Using lsof Command in Linux with Examples

The lsof command (list open files) is a powerful utility available on Linux and Unix-like operating systems used by administrators and developers to retrieve information on files opened by running processes. First released in the early 1990‘s by Victor A. Abell, lsof provides an incredible amount of diagnostic insight that can be invaluable for troubleshooting performance and configuration issues.

This article will provide an overview of lsof functionality and syntax, accompanied by detailed examples demonstrating its usage for common scenarios like finding open deleted files, detecting network bottlenecks, and tracking down resource saturation issues. We’ll cover interpreting output, addressing permissions and security considerations, integrating lsof with other diagnostic commands, automation, and alternatives. By the end, readers should have a solid grasp of applying lsof for monitoring, reporting, and building advanced workflows.

Interpreting the Output

The key to effectively leveraging lsof is learning how to interpret the information it surfaces. Running the tool with no arguments will return a list of all open files across active processes on the system. Here is a sample output with analysis on some of the key fields:

COMMAND     PID        USER   FD      TYPE     DEVICE     SIZE       NODE NAME 
init          1        root  cwd       DIR        8,1     4096          2 /      
init          1        root  rtd       DIR        8,1     4096          2 /              
init          1        root  txt       REG        8,1    43496    62529094 /sbin/init 
init          1        root mem       REG        8,1     1500     1572864 /lib64/

The COMMAND shows the process name, PID the process ID, USER the owner, FD the file descriptor type, TYPE the node type (e.g. DIR for directory, REG for regular file), DEVICE identifier numbers, SIZE and NODE info on the file, and NAME is the actual file or directory name.

The FD (file descriptor) indicates how the file is opened by the process. cwd represents the current working directory, rtd is the root directory, txt the executable file itself, mem maps shared libraries, and more.

Here are some key takeaways for deciphering lsof output:

  • Look to the COMMAND/process and NAME/file-path columns to spot issues.
  • The TYPE field indicates if a regular file, directory, socket, pipe, etc.
  • DEVICE can help identify on which filesystem.
  • SIZE shows the logical size for the file type.

With practice, an administrator can quickly profile all files opened by specific processes across an entire server just by glancing through the output. Next we‘ll demonstrate applying filters to narrow down lists by processes, directories, network stats and more.

Finding Open Deleted Files


[Additional sections demonstrating concepts and providing insights here]