Using lsof Command in Linux with Examples

The lsof command (list open files) is a powerful utility available on Linux and Unix-like operating systems, used by administrators and developers to retrieve information on files opened by running processes. First released in the early 1990s by Victor A. Abell, lsof provides an incredible amount of diagnostic insight that can be invaluable for troubleshooting performance and configuration issues.

This article will provide an overview of lsof functionality and syntax, accompanied by detailed examples demonstrating its usage for common scenarios like finding open deleted files, detecting network bottlenecks, and tracking down resource saturation issues. We’ll cover interpreting output, addressing permissions and security considerations, integrating lsof with other diagnostic commands, automation, and alternatives. By the end, readers should have a solid grasp of applying lsof for monitoring, reporting, and building advanced workflows.

Interpreting the Output

The key to effectively leveraging lsof is learning how to interpret the information it surfaces. Running the tool with no arguments returns a list of all open files across active processes on the system. Here is a sample output, followed by an analysis of the key fields:

COMMAND  PID  USER  FD   TYPE  DEVICE   SIZE      NODE  NAME
init       1  root  cwd  DIR   8,1      4096         2  /
init       1  root  rtd  DIR   8,1      4096         2  /
init       1  root  txt  REG   8,1     43496  62529094  /sbin/init
init       1  root  mem  REG   8,1      1500   1572864  /lib64/libnss_files-2.12.so

COMMAND shows the process name, PID the process ID, USER the owner, FD the file descriptor type, TYPE the node type (e.g. DIR for directory, REG for regular file), DEVICE the device identifier numbers, SIZE and NODE the file's size and node number, and NAME the actual file or directory name.

The FD (file descriptor) column indicates how the file is opened by the process: cwd is the current working directory, rtd is the root directory, txt is the executable file itself, mem is a memory-mapped file such as a shared library, and there are more.

Here are some key takeaways for deciphering lsof output:

  • Look to the COMMAND/process and NAME/file-path columns to spot issues.
  • The TYPE field indicates whether the entry is a regular file, directory, socket, pipe, etc.
  • DEVICE can help identify which filesystem the file is on.
  • SIZE shows the logical size for the file type.
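
The column layout and FD values described above can be turned into a small parser. This is an added example, not part of the original article: the function names sample_lsof, describe_fd and mapped_code are hypothetical, the input is the article's own sample rows, and it assumes every row has all nine columns populated.

```shell
#!/bin/sh
# Added example: label each row of lsof's default output by its FD role.
# Assumption: rows carry all nine columns, as in the article's sample. Rows
# with fewer than nine fields are skipped because column positions are then
# unreliable.

# Sample rows taken from the article's output above.
sample_lsof() {
cat <<'EOF'
COMMAND  PID  USER  FD   TYPE  DEVICE   SIZE      NODE  NAME
init       1  root  cwd  DIR   8,1      4096         2  /
init       1  root  rtd  DIR   8,1      4096         2  /
init       1  root  txt  REG   8,1     43496  62529094  /sbin/init
init       1  root  mem  REG   8,1      1500   1572864  /lib64/libnss_files-2.12.so
EOF
}

# describe_fd: read lsof output on stdin and print one tab-separated line
# "PID COMMAND ROLE NAME" per row, translating the FD column into a role.
describe_fd() {
  awk '
    NR == 1 { next }                       # skip the header line
    NF < 9  { next }                       # incomplete row, see note above
    {
      fd = $4
      if      (fd == "cwd") role = "working-dir"
      else if (fd == "rtd") role = "root-dir"
      else if (fd == "txt") role = "executable"
      else if (fd == "mem") role = "mapped-file"
      else                  role = "fd:" fd    # numeric descriptors
      name = $9
      # NAME may contain spaces; rejoin the remaining fields with one space.
      for (i = 10; i <= NF; i++) name = name " " $i
      printf "%s\t%s\t%s\t%s\n", $2, $1, role, name
    }'
}

# mapped_code PID: list only the executable and memory-mapped files of a PID.
mapped_code() {
  describe_fd | awk -F '\t' -v pid="$1" \
    '$1 == pid && ($3 == "executable" || $3 == "mapped-file") { print $4 }'
}

sample_lsof | describe_fd
```

On a live system the same functions read real output, for example `lsof -p 1 | mapped_code 1`, subject to the nine-column assumption.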

With practice, an administrator can quickly profile all files opened by specific processes across an entire server just by glancing through the output. Next we’ll demonstrate applying filters to narrow down lists by processes, directories, network stats and more.

Finding Open Deleted Files

Sometimes…
