List open files.
Syntax lsof [options] [names] Options -? -h Display help text. -a Causes the list selection options to be ANDed. -A A Specify A as an alternate name list file where the kernel addresses of the dynamic modules might be found. This option is available on systems whose AFS kernel code is implemented via dynamic modules. -b This option causes lsof to avoid kernel functions that might block - lstat(2), readlink(2), and stat(2). See the full lsof man page for more on using this option. -c c This option selects the listing of files for processes executing the command that begins with the characters of c. Multiple commands can be specified, using multiple -c options. They are joined in a single ORed set before participating in AND option selection. If c begins and ends with a slash ('/'), the characters between the slashes is interpreted as a regular expression. Shell meta-characters in the regular expression must be quoted to prevent their interpretation by the shell. The closing slash can be followed by these modifiers: b the regular expression is a basic one. i ignore the case of letters. x the regular expression is an extended one (default). See the lsof FAQ for more +c w This option defines the maximum number of initial characters of the name of the UNIX command associated with a process to be printed in the COMMAND column. (The default is nine.) If w is zero ('0'), all command characters will be printed. If w is less than the length of the column title, ``COMMAND'', it will be raised to that length. -C This option disables the reporting of any path name components from the kernel's name cache. See the KERNEL NAME CACHE section for more information. +d s This option causes lsof to search for all open instances of directory s and the files and directories it contains at its top level. This option does NOT descend the directory tree, rooted at s, nor does it follow symbolic links within it. The +D D option can be used to request a full-descent directory tree search, rooted at directory D. Note: the authority of the user of this option limits it to searching for files that the user has permission to examine with the system stat(2) function. -d s This option specifies a list of file descriptors (FDs) to exclude from or include in the output listing. The file descriptors are specified in the comma-separated set s - e.g., `cwd,1,3', `^6,^2'. (There should be no spaces in the set.) The list is an exclusion list if all entries of the set begin with '^'. It is an inclusion list if no entry begins with '^'. Mixed lists are not permitted. A file descriptor number range can be in the set as long as neither member is empty, both members are numbers, and the ending member is larger than the starting one - e.g., `0-7' or `3-10'. Ranges can be specified for exclusion if they have the '^' prefix - e.g., ``^0-7'' excludes all file descriptors 0 through 7. Multiple file descriptor numbers are joined in a single ORed set before participating in AND option selection. When there are exclusion and inclusion members in the set, lsof reports them as errors and exits with a non-zero return code. See the description of File Descriptor (FD) output values in the OUTPUT section for more information on file descriptor names. +D D This option causes lsof to search for all open instances of directory D and all the files and directories it contains to its complete depth. Symbolic links within directory D are ignored - i.e, not followed. -D D This option directs lsof's use of the device cache file. The use of this option is sometimes restricted. See the DEVICE CACHE FILE section and the sections that follow it for more information on this option. -D must be followed by a function letter; the function letter can optionally be followed by a path name. Lsof recognizes these function letters: ? - report device cache file paths b - build the device cache file i - ignore the device cache file r - read the device cache file u - read and update the device cache file The b, r, and u functions, accompanied by a path name, are sometimes restricted. When these functions are restricted, they will not appear in the description of the -D option that accompanies -h or -? option output. See the full man page. +|-f [cfgGn] f by itself clarifies how path name arguments are to be interpreted. When followed by c, f, g, G, or n in any combination it specifies that the listing of kernel file structure information is to be enabled (`+') or inhibited (`-'). Normally a path name argument is taken to be a file system name if it matches a mounted-on directory name reported by mount(8), or if it represents a block device, named in the mount output and associated with a mounted directory name. When +f is specified, all path name arguments will be taken to be file system names, and lsof will complain if any are not. This can be useful, for example, when the file system name (mounted-on device) isn't a block device. This happens for some CD-ROM file systems. When -f is specified, all path name arguments will be taken to be simple files. Thus, for example, the -f / arguments direct lsof to search for open files with a / path name, not all open files in the / (root) file system. Be careful to make sure +f is properly terminated and isn't followed by a character (e.g., of the file or file system name) that might be taken as a parameter. For example, use `--' after +f as in this example. $ lsof +f -- /file/system/name The listing of information from kernel file structures, requested with the +f [cfgGn] option form, is normally inhibited, and is not available for some dialects - e.g., /proc-based Linux. When the prefix to f is a plus sign (`+'), these characters request file structure information: c file structure use count f file structure address g file flag abbreviations G file flags in