lsof

List open files.

Syntax
      lsof [options] [names]

Options
   -? -h Display help text.

   -a    Causes the list selection options to be ANDed.

   -A A  Specify A as an alternate name list file where the kernel
         addresses of the dynamic modules might be found.
         This option is available on systems whose AFS kernel 
         code is implemented via dynamic modules.

   -b    This option causes lsof to avoid kernel functions that might
         block - lstat(2), readlink(2), and stat(2).
         See the full lsof man page for more on using this option.

   -c c  This option selects the listing of files for processes executing
         the command that begins with the characters of c.
         Multiple commands can be specified, using multiple -c options.
         They are joined in a single ORed set before participating in
         AND option selection.

         If c begins and ends with a slash ('/'), the characters
         between the slashes is interpreted as a regular expression.
         Shell meta-characters in the regular expression must be quoted
         to prevent their interpretation by the shell. The closing
         slash can be followed by these modifiers:

          b   the regular expression is a basic one.
          i   ignore the case of letters.
          x   the regular expression is an extended one (default).

          See the lsof FAQ for more

   +c w  This option defines the maximum number of initial characters
         of the name of the UNIX command associated with a process to
         be printed in the COMMAND column. (The default is nine.)

         If w is zero ('0'), all command characters will be printed.

         If w is less than the length of the column title, ``COMMAND'',
         it will be raised to that length.

  -C     This option disables the reporting of any path name components
         from the kernel's name cache. See the KERNEL NAME CACHE section
         for more information.

  +d s   This option causes lsof to search for all open instances
         of directory s and the files and directories it contains at its
         top level. This option does NOT descend the directory tree,
         rooted at s, nor does it follow symbolic links within it. The
         +D D option can be used to request a full-descent directory
         tree search, rooted at directory D.

         Note: the authority of the user of this option limits it to
         searching for files that the user has permission to examine
         with the system stat(2) function.

  -d s   This option specifies a list of file descriptors (FDs) to
         exclude from or include in the output listing.  The file
         descriptors are specified in the comma-separated set s - e.g.,
         `cwd,1,3', `^6,^2'. (There should be no spaces in the set.)

         The list is an exclusion list if all entries of the set begin
         with '^'. It is an inclusion list if no entry begins with
         '^'.  Mixed lists are not permitted.

         A file descriptor number range can be in the set as long as
         neither member is empty, both members are numbers, and the
         ending member is larger than the starting one - e.g., `0-7'
         or `3-10'. Ranges can be specified for exclusion if they
         have the '^' prefix - e.g., ``^0-7'' excludes all file
         descriptors 0 through 7.

         Multiple file descriptor numbers are joined in a single ORed
         set before participating in AND option selection.

         When there are exclusion and inclusion members in the set,
         lsof reports them as errors and exits with a non-zero return code.

         See the description of File Descriptor (FD) output values in
         the OUTPUT section for more information on file descriptor names.

   +D D  This option causes lsof to search for all open instances of
         directory D and all the files and directories it contains to
         its complete depth. Symbolic links within directory D are
         ignored - i.e, not followed.

   -D D  This option directs lsof's use of the device cache file.  The
         use of this option is sometimes restricted. See the DEVICE
         CACHE FILE section and the sections that follow it for more
         information on this option.

   -D    must be followed by a function letter; the function letter
         can optionally be followed by a path name.  Lsof recognizes
         these function letters:

          ? - report device cache file paths
          b - build the device cache file
          i - ignore the device cache file
          r - read the device cache file
          u - read and update the device cache file

         The  b,  r, and u functions, accompanied by a path name, are
         sometimes restricted. When these functions are restricted,
         they will not appear in the description of the -D option that
         accompanies -h or -? option output. See the full man page.

   +|-f [cfgGn]
         f by itself clarifies how path name arguments are to be interpreted.
         When followed by c, f, g, G, or n in any combination
         it specifies that the listing of kernel file structure information is
         to be enabled (`+') or inhibited (`-').

         Normally a path name argument is taken to be a file system name if it matches
         a mounted-on directory name reported by mount(8), or if it represents a block
         device, named in the mount output and associated with a mounted directory name.
         When +f is specified, all path name arguments will be taken to  be file system
         names, and lsof will complain if any are not.  This can be useful, for example,
         when the file system name (mounted-on device) isn't a block device.
         This happens for some CD-ROM file systems.

         When -f is specified, all path name arguments will be taken to be simple files.
         Thus, for example, the -f / arguments direct lsof to search for open files
         with a / path name, not all open files in the / (root) file system.

         Be careful to make sure +f is properly terminated and isn't followed by a
         character (e.g., of the file or file system name) that might be taken as a parameter.
         For example, use `--' after +f as in this example.

