The lsof command stands for “list open files”. It can show all open files as well as sockets, memory mapped libraries, directories, pipes, and network sockets. It is an incredibly powerful tool which you can use to gather detailed information about what is happening on your system.
If you run lsof as a normal user you will be limited to only the the processes owned by that user. To get system wide results you must run the command as root or use sudo.
Running the command by itself will show information for all active process on the system.
# lsof
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME lsof 7289 root cwd DIR 8,3 4096 6504451 /home/ryan lsof 7289 root rtd DIR 8,3 4096 2 / lsof 7289 root txt REG 8,3 110280 11178207 /usr/bin/lsof lsof 7289 root mem REG 8,3 114952 11504968 /lib64/ld-2.6.1.so lsof 7289 root mem REG 8,3 1293456 11504986 /lib64/libc-2.6.1.so lsof 7289 root 0u CHR 136,1 3 /dev/pts/1 lsof 7289 root 1u CHR 136,1 3 /dev/pts/1 lsof 7289 root 2u CHR 136,1 3 /dev/pts/1 lsof 7289 root 3r DIR 0,3 0 1 /proc lsof 7289 root 4r DIR 0,3 0 19745 /proc/7289/fd lsof 7289 root 5w FIFO 0,5 19759 pipe lsof 7289 root 6r FIFO 0,5 19760 pipe lsof 7290 root cwd DIR 8,3 4096 6504451 /home/ryan lsof 7290 root rtd DIR 8,3 4096 2 / lsof 7290 root txt REG 8,3 110280 11178207 /usr/bin/lsof lsof 7290 root mem REG 8,3 114952 11504968 /lib64/ld-2.6.1.so lsof 7290 root mem REG 8,3 1293456 11504986 /lib64/libc-2.6.1.so lsof 7290 root 4r FIFO 0,5 19759 pipe lsof 7290 root 7w FIFO 0,5 19760 pipe ...
As you can see in the previous output each open file is associated with its program and PID and has many attributes such as type, size, file descriptor, device, and inode number.
You can narrow the results down to an individual process.
# lsof -p 12345
You can get results for every process that is owned by a specific user.
# lsof -u ryan
This will give you detailed information about all network socket connections.
# lsof -i
You can narrow the results down to only TCP connections.
# lsof -i TCP
You can get information on a specific port.
# lsof -i :80
You can get information about all instances of a specific program
# lsof -c bash
This will show all files that are open within the ‘/tmp’ directory.
# lsof +D /tmp
To get even more detailed output you can pipe these results to grep or use the ‘-a‘ option which combines any number of options.
For example you can view all network socket connections that are owned by the user ryan.
# lsof -a -i TCP -u ryan