lsof

List open files.

Syntax
      lsof [options] [names]

Options
  -? -h Display help text.

  -a Causes the list selection options to be ANDed.

  -A A Specify A as an alternate name list file where
  the kernel addresses of the dynamic modules might be
  found. This option is available on systems whose AFS kernel 
  code is implemented via dynamic modules.

  -b This option causes lsof to avoid kernel functions that might
  block - lstat(2), readlink(2), and stat(2).
  See the full lsof man page for more on using this option.

  -c c This option selects the listing of files for processes execut-
  ing the command that begins with the characters of c.
  Multiple commands may be specified, using multiple -c options.
  They are joined in a single ORed set before participating in
  AND option selection.

  If c begins and ends with a slash ('/'), the characters
  between the slashes is interpreted as a regular expression.
  Shell meta-characters in the regular expression must be quoted
  to prevent their interpretation by the shell. The closing
  slash may be followed by these modifiers:

       b   the regular expression is a basic one.
       i   ignore the case of letters.
       x   the regular expression is an extended one
     (default).

  See the lsof FAQ for more

  +c w This option defines the maximum number of initial characters
  of the name of the UNIX command associated with a process to
  be printed in the COMMAND column. (The default is nine.)

  If w is zero ('0'), all command characters will be printed.

  If w is less than the length of the column title, ``COMMAND'',
  it will be raised to that length.

  -C This option disables the reporting of any path name components
  from the kernel's name cache. See the KERNEL NAME CACHE sec-
  tion for more information.

  +d s This option causes lsof to search for all open instances
  of directory s and the files and directories it contains at its
  top level. This option does NOT descend the directory tree,
  rooted at s, nor does it follow symbolic links within it. The
  +D D option may be used to request a full-descent directory
  tree search, rooted at directory D.

  Note: the authority of the user of this option limits it to
  searching for files that the user has permission to examine
  with the system stat(2) function.

  -d s This option specifies a list of file descriptors (FDs) to
  exclude from or include in the output listing.  The file
  descriptors are specified in the comma-separated set s - e.g.,
  `cwd,1,3', `^6,^2'. (There should be no spaces in the
  set.)

  The list is an exclusion list if all entries of the set begin
  with '^'. It is an inclusion list if no entry begins with
  '^'.  Mixed lists are not permitted.

  A file descriptor number range may be in the set as long as
  neither member is empty, both members are numbers, and the
  ending member is larger than the starting one - e.g., ``0-7''
  or ``3-10''. Ranges may be specified for exclusion if they
  have the '^' prefix - e.g., ``^0-7'' excludes all file
  descriptors 0 through 7.

  Multiple file descriptor numbers are joined in a single ORed
  set before participating in AND option selection.

  When there are exclusion and inclusion members in the set,
  lsof reports them as errors and exits with a non-zero return
  code.

  See the description of File Descriptor (FD) output values in
  the OUTPUT section for more information on file descriptor
  names.

  +D D This option causes lsof to search for all open instances of
  directory D and all the files and directories it contains to
  its complete depth. Symbolic links within directory D are
  ignored - i.e, not followed.

  -D D This option directs lsof's use of the device cache file.  The
  use of this option is sometimes restricted. See the DEVICE
  CACHE FILE section and the sections that follow it for more
  information on this option.

  -D  must be followed by a function letter; the function letter
  may optionally be followed by a path name.  Lsof recognizes
  these function letters:

       ? - report device cache file paths
       b - build the device cache file
       i - ignore the device cache file
       r - read the device cache file
       u - read and update the device cache file

  The  b,  r, and u functions, accompanied by a path name, are
  sometimes restricted. When these functions are restricted,
  they will not appear in the description of the -D option that
  accompanies -h or -? option output. See the full man page.

  +|-f [cfgGn]
  f by itself clarifies how path name arguments are to be inter-
  preted.  When followed by c, f, g, G, or n in any combination
  it specifies that the listing of kernel file structure infor-
  mation is to be enabled (`+') or inhibited (`-').

  Normally a path name argument is taken to be a file system
  name if it matches a mounted-on directory name reported by
  mount(8), or if it represents a block device, named in the
  mount output and associated with a mounted directory name.
  When +f is specified, all path name arguments will be taken to
  be file system names, and lsof will complain if any are not.
  This can be useful, for example, when the file system name
  (mounted-on device) isn't a block device.  This happens for
  some CD-ROM file systems.