            $ lsof +f -- /file/system/name

         The listing of information from kernel file structures, requested with the +f [cfgGn] option
         form, is normally inhibited, and is not available for some dialects - e.g.,
         /proc-based Linux. When the prefix to f is a plus sign (`+'), these characters
         request file structure information:

          c   file structure use count
          f   file structure address
          g   file flag abbreviations
          G   file flags in hexadecimal
          n   file structure node address

         When the prefix is minus (`-') the same characters disable the listing of the indicated values.

         File structure addresses, use counts, flags, and node addresses can be used
         to detect more readily identical files inherited by child processes and
         identical files in use by different processes. Lsof column output can
         be sorted by output columns holding the values and listed to identify
         identical file use, or lsof field output can be parsed by an AWK or Perl
         post-filter script, or by a C program.

   -F f  This option specifies a character list, f, that selects the fields to be output
         for processing by another program, and the character that terminates each
         output field. Each field to be output is specified with a single character in f.
         The field terminator defaults to NL, but can be changed to NUL (000).
         See the OUTPUT FOR OTHER PROGRAMS section for a description of the field identification
         characters and the field output process.

         When the field selection character list is empty, all fields are selected (except the
         raw device field for compatibility reasons) and the NL field terminator is used.

         When the field selection character list contains only a zero (`0'), all fields are
         selected (except the raw device field for compatibility reasons) and the NUL
         terminator character is used.

         Other combinations of fields and their associated field terminator character must
         be set with explicit entries in f, as described in the OUTPUT FOR OTHER PROGRAMS section.

         When a field selection character identifies an item lsof does not normally list
          - e.g., PPID, selected with -R - specification of the field character
          - e.g., ``-FR'' - also selects the listing of the item.

         When the field selection character list contains the single character `?', lsof will
         display a help list of the field identification characters.
         (Escape the `?' character as your  shell requires.)

   -g [s]
         This option selects the listing of files for the processes whose optional process
         group IDentification (PGID) numbers are in the comma-separated set s - e.g., `123' or `123,456'.
         (There should be no spaces in the set.)

         Multiple PGID numbers are joined in a single ORed set before participating
         in AND option selection.

         The -g option also enables the output display of PGID numbers.
         When specified without a PGID set that's all it does.

   -i [i] This option selects the listing of files any of whose Internet
         address matches the address specified in i. If no address is
         specified, this option selects the listing of all Internet and
         x.25 (HP-UX) network files.

         If -i4 or -i6 is specified with no following address, only
         files of the indicated IP version, IPv4 or IPv6, are displayed.

         Multiple addresses can be specified with multiple -i options.

         An Internet address is specified in the form:

         [46][protocol][@hostname|hostaddr][:service|port]

         where:
         46 specifies the IP version, IPv4 or IPv6 that applies to the following address.
            '6' can be be specified only if the UNIX dialect supports IPv6.
            If neither '4' nor '6' is specified, the following address applies to all IP versions.
         protocol is a protocol name - TCP or UDP.
         hostname is an Internet host name. 
            Unless a specific IP version is specified, open network files
            associated with host names of all versions will be selected.
         hostaddr is a numeric Internet IPv4 address in dot form;
            or an IPv6 numeric address in colon form, enclosed in brackets,
            if the UNIX dialect supports IPv6.  When an IP version is
            selected, only its numeric addresses can be specified.
         service is an /etc/services name
         - e.g., smtp -
         or a list of them.
         port is a port number, or a list of them.

         At least one address component - 4, 6, protocol, ,IR hostname
         , hostaddr, or service - must be supplied.

         Some sample addresses:

       -i6               - IPv6 only
       TCP:25            - TCP and port 25
       @1.2.3.4          - Internet IPv4 host address 1.2.3.4
       @[3ffe:1e<file_system>bc::1]:1234 - Internet IPv6 host address 3ffe:1ebc::1, port 1234
       UDP:who           - UDP who service port
       TCP@lsof.itap:513 - TCP, port 513 and host name lsof.itap
       tcp@foo:1-10,smtp,99 - TCP, ports 1 through 10, service name smtp, port 99, host name foo   
       tcp@bar:smtp-nameserver - TCP, ports smtp through nameserver, host bar 
       :time             - either TCP or UDP time service port

   -k k  This option specifies a kernel name list file, k, in place of /vmunix, /mach, etc.

   -l    This option inhibits the conversion of user ID numbers to
         login names. It is also useful when login name lookup is
         working improperly or slowly.

   +|-L [l] This option enables (`+') or disables (`-') the listing of file link counts,
         where they are available - e.g., they aren't available for sockets,
         or most FIFOs and pipes.

         When +L is specified without a following number, all link counts will be listed.
         When -L is specified (the default), no link counts will be listed.

         When +L is followed by a number, only files having a link count less than that
         number will be listed.  (No number can follow -L.)
         A specification of the form `+L1' will select open files that have been unlinked.
         A specification of the form `+aL1 ' will select unlinked open files on
         the specified file system.

