music

�

OSdata.com

lsof

summary

����This subchapter looks at lsof, a UNIX (and Linux) command.

����lsof lists open files (and that includes devices, directories, pipes, nodes, sockets, and anything else that UNIX treats as a file).

free book on UNIX/Linux System Administration Teach Yourself UNIX/Linux System Administration and Shell Programming free computer programming text book project table of contents If you like the idea of this project, then please donate some money. more information on donating

lsof

����This subchapter looks at lsof, a UNIX (and Linux) command.

����lsof lists open files (and that includes devices, directories, pipes, nodes, sockets, and anything else that UNIX treats as a file).

����lsof will give you information on any opened files (including all of the items UNIX treats as a file).

basic use

����Type lsof all by itelf to get a list of all open files belonging to all active processes. The list was huge when creating this example, so I have edited it to highlight some of the things listed.

����$ lsof
����COMMAND���PID����USER FD�����TYPE����DEVICE���SIZE/OF�����NODE NAME
����loginwind��24 admin��cwd������DIR������14,8������1564��������2 /
����loginwind��24 admin��txt������REG������14,8����946736��1076582 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow
����loginwind��24 admin����0r���� CHR������ 3,2������ 0t0 35264644 /dev/null
����loginwind��24 admin����1���� PIPE 0x224f3f0���� 16384
����loginwind��24 admin����2���� PIPE 0x224f3f0���� 16384
����loginwind��24 admin����3u����unix 0x27766e8������ 0t0����������->0x224cdd0
����launchd����68 admin����3u��KQUEUE������������������������������count=0, state=0x1
����launchd����68 admin����5u�� systm 0x25f1264������ 0t0����������[1:1:0]
����launchd����68 admin�� 15���� PIPE 0x224f6ac���� 16384
����launchd����68 admin�� 19r���� DIR������14,8������1122������248 /Library/Preferences
����AirPort����84 admin��cwd������DIR������14,8������1564��������2 /
����AirPort����84 admin��txt������REG������14,8����573072��3265433 /System/Library/CoreServices/AirPort Base Station Agent.app/Contents/MacOS/AirPort Base Station Agent
����Spotlight��88 admin��cwd������DIR������14,8������1564��������2 /
����Spotlight��88 admin��txt������REG������14,8����708848��1067264 /System/Library/CoreServices/Spotlight.app/Contents/MacOS/Spotlight
����UserEvent��89 admin��cwd������DIR������14,8������1564��������2 /
����Dock������ 90 admin��cwd������DIR������14,8������1564��������2 /
����Dock������ 90 admin��txt������REG������14,8�� 2384752��1046722 /System/Library/CoreServices/Dock.app/Contents/MacOS/Dock
����Dock������ 90 admin����4u��KQUEUE������������������������������count=0, state=0x2
����ATSServer��91 admin��cwd������DIR������14,8������1564��������2 /
����ATSServer��91 admin��txt������REG������14,8�� 5787888��1131290 /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/Support/ATSServer
����pboard���� 92 admin��cwd������DIR������14,8������1564��������2 /
����SystemUIS��94 admin��cwd������DIR������14,8������1564��������2 /
����Finder���� 96 admin��cwd������DIR������14,8������1564��������2 /
����iTunesHel 115 admin��cwd������DIR������14,8������1564��������2 /
����Tex-Edit��146 admin��cwd������DIR������14,8������1564��������2 /
����Tex-Edit��146 admin��txt������REG������14,8����367168��1045618 /System/Library/CoreServices/Encodings/libTraditionalChineseConverter.dylib
����firefox-b 149 admin��cwd������DIR������14,8������1564��������2 /
����firefox-b 576 admin���56u����IPv4 0x4984e64�������0t0������TCP 192.168.0.108:60388->173.194.57.119:http (ESTABLISHED)

����The default is one file per line. The FD column gives the file descriptor and the TYPE column gives the file type. The other columns should make sense.

����Some of the common FD values are:

• cwd = Current Working Directory
• mem = memory mapped file
• mmap = memory mapped device
• rtd = root directory
• txt = text file
• NUMBER = file descriptor. The character after the number inidicates the mode in which the file is opened. r = read, w = write, and u = both read and write. This may be followed by lock information.
• asdf

����Some of the common TYPE values are:

• BLK = block special file
• CHR = character special file
• DIR = directory
• FIFO = First In First Out special file
• IPv4 = IPv4 socket
• IPv6 = IPv6 socket
• LINK = symbolic link file
• PIPE = pipe
• REG = regular file
• unix = UNIX domain socket

find which process opened a file

����You can get information on which processes opened a specific file by giving the filename as an argument.

