SysAdmin series – Understanding the lsof output

Tags: Server Management

Published on: February 4, 2019 by Daniel Wren

Scenario:

The lsof command displays the list of open files. It can list the files opened by a process, by a user, for an IP address or for a port.

Let’s analyse the lsof command and its output. Once you understand the output, you have a better idea of how it can be made useful.

[root@server ~]# lsof

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

init 1 root cwd DIR 253,0 4096 2 /

init 1 root rtd DIR 253,0 4096 2 /

init 1 root txt REG 253,0 150352 92012573 /sbin/init

init 1 root mem REG 253,0 66432 90974918 /lib64/libnss_files-2.12.so

init 1 root mem REG 253,0 1924768 90963979 /lib64/libc-2.12.so

init 1 root mem REG 253,0 90912 90963993 /lib64/libgcc_s-4.4.7-20120601.so.1

init 1 root mem REG 253,0 44472 90974925 /lib64/librt-2.12.so

The fields displayed are:

 COMMAND - The command which is responsible for the file

 PID - Process ID

 TID - Thread ID

 USER - Owner of the process

 FD - File Descriptor

 TYPE - Type of file

 DEVICE - Device, given as major, minor numbers

 SIZE/OFF - Size of the file, or the file offset

 NODE - inode number of the file

 NAME - name of the file

The File Descriptor can take the following values:
 cwd - current working directory

 rtd - root directory

 txt - program text (code and data)

 mem - memory-mapped file, usually for shared library

 1r - file descriptor 1 opened for reading.

 pd - parent directory

In the FD column, a value such as 1u is an actual file descriptor number followed by u, r or w, which indicates its mode:

 u - File open with Read and Write permission

 r - File open with Read permission

 w - File open with Write permission

 W - File open with Write permission and with Write Lock on entire file

 mem - Memory mapped file, usually for shared library

 mmap - Memory mapped device

TYPE displays the type of the file and its identification.

DIR – Directory

REG – Regular file

CHR – Character special file.

FIFO – First In First Out
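
The FD meanings listed above, applied to real rows, as an added example that is not part of the original post. The function names and the last sample row (3uW) are constructed for illustration; the other rows are copied from the article's output.

```shell
#!/bin/sh
# Decode one lsof FD value using the meanings listed in the article.
decode_fd() {
    case "$1" in
        cwd)  echo "current working directory" ;;
        rtd)  echo "root directory" ;;
        txt)  echo "program text (code and data)" ;;
        mem)  echo "memory-mapped file" ;;
        mmap) echo "memory-mapped device" ;;
        pd)   echo "parent directory" ;;
        [0-9]*)
            num=${1%%[!0-9]*}      # leading digits: the descriptor number
            rest=${1#"$num"}       # mode character, then an optional lock character
            case "$rest" in
                r*) mode="read" ;;
                w*) mode="write" ;;
                u*) mode="read/write" ;;
                *)  mode="mode unknown" ;;
            esac
            case "$rest" in
                ?W) lock=", write lock on entire file" ;;
                *)  lock="" ;;
            esac
            echo "descriptor $num, $mode$lock" ;;
        *)  echo "not decoded ($1)" ;;
    esac
}

# Read lsof output on stdin and explain the FD column of every row.
# Assumes the header shown in the article (no TID or PPID column). Only the
# first five columns are split, because later columns can be empty.
explain_lsof() {
    while read -r cmd pid user fd type _rest; do
        [ "$cmd" = "COMMAND" ] && continue   # header row
        [ -z "$type" ] && continue           # blank or truncated row
        echo "$cmd pid=$pid user=$user $type: $(decode_fd "$fd")"
    done
}

# Rows copied from the article's output, plus one constructed row (3uW).
SAMPLE='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
init 1 root cwd DIR 253,0 4096 2 /
init 1 root txt REG 253,0 150352 92012573 /sbin/init
init 1 root mem REG 253,0 66432 90974918 /lib64/libnss_files-2.12.so
nginx 15462 root 6u IPv4 3437785568 0t0 TCP *:http (LISTEN)
app 4242 alice 3uW REG 253,0 0 1234 /var/lock/app.lock'

printf '%s\n' "$SAMPLE" | explain_lsof
```

On a live system the same function can be fed with `lsof -u root | explain_lsof`.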

Let’s get into a few usages of lsof.

List the open files of a user (here, root)

[root@server ~]# lsof -u root

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

init 1 root cwd DIR 253,0 4096 2 /

init 1 root rtd DIR 253,0 4096 2 /

init 1 root txt REG 253,0 150352 92012573 /sbin/init

init 1 root mem REG 253,0 66432 90974918 /lib64/libnss_files-2.12.so

init 1 root mem REG 253,0 1924768 90963979 /lib64/libc-2.12.so

init 1 root mem REG 253,0 90912 90963993 /lib64/libgcc_s-4.4.7-20120601.so.1

init 1 root mem REG 253,0 44472 90974925 /lib64/librt-2.12.so

init 1 root mem REG 253,0 143280 90964003 /lib64/libpthread-2.12.so

init 1 root mem REG 253,0 265736 90964061 /lib64/libdbus-1.so.3.4.0

Exclusion in lsof is done with ^ (caret symbol)
eg: lsof -p ^5341 (will list open files of all processes excluding the one with PID 5341)

lsof -u ^root (will list all open files, except the ones opened by root)

List of Open Files – By Process Name Starting With

[root@server ~]# lsof -c dovecot

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

dovecot 5328 root cwd DIR 253,0 4096 2228598 /var/run/dovecot

dovecot 5328 root rtd DIR 253,0 4096 2 /

dovecot 5328 root txt REG 253,0 93740 56364377 /usr/sbin/dovecot

dovecot 5328 root mem REG 253,0 2279343 2098498 /var/db/nscd/hosts
dovecot 5328 root mem REG 253,0 143280 90964003 /lib64/libpthread-2.12.so

dovecot 5328 root mem REG 253,0 44472 90974925 /lib64/librt-2.12.so

dovecot 5328 root mem REG 253,0 20024 90974866 /lib64/libdl-2.12.so

dovecot 5328 root mem REG 253,0 18712 90964028 /lib64/libattr.so.1.1.0

dovecot 5328 root mem REG 253,0 1924768 90963979 /lib64/libc-2.12.so

Find the parent process ID of a process. In this case, 1 is the parent process of PID 7597.

[root@server ~]# lsof -p 7597 -R

COMMAND PID PPID USER FD TYPE DEVICE SIZE/OFF NODE NAME

httpd 7597 1 root cwd DIR 8,3 4096 2 /

httpd 7597 1 root rtd DIR 8,3 4096 2 /

httpd 7597 1 root txt REG 8,3 662696 4202194 /usr/sbin/httpd

httpd 7597 1 root DEL REG 0,4 0 /SYSV000015b3

httpd 7597 1 root mem REG 8,5 217032 4980742 /var/db/nscd/passwd

httpd 7597 1 root mem REG 8,5 217032 4980743 /var/db/nscd/group

httpd 7597 1 root DEL REG 0,4 3482411066 /dev/zero

httpd 7597 1 root DEL REG 0,4 3482411067 /dev/zero

httpd 7597 1 root DEL REG 0,4 3482411070 /dev/zero

httpd 7597 1 root mem REG 8,3 163400 4194605 /usr/lib64/ld-2.17.so

If you just want to list the open files of a process ID, run lsof -p 7597

List open files on a specific port

[root@serveur ~]# lsof -i :80

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

nginx 15462 root 6u IPv4 3437785568 0t0 TCP *:http (LISTEN)

nginx 15463 nginx 6u IPv4 3437785568 0t0 TCP *:http (LISTEN)

nginx 15466 nginx 6u IPv4 3437785568 0t0 TCP *:http (LISTEN)

nginx 15469 nginx 4u IPv4 3483569271 0t0 TCP serveur.ex2-p32.com:http->83.137.2.249:50698 (ESTABLISHED)

nginx 15469 nginx 6u IPv4 3437785568 0t0 TCP *:http (LISTEN)
nginx 15470 nginx 4u IPv4 3483569216 0t0 TCP serveur.ex2-p32.com:http->172.69.226.114:60336 (ESTABLISHED)

Find open connections to a specific host, or to a specific port on a specific host

[root@serveur ~]# lsof -i@149.202.75.180

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

french 5909 maqfr 8u IPv4 3483726686 0t0 UDP serveur.ex2-p32.com:64544->cdns.ovh.net:domain 

french 5911 maqfr 10u IPv4 3483774248 0t0 UDP serveur.ex2-p32.com:39678->cdns.ovh.net:domain 
french 5913 maqfr 14u IPv4 3483732945 0t0 UDP serveur.ex2-p32.com:60288->cdns.ovh.net:domain 

french 5914 maqfr 21u IPv4 3483774113 0t0 UDP serveur.ex2-p32.com:13654->cdns.ovh.net:domain 

french 5916 maqfr 20u IPv4 3483774259 0t0 UDP serveur.ex2-p32.com:50760->cdns.ovh.net:domain 
french 5917 maqfr 22u IPv4 3483771117 0t0 UDP serveur.ex2-p32.com:48329->cdns.ovh.net:domain 

exim 6016 mailnull 8u IPv4 3483768849 0t0 TCP serveur.ex2-p32.com:38514->dev.serveurex2.info:smtp (ESTABLISHED)

imap 6154 cyberren 7u IPv4 3483768128 0t0 TCP serveur.ex2-p32.com:imap->94-224-82-148.access.telenet.be:60681 (ESTABLISHED)

Or even

[root@serveur ~]# lsof -i@149.202.75.180:80

will display the below output:

nginx 15488 nginx 20u IPv4 3483851490 0t0 TCP serveur.ex2-p32.com:http->79.103.55.23.dsl.dyn.forthnet.gr:61805 (ESTABLISHED)

nginx 15488 nginx 22u IPv4 3483850530 0t0 TCP serveur.ex2-p32.com:http->162.158.7.84:31578 (ESTABLISHED)
nginx 15488 nginx 24u IPv4 3483843477 0t0 TCP serveur.ex2-p32.com:http->102.132.37.126:53389 (ESTABLISHED)

nginx 15488 nginx 30u IPv4 3483858141 0t0 TCP serveur.ex2-p32.com:http->adsl196-188-162-217-196.adsl196-14.iam.net.ma:51282 (ESTABLISHED)
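
To read long `lsof -i` listings like the ones above at a glance, the rows can be grouped by command, protocol, state and remote peer. This is an added example, not part of the original post; the function name is hypothetical and the sample rows are copied from the article's output.

```shell
#!/bin/sh
# Summarise "lsof -i" output read on stdin: one line per
# (command, protocol, state, remote peer) with the number of matching rows.
# In -i rows every column is filled, so NODE (TCP/UDP) is field 8,
# NAME is field 9 and the TCP state, when present, is field 10.
summarize_conns() {
    awk '
        $1 == "COMMAND" || NF < 9 { next }          # header, blank or short rows
        $8 != "TCP" && $8 != "UDP" { next }          # not a network row
        {
            state = (NF >= 10) ? $10 : "-"           # UDP rows carry no state
            gsub(/[()]/, "", state)                  # "(LISTEN)" -> "LISTEN"
            n = split($9, ends, "->")                # local->remote
            peer = (n == 2) ? ends[2] : "-"          # listeners have no peer
            sub(/:[^:]*$/, "", peer)                 # drop the remote port
            count[$1 " " $8 " " state " " peer]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Rows copied from the article's "lsof -i" output.
SAMPLE_NET='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 15462 root 6u IPv4 3437785568 0t0 TCP *:http (LISTEN)
nginx 15463 nginx 6u IPv4 3437785568 0t0 TCP *:http (LISTEN)
nginx 15469 nginx 4u IPv4 3483569271 0t0 TCP serveur.ex2-p32.com:http->83.137.2.249:50698 (ESTABLISHED)
nginx 15470 nginx 4u IPv4 3483569216 0t0 TCP serveur.ex2-p32.com:http->172.69.226.114:60336 (ESTABLISHED)
french 5909 maqfr 8u IPv4 3483726686 0t0 UDP serveur.ex2-p32.com:64544->cdns.ovh.net:domain
french 5911 maqfr 10u IPv4 3483774248 0t0 UDP serveur.ex2-p32.com:39678->cdns.ovh.net:domain'

printf '%s\n' "$SAMPLE_NET" | summarize_conns
```

On a live system the input would come from `lsof -i :80 | summarize_conns`.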

Search for all open instances of a directory

[root@server ~]# lsof +D /home/ceeaco/mail/

Kill all processes run by the user sages

[root@server ~]# kill -9 `lsof -t -u sages`

List of Files in Repeat Mode

[root@serveur home]# lsof -i -a -c ssh -r2

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

sshd 9023 root 3u IPv4 3483661449 0t0 TCP serveur.ex2-p32.com:d2k-datamover2->launchpad2.majesticsupport.com:42901 (ESTABLISHED)

sshd 21514 root 3u IPv4 3483456549 0t0 TCP serveur.ex2-p32.com:d2k-datamover2->launchpad2.majesticsupport.com:42894 (ESTABLISHED)

sshd 30037 root 3u IPv4 2835783768 0t0 TCP *:d2k-datamover2 (LISTEN)

sshd 30037 root 4u IPv6 2835783770 0t0 TCP *:d2k-datamover2 (LISTEN)

=======

Uninterrupted service delivery can only be assured through constant monitoring of services and servers. Don’t worry. We are here to help you.

Category : Linux, server, Server management

Daniel Wren

An innovative and dedicated IT professional who is very curious to solve and find solutions to seemingly difficult tasks.
