Uncategorized

Using the lsof Command in Linux with Examples

Photo of author

By admin

If you use a Linux system, you may know that Linux manages all the files under the File category and arranges them in specific folders. You will see many files and folders in your Linux computer that your system accesses whenever needed. However, all these files and folders are not always visible. They can be hidden but with the lsof command, you can easily find and access even the hidden files. The lsof stands for List Of Open File and shows you a list of files that your Linux system uses.

The command will provide you with information about the files along with their importance regarding specific processes. Apart from providing you with a list of common and regularly used files, the lsof command can also show you directories, a special block file, a special character file, a regular pipe, a named pipe, a UNIX domain socket, an internet socket, a shared library, and much more. In this post, we are going to learn some important lsof commands that will help you make better use of your Linux system.

What is LSOF?

lsof is a command-line utility that you can use on your Linux-based operating systems to view the list of all the open files. No matter what system process opens the file, you can check out their details using the lsof command.

However, to use the lsof command, you have to install it separately because it is not available by default in most Linux distros, including CentOS, RHEL, Ubuntu and, OpenSUSE. To install lsof, you will have to run some commands in the terminal app. Check out the next section for becoming familiar with the process of installing lsof on your Linux system.

How to Install lsof?

Use the following commands to install lsof on different Linux distros:

For CentOS / RHEL System:

~] # yum install lsof -y

CentOS / RHEL / Fedora: 

$ sudo yum install lsof

For CentOS/RHEL 8, use the DNF command:

$ sudo dnf install lsof

Ubuntu / Debian:

$ sudo apt install lsof

For OpenSUSE System:

~] # zypper install lsof
  • If you want to know what options are supported by lsof, you can use the -? or -h flag to get the list. Try the following command:
$ lsof -?

Output:

lsof 4.87
 latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
 latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
 latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
 usage: [-?abhKlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-f[gG]] [+|-e s]
 [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s]
[+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [-Z [Z]] [--] [names]
Defaults in parentheses; comma-separated set (s) items; dash-separated ranges.
  -?|-h list help -a AND selections (OR) -b avoid kernel blocks
  -c c cmd c ^c /c/[bix] +c w COMMAND width (9) +d s dir s files
  -d s select by FD set +D D dir D tree *SLOW?* +|-e s exempt s *RISKY*
  -i select IPv[46] files -K list tasKs (threads) -l list UID numbers
  -n no host names -N select NFS files -o list file offset
  -O no overhead *RISKY* -P no port names -R list paRent PID
  -s list file size -t terse listing -T disable TCP/TPI info
  -U select Unix socket -v list version info -V verbose search
  +|-w Warnings (+) -X skip TCP&UDP* files -Z Z context [Z]
  -- end option scan
  +f|-f +filesystem or -file names +|-f[gG] flaGs
  -F [f] select fields; -F? for help
  +|-L [l] list (+) suppress (-) link counts < l (0 = all; default = 0)
                                        +m [m] use|create mount supplement
  +|-M portMap registration (-) -o o o 0t offset digits (8)
  -p s exclude(^)|select PIDs -S [t] t second stat timeout (15)
  -T qs TCP/TPI Q,St (s) info
  -g [s] exclude(^)|select and print process group IDs
  -i i select by IPv[46] address: [46][proto][@host|addr][:svc_list|port_list]
  +|-r [t[m<fmt>]] repeat every t seconds (15); + until no files, - forever.
       An optional suffix to t is m<fmt>; m must separate t from <fmt> and
      <fmt> is an strftime(3) format for the marker line.
  -s p:s exclude(^)|select protocol (p = TCP|UDP) states by name(s)
  -u s exclude(^)|select login|UID set s
  -x [fl] cross over +d|+D File systems or symbolic Links
  names select named files or files on named file systems
Anyone can list all files; /dev warnings disabled; kernel ID check disabled.
$
  • To check which version of the lsof you have just installed, use the following command on your terminal.
$ lsof -v