����$ lsof /System/Library/Fonts/Helvetica.dfont
����loginwind��24 admin��txt����REG���14,8��2402112 10720 /System/Library/Fonts/Helvetica.dfont
����ATSServer��90 admin��txt����REG���14,8��2402112 10720 /System/Library/Fonts/Helvetica.dfont
����Tex-Edit��123 admin��txt����REG���14,8��2402112 10720 /System/Library/Fonts/Helvetica.dfont
����firefox-b 576 admin��txt����REG���14,8��2402112 10720 /System/Library/Fonts/Helvetica.dfont

find any open file by name

����To find any open file, including an open UNIX domain socket file, with the name /dev/log, type lsof /dev/log. (from the man pages)

����$ lsof /dev/log

list opened files in directory

����To list all the processes that have opened files in a particular directory, use the +d option.

����$ lsof +d /u/abe/foo/

����To list all the processes that have opened files in a particular directory and all of its child directories (subdirectories), use the +D option. lsof will recurse through all subdirectories.

����$ lsof +D /var/
����COMMAND���PID��USER���FD���TYPE DEVICE��SIZE/OFF����NODE NAME
����loginwind��24 admin��txt����REG���14,8 149168128 1137272 /private/var/db/dyld/dyld_shared_cache_ppc
����loginwind��24 admin����4u���REG���14,8������2512 3589022 /private/var/run/utmpx
����launchd����64 admin��txt����REG���14,8 149168128 1137272 /private/var/db/dyld/dyld_shared_cache_ppc
���������< listing continues >

list open directory

����To list the process that has /u/abe/foo open, type lsof /u/abe/foo. (from the man pages)

����$ lsof /u/abe/foo

list by process names

����To list all open files by process names starting with particlar strings, use the -c option, followed by the process name. You can give multiple -c switches on a single command line.

����Note that this option does not look for an exact match, but any process that includes the character string as a substring of the process name. So, sh would find ssh and sh

����$ lsof -c Terminal
����COMMAND��PID��USER���FD���TYPE����DEVICE��SIZE/OFF�����NODE�NAME
����Terminal 168 admin��cwd����DIR������14,8�������918���547359 /Users/admin
����Terminal 168 admin��txt����REG������14,8��10244512��1048543 /usr/share/icu/icudt36b.dat
����Terminal 168 admin����0r���CHR�������3,2�������0t0 35027076 /dev/null
����Terminal 168 admin����1���PIPE 0x22374b4�����16384
����Terminal 168 admin����2���PIPE 0x22374b4�����16384
���������< listing continues >

list by particular login names

����To list all of the files opened by a specific user, type the -u option.

����$ lsof -u jill

����To list all of the files opened by several specific users, use a comma delimited list.

����$ lsof -u jack,jill

����To list all of the files opened by every user other than a specific user, use the ^ character. You can use a comma delimited list

����$ lsof -u ^jack,jill

list by particular process

����To list all of the files opened by a particular process, type the -p option.

����$ lsof -p 1234

list particular login names, user IDs or process numbers

����To list all open files for any and all of: login name abe, or user ID 1234, or process 456, or process 123, or process 789, type lsof -p 456,123,789 -u 1234,abe. (from the man pages)

����$ lsof -p 456,123,789 -u 1234,abe

list by mount point

����Sometimes when you attempt to unmount a device or directory, the system will warn you with the �Device or resource Busy� error.

����You can list all of the processes using a mount point and then kill those processes so that you can unmount the device or directory.

����$ lsof /home

����An equivalent option is:

����$ lsof +D /home/

list by device

����To list all open files on device /dev/hd4, type lsof /dev/hd4. (from the man pages)

����$ lsof /dev/hd4

kill process

����To kill the process that has /u/abe/foo open (by sending the signal SIGHUP), type kill -HUP `lsof -t /u/abe/foo`. (from the man pages)

����$ kill -HUP `lsof /u/abe/foo`

����Notice that those are back ticks.

����You can also kill all processes that belong to a specific user by using the -t option to output only the process ID and pass that result on to kill.

����$ kill -9 `lsof -t -u jill `

AND/OR

����lsof defaults to logical OR of all options. The following example (from the man pages) will list all of the files open from all three listed processes and from both users.

����$ lsof -p 456,123,789 -u 1234,abe

����Use the -a option to perform a logical AND on the user names, processes, etc. Note that you either OR the entire line or AND the entire line. You can not mix AND and OR together in a single lsof command. The ^ negation on login name or user ID, process ID, or process group ID options are evaluated prior to other selection criteria and therefore don�t get included in AND or OR for lsof. Although the -a is legal in any position, placing it between a pair of items does not cause just those two items to be ANDed, the entire line is still ANDed.

����The following AND example will produce a listing of only UNIX socket files that belong to processes owned by the user foo.

