Thursday, November 14, 2019

10 Example of lsof commands in Linux and UNIX

It's been a long time since I have written anything on UNIX or Linux commands. Still, today, I'll talk about the lsof command, a utility command every system admin and developers love. The lsof command stands for list open file descriptors, and as the name suggests, it is used to find open files by the process. Since almost everything in UNIX are file, you can use lsof command to find an open regular file, a directory, a symbolic link, a special block file, an NFS mounted file, a socket stream, a shared library, a special character file, a regular pipe, a named pipe, an internet socket, a UNIX domain socket, and many others. I have mostly used it to find all the files opened by a particular process, which I will show you in the next section.

It's an incredibly useful tool to do debugging and troubleshooting in UNIX and Linux environments. Because of its versatile nature, it's also known as the "The Swiss Army Knife of Linux." Since most of the production system runs on the UNIX-based operating system, knowledge of this tool becomes even more critical.

As a Java developer, I often use lsof command to find all the files opened my Java process or some time to find which process has opened a particular file, e.g., a file that is used to represent a cache in memory, lsof is incredibly useful on doing that.

In this tutorial, we are going to learn different ways and options to use lsof some tasks, which will further help you to find a process and file-related information in UNIX or Linux.  You can combine the lsof with grep command for advanced search and filtering.

I often use grep command to filter output based upon file name, process id, or file type. If you are not familiar with basic commands like grep and find, then I suggest you take a look at Linux Command Line Basics on Udemy, an essential course for any programmer, tester, data security people, or anyone, who work on UNIX and Linux based environment.





How to get lsof command

The lsof command generally comes pre-installed in many UNIX systems. If you are getting -bash: lsof: command not found an error while using lsof, then it could be that lsof is not in your PATH.  Just check /usr/bin or /usr/sbin folder for this command. If you don't find it there, then you can install it from the source, or you can ask your UNIX admin to do that for you.

Now, let's see the 10 examples of lsof command which developers can use for troubleshooting in the Linux machine.


1) How to list all open files by all processes in Linux?


$ lsof

Only running lsof without any argument, print all opened file and process. This is not particularly useful but a good starting point.



2) How to list all process which has opened a file in Linux?


$ lsof /home/someuser/somefile

Will list all the process which has opened this file. You can see the command, PID, user, and full file path to find out the process.



3) How to find all opened files by a user in Linux?

You can use lsof -u command to list all opened files by a user, as shown below.

$ lsof -u username

You can provide a comma-separated list of users to find a list of open files by multiple users, as shown below.

$ lsof -u user1,user2,user3

You can do the same by providing -u option multiple times :

$ lsof -u user1 -u user2

If you are struggling to remember these lsof command options, here is a helpful diagram from Julia Evans, which will help them to remember. If you want, you can also join the Learn The Linux Command Line: Basic Commands, a free course on Udemy for learning essential Linux commands for FREE.

10 Example of lsof commands in UNIX and Linux



4) How to list all files opened by a particular command in UNIX?

You can use lsof -c option to provide the name of the command and list down all the files opened by that command, for example, to list all file opened by java process, you can do this :

$ lsof -c java

This is better than using grep for filtering, as instead of writing lsof | grep java, you can just write lsof -c java.

You can also find all files opened by apache which runs as httpd as shown below :

lsof -c httpd

Just like multiple users, you can also combine multiple processes name to list down files hold by them e.g.

$ lsof -c java -c httpd




5) How to find all files opened by a particular user and command in Linux?

You can combine users and process name in one lsof command to list down all the files opened by a particular process or a specific user, as shown below :

$ lsof -u root -c java

This will list all files opened or hold by root user + all files opened by the java process. See Linux Command Line Interface (CLI) Fundamentals, one of the great courses to learn the Linux command line on Pluralsight.

how to use lsof command in linux






6) How to find files opened by USER and process in Linux?

Like the previous option, you can also combine user and process by using lsof option '-a'. This is like the AND logical operator and will only list files, which matches both options e.g.

$ lsof -a -u root - c java

will only list files opened by java process which is running under the root user




7) lsof with the negation operator example

Similar to AND and OR operator used earlier, you can also use negation operator with lsof command like

$ lsof - u ^root

will list all files opened by all user except root




8) How to list all open files by a process using PID  in UNIX?

As I told, I mostly use the lsof command to find all files opened by a particular process. To do that sometimes, I usually use grep command to filter lsof output by PID, but you can also use lsof -p option to do the same, as shown below :

$ lsof -p 17783

will list all files opened by the process with PID 17783.