hexadecimal n file structure node address When the prefix is minus (`-') the same characters disable the listing of the indicated values. File structure addresses, use counts, flags, and node addresses can be used to detect more readily identical files inherited by child processes and identical files in use by different processes. Lsof column output can be sorted by output columns holding the values and listed to identify identical file use, or lsof field output can be parsed by an AWK or Perl post-filter script, or by a C program. -F f This option specifies a character list, f, that selects the fields to be output for processing by another program, and the character that terminates each output field. Each field to be output is specified with a single character in f. The field terminator defaults to NL, but can be changed to NUL (000). See the OUTPUT FOR OTHER PROGRAMS section for a description of the field identification characters and the field output process. When the field selection character list is empty, all fields are selected (except the raw device field for compatibility reasons) and the NL field terminator is used. When the field selection character list contains only a zero (`0'), all fields are selected (except the raw device field for compatibility reasons) and the NUL terminator character is used. Other combinations of fields and their associated field terminator character must be set with explicit entries in f, as described in the OUTPUT FOR OTHER PROGRAMS section. When a field selection character identifies an item lsof does not normally list - e.g., PPID, selected with -R - specification of the field character - e.g., ``-FR'' - also selects the listing of the item. When the field selection character list contains the single character `?', lsof will display a help list of the field identification characters. (Escape the `?' character as your shell requires.) -g [s] This option selects the listing of files for the processes whose optional process group IDentification (PGID) numbers are in the comma-separated set s - e.g., `123' or `123,456'. (There should be no spaces in the set.) Multiple PGID numbers are joined in a single ORed set before participating in AND option selection. The -g option also enables the output display of PGID numbers. When specified without a PGID set that's all it does. -i [i] This option selects the listing of files any of whose Internet address matches the address specified in i. If no address is specified, this option selects the listing of all Internet and x.25 (HP-UX) network files. If -i4 or -i6 is specified with no following address, only files of the indicated IP version, IPv4 or IPv6, are displayed. Multiple addresses can be specified with multiple -i options. An Internet address is specified in the form: [protocol][@hostname|hostaddr][:service|port] where: 46 specifies the IP version, IPv4 or IPv6 that applies to the following address. '6' can be be specified only if the UNIX dialect supports IPv6. If neither '4' nor '6' is specified, the following address applies to all IP versions. protocol is a protocol name - TCP or UDP. hostname is an Internet host name. Unless a specific IP version is specified, open network files associated with host names of all versions will be selected. hostaddr is a numeric Internet IPv4 address in dot form; or an IPv6 numeric address in colon form, enclosed in brackets, if the UNIX dialect supports IPv6. When an IP version is selected, only its numeric addresses can be specified. service is an /etc/services name - e.g., smtp - or a list of them. port is a port number, or a list of them. At least one address component - 4, 6, protocol, ,IR hostname , hostaddr, or service - must be supplied. Some sample addresses: -i6 - IPv6 only TCP:25 - TCP and port 25 @126.96.36.199 - Internet IPv4 host address 188.8.131.52 @[3ffe:1e<file_system>bc::1]:1234 - Internet IPv6 host address 3ffe:1ebc::1, port 1234 UDP:who - UDP who service port TCP@lsof.itap:513 - TCP, port 513 and host name lsof.itap tcp@foo:1-10,smtp,99 - TCP, ports 1 through 10, service name smtp, port 99, host name foo tcp@bar:smtp-nameserver - TCP, ports smtp through nameserver, host bar :time - either TCP or UDP time service port -k k This option specifies a kernel name list file, k, in place of /vmunix, /mach, etc. -l This option inhibits the conversion of user ID numbers to login names. It is also useful when login name lookup is working improperly or slowly. +|-L [l] This option enables (`+') or disables (`-') the listing of file link counts, where they are available - e.g., they aren't available for sockets, or most FIFOs and pipes. When +L is specified without a following number, all link counts will be listed. When -L is specified (the default), no link counts will be listed. When +L is followed by a number, only files having a link count less than that number will be listed. (No number can follow -L.) A specification of the form `+L1' will select open files that have been unlinked. A specification of the form `+aL1 ' will select unlinked open files on the specified file system. For other link count comparisons, use field output (-F) and a post-processing script or program. -m m This option specifies a kernel memory file, c, in place of /dev/kmem or /dev/mem - e.g., a crash dump file. +|-M Enables (+) or disables (-) the reporting of portmapper registrations for local TCP and UDP ports. See the lsof FAQ for more detail. -n This option inhibits the conversion of network numbers to host names for network files. Inhibiting conversion can make lsof run faster. It is also useful when host name lookup is not working properly. -N This option selects the listing of NFS files. -o This option directs lsof to display file offset at all times. Consult the lsof FAQ for more information. The -o and -s options are mutually exclusive. -o o This option defines the number of decimal digits (o) to be printed after the `0t' for a file offset before the form is switched to `0x...'