  When -f is specified, all path name arguments will be taken to
  be simple files. Thus, for example, the -f / arguments
  direct lsof to search for open files with a / path name, not
  all open files in the / (root) file system.

  Be careful to make sure +f is properly terminated and isn't
  followed by a character (e.g., of the file or file system
  name) that might be taken as a parameter. For example, use
  `--' after +f as in this example.

       $ lsof +f -- /file/system/name

  The listing of information from kernel file structures,
  requested with the +f [cfgGn] option form, is normally inhib-
  ited, and is not available for some dialects - e.g.,
  /proc-based Linux. When the prefix to f is a plus sign (`+'),
  these characters request file structure information:

       c   file structure use count
       f   file structure address
       g   file flag abbreviations
       G   file flags in hexadecimal
       n   file structure node address

  When the prefix is minus (`-') the same characters disable the
  listing of the indicated values.

  File structure addresses, use counts, flags,  and  node
  addresses may be used to detect more readily identical files
  inherited by child processes and identical files in use by
  different processes. Lsof column output can be sorted by out-
  put columns holding the values and listed to identify
  identical file use, or lsof field output can be parsed by an
  AWK or Perl post-filter script, or by a C program.

  -F f This option specifies a character list, f, that selects the
  fields to be output for processing by another program, and the
  character that terminates each output field. Each field to be
  output is specified with a single character in f. The field
  terminator defaults to NL, but may be changed to NUL (000).
  See the OUTPUT FOR OTHER PROGRAMS section for a description of
  the field identification characters and the field output pro-
  cess.

  When the field selection character list is empty, all fields
  are selected (except the raw device field for compatibility
  reasons) and the NL field terminator is used.

  When the field selection character list contains only a zero
  (`0'), all fields are selected (except the raw device field
  for compatibility reasons) and the NUL terminator character is
  used.

  Other combinations of fields and their associated field termi-
  nator character must be set with explicit entries in f, as
  described in the OUTPUT FOR OTHER PROGRAMS section.

  When a field selection character identifies an item lsof does
  not normally list - e.g., PPID, selected with -R - specifica-
  tion of the field character - e.g., ``-FR'' - also selects the
  listing of the item.

  When the field selection character list contains the single
  character `?', lsof will display a help list of the field
  identification characters. (Escape the `?' character as your
  shell requires.)

  -g [s] This option selects the listing of files for the processes
  whose optional process group IDentification (PGID) numbers are
  in the comma-separated set s - e.g., `123' or `123,456'.
  (There should be no spaces in the set.)

  Multiple PGID numbers are joined in a single ORed set before
  participating in AND option selection.

  The -g option also enables the output display of PGID numbers.
  When specified without a PGID set that's all it does.

  -i [i] This option selects the listing of files any of whose Internet
  address matches the address specified in i. If no address is
  specified, this option selects the listing of all Internet and
  x.25 (HP-UX) network files.

  If -i4 or -i6 is specified with no following address, only
  files of the indicated IP version, IPv4 or IPv6, are displayed.

  Multiple addresses may be specified with multiple -i options.

  An Internet address is specified in the form:

  [46][protocol][@hostname|hostaddr][:service|port]

  where:
   46 specifies the IP version, IPv4 or IPv6 that applies to the following address.
   '6' may be be specified only if the UNIX dialect supports IPv6.
      If neither '4' nor '6' is specified, the following address applies to all IP versions.
   protocol is a protocol name - TCP or UDP.
   hostname is an Internet host name. 
     Unless a specific IP version is specified, open network files
     associated with host names of all versions will be selected.
   hostaddr is a numeric Internet IPv4 address in dot form;
     or an IPv6 numeric address in colon form, enclosed in brackets,
     if the UNIX dialect supports IPv6.  When an IP version is
     selected, only its numeric addresses may be specified.
   service is an /etc/services name
     - e.g., smtp -
     or a list of them.
   port is a port number, or a list of them.

  At least one address component - 4, 6, protocol, ,IR hostname
  , hostaddr, or service - must be supplied.

