Master lsof: Unlock Hidden Files and Network Connections on Unix

This comprehensive guide explains how to use the powerful lsof command to list open files, inspect network connections, filter by users, processes, ports, and hosts, and apply advanced options for system monitoring and security troubleshooting on Unix-like systems.

MaGe Linux Operations

lsof is a quintessential system administration and security tool, primarily used to retrieve network‑connection information but capable of much more. Its name stands for “list open files”, reflecting the Unix principle that everything—including network sockets—is a file.

lsof offers an extensive set of switches, many of which accept - or + prefixes. The usage synopsis is:

usage: [-?abhlnNoOPRstUvV] [+|-c c] [+|-d s] [+D D] [+|-f[cgG]]
 [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+|-M] [-o [o]]
 [-p s] [+|-r [t]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]

Key options include:

Default : without options, lsof lists all open files for active processes.

Combination : options can be combined (e.g., -abc) but watch for those requiring arguments.

-a : performs a logical AND on results instead of the default OR.

-l : displays numeric user IDs instead of usernames.

-h : shows help.

-t : outputs only process IDs.

-U : shows UNIX socket addresses.

-F : formats output for parsing by other commands.

Getting Network Information

lsof can replace tools like netstat for network inspection.

Show all connections

# lsof -i

COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
dhcpcd 6061 root 4u IPv4 4510 UDP *:bootpc
sshd 7703 root 3u IPv6  6499 TCP *:ssh (LISTEN)
sshd 7892 root 3u IPv6  6757 TCP 10.10.1.5:ssh->192.168.1.5:49901 (ESTABLISHED)

Show only IPv6 traffic

# lsof -i 6

Show only TCP (or UDP) connections

# lsof -iTCP

COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
sshd 7703 root 3u IPv6 6499 TCP *:ssh (LISTEN)
sshd 7892