. An o value of zero (unlimited) directs lsof to use the `0t' form for all offset output. The default number is normally 8. -O This option directs lsof to bypass the strategy it uses to avoid being blocked by some kernel operations. Use this option cautiously. -p s This option selects the listing of files for the processes whose ID numbers are in the comma-separated set s - e.g., `123' or `123,456'. (There should be no spaces in the set.) Multiple process ID numbers are joined in a single ORed set before participating in AND option selection. -P This option inhibits the conversion of port numbers to port names for network files. Inhibiting the conversion can make lsof run a little faster. It is also useful when host name lookup is not working properly. +|-r [t] This option puts lsof in repeat mode. There lsof lists open files as selected by other options, delays t seconds (default fifteen), then repeats the listing, delaying and listing repetitively until stopped by a condition defined by the prefix to the option. If the prefix is a `-', repeat mode is endless. Lsof must be terminated with an interrupt or quit signal. If the prefix is `+', repeat mode will end the first cycle no open files are listed - and of course when lsof is stopped with an interrupt or quit signal. When repeat mode ends because no files are listed, the process exit code will be zero if any open files were ever listed; one, if none were ever listed. Lsof marks the end of each listing: if field output is in progress (the -F, option has been specified), the marker is 'm'; otherwise the marker is '========'. The marker is followed by a NL character. Repeat mode reduces lsof startup overhead, so it is more efficient to use this mode than to call lsof repetitively from a shell script, for example. To use repeat mode most efficiently, accompany +|-r with specification of other lsof selection options, so the amount of kernel memory access lsof does will be kept to a minimum. Options that filter at the process level - e.g., -c, -g, -p, -u - are the most efficient selectors. Repeat mode is useful when coupled with field output (see the -F, option description) and a supervising awk or Perl script, or a C program. -R List the Parent Process IDentification number in the PPID column. -s This option directs lsof to display file size at all times. It causes the SIZE/OFF output column title to be changed to SIZE. If the file does not have a size, nothing is displayed. The -o (without a following decimal digit count) and -s options are mutually exclusive. Since some types of files don't have true sizes - sockets, FIFOs, pipes, etc. - lsof displays for their sizes the content amounts in their associated kernel buffers, if possible. -S [t] This option specifies an optional time-out seconds value for kernel functions - lstat(2), readlink(2), and stat(2) - that might otherwise deadlock. The minimum for t is two; the default is fifteen. -T [t] Display TCP/TPI information -T with no following key characters disables TCP/TPI info. -T with following character(s) selects the reporting info: q selects queue length reporting. s selects state reporting. w selects window size reporting (not all dialects). -t Terse output with process identifiers only and no header - e.g., so that the output can be piped to kill(1). This option selects the -w option. -u s This option selects the listing of files for the user whose login names or user ID numbers are in the comma-separated set s - e.g., `abe', or `548,root'. (There should be no spaces in the set.) Multiple login names or user ID numbers are joined in a single ORed set before participating in AND option selection. If a login name or user ID is preceded by a `^', it becomes a negation - i.e., files of processes owned by the login name or user ID will never be listed. For example, to direct lsof to exclude the listing of files belonging to root processes specify `-u^root' or `-u^0'. -U This option selects the listing of UNIX domain socket files. -v This option selects the listing of lsof version information, including: revision number; when the lsof binary was constructed; who constructed the binary and where; the name of the compiler used to construct the lsof binary; the version number of the compiler when readily available; the compiler and loader flags used to construct the lsof binary; and system information, typically the output of uname's -a option. -V This option directs lsof to indicate the items it was asked to list and failed to find - command names, file names, Internet addresses or files, login names, NFS files, PIDs, PGIDs, and UIDs. When other options are ANDed to search options, or compile-time options restrict the listing of some files, lsof might not report that it failed to find a search item when an ANDed option or compile-time option prevents the listing of the open file containing the located search item. +|-w Enables (+) or disables (-) the suppression of warning messages. The -t option selects the -w option. -X This is a dialect-specific option. -- The double minus sign option is a marker that signals the end of the keyed options. It can be used, for example, when the first file name begins with a minus sign. It can also be used when the absence of a value for the last keyed option must be signified by the presence of a minus sign in the following option and before the start of the file names. names These are path names of specific files to list. Symbolic links are resolved before use. The first name can be separated from the preceding options with the -- option. Multiple file names are joined in a single ORed set before participating in AND option selection.