  Some sample addresses:

       -i6               - IPv6 only
       TCP:25            - TCP and port 25
       @1.2.3.4          - Internet IPv4 host address 1.2.3.4
       @[3ffe:1e<file_system>bc::1]:1234 - Internet IPv6 host address 3ffe:1ebc::1, port 1234
       UDP:who           - UDP who service port
       TCP@lsof.itap:513 - TCP, port 513 and host name lsof.itap
       tcp@foo:1-10,smtp,99 - TCP, ports 1 through 10, service name smtp, port 99, host name foo   
       tcp@bar:smtp-nameserver - TCP, ports smtp through nameserver, host bar 
       :time             - either TCP or UDP time service port

  -k k  This option specifies a kernel name list file, k, in place of
  /vmunix, /mach, etc.

  -l  This option inhibits the conversion of user ID numbers to
  login names. It is also useful when login name lookup is
  working improperly or slowly.

  +|-L [l] This option enables (`+') or disables (`-') the listing of
  file link counts, where they are available - e.g., they aren't
  available for sockets, or most FIFOs and pipes.

  When +L is specified without a following number, all link
  counts will be listed. When -L is specified (the default), no
  link counts will be listed.

  When +L is followed by a number, only files having a link
  count less than that number will be listed.  (No number may
  follow -L.)  A specification of the form ``+L1'' will select
  open files that have been unlinked. A specification of the
  form ``+aL1 '' will select unlinked open files on
  the specified file system.

  For other link count comparisons, use field output (-F) and a
  post-processing script or program.

  -m m This option specifies a kernel memory file, c, in place of
  /dev/kmem or /dev/mem - e.g., a crash dump file.

  +|-M Enables (+) or disables (-) the reporting of portmapper regis-
  trations for local TCP and UDP ports.
  See the lsof FAQ for more detail.

  -n This option inhibits the conversion of network numbers to host
  names for network files. Inhibiting conversion may make lsof
  run faster.  It is also useful when host name lookup is not
  working properly.

  -N This option selects the listing of NFS files.

  -o This option directs lsof to display file offset at all times.
  Consult the lsof FAQ for more information.
  The -o and -s options are mutually exclusive.

  -o o This option defines the number of decimal digits (o) to be
  printed after the `0t' for a file offset before the form is
  switched to `0x...'. An o value of zero (unlimited) directs
  lsof to use the `0t' form for all offset output.
  The default number is normally 8.

  -O This option directs lsof to bypass the strategy it uses to
  avoid being blocked by some kernel operations.
      Use this option cautiously.

  -p s This option selects the listing of files for the processes
  whose ID numbers are in the comma-separated set s - e.g.,
  `123' or `123,456'. (There should be no spaces in the set.)

  Multiple process ID numbers are joined in a single ORed set
  before participating in AND option selection.

  -P This option inhibits the conversion of port numbers to port
  names for network files. Inhibiting the conversion may make
  lsof run a little faster. It is also useful when host name
  lookup is not working properly.

  +|-r [t] This option puts lsof in repeat mode. There lsof lists 
  open files as selected by other options, delays t seconds (default
  fifteen), then repeats the listing, delaying and listing
  repetitively until stopped by a condition defined by the pre-
  fix to the option.

  If the prefix is a `-', repeat mode is endless. Lsof must be
  terminated with an interrupt or quit signal.

  If the prefix is `+', repeat mode will end the first cycle no
  open files are listed - and of course when lsof is stopped
  with an interrupt or quit signal.  When repeat mode ends
  because no files are listed, the process exit code will be
  zero if any open files were ever listed; one, if none were
  ever listed.

  Lsof marks the end of each listing: if field output is in
  progress (the -F, option has been specified), the marker is
  'm'; otherwise the marker is '========'. The marker is
  followed by a NL character.

  Repeat mode reduces lsof startup overhead, so it is more effi-
  cient to use this mode than to call lsof repetitively from a
  shell script, for example.

  To use repeat mode most efficiently, accompany +|-r with spec-
  ification of other lsof selection options, so the amount of
  kernel memory access lsof does will be kept to a minimum.
  Options that filter at the process level - e.g., -c, -g, -p,
  -u - are the most efficient selectors.

  Repeat mode is useful when coupled with field output (see the
  -F,  option description) and a supervising awk or Perl script,
  or a C program.

