lsof

Basic data

Developer: Vic Abell
Initial release: 1994 (version 3)
Current version: 4.89 (June 7, 2015)
Operating system: AIX 5.3, Darwin 9 (macOS 10.5), FreeBSD 4.9 (x86), FreeBSD 7 (amd64), Linux 2.1.72 (x86, amd64), Solaris 9 and 10
Category: Status analysis
License: License compatible with the BSD license
Available in German: Yes
Website: https://people.freebsd.org/~abe/

lsof (List open files) is an open-source tool developed by Vic Abell that shows, on Unix systems, which programs are holding which files or sockets open.

Output format

For lsof, open files include:

  • UNIX Domain Sockets (type = unix)
  • Regular files (type = REG)
  • FIFOs (type = FIFO)
  • Open directories (type = DIR)
  • Internet Domain sockets (type = IPv4 or type = IPv6)
  • Character devices (special files like /dev/random; type = CHR)

and a few dozen others, such as AX.25 sockets, block devices, etc.

The output looks like this:

COMMAND     PID   TID       USER   FD      TYPE             DEVICE SIZE/OFF       NODE NAME
...
ssh-agent  2678              lbo    3u     unix 0xffff88013e71cac0      0t0       7624 /tmp/ssh-oyerzGJI2633/agent.2633
ssh-agent  2678              lbo    6w     FIFO                0,8      0t0       4795 pipe
ssh-agent  2678              lbo    8r     FIFO                0,8      0t0       4799 pipe
system-co  2866              lbo  mem       REG                8,6   162968    1050015 /usr/lib/x86_64-linux-gnu/libssh2.so.1.0.1
sshd       3031             root  cwd       DIR                8,6     4096          2 /
sshd       3031             root  rtd       DIR                8,6     4096          2 /
sshd       3031             root  txt       REG                8,6   517088    1053360 /usr/sbin/sshd
sshd       3031             root  mem       REG                8,6   131107    1187879 /lib/x86_64-linux-gnu/libpthread-2.13.so
sshd       3031             root  mem       REG                8,6    80712    1180726 /lib/x86_64-linux-gnu/libresolv-2.13.so
sshd       3031             root    0u      CHR                1,3      0t0       1028 /dev/null
sshd       3031             root    3u     IPv4               8026      0t0        TCP *:ospfapi (LISTEN)
sshd       3031             root    4u     IPv6               8028      0t0        TCP *:ospfapi (LISTEN)
ssh        7314              lbo  cwd       DIR                8,7     4096    5767169 /home/lbo
ssh        8602              lbo    3r     IPv6              68343      0t0        TCP [2001:470:1f0b:2f2:3189:67c1:b550:9400]:56194->obsd-lbo6:ssh (ESTABLISHED)
...
udevd      3226             root  11u   netlink 0t0      10784 KOBJECT_UEVENT
...

The TYPE column shows the different types clearly, here mainly for the sshd server and the ssh client.

Output format for other programs

For processing the output with scripts, the -F option can be used to generate an alternative output format in which each line consists of an identifying letter followed by the corresponding value. A multi-line section is created for each running process, introduced by a line with the letter p and the process ID. Within a process section there are values such as the user ID of the process, introduced by u, as well as several sections on the open files, each introduced by a line with the letter f and the file descriptor. An example output for the sshd process with two file sections would look like this:

...
p5502
g5502
R1
csshd
u0
Lroot
fcwd
a
l
tDIR
D0x811
s4096
i2
k25
n/
ftxt
a
l
tREG
D0x811
s540896
i657919
k1
n/usr/sbin/sshd
...

This output format is used, for example, by some of the scripts that are supplied with lsof.
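A minimal parser for this field format, as an added example that is not part of the original article or of the scripts shipped with lsof. The letter meanings follow lsof(8); the key names in FIELD_NAMES, the helper holders() and the second process section of the sample are assumptions of this example, and holders() matches on path names only.

```python
# Added example: parse `lsof -F` field output into per-process records.
# Letter meanings follow lsof(8); the key names on the right are this example's own.
FIELD_NAMES = {
    "g": "pgid", "R": "ppid", "c": "command", "u": "uid", "L": "login",
    "a": "access", "l": "lock", "t": "type", "D": "device",
    "s": "size", "i": "inode", "k": "nlink", "n": "name",
}

def parse_lsof_fields(text):
    """Return a list of process dicts, each carrying a 'files' list."""
    procs, proc, target = [], None, None
    for line in text.splitlines():
        if not line:
            continue
        key, value = line[0], line[1:]      # value may be empty (e.g. "a", "l")
        if key == "p":                      # 'p' opens a new process section
            proc = {"pid": int(value), "files": []}
            procs.append(proc)
            target = proc
        elif proc is None:
            raise ValueError(f"field {key!r} before any 'p' line")
        elif key == "f":                    # 'f' opens a new file section
            target = {"fd": value}
            proc["files"].append(target)
        else:                               # field of the current section
            target[FIELD_NAMES.get(key, key)] = value
    return procs

def holders(procs, path):
    """(pid, command, fd, name) for each open file at or below path (by name)."""
    base = path.rstrip("/") or "/"
    prefix = "/" if base == "/" else base + "/"
    return [(p["pid"], p.get("command"), f["fd"], f["name"])
            for p in procs for f in p["files"]
            if f.get("name") == base or f.get("name", "").startswith(prefix)]

# First section: the sshd example above. Second section: constructed sample.
SAMPLE = "\n".join((
    "p5502 g5502 R1 csshd u0 Lroot fcwd a l tDIR D0x811 s4096 i2 k25 n/ "
    "ftxt a l tREG D0x811 s540896 i657919 k1 n/usr/sbin/sshd "
    "p3156 cbash u1000 Lusr fcwd tDIR n/mount/path"
).split())

if __name__ == "__main__":
    for row in holders(parse_lsof_fields(SAMPLE), "/mount/path"):
        print(row)
```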

Everyday use

lsof is used very often when the Unix umount command refuses to unmount a device because files are still open on this device or in its mount directory (the hash sign # represents a root shell):

# umount /mount/path
umount: /mount/path: device is busy.

With lsof it is easy to determine which programs have to be closed so that the device can be unmounted successfully:

# lsof /mount/path
bash 3156             usr cwd DIR               8,33     4096          2 /mount/path

The entry found shows that the user usr is still running a bash shell with PID 3156 that uses /mount/path as its current working directory (cwd), recognizable by the DIR type.

The umount version from the util-linux package even points to lsof:

# umount /mount/path
umount: /mount/path: device is busy.
       (In some cases useful info about processes that use the device is found by lsof(8) or fuser(1))