An open file can be a regular file, a directory, a block special file, a character special file, an executing text reference, a library, a stream or a network file (Internet socket, NFS file or UNIX domain socket.) A specific file or all the files in a file system can be selected by path.
On MacOS, lsof only shows your own processes unless running as root with sudo.
Instead of a formatted display, lsof can produce output that can be parsed by other programs. See the -F, option.
In addition to producing a single output list, lsof will run in repeat mode. In repeat mode it will produce output, delay, then repeat the output operation until stopped with an interrupt or quit signal. See the +|-r [t] option.
List all open files, if you need to filter the output, pipe this into grep:
Show who is using a file, list all the processes that are using a file, or several files:
$ lsof /path/to/file1
$ lsof /path/to/file1 /path/to/file2
To list all open files on a device:
$ lsof /dev/hd4
List all open files by a user, or users:
$ lsof -u ashley
$ lsof -u ashley, pete
$ lsof -u ashley -u pete
Options can be combined, the default is to OR between options unless you also specify -a which will AND the options.
List all open files for login name ''ashley'', or user ID 6464, or process 123, or process 456:
$ lsof -p 123,456 -u 6464,ashley
Find the files opened by a program/process whose command name begins with 'apache':
$ lsof -c apache
List all network connections:
$ lsof -i
List the files opened by all users except root. The caret here ^ specifies NOT:
$ lsof -u ^root
List the processes that are using port 80 (HTTP activity):
$ lsof -i :80
lsof repeat mode, add -r and a number in seconds to any lsof command to make it repeat.
Monitoring port 80 can be useful to spot processes or websites that are constantly dialling home (cough facebook):
$ lsof -i :80 -r 2
To list all open files whose PID is 1234 AND are in use via the IPv4 network:
$ lsof -i 4 -a -p 1234
List only open IPv6 network files:
$ lsof -i 6
List all files using any protocol on ports 513, 514, or 515 of host ss64.com:
$ lsof -i @ss64.com:513-515
To list all files using any protocol on any port of mace.cc.purdue.edu (cc.purdue.edu is the default domain), use:
$ lsof -i @mace
Lists memory-mapped files with the special value mem:
$ lsof -d mem
List programs loaded in memory and executing with the special value txt:
$ lsof -d txt
To send a SIGHUP to the processes that have /u/abe/bar open, use:
$ kill -HUP 'lsof -t /u/abe/bar'
To find any open file, including an open UNIX domain socket file, with the name /dev/log, use:
$ lsof /dev/log
Find processes with open files on the NFS file system named /nfs/mount/point whose server is inaccessible, and presuming your mount table supplies the device number for /nfs/mount/point:
$ lsof -b /nfs/mount/point
To do the preceding search with warning messages suppressed:
$ lsof -bw /nfs/mount/point
Ignore the device cache file:
$ lsof -Di
Obtain PID and command name field output for each process, file descriptor, file device number, and file inode number for each file of each process:
$ lsof -FpcfDi
List the files at descriptors 1 and 3 of every process running the lsof command for login ID ''abe'' every 10 seconds:
$ lsof -c lsof -a -d 1 -d 3 -u abe -r10
To list the current working directory of processes running a command that is exactly four characters long and has an 'o' or 'O' in character three, use this regular expression form of the -c c option:
$ lsof -c /^..o.$/i -a -d cwd
To find an IP version 4 socket file by its associated numeric dot-form address, use:
$ lsof -firstname.lastname@example.org
"It is when we all play safe that we create a world of the utmost insecurity" ~ Dag Hammarskjold, United Nations secretary general
lsof FAQ - full documentation.
lsof man page - Apple.com
sudo - Execute a command as another user
kill - Stop a process from running
opensnoop - Snoop file opens as they occur
ps - List running processes (returns PID)
uname - Print system information