  -R List the Parent Process IDentification number in the PPID column.

  -s This option directs lsof to display file size at all times.
  It causes the SIZE/OFF output column title to be changed to
  SIZE. If the file does not have a size, nothing is displayed.

  The -o (without a following decimal digit count) and -s
  options are mutually exclusive.

  Since some types of files don't have true sizes - sockets,
  FIFOs, pipes, etc. - lsof displays for their sizes the content
  amounts in their associated kernel buffers, if possible.

  -S [t] This option specifies an optional time-out seconds value for
  kernel functions - lstat(2), readlink(2), and stat(2) - that
  might otherwise deadlock. The minimum for t is two; the
  default is fifteen.

  -T [t] Display TCP/TPI information

  -T  with no following key characters disables TCP/TPI info.

  -T with following character(s) selects the reporting info:

       q   selects queue length reporting.
       s   selects state reporting.
       w   selects window size reporting (not all dialects).

  -t Terse output with process identifiers only and no header - 
  e.g., so that the output may be piped to kill(1).
  This option selects the -w option.

   -u s This option selects the listing of files for the user whose
  login names or user ID numbers are in the comma-separated set
  s - e.g., `abe', or `548,root'.  (There should be no
  spaces in the set.)

  Multiple login names or user ID numbers are joined in a single
  ORed set before participating in AND option selection.

  If a login name or user ID is preceded by a `^', it becomes a
  negation - i.e., files of processes owned by the login name or
  user ID will never be listed. For example, to direct lsof to 
  exclude the listing of files belonging to root processes
  specify `-u^root' or `-u^0'.

  -U This option selects the listing of UNIX domain socket files.

  -v This option selects the listing of lsof version information,
  including: revision number; when the lsof binary was con-
  structed; who constructed the binary and where; the name of
  the compiler used to construct the lsof binary; the version
  number of the compiler when readily available; the compiler
  and loader flags used to construct the lsof binary; and system
  information, typically the output of uname's -a option.

  -V This option directs lsof to indicate the items it was asked to
  list and failed to find - command names, file names, Internet
  addresses or files, login names, NFS files, PIDs, PGIDs, and
  UIDs.

  When other options are ANDed to search options, or com-
  pile-time options restrict the listing of some files, lsof may
  not report that it failed to find a search item when an ANDed
  option or compile-time option prevents the listing of the open
  file containing the located search item.

  +|-w Enables (+) or disables (-) the suppression of warning
  messages. The -t option selects the -w option.

  -X This is a dialect-specific option.

  -- The double minus sign option is a marker that signals the
  end of the keyed options. It may be used, for example, when the
  first file name begins with a minus sign. It may also be used
  when the absence of a value for the last keyed option must be
  signified by the presence of a minus sign in the following
  option and before the start of the file names.

  names  These are path names of specific files to list. Symbolic
  links are resolved before use. The first name may be
  separated from the preceding options with the ``--'' option.

  Multiple file names are joined in a single ORed set before
  participating in AND option selection.

An open file may be a regular file, a directory, a block special file, a character special file, an executing text reference, a library, a stream or a network file (Internet socket, NFS file or UNIX domain socket.) A specific file or all the files in a file system may be selected by path.

Instead of a formatted display, lsof can produce output that can be parsed by other programs. See the -F, option.

In addition to producing a single output list, lsof will run in repeat mode. In repeat mode it will produce output, delay, then repeat the output operation until stopped with an interrupt or quit signal. See the +|-r [t] option.

Examples

List files currently open by me and my processes. 
   lsof

List files currently open on the entire system.
   sudo lsof 
 
List open network connections on the entire system.
   sudo lsof -i 

List open files on the "FW Drive" volume; 
useful for figuring out why you can't eject/dismount a disk because something is using it.
   sudo lsof "/Volumes/FW Drive" 

"It is when we all play safe that we create a world of the utmost insecurity" ~ Dag Hammarskjold, United Nations secretary general

lsof FAQ - FTP link to full documentation.

Related:

lsof man page - Apple.com
sudo - Execute a command as another user
kill - Stop a process from running
opensnoop - Snoop file opens as they occur
ps - List running processes (returns PID)
uname - Print system information


© Copyright SS64.com 1999-2014
Some rights reserved