����$ lsof -a -U -ufoo

timed listings

����You can gather information at specific time intervals. To list the files at descriptors 1 and 3 of every process running the lsof command for login abe every 10 seconds, type lsof -c lsof -a -d 1 -d 3 -u abe -r10. (from the man pages)

����$ lsof -c lsof -a -d 1 -d 3 -u abe -r10

����Use the +r or -r options for timed repeats. The +r switch will stop when no open files that meet the selected criteria are open. The -r will continue until interrupted by a signal. The number after the r is the time in seconds for each delay.

����Between each cycle, lsof will print a sequence of equal signs ( ======= ).

����=======

internet connections

����Because UNIX and Linux (and Mac OS X) treat internet connections as files, you can use the -i switch to view all of your open internet connections.

����$ lsof -i
����COMMAND���PID��USER���FD���TYPE����DEVICE SIZE/OFF NODE NAME
����SystemUIS��93 admin���10u��IPv4 0x2152f48������0t0��UDP *:*
����firefox-b 127 admin���75u��IPv4 0x43c5270������0t0��TCP 192.168.0.108:49816->63.141.192.121:http (CLOSE_WAIT)
����Fetch�����294 admin���23u��IPv4 0x27ffe64������0t0��TCP 192.168.0.108:50539->reliant.websitewelcome.com:ftp (ESTABLISHED)
����Fetch�����294 admin���24u��IPv4 0x2d2be64������0t0��TCP 192.168.0.108:50541->reliant.websitewelcome.com:36975 (LAST_ACK)
����Fetch�����294 admin���25u��IPv4 0x444a66c������0t0��TCP 192.168.0.108:50542->reliant.websitewelcome.com:22271 (TIME_WAIT)

internet files

����To list all open Internet, x.25 (HP-UX), and UNIX domain files, type lsof -i -U. (from the man pages)

����$ lsof -i -U

IPv4 network files by PID

����To list all open IPv4 network files in use by the process whose PID is 1234, type lsof -i 4 -a -p 1234. (from the man pages)

����$ lsof -i 4 -a -p 1234

IPv6 files

����To list all open IPv6 network files (assuming your UNIX system supports IPv6), type lsof -i 6. (from the man pages)

����$ lsof -i 6

list by port

����List all of the processes that are listening to a particular port by using colon ( : ) followed by the port number(s).

����$ lsof -i:21

����To list all files using any protocol on ports 513, 514, or 515 of host wonderland.cc.purdue.edu, type lsof -i @wonderland.cc.purdue.edu:513-515. (from the man pages)

����$ lsof -i @wonderland.cc.purdue.edu:513-515

list TCP or UDP connections

����List all of the TCP connections:

����$ lsof -i tcp

����List all of the UDP connections:

����$ lsof -i udp

list from default domain

����Assuming a default domain of cc.purdue.edu, list all files using any protocol on any port of mace.cc.purdue.edu, type lsof -i @mace. (from the man pages)

����$ lsof -i @mace

Network File System (NFS)

����List all of the Network File System (NFS) files by using the -N switch.

����$ lsof -N

����To find processes with open files on the NFS file system named /nfs/mount/point whose server is inaccessible (assuming your mount table supplies the device number for /nfs/mount/point), type lsof -b /nfs/mount/point. (from the man pages)

����$ lsof -b /nfs/mount/point

����To do the preceding search with warning messages suppressed, type lsof -bw /nfs/mount/point. (from the man pages)

����$ lsof -bw /nfs/mount/point

ignore device cache file

����To ignore the device cache file, type lsof -Di. (from the man pages)

����$ lsof -Di

obtain specific multiple info on each file

����You can combine flags to gather specific information. To obtain the PID and command name field for each process, file descriptor, file device number, and file inode number for each file of each process, type lsof -FpcfDi. (from the man pages)

����$ lsof -FpcfDi

using regular expressions

����To list the current working directory of prcoesses running a command that is exactly four characters long and has an upper or lower case �O� or �o� in character position three, type lsof -c /^..o.$/i -a -d cwd. (from the man pages)

����$ lsof -c /^..o.$/i -a -d cwd

socket files

����To find an IP version 4 socket file by its associated numeric dot-form address, type lsof -i@128.210.15.17. (from the man pages)

����$ lsof [email protected]

����To find an IP version 6 socket file by its associated numeric colon-form address, type lsof -i@[0:1:2:3:4:5:6:7]. (from the man pages)

����$ lsof -i@[0:1:2:3:4;5;6:7]

����To find an IP version 6 socket file by its associated numeric colon-form address that has a run of zeros in it (such as the loop-back address), type lsof -i@[::1]. (from the man pages)

����$ lsof -i@[::1]

---