         For other link count comparisons, use field output (-F) and a
         post-processing script or program.

   -m m  This option specifies a kernel memory file, c, in place of
         /dev/kmem or /dev/mem - e.g., a crash dump file.

   +|-M  Enables (+) or disables (-) the reporting of portmapper registrations for local TCP and UDP ports.
         See the lsof FAQ for more detail.

   -n    This option inhibits the conversion of network numbers to host
         names for network files. Inhibiting conversion can make lsof run faster.
         It is also useful when host name lookup is not working properly.

   -N    This option selects the listing of NFS files.

   -o     This option directs lsof to display file offset at all times.
         Consult the lsof FAQ for more information.
         The -o and -s options are mutually exclusive.

   -o o  This option defines the number of decimal digits (o) to be printed after the `0t'
         for a file offset before the form is switched to `0x...'.
         An o value of zero (unlimited) directs lsof to use the `0t' form for all offset output.
         The default number is normally 8.

   -O    This option directs lsof to bypass the strategy it uses to avoid being blocked by some kernel operations.
         Use this option cautiously.

   -p s  This option selects the listing of files for the processes
         whose ID numbers are in the comma-separated set s - e.g.,
         `123' or `123,456'. (There should be no spaces in the set.)

         Multiple process ID numbers are joined in a single ORed set  before participating in AND option selection.

   -P    This option inhibits the conversion of port numbers to port names for network files.
         Inhibiting the conversion can make lsof run a little faster.
         It is also useful when host name lookup is not working properly.

  +|-r [t] This option puts lsof in repeat mode. There lsof lists open files as selected by other
          options, delays t seconds (default fifteen), then repeats the listing, delaying and
         listing repetitively until stopped by a condition defined by the prefix to the option.

         If the prefix is a `-', repeat mode is endless. Lsof must be terminated with an interrupt
         or quit signal.

         If the prefix is `+', repeat mode will end the first cycle no open files are listed
          - and of course when lsof is stopped with an interrupt or quit signal.
         When repeat mode ends because no files are listed, the process exit code will be
         zero if any open files were ever listed; one, if none were ever listed.

         Lsof marks the end of each listing: if field output is in progress (the -F, option
         has been specified), the marker is 'm'; otherwise the marker is '========'.
         The marker is followed by a NL character.

         Repeat mode reduces lsof startup overhead, so it is more efficient to use this mode than
         to call lsof repetitively from a shell script, for example.

         To use repeat mode most efficiently, accompany +|-r with specification of other lsof selection
         options, so the amount of  kernel memory access lsof does will be kept to a minimum.
         Options that filter at the process level - e.g., -c, -g, -p, -u - are the most efficient selectors.

         Repeat mode is useful when coupled with field output (see the -F, option description) and
         a supervising awk or Perl script, or a C program.

   -R    List the Parent Process IDentification number in the PPID column.

   -s    This option directs lsof to display file size at all times.
         It causes the SIZE/OFF output column title to be changed to SIZE.
         If the file does not have a size, nothing is displayed.

         The -o (without a following decimal digit count) and -s options are mutually exclusive.

         Since some types of files don't have true sizes - sockets, FIFOs, pipes, etc.
         - lsof displays for their sizes the content amounts in their associated kernel buffers, if possible.

   -S [t] This option specifies an optional time-out seconds value for kernel functions
          - lstat(2), readlink(2), and stat(2) - that might otherwise deadlock.
         The minimum for t is two; the default is fifteen.

   -T [t] Display TCP/TPI information

   -T     with no following key characters disables TCP/TPI info.

   -T     with following character(s) selects the reporting info:

       q   selects queue length reporting.
       s   selects state reporting.
       w   selects window size reporting (not all dialects).

   -t Terse output with process identifiers only and no header - 
         e.g., so that the output can be piped to kill(1).
         This option selects the -w option.

   -u s  This option selects the listing of files for the user whose
         login names or user ID numbers are in the comma-separated set
         s - e.g., `abe', or `548,root'.  (There should be no spaces in the set.)

         Multiple login names or user ID numbers are joined in a single
         ORed set before participating in AND option selection.

         If a login name or user ID is preceded by a `^', it becomes a negation
         - i.e., files of processes owned by the login name or user ID will never be listed.
         For example, to direct lsof to exclude the listing of files belonging to root processes
         specify `-u^root' or `-u^0'.

   -U    This option selects the listing of UNIX domain socket files.

   -v    This option selects the listing of lsof version information,
         including: revision number; when the lsof binary was constructed; who constructed
         the binary and where; the name of the compiler used to construct the lsof binary;
         the version number of the compiler when readily available; the compiler
         and loader flags used to construct the lsof binary; and system information,
         typically the output of uname's -a option.

