The lsof command (list open files) is a powerful utility available on Linux and Unix-like operating systems, used by administrators and developers to retrieve information on files opened by running processes. First released in the early 1990s by Victor A. Abell, lsof provides an incredible amount of diagnostic insight that can be invaluable for troubleshooting performance and configuration issues.
This article will provide an overview of lsof functionality and syntax, accompanied by detailed examples demonstrating its usage for common scenarios like finding open deleted files, detecting network bottlenecks, and tracking down resource saturation issues. We’ll cover interpreting output, addressing permissions and security considerations, integrating lsof with other diagnostic commands, automation, and alternatives. By the end, readers should have a solid grasp of applying lsof for monitoring, reporting, and building advanced workflows.
Interpreting the Output
The key to effectively leveraging lsof is learning how to interpret the information it surfaces. Running the tool with no arguments will return a list of all open files across active processes on the system. Here is a sample output with analysis on some of the key fields:
COMMAND  PID  USER  FD   TYPE  DEVICE  SIZE   NODE      NAME
init     1    root  cwd  DIR   8,1     4096   2         /
init     1    root  rtd  DIR   8,1     4096   2         /
init     1    root  txt  REG   8,1     43496  62529094  /sbin/init
init     1    root  mem  REG   8,1     1500   1572864   /lib64/libnss_files-2.12.so
The COMMAND column shows the process name, PID the process ID, USER the owner, FD the file descriptor type, TYPE the node type (e.g. DIR for directory, REG for regular file), DEVICE the device identifier numbers, SIZE and NODE information about the file, and NAME the actual file or directory name.
The FD (file descriptor) column indicates how the file is opened by the process: cwd represents the current working directory, rtd is the root directory, txt is the executable file itself, mem marks memory-mapped shared libraries, and more.
Here are some key takeaways for deciphering lsof output:
- Look to the COMMAND/process and NAME/file-path columns to spot issues.
- The TYPE field indicates whether the entry is a regular file, directory, socket, pipe, etc.
- DEVICE can help identify which filesystem the file is on.
- SIZE shows the logical size for the file type.
With practice, an administrator can quickly profile all files opened by specific processes across an entire server just by glancing through the output. Next we'll demonstrate applying filters to narrow down lists by processes, directories, network stats and more.
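An added example (not from the original article) that parses output in the column layout above and applies the COMMAND/NAME advice: it flags processes whose executable (FD txt) has been deleted from disk and totals the space still held by deleted files. The sample rows, the worker process and the function names are constructed for illustration; it assumes every column is populated and that NAME carries the " (deleted)" suffix lsof shows on Linux.

```python
from collections import defaultdict

FIELDS = ("command", "pid", "user", "fd", "type", "device", "size", "node", "name")
DELETED = " (deleted)"  # suffix lsof appends to NAME on Linux for unlinked files

# Constructed sample in the column layout shown above (not from a real host).
SAMPLE = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
init 1 root cwd DIR 8,1 4096 2 /
init 1 root txt REG 8,1 43496 62529094 /sbin/init
worker 4242 app cwd DIR 8,1 4096 131 /tmp
worker 4242 app txt REG 8,1 18744 9913 /tmp/worker (deleted)
worker 4242 app 3w REG 8,1 52428800 9920 /var/log/app/old log.1 (deleted)
worker 4242 app 4u IPv4 30211 0t0 TCP 192.0.2.5:44321->192.0.2.9:443 (ESTABLISHED)
"""

def parse_lsof(text):
    """Split each row into the nine columns; NAME keeps its embedded spaces."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, len(FIELDS) - 1)
        if len(parts) != len(FIELDS):
            continue  # a blank column shifts the fields, so skip rather than guess
        rows.append(dict(zip(FIELDS, parts)))
    return rows

def triage(rows):
    """Per (PID, COMMAND): deleted executables and bytes held by deleted files."""
    findings = defaultdict(lambda: {"deleted_txt": [], "deleted_bytes": 0})
    for r in rows:
        if r["type"] != "REG" or not r["name"].endswith(DELETED):
            continue
        entry = findings[(int(r["pid"]), r["command"])]
        if r["fd"] == "txt":  # the process image itself no longer exists on disk
            entry["deleted_txt"].append(r["name"][: -len(DELETED)])
        if r["size"].isdigit():  # guard against a non-numeric SIZE value
            entry["deleted_bytes"] += int(r["size"])
    return dict(findings)

if __name__ == "__main__":
    for (pid, command), f in triage(parse_lsof(SAMPLE)).items():
        print(pid, command, f["deleted_txt"], f["deleted_bytes"])
```

Rows with an empty column are skipped rather than misread, so on real hosts treat a clean result as "nothing found in the rows that parsed", not as proof of absence.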
Finding Open Deleted Files
Sometimes…
[Additional sections demonstrating concepts and providing insights here]