List users and processes, you can also supply multiple PIDs to find files opened by multiple processes, e.g. :

$ lsof -p 17783,17754,17984

We will list all files opened by the process with PIDs 17783,17754,17984. You can also see the Practical Guide to Linux Commands, Editors, and Shell Programming 3rd Edition by Mark G. Sobell to learn more about how to find a process in UNIX.

How to use lsof command in UNIX and Linux




9) How to list all network connections in Linux?

You can use lsof - i option to find all open network connections, which are nothing but open internet sockets (TCP and UDP), for example.

$ lsof -i 

You can further find all TPC connection by using the tcp option as shown below :

$ lsof -i tcp

Similarly, to find all open udp connections you can do :

$ lsof -i udp

will list all processes with open internet sockets.




10) How to find which process is using a particular port in Linux?

Though you can do this with netstat command as well, you would be surprised to know that you can find all processes using a particular TCP or UDP port using the lsof command. For example :

$ lsof -i :19500 

will find the process which is using TCP or UDP port 19500

You can even names defined in etc/services instead of port number e.g.

$ lsof -i :smtp

will print the process using the SMTP port.

You can also combine TCP and UDP with a port to do a more specific search, e.g., to find all process in UNIX which uses TCP port number 19600 you can do the following :

$ lsof -i tcp:19600 

and to find all process which is using UDP port 17600, you can use

$ lsof -i udp:17600


Now that you have seen how to use lsof command to do different things, let's revise them so that you can remember whatever you have learned so far. Here is a nice summary of lsof command examples in Linux:

lsof command example to find all process listening on a port



Bonus Tips

You can use the lsof commands to find all the files that are deleted but still hold the disk space. This is very useful when your disk or filesystem is 100% full, and you are looking for files and directory to delete to free some space.  Suppose /app is your file system then.

$ lsof /app | grep deleted

Will print all deleted files which are claiming disk space. You can just kill the process which is holding the reference of those files and get back your disk space. The command will also print the process id to help you kill the process. You can just kill command for that.


That's all about 10 examples of lsof command in UNIX and Linux. As I said, it's incredibly useful to find the list of files opened by a particular processor to find all the process which holds a lock on a file. Since almost everything is a file in UNIX, you can use lsof to find out open socket, directory, symbolic link, internet socket, and many others. You can also see the lsof man page for full documentation and more options.


Other Linux  command articles you may like

Thanks for reading this article so far. If you find these lsof commands useful, then please share it with your friends and colleagues. If you have any questions or feedback, then please drop a note.

P. S. - If you are serious about improving your Linux skills, then I also suggest you look at the Learn Linux in 5 Days and Level Up Your Career course on Udemy. It's a great course for everyone, and you will definitely learn some useful tips to work better on Linux.

6 comments :

Unknown said...

Great

javin paul said...

Thanks you unknown, glad that you find these lsof command examples useful.

Unknown said...

Great collection, thank you for sharing this.

Javin said...

Thanks you Biwajit, happy that you found these lsolf examples useful.

Anonymous said...

You can also use lsof command to free disk space from delete files. You might not know that even if a process deletes the file but holds the reference of file descriptor the space is not freed. This means if your process is creating cache files and deleting but not you are not restarting process or release file descriptor you may end up with no space in the file system because of those deleted files.

We have been facing space issue quite often in our app server. Whenever I use find command it doesn't produce output which adds upto total size. For example, the /app partition has 100GB, find list some top 50 files adding upto 6 or 7 GB but partition was still showing as 100% full.

like $ find /app -printf '%s %p\n'| sort -nr | head -10

After more investigation we found that the space was hogged by deleted files. Our process was creating cache files and deleting them but keeping the file descriptor. Since our process only starts on Sunday, it hold a lot of reference of deleted files which holds those missing 50+ GB space.

The solution was to locate those files, find the process and restart it to free up those space. That's where the lsof command helped

I use following command to find those deleted files which were still holding disk space
$ lsof -F sn0 | tr -d '\000' | grep deleted | sed 's/^[a-z]*\([0-9]*\)n/\1 /' | sort -n

After that, I found the process using ps -ef | grep "text" and kill that process.

Boom....

we have all the disk space back :-)

So, if find command doesn't show you enough large files to delete, use lsof command and check if your process is keeping reference of deleted files and hogging up space.

Raghu said...

Thanks

Post a Comment