How to Use LSOF for Real‑Time Port Monitoring on Linux
This tutorial explains how to use the Linux LSOF command to list open files, identify processes using specific ports, filter TCP connections, and continuously monitor network activity in real time with customizable intervals.
LSOF (List Open Files) is a command‑line utility for Linux/Unix that reports information about active files and the processes that are accessing them, making it valuable for system administrators and developers.
Identify which process is using a specific file or port, useful for resolving port conflicts.
Detect deleted files that are still held open, preventing unnecessary disk space consumption.
Help troubleshoot errors such as “address already in use”.
Track network activity by listing open network connections.
Investigate file‑access patterns to spot potential security issues.
Basic LSOF Syntax
The general form of the command is:
$ lsof [options] [name]
Here options are flags that modify the output, and name can be a filename, PID, username, or network identifier (IPv4/IPv6).
Checking LSOF Installation
LSOF is included in many Linux distributions. To verify the installed version, run:
linuxmi@linuxmi ~/www.linuxmi.com> lsof -v
Some information may require super‑user privileges, so you might need to prepend sudo to the command.
Listing Network Process Information
Using the -i option displays processes with network connections (listening sockets or established connections):
linuxmi@linuxmi ~/www.linuxmi.com> lsof -i
The output includes columns such as COMMAND, PID, USER, FD, TYPE, DEVICE, SIZE/OFF, NODE, and NAME. Example:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
gnome-sof 4244 linuxmi 22u IPv4 121041 0t0 TCP linuxmi:56008->151.101.109.91:https (CLOSE_WAIT)
gnome-sof 4244 linuxmi 54u IPv4 105799 0t0 TCP linuxmi:47418->151.101.109.91:https (CLOSE_WAIT)
gnome-sof 4244 linuxmi 56u IPv4 121563 0t0 TCP linuxmi:41626->151.101.109.91:https (CLOSE_WAIT)
Filtering TCP Connections
You can limit the output to TCP connections only, or to specific ports. For example, to list processes using TCP ports 1‑1024:
linuxmi@linuxmi ~/www.linuxmi.com> lsof -i TCP:1-1024
This helps identify services bound to well‑known ports.
Real‑Time Monitoring of a Specific Port
To continuously watch a particular port (e.g., HTTPS on port 443) and refresh every 3 seconds:
linuxmi@linuxmi ~/www.linuxmi.com> lsof -i:443 -r3
Real‑Time Monitoring of SSH (Port 22)
To monitor all SSHD connections on port 22 with a 3‑second interval:
linuxmi@linuxmi ~/www.linuxmi.com> lsof -i:22 -r3
Each refresh reprints the current listing, so new SSH connections and disconnections show up at the next interval.
Monitoring a Range of Ports
To watch TCP connections within a range (e.g., ports 1‑1024) in real time:
linuxmi@linuxmi ~/www.linuxmi.com> lsof -i TCP:1-1024 -r3
Monitoring All Ports
To continuously list every network connection every 5 seconds:
linuxmi@linuxmi ~/www.linuxmi.com> lsof -i -r5
The output shows detailed information about each process and its associated socket.
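Repeat mode (-r) reprints the whole listing at every interval, so changes have to be spotted by eye. The script below is an added example, not part of the original article: it diffs two lsof -i -P -n listings to show which sockets appeared or disappeared. The function names lsof_diff, lsof_watch and demo are hypothetical, and the sample listings are constructed.

```shell
# lsof_diff OLD NEW: compare two saved `lsof -i -P -n` listings and print
# "+ ..." for sockets only in NEW, "- ..." for sockets only in OLD.
lsof_diff() {
    awk '
        FNR == 1 { next }   # skip the header row of each listing
        {
            # COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
            key = $1 " pid=" $2 " user=" $3 " " $8 " " $9
            if (NF >= 10) key = key " " $10
            if (FILENAME == ARGV[1]) prev[key] = 1; else cur[key] = 1
        }
        END {
            for (k in cur)  if (!(k in prev)) print "+ " k
            for (k in prev) if (!(k in cur))  print "- " k
        }
    ' "$1" "$2" | LC_ALL=C sort
}

# lsof_watch SECONDS [selectors...], e.g. lsof_watch 3 -i:22 (needs lsof;
# sudo may be required to see sockets owned by other users).
lsof_watch() {
    interval=$1; shift
    prev=$(mktemp); cur=$(mktemp)
    lsof -P -n "$@" > "$prev" 2>/dev/null
    while sleep "$interval"; do
        lsof -P -n "$@" > "$cur" 2>/dev/null
        lsof_diff "$prev" "$cur" | sed "s/^/$(date +%T) /"
        mv "$cur" "$prev"
    done
}

# demo: constructed sample listings (documentation-range addresses).
demo() {
    old=$(mktemp); new=$(mktemp)
    cat > "$old" <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 812 root 3u IPv4 20111 0t0 TCP *:22 (LISTEN)
sshd 2290 root 4u IPv4 31877 0t0 TCP 192.0.2.10:22->198.51.100.7:51544 (ESTABLISHED)
EOF
    cat > "$new" <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 812 root 3u IPv4 20111 0t0 TCP *:22 (LISTEN)
sshd 2417 root 4u IPv4 33102 0t0 TCP 192.0.2.10:22->203.0.113.45:40022 (ESTABLISHED)
python3 2501 www-data 3u IPv4 33540 0t0 TCP *:8000 (LISTEN)
EOF
    lsof_diff "$old" "$new"
    rm -f "$old" "$new"
}
demo
```

The -P and -n options keep ports and addresses numeric, so the same socket produces the same key in every snapshot.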
Monitoring Only Established Connections
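To show established connections only, add the TCP state selector -sTCP:ESTABLISHED (the -E flag prints endpoint information for pipes and sockets and does not filter by state), with a 10‑second refresh:
linuxmi@linuxmi ~/www.linuxmi.com> lsof -iTCP -sTCP:ESTABLISHED -r10
Conclusion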
This guide demonstrated how to use LSOF to monitor ports in real time, filter output, and track network activity, providing essential insight for Linux system administrators and developers who need to diagnose port usage, detect hidden file handles, and spot potential security issues.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc.
