form of a file. Through files you can access not only regular data but also network connections and hardware. For resources such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) sockets, the system allocates a file descriptor to the application in the background. Regardless of the nature of the file, the file descriptor gives the application a common interface for interacting with the underlying operating system. Because the list of descriptors an application has open reveals a lot about the application itself, being able to view this list with lsof is helpful for system monitoring and troubleshooting.

Syntax

lsof (options)

Options

-a: List the processes that open files;
-c<process name>: List files opened by the specified process;
-g: List GID number process details;
-d<file number>: List the processes occupying the file number;
+d<directory>: List the files opened in the directory;
+D<directory>: Recursively list open files in the directory;
-n<directory>: List files using NFS;
-i<condition>: List processes that meet the conditions (protocol, :port, @ip);
-p<process number>: List the files opened by the specified process number;
-u: List UID number process details;
-h: Display help information;
-v: Display version information.

Example

lsof
COMMAND   PID USER FD  TYPE    DEVICE    SIZE    NODE NAME
init        1 root cwd DIR        8,2    4096       2 /
init        1 root rtd DIR        8,2    4096       2 /
init        1 root txt REG        8,2   43496 6121706 /sbin/init
init        1 root mem REG        8,2  143600 7823908 /lib64/ld-2.5.so
init        1 root mem REG        8,2 1722304 7823915 /lib64/libc-2.5.so
init        1 root mem REG        8,2   23360 7823919 /lib64/libdl-2.5.so
init        1 root mem REG        8,2   95464 7824116 /lib64/libselinux.so.1
init        1 root mem REG        8,2  247496 7823947 /lib64/libsepol.so.1
init        1 root 10u FIFO      0,17            1233 /dev/initctl
migration   2 root cwd DIR        8,2    4096       2 /
migration   2 root rtd DIR        8,2    4096       2 /
migration   2 root txt unknown                        /proc/2/exe
ksoftirqd   3 root cwd DIR        8,2    4096       2 /
ksoftirqd   3 root rtd DIR        8,2    4096       2 /
ksoftirqd   3 root txt unknown                        /proc/3/exe
migration   4 root cwd DIR        8,2    4096       2 /
migration   4 root rtd DIR        8,2    4096       2 /
migration   4 root txt unknown                        /proc/4/exe
ksoftirqd   5 root cwd DIR        8,2    4096       2 /
ksoftirqd   5 root rtd DIR        8,2    4096       2 /
ksoftirqd   5 root txt unknown                        /proc/5/exe
events/0    6 root cwd DIR        8,2    4096       2 /
events/0    6 root rtd DIR        8,2    4096       2 /
events/0    6 root txt unknown                        /proc/6/exe
events/1    7 root cwd DIR        8,2    4096       2 /

The meaning of each column of information output by lsof is as follows:

Column   Description
COMMAND  The name of the process
PID      Process identifier
PPID     Parent process identifier (requires specifying the -R parameter)
USER     Process owner
PGID     Group to which the process belongs
FD       File descriptor by which the application identifies the file

File descriptor list:

FD    Description
cwd   Current working directory of the application. This is the directory the application was started in, unless the application itself changes it.
txt   Program code, such as the application binary itself or a shared library, for example the /sbin/init program shown in the list above
Lnn   Library reference (AIX)
err   FD information error (see the NAME column)
jld   Jail directory (FreeBSD)
ltx   Shared library text (code and data)
Mxx   Hexadecimal memory-mapped type number xx
m86   DOS Merge mapped file
mem   Memory-mapped file
mmap  Memory-mapped device
pd    Parent directory
rtd   Root directory
tr    Kernel trace file (OpenBSD)
v86   VP/ix mapped file
0 represents standard output
1 stands for standard input
2 stands for standard error

Generally, the descriptors for standard output, standard error, and standard input are followed by a character giving the file status mode:

Mode   Description
u      The file is open in read/write mode
r      The file is open in read-only mode
w      The file is open for writing
space  The status mode of the file is unknown and the file is not locked
-      The status mode of the file is unknown and the file is locked

The file status mode can in turn be followed by a lock character:

Lock   Description
N      Solaris NFS lock of unknown type
r      Read lock on part of the file
R      Read lock on the entire file
w      Write lock on part of the file
W      Write lock on the entire file
u      Read and write lock of any length
U      Lock of unknown type
x      SCO OpenServer Xenix lock on part of the file
X      SCO OpenServer Xenix lock on the entire file
space  No lock

File type (TYPE column):

Type  Description
DIR   Directory
CHR   Character device type
BLK   Block device type
UNIX  UNIX domain socket
FIFO  First-in-first-out (FIFO) queue
IPv4  Internet Protocol (IP) socket
REG   Regular file

Remaining columns:

Column  Description
DEVICE  The name of the disk
SIZE    The size of the file
NODE    Index node (identification of the file on disk)
NAME    The exact name of the open file

List files opened by a specified process ID:

lsof -p $pid

Get the ID of the process listening on a port (port => pid):

lsof -i:9981 -P -t -sTCP:LISTEN

List the processes that have a given file open:

lsof $filename

View port occupancy

lsof -i:$port

View all open files:

lsof

View files opened by the specified process:

lsof -p <PID>

View files opened by a specified user:

lsof -u <username>

View processes related to the specified file name:

lsof <filename>

View network connection related processes:

lsof -i

View processes related to the specified port:

lsof -i :<port>

View the processes using a directory:

lsof +D /path/to/directory

View files that were deleted but still open by a process:

lsof +L1
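
A file that has been deleted but is still held open stays readable through /proc/<PID>/fd/<FD> until the process closes it, which is what makes the recovery mentioned at the top of the page possible. The following is an added example, not part of the original page: it parses lsof's -F field output, assumed to come from `lsof -F pcfkn +L1`, and runs here on a constructed sample; the function names are illustrative.

```shell
# Constructed sample of `lsof -F pcfkn +L1` output (not captured from a real host).
# One field per line: p=PID, c=command, f=descriptor, k=link count, n=name.
sample_lsof_F() {
cat <<'EOF'
p1423
cnginx
f5
k0
n/var/log/nginx/access.log (deleted)
f6
k1
n/var/log/nginx/error.log
p2210
cworker
f3
k0
n/tmp/upload.bin (deleted)
EOF
}

# Read -F field output on stdin and print, for every numeric descriptor whose
# link count is 0 (unlinked but still open):
#   PID COMMAND FD /proc/PID/fd/FD ORIGINAL_NAME
find_deleted_open() {
  awk '
    function emit() {
      # Only numeric descriptors have an entry under /proc/PID/fd.
      if (fd ~ /^[0-9]+$/ && links == 0 && name != "")
        printf "%s %s %s /proc/%s/fd/%s %s\n", pid, cmd, fd, pid, fd, name
      fd = ""; links = -1; name = ""
    }
    BEGIN { links = -1 }
    /^p/ { emit(); pid = substr($0, 2); cmd = ""; next }   # new process set
    /^c/ { cmd = substr($0, 2); next }
    /^f/ { emit(); fd = substr($0, 2); next }              # new file set
    /^k/ { links = substr($0, 2) + 0; next }
    /^n/ { name = substr($0, 2); sub(/ \(deleted\)$/, "", name); next }
    END  { emit() }
  '
}
```

On a live system, run lsof -F pcfkn +L1 | find_deleted_open as root, then copy the listed /proc path to a new file to recover the contents before the owning process exits.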

View open files on a file system:

lsof /mountpoint

Display results in list form:

lsof -F

The hostname is not included in the displayed results:

lsof -n

The process path is not included in the displayed results:

lsof -b

Show results in reverse order:

lsof -r

Loop through results at specific intervals:

lsof -r <interval>

Display results in continuous mode:

lsof -t <interval>