   -V    This option directs lsof to indicate the items it was asked to list and failed to find
          - command names, file names, Internet addresses or files, login names, NFS files,
         PIDs, PGIDs, and  UIDs.

         When other options are ANDed to search options, or compile-time options restrict the listing
         of some files, lsof might not report that it failed to find a search item when an ANDed
         option or compile-time option prevents the listing of the open file containing the located search item.

   +|-w  Enables (+) or disables (-) the suppression of warning messages.
         The -t option selects the -w option.

   -X    This is a dialect-specific option.

   --    The double minus sign option is a marker that signals the end of the keyed options.
         It can be used, for example, when the first file name begins with a minus sign.
         It can also be used when the absence of a value for the last keyed option must be
         signified by the presence of a minus sign in the following option and before the start of the file names.

  names  These are path names of specific files to list.
         Symbolic links are resolved before use. The first name can be separated from
         the preceding options with the -- option.

         Multiple file names are joined in a single ORed set before participating in AND option selection.

An open file can be a regular file, a directory, a block special file, a character special file, an executing text reference, a library, a stream or a network file (Internet socket, NFS file or UNIX domain socket.) A specific file or all the files in a file system can be selected by path.

On MacOS, lsof only shows your own processes unless running as root with sudo.

Instead of a formatted display, lsof can produce output that can be parsed by other programs. See the -F, option.

In addition to producing a single output list, lsof will run in repeat mode. In repeat mode it will produce output, delay, then repeat the output operation until stopped with an interrupt or quit signal. See the +|-r [t] option.

Examples

List all open files, if you need to filter the output, pipe this into grep:

$ lsof

Show who is using a file, list all the processes that are using a file, or several files:
$ lsof /path/to/file1

$ lsof /path/to/file1 /path/to/file2

To list all open files on a device:
$ lsof /dev/hd4

List all open files by a user, or users:
$ lsof -u ashley
$ lsof -u ashley, pete
$ lsof -u ashley -u pete

Options can be combined, the default is to OR between options unless you also specify -a which will AND the options.
List all open files for login name ''ashley'', or user ID 6464, or process 123, or process 456:
$ lsof -p 123,456 -u 6464,ashley

Find the files opened by a program/process whose command name begins with 'apache':
$ lsof -c apache

List all network connections:
$ lsof -i

List the files opened by all users except root. The caret here ^ specifies NOT:
$ lsof -u ^root

List the processes that are using port 80 (HTTP activity):
$ lsof -i :80

lsof repeat mode, add -r and a number in seconds to any lsof command to make it repeat.
Monitoring port 80 can be useful to spot processes or websites that are constantly dialling home (cough facebook):
$ lsof -i :80 -r 2

To list all open files whose PID is 1234 AND are in use via the IPv4 network:
$ lsof -i 4 -a -p 1234

List only open IPv6 network files:
$ lsof -i 6

List all files using any protocol on ports 513, 514, or 515 of host ss64.com:
$ lsof -i @ss64.com:513-515

To list all files using any protocol on any port of mace.cc.purdue.edu (cc.purdue.edu is the default domain), use:
$ lsof -i @mace

Lists memory-mapped files with the special value mem:
$ lsof -d mem

List programs loaded in memory and executing with the special value txt:
$ lsof -d txt

To send a SIGHUP to the processes that have /u/abe/bar open, use:
$ kill -HUP 'lsof -t /u/abe/bar'

To find any open file, including an open UNIX domain socket file, with the name /dev/log, use:
$ lsof /dev/log

Find processes with open files on the NFS file system named /nfs/mount/point whose server is inaccessible, and presuming your mount table supplies the device number for /nfs/mount/point:
$ lsof -b /nfs/mount/point

To do the preceding search with warning messages suppressed:
$ lsof -bw /nfs/mount/point

Ignore the device cache file:
$ lsof -Di

Obtain PID and command name field output for each process, file descriptor, file device number, and file inode number for each file of each process:
$ lsof -FpcfDi

List the files at descriptors 1 and 3 of every process running the lsof command for login ID ''abe'' every 10 seconds:
$ lsof -c lsof -a -d 1 -d 3 -u abe -r10

To list the current working directory of processes running a command that is exactly four characters long and has an 'o' or 'O' in character three, use this regular expression form of the -c c option:
$ lsof -c /^..o.$/i -a -d cwd

To find an IP version 4 socket file by its associated numeric dot-form address, use:
$ lsof -i@128.210.15.17

"It is when we all play safe that we create a world of the utmost insecurity" ~ Dag Hammarskjold, United Nations secretary general

lsof FAQ - full documentation.

Related:

lsof man page - Apple.com
sudo - Execute a command as another user
kill - Stop a process from running
opensnoop - Snoop file opens as they occur
ps - List running processes (returns PID)
uname - Print system information


© Copyright SS64.com 1999-2016
Some rights reserved