Linux lsof Command with Practical Examples


Introduction

In this lab, you will learn how to use the lsof command, which stands for "list open files", to identify open files and network connections on a Linux system. The lsof command is a powerful tool that provides detailed information about the processes that have open files, including the file descriptor, file type, device, and file name.

The lab covers three main steps: understanding the lsof command, identifying open files by a process, and locating network connections using lsof. You will learn how to interpret the output of the lsof command and use various options to filter the results. This lab is part of the System Monitoring and Management curriculum and will help you develop skills in system administration and troubleshooting.


Understand the lsof Command

In this step, you will learn about the lsof command, which stands for "list open files". The lsof command is a powerful tool in Linux that allows you to identify which processes have open files and network connections.

To begin, run the lsof command without any arguments:

sudo lsof

Example output:

COMMAND     PID   TID     USER   FD      TYPE             DEVICE SIZE/OFF       NODE NAME
systemd       1             root  cwd       DIR                8,1      4096          2 /
systemd       1             root  rtd       DIR                8,1      4096          2 /
systemd       1             root  txt       REG                8,1   1428176     655360 /usr/lib/systemd/systemd
systemd       1             root  mem       REG                8,1   2067688     655361 /usr/lib/x86_64-linux-gnu/libc-2.35.so
...

The lsof command displays a lot of information about open files and network connections on your system. Let's break down the columns:

  • COMMAND: The name of the process that has the open file.
  • PID: The process ID of the process.
  • TID: The thread ID (if applicable).
  • USER: The user who owns the process.
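  • FD: The file descriptor number followed by its access mode (r for read, w for write, u for read and write), or a label such as cwd (current working directory), rtd (root directory), txt (program text), or mem (memory-mapped file).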
  • TYPE: The type of the open file (e.g., regular file, directory, socket, etc.).
  • DEVICE: The device number of the file system where the file is located.
  • SIZE/OFF: The size of the file or the file offset.
  • NODE: The inode number of the file.
  • NAME: The name of the file or network connection.

The output can be quite lengthy, so you can use various options to filter the results. For example, to see only the open files for a specific process, you can use the -p option followed by the process ID:

sudo lsof -p 1

This will show you all the open files for the process with PID 1, which is typically the systemd process.

You can also use the lsof command to find open files by a specific user:

sudo lsof -u labex

This will show you all the files opened by processes that run as the labex user.

In the next step, you will learn how to use the lsof command to identify open files by a specific process.

Identify Open Files by a Process

In this step, you will learn how to use the lsof command to identify the open files associated with a specific process.

Let's start by finding the process ID (PID) of a running process. You can use the ps command for this:

sudo ps -ef | grep nginx

Example output:

root         825       1  0 14:32 ?        00:00:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data    826     825  0 14:32 ?        00:00:00 nginx: worker process
www-data    827     825  0 14:32 ?        00:00:00 nginx: worker process

In this example, the nginx master process has a PID of 825, and PIDs 826 and 827 are its worker processes.

Now, you can use the lsof command to list all the open files associated with this process:

sudo lsof -p 825

Example output:

COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
nginx   825 root  cwd    DIR  253,0     4096 1048576 /usr/sbin
nginx   825 root  rtd    DIR  253,0     4096       2 /
nginx   825 root  txt    REG  253,0   977528 1048577 /usr/sbin/nginx
nginx   825 root  mem    REG  253,0  2067688 1048578 /usr/lib/x86_64-linux-gnu/libc-2.35.so
nginx   825 root  mem    REG  253,0   169032 1048579 /usr/lib/x86_64-linux-gnu/ld-2.35.so
nginx   825 root    0u   CHR  136,0      0t0       3 /dev/pts/0
nginx   825 root    1u   CHR  136,0      0t0       3 /dev/pts/0
nginx   825 root    2u   CHR  136,0      0t0       3 /dev/pts/0

This output shows all the open files associated with the nginx process, including the executable file, shared libraries, and the standard input/output/error file descriptors.

You can also use the lsof command to find open files by a specific user. For example, to find all the files opened by processes that run as the labex user:

sudo lsof -u labex

This can be useful for troubleshooting issues or understanding the activity of a specific user on the system.

In the next step, you will learn how to use the lsof command to locate network connections.

Locate Network Connections Using lsof

In this step, you will learn how to use the lsof command to identify network connections on your system.

To list all the network connections on your system, you can use the lsof command with the -i option:

sudo lsof -i

Example output:

COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      824 root   3u  IPv4  18620      0t0  TCP *:22 (LISTEN)
sshd      824 root   4u  IPv6  18622      0t0  TCP *:22 (LISTEN)
nginx    825 root   6u  IPv4  18650      0t0  TCP *:80 (LISTEN)
nginx    826 www-data 6u IPv4  18650      0t0  TCP *:80 (LISTEN)
nginx    827 www-data 6u IPv4  18650      0t0  TCP *:80 (LISTEN)

This output shows the network sockets that processes hold open. Here, the sshd process is listening on port 22 (SSH) and the nginx processes are listening on port 80 (HTTP).

You can also filter the output to show only specific types of network connections. For example, to show only TCP connections:

sudo lsof -i TCP

Example output:

COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      824 root   3u  IPv4  18620      0t0  TCP *:22 (LISTEN)
sshd      824 root   4u  IPv6  18622      0t0  TCP *:22 (LISTEN)
nginx    825 root   6u  IPv4  18650      0t0  TCP *:80 (LISTEN)
nginx    826 www-data 6u IPv4  18650      0t0  TCP *:80 (LISTEN)
nginx    827 www-data 6u IPv4  18650      0t0  TCP *:80 (LISTEN)

You can also filter the output to show only connections for a specific user or process. By default lsof ORs its selection options together, so add the -a option to AND them. For example, to show only the network connections for the labex user:

sudo lsof -a -i -u labex

The lsof command can be a powerful tool for troubleshooting network issues and understanding the network activity on your system.
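Added example (not part of the original lab): a shell function that reads lsof -i output and reports TCP listeners that are not on an allowlist. The sample input is constructed from the lab's output plus an invented python3 listener and an invented established SSH session; the function name and the "command:port" allowlist format are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample input: the listeners from the lab output above, plus an
# invented python3 listener and an invented established SSH session.
sample_lsof_output() {
cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      824 root   3u  IPv4  18620      0t0  TCP *:22 (LISTEN)
sshd      824 root   4u  IPv6  18622      0t0  TCP *:22 (LISTEN)
nginx    825 root   6u  IPv4  18650      0t0  TCP *:80 (LISTEN)
nginx    826 www-data 6u IPv4  18650      0t0  TCP *:80 (LISTEN)
nginx    827 www-data 6u IPv4  18650      0t0  TCP *:80 (LISTEN)
python3 1432 labex  3u  IPv4  20111      0t0  TCP *:8000 (LISTEN)
sshd    1501 root   4u  IPv4  20340      0t0  TCP 10.0.0.5:22->10.0.0.9:51512 (ESTABLISHED)
EOF
}

# unexpected_listeners "cmd:port ..."  (hypothetical helper name)
# Reads lsof -i output on stdin (nine-column layout shown above, no TID
# column) and prints "COMMAND USER ADDRESS" once per listening socket whose
# command:port pair is not in the space-separated allowlist.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF != "(LISTEN)" { next }          # skips the header and non-listeners
        {
            addr = $(NF - 1)                # e.g. *:22 or [::1]:631
            port = addr; sub(/.*:/, "", port)
            key = $1 ":" port
            if (key in ok) next
            row = $1 " " $3 " " addr
            if (!(row in seen)) { seen[row] = 1; print row }
        }'
}

# Live use: sudo lsof -nP -iTCP -sTCP:LISTEN | unexpected_listeners "sshd:22 nginx:80"
sample_lsof_output | unexpected_listeners "sshd:22 nginx:80"
```

On a live system, -n and -P keep addresses and ports numeric so the port comparison does not depend on name resolution.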

Summary

In this lab, you learned how to use the lsof command, which stands for "list open files". The lsof command is a powerful tool in Linux that allows you to identify which processes have open files and network connections. You started by running the lsof command without any arguments to understand the various columns of information it provides, such as the process name, process ID, file descriptor, file type, and file name. You then learned how to use the -p option to view the open files for a specific process. Finally, you explored how to use the lsof command to locate network connections on your system.
