The lsof command in Linux: list open files by processes

Posted on by BlockmyIP | Category: Linux terminal commands

Introduction to lsof

The lsof command (List Open Files) is an essential tool for Linux system administrators that allows you to see which files, devices, sockets, and pipes each process has open on the system. This information is useful for debugging permission problems, detecting resource leaks, or investigating suspicious activity.

Installation and availability

In most modern distributions, lsof comes pre‑installed. If it is not available, you can install it with the appropriate package manager:

  • Debian/Ubuntu: sudo apt-get install lsof
  • Red Hat/CentOS: sudo yum install lsof
  • Fedora: sudo dnf install lsof
  • Arch Linux: sudo pacman -S lsof

Basic syntax

The simplest way to run lsof is without arguments, which shows all files opened by all processes:

sudo lsof

Because the output can be very extensive, it is often useful to combine it with filtering options or with grep.

Most used filtering options

  • -p <PID>: shows the files opened by the process whose ID is <PID>.
  • -u <usuario>: lists the files opened by all processes of the specified user.
  • -i <condition>: filters network connections. For example, -i TCP:80 shows TCP sockets on port 80.
  • +D <directory>: lists all files opened within a directory and its subdirectories.
  • -d <descriptor>: limits the output to certain types of file descriptors (for example, -d 1 for stdout).
  • -t: only prints the PIDs, useful for passing to other commands such as kill.
  • -F: produces machine‑readable output, ideal for scripts.

Practical examples

Below are some examples that illustrate everyday use of lsof:

  • See what files a specific process has open:

    sudo lsof -p 1234

  • Find processes that are using a port:

    sudo lsof -i TCP:22

  • List all files opened by a user:

    sudo lsof -u juan

  • Detect processes that keep a deleted file open:

    sudo lsof | grep deleted

  • Get only the PIDs of processes that use a directory:

    sudo lsof -t +D /var/log

  • Use machine‑readable output for a script:

    sudo lsof -F pct -i TCP:80

Security considerations

Because lsof can reveal sensitive information (file paths, usernames, network connection details), its execution usually requires root privileges to view information for all processes. In environments where the principle of least privilege is applied, it is advisable to restrict access to lsof via sudo or via specific kernel capabilities.

Conclusion

The lsof command is a powerful and versatile tool that belongs in the toolkit of any Linux administrator. Mastering its options allows you to quickly diagnose resource problems, audit file usage, and monitor network activity on the system. Practicing with the examples shown and consulting the manual page (man lsof) will help you get the most out of this utility.

This post is also available in ESPAÑOL.

Leave a Reply

Your email address will not be published. Required fields are marked *

Esta obra está bajo una Licencia Creative Commons Atribución 4.0 Internacional para Francesc Roig francesc@vivaldi.net .