Output:

lsof version information:

    revision: 4.87
    latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
    latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
    latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
    constructed: Tue Oct 30 16:28:19 UTC 2018
    constructed by and on: mockbuild@x86-01.bsys.centos.org
    compiler: cc
    compiler version: 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
    compiler flags: -DLINUXV=310000 -DGLIBCV=217 -DHASIPv6 -DHASSELINUX -D_FILE_OFFSET_BITS=64 -D_LARGEFILE64_SOURCE -DHAS_STRFTIME -DLSOF_VSTR="3.10.0" -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
    loader flags: -L./lib -llsof -lselinux
    system info: Linux x86-01.bsys.centos.org 3.10.0-693.17.1.el7.x86_64 #1 SMP Thu Jan 25 20:13:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
    Anyone can list all files.
    /dev warnings are disabled.
    Kernel ID check is disabled.
$
  • The lsof command comes with various options and switches like the ones below:
# lsof
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
init 1 root cwd DIR 8,1 4096 2 /
init 1 root txt REG 8,1 124704 917562 /sbin/init
init 1 root 0u CHR 1,3 0t0 4369 /dev/null
init 1 root 1u CHR 1,3 0t0 4369 /dev/null
init 1 root 2u CHR 1,3 0t0 4369 /dev/null
init 1 root 3r FIFO 0,8 0t0 6323 pipe

You will see one file per line by default, and the columns here are easy to understand. Have a look at the details of the cryptic columns such as FD and TYPE:

  • FD – File descriptor
  • CWD – Current Working Directory
  • txt – Text file
  • mem – Memory-mapped file
  • mmap – Memory-mapped device
  • NUMBER – Represent the actual file descriptor. The character after the number i.e ‘1u’, represents the mode in which the file is opened; r stands for reading, w stands for writing, and u for reading and writing.
  • TYPE – refers to the type of the file and can have the following values:
  • REG – Regular File
  • DIR – Directory
  • FIFO – First In First Out
  • CHR – Character special file

FD field includes the following values:

cwd current working directory;
Lnn library references (AIX);
err FD information error (see NAME column);
jld jail directory (FreeBSD);
ltx shared library text (code and data);
Mxx hex memory-mapped type number xx.
m86 DOS Merge mapped file;
mem memory-mapped file;
mmap memory-mapped device;
pd parent directory;
rtd root directory;
tr kernel trace file (OpenBSD);
txt program text (code and data);
v86 VP/ix mapped file;

After the FD field, there are more characters that describe the mode under which your file is opened:

  • r for reading access
  • w for write access
  • u for read and write access
  • Space if mode unknown and no lock character follows
  • if mode unknown and lock character follows

The mode character of FD is followed by LOCK with the following description:

  • N for a Solaris NFS lock of unknown type
  • r for reading lock on part of the file
  • R for a read lock on the entire file
  • w for a write lock on part of the file
  • W for a write lock on the entire file
  • u for a read and write lock of any length
  • U for a lock of unknown type
  • x for an SCO OpenServer Xenix lock on the part of the file
  • X for an SCO OpenServer Xenix lock on the entire file
  • space if there is no lock

Like the FD field, the TYPE field can also contain fields including GDIR, GREG, VDIR, VREG, IPV4, IPV6, etc. Apart from these, there are some other fields as well that includes the following:

  • DEVICE –> Device id
  • SIZE/OFF –> Actual size of this process (taken during run time)
  • NODE –> Typically inode number of the directory or parent directory
  • NAME –> Path or link

List Processes That Opens a Specific File

Simply provide the name and arguments of the file to find the processes which have opened that specific file. For example, if there is a .4ext file on your computer and you don’t know where it’s been used, you can use the filename and some arguments to get the required information. Have a look at the sample command below:

# lsof /var/log/syslog

Output:

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rsyslogd 488 syslog 1w REG 8,1 1151 268940 /var/log/syslog

How to List Opened Files Under a Specific Directory?

Use the ‘+D’ option to list the processes that opened files under a specific directory and sub-directories. However, if you don’t want to see the subdirectories, then don’t use the +D option; use ‘+d’ instead. Here’s the command that you need to run:

# lsof +D /var/log/

Output:

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rsyslogd 488 syslog 1w REG 8,1 1151 268940 /var/log/syslog
rsyslogd 488 syslog 2w REG 8,1 2405 269616 /var/log/auth.log
console-k 144 root 9w REG 8,1 10871 269369 /var/log/ConsoleKit/history

List All the Opened Files on Your System

If you don’t use any option, such as option +D or filenames, or anything, it will list out all the opened files on your system. These opened files will be related to all the active processes on your Linux. Simply type the “lsof” command and don’t use any other option at the command line, and you will see the following output:

[root@linuxtechi ~]# lsof | more
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root cwd DIR 253,0 4096 128 /
systemd 1 root rtd DIR 253,0 4096 128 /
systemd 1 root txt REG 253,0 1489960 50674818 /usr/lib/systemd/systemd
systemd 1 root mem REG 253,0 20032 33628284 /usr/lib64/libuuid.so.1.3.0
systemd 1 root mem REG 253,0 252704 33745961 /usr/lib64/libblkid.so.1.1.0

The output shown above provides a lot of information about the processes. Such as “systemd” is a process with Process Id (PID) of “1”, User is “root, “File Descriptor (FD) as “CWD,” and more.

List Opened Files by Username

If you are using a computer with multiple users, you can find out the list of files that different users have opened with the help of the -u flag followed by the username. Here’s how the command looks like:

$ sudo lsof -u {username}

Let’s take an example by putting the username abhishknair in the above command:

$ sudo lsof -u abhisheknair

Output:

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1239 abhisheknair cwd DIR 253,0 224 64 /
sshd 1239 abhisheknair rtd DIR 253,0 224 64 /
sshd 1239 abhisheknair txt REG 253,0 852856 425229 /usr/sbin/sshd
sshd 1239 abhisheknair mem REG 253,0 15488 17204727 /usr/lib64/security/pam_lastlog.s
sshd 1239 abhisheknair mem REG 253,0 15648 229829 /usr/lib64/libpam_misc.so.0.82.0
sshd 1239 abhisheknair mem REG 253,0 309248 17303270 /usr/lib64/security/pam_systemd.so
sshd 1239 abhisheknair mem REG 253,0 19616 17204728 /usr/lib64/security/pam_limits.so
sshd 1239 abhisheknair mem REG 253,0 11168 17204726 /usr/lib64/security/pam_keyinit.so
sshd 1239 abhisheknair mem REG 253,0 40800 17204735 /usr/lib64/security/pam_namespace.so

However, if you want to open a list of files that are opened by any user and not a specific user, you can use the -u flag followed by ^username like this:

$ sudo lsof -u ^{username}

Here’s an example:

$ sudo lsof -u ^root

Output:

COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dbus-daem 630 dbus cwd DIR 253,0 224 64 /
dbus-daem 630 dbus rtd DIR 253,0 224 64 /
dbus-daem 630 dbus txt REG 253,0 223232 50590133 /usr/bin/dbus-daemon
dbus-daem 630 dbus mem REG 253,0 61560 15691 /usr/lib64/libnss_files-2.17.so
dbus-daem 630 dbus mem REG 253,0 68192 59651 /usr/lib64/libbz2.so.1.0.6
dbus-daem 630 dbus mem REG 253,0 90248 16051 /usr/lib64/libz.so.1.2.7
dbus-daem 630 dbus mem REG 253,0 99944 59680 /usr/lib64/libelf-0.176.so
dbus-daem 630 dbus mem REG 253,0 19896 59686 /usr/lib64/libattr.so.1.1.0
dbus-daem 630 dbus mem REG 253,0 402384 16039 /usr/lib64/libpcre.so.1.2.0

Another way to use lsof is to kill the processes that a specific user is running with a simple command. For that, you can use kill with lsof together like this:

# kill -9 `lsof -t -u {username}`

You can use the -t flag to leave out every other information excluding process-id because the ID can help with automation and scripting with lsof if you combine it with the kill command:

$ sudo lsof -t -u {username}

Here’s an example:

$ sudo lsof -t -u abhisheknair

Output:

1239
1240
$

You can combine multiple arguments or logics with lsof like the following example:

$ sudo lsof -u {username} -c {process-name}

Here’s an example:

$ sudo lsof -u ftpuser -c bash

Output:

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 1240 abhisheknair cwd DIR 253,0 120 510681 /home/abhisheknair
bash 1240 abhisheknair rtd DIR 253,0 224 64 /
bash 1240 abhisheknair txt REG 253,0 964536 50548532 /usr/bin/bash
bash 1240 abhisheknair mem REG 253,0 106172832 50548523 /usr/lib/locale/locale-archive
bash 1240 abhisheknair mem REG 253,0 61560 15691 /usr/lib64/libnss_files-2.17.so
bash 1240 abhisheknair mem REG 253,0 2156272 15673 /usr/lib64/libc-2.17.so
bash 1240 abhisheknair mem REG 253,0 19248 15679 /usr/lib64/libdl-2.17.so
bash 1240 abhisheknair mem REG 253,0 174576 16034 /usr/lib64/libtinfo.so.5.9
bash 1240 abhisheknair mem REG 253,0 163312 15666 /usr/lib64/ld-2.17.so
bash 1240 abhisheknair mem REG 253,0 26970 16003 /usr/lib64/gconv/gconv-modules.cache
bash 1240 abhisheknair 0u CHR 136,0 0t0 3 /dev/pts/0
bash 1240 abhisheknair 1u CHR 136,0 0t0 3 /dev/pts/0
bash 1240 abhisheknair 2u CHR 136,0 0t0 3 /dev/pts/0
bash 1240 abhisheknair 255u CHR 136,0 0t0 3 /dev/pts/0
bash 1425 ftpuser cwd DIR 253,0 182 33578272 /home/ftpuser
bash 1425 ftpuser rtd DIR 253,0 224 64 /
bash 1425 ftpuser txt REG 253,0 964536 50548532 /usr/bin/bash
bash 1425 ftpuser mem REG 253,0 106172832 50548523 /usr/lib/locale/locale-archive
bash 1425 ftpuser mem REG 253,0 61560 15691 /usr/lib64/libnss_files-2.17.so
bash 1425 ftpuser mem REG 253,0 2156272 15673 /usr/lib64/libc-2.17.so
bash 1425 ftpuser mem REG 253,0 19248 15679 /usr/lib64/libdl-2.17.so
bash 1425 ftpuser mem REG 253,0 174576 16034 /usr/lib64/libtinfo.so.5.9
bash 1425 ftpuser mem REG 253,0 163312 15666 /usr/lib64/ld-2.17.so
bash 1425 ftpuser mem REG 253,0 26970 16003 /usr/lib64/gconv/gconv-modules.cache
bash 1425 ftpuser 0u CHR 4,1 0t0 1043 /dev/tty1
bash 1425 ftpuser 1u CHR 4,1 0t0 1043 /dev/tty1
bash 1425 ftpuser 2u CHR 4,1 0t0 1043 /dev/tty1
bash 1425 ftpuser 255u CHR 4,1 0t0 1043 /dev/tty1
$

Instead of or logic, if you want to use the AND logic condition, use -a flag:

$ sudo lsof -u {username} -c {process-name} -a

Here’s an example:

$ sudo lsof -u ftpuser -c bash -a

Output:

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 1425 ftpuser cwd DIR 253,0 182 33578272 /home/ftpuser
bash 1425 ftpuser rtd DIR 253,0 224 64 /
bash 1425 ftpuser txt REG 253,0 964536 50548532 /usr/bin/bash
bash 1425 ftpuser mem REG 253,0 106172832 50548523 /usr/lib/locale/locale-archive
bash 1425 ftpuser mem REG 253,0 61560 15691 /usr/lib64/libnss_files-2.17.so
bash 1425 ftpuser mem REG 253,0 2156272 15673 /usr/lib64/libc-2.17.so
bash 1425 ftpuser mem REG 253,0 19248 15679 /usr/lib64/libdl-2.17.so
bash 1425 ftpuser mem REG 253,0 174576 16034 /usr/lib64/libtinfo.so.5.9
bash 1425 ftpuser mem REG 253,0 163312 15666 /usr/lib64/ld-2.17.s
bash 1425 ftpuser mem REG 253,0 26970 16003 /usr/lib64/gconv/gconv-modules.cache
bash 1425 ftpuser 0u CHR 4,1 0t0 1043 /dev/tty1
bash 1425 ftpuser 1u CHR 4,1 0t0 1043 /dev/tty1
bash 1425 ftpuser 2u CHR 4,1 0t0 1043 /dev/tty1
bash 1425 ftpuser 255u CHR 4,1 0t0 1043 /dev/tty1
$

List all Open Internet and UNIX Domain Files (lsof -i -U)

If you want to list all the open Internet and UNIX Domain files, you can use the “-i -U” option in the lsof command like the following example:

# lsof -i -U

Output:

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 12u unix 0xffff8800b8baab40 0t0 11075 /run/systemd/cgroups-agent
systemd 1 root 13u unix 0xffff8800b8bab2c0 0t0 11077 /run/systemd/private
systemd 1 root 42u IPv4 16576 0t0 TCP *:sunrpc (LISTEN)
systemd 1 root 43u IPv4 16577 0t0 UDP *:sunrpc
rpcbind 1633 rpc 3u unix 0xffff8800bab8cf00 0t0 16574 /var/run/rpcbind.sock
rpcbind 1633 rpc 4u IPv4 16576 0t0 TCP *:sunrpc (LISTEN)
rpcbind 1633 rpc 5u IPv4 16577 0t0 UDP *:sunrpc
rpcbind 1633 rpc 6u IPv6 16578 0t0 TCP *:sunrpc (LISTEN)
rpcbind 1633 rpc 7u IPv6 16579 0t0 UDP *:sunrpc
rpcbind 1633 rpc 10u IPv4 16649 0t0 UDP *:960
sshd 2532 root 3u IPv4 21120 0t0 TCP 192.168.1.6:ssh->192.168.1.5:65110 (ESTABLISHED)
sshd 2532 root 4u unix 0xffff8800bbef3a40 0t0 21260 socket
sshd 2532 root 8u unix 0xffff8800b8afd680 0t0 21298 /tmp/ssh-QHz9BdtRvt/agent.2532
sshd 2536 root 3u IPv4 21191 0t0 TCP 192.168.1.6:ssh->192.168.1.5:65112 (ESTABLISHED)
sshd 2536 root 4u unix 0xffff8800b8afd2c0 0t0 21363 socket
………………………………………………………………………………………………………………

List All Open IPv4 Network Files (lsof -i 4)

If you wish to list all the open network files of IPv4, combine the “-i -4” option with lsof command:

# lsof -i 4

Output:

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 42u IPv4 16576 0t0 TCP *:sunrpc (LISTEN)
systemd 1 root 43u IPv4 16577 0t0 UDP *:sunrpc
rpcbind 1633 rpc 4u IPv4 16576 0t0 TCP *:sunrpc (LISTEN)
sshd 2258 root 3u IPv4 19493 0t0 TCP *:ssh (LISTEN)
master 2360 root 13u IPv4 20087 0t0 TCP localhost:smtp (LISTEN)
dhclient 2494 root 6u IPv4 20983 0t0 UDP *:bootpc
dhclient 2494 root 20u IPv4 20951 0t0 UDP *:24884
dhclient 2514 root 6u IPv4 20866 0t0 UDP *:bootpc
sshd 2532 root 3u IPv4 21120 0t0 TCP 192.168.1.6:ssh->192.168.1.5:65110 (ESTABLISHED)
sshd 2536 root 3u IPv4 21191 0t0 TCP 192.168.1.6:ssh->192.168.1.5:65112 (ESTABLISHED)
sshd 2621 root 3u IPv4 23506 0t0 TCP 192.168.1.6:ssh->192.168.1.9:65422 (ESTABLISHED)
sshd 2655 root 3u IPv4 23863 0t0 TCP 192.168.1.6:ssh->192.168.1.9:49992 (ESTABLISHED)
sshd 2657 linuxtechi 3u IPv4 23795 0t0 TCP 192.168.1.6:ssh->192.168.1.9:49990 (ESTABLISHED)
sshd 2660 linuxtechi 3u IPv4 23863 0t0 TCP 192.168.1.6:ssh->192.168.1.9:49992 (ESTABLISHED)
[root@linuxtechi ~]#

If you want to list all the open IPv4 network files which are run by a specific process, use the following command:

# lsof i 4 -a -p {process_pid}

The above command will list out all the IPv4 network files for the rpcbind process when the {process_pid} is replaced by 1633 :

# lsof -i 4 -a -p 1633

Output:

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rpcbind 1633 rpc 4u IPv4 16576 0t0 TCP *:sunrpc (LISTEN)
rpcbind 1633 rpc 5u IPv4 16577 0t0 UDP *:sunrpc
rpcbind 1633 rpc 10u IPv4 16649 0t0 UDP *:960
[root@linuxtechi ~]#

List All Open Network Files for IPv6 (lsof -i 6)

The IPv6 domain support with the lsof command will display the following output if you use the ‘# lsof -i 6’ command:

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd  1 root 44u IPv6 16578  0t0 TCP *:sunrpc (LISTEN)
systemd  1 root 46u IPv6 16579  0t0 UDP *:sunrpc
rpcbind 1633 rpc 6u IPv6 16578  0t0 TCP *:sunrpc (LISTEN)
rpcbind 1633 rpc 7u IPv6 16579  0t0 UDP *:sunrpc
rpcbind 1633 rpc 11u IPv6 16650  0t0 UDP *:960
sshd  2258 root 4u IPv6 19504  0t0 TCP *:ssh (LISTEN)
master 2360 root 14u IPv6 20088 0t0 TCP localhost:smtp (LISTEN)
dhclient 2494 root 21u IPv6 20952  0t0 UDP *:16498
dhclient 2514 root 21u IPv6 20823  0t0 UDP *:34955
httpd 2594 root 4u IPv6 22703  0t0 TCP *:http (LISTEN)
httpd 2595 apache 4u IPv6 22703  0t0 TCP *:http (LISTEN)
httpd 2596 apache 4u IPv6 22703  0t0 TCP *:http (LISTEN)
httpd 2597 apache 4u IPv6 22703  0t0 TCP *:http (LISTEN)
httpd 2598 apache 4u IPv6 22703  0t0 TCP *:http (LISTEN)
httpd 2599 apache 4u IPv6 22703  0t0 TCP *:http (LISTEN)
[root@linuxtechi ~]#

List All TCP & UDP Processes Running on Specific Port (lsof -i TCP/UDP:port)

If you want to list out all the TCP processes running on 80 port, use the following command:

# lsof -i TCP:80

Output:

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 2594 root 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2595 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2596 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2597 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2598 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
httpd 2599 apache 4u IPv6 22703 0t0 TCP *:http (LISTEN)
[root@linuxtechi ~]#

You can use the below command to list the open files on TCP port from port range (1 to 1048):

# lsof -i TCP:1-1048

Output:

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 41u IPv4 16863 0t0 TCP *:sunrpc (LISTEN)
systemd 1 root 44u IPv6 16865 0t0 TCP *:sunrpc (LISTEN)
rpcbind 1663 rpc 4u IPv4 16863 0t0 TCP *:sunrpc (LISTEN)
rpcbind 1663 rpc 6u IPv6 16865 0t0 TCP *:sunrpc (LISTEN)
sshd 2294 root 3u IPv4 19949 0t0 TCP *:ssh (LISTEN)
sshd 2294 root 4u IPv6 19965 0t0 TCP *:ssh (LISTEN)
master 2433 root 13u IPv4 21026 0t0 TCP localhost:smtp (LISTEN)
master 2433 root 14u IPv6 21027 0t0 TCP localhost:smtp (LISTEN)
sshd 2600 root 3u IPv4 21737 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52393 (ESTABLISHED)
sshd 2659 root 3u IPv4 22056 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52486 (ESTABLISHED)
sshd 2663 root 3u IPv4 22123 0t0 TCP 192.168.1.3:ssh->192.168.1.9:52489 (ESTABLISHED)
httpd 2837 root 4u IPv6 26112 0t0 TCP *:http (LISTEN)
httpd 2838 apache 4u IPv6 26112 0t0 TCP *:http (LISTEN)
httpd 2839 apache 4u IPv6 26112 0t0 TCP *:http (LISTEN)
httpd 2840 apache 4u IPv6 26112 0t0 TCP *:http (LISTEN)
httpd 2841 apache 4u IPv6 26112 0t0 TCP *:http (LISTEN)
httpd 2842 apache 4u IPv6 26112 0t0 TCP *:http (LISTEN)
sshd 2891 root 3u IPv4 26896 0t0 TCP 192.168.1.3:ssh->192.168.1.9:53541 (ESTABLISHED)
sshd 2895 linuxtechi 3u IPv4 26896 0t0 TCP 192.168.1.3:ssh->192.168.1.9:53541 (ESTABLISHED)
[root@linuxtechi ~]#

And use the below command to list out all the UDP process running on a specific port:

# lsof -i UDP:16498

Output:

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dhclient 2494 root 21u IPv6 20952 0t0 UDP *:16498
[root@linuxtechi ~]#

Conclusion

The commands discussed above are the most popular lsof command examples that you need to know. However, you should keep in mind that there are many more commands that make use of lsof. Hopefully, through this article, you have gained sufficient knowledge about Isof and also become familiar with its usage on a Linux system.

How to Remove Files and Directories in Linux?

How to Install Git on Centos, Ubuntu, and Windows?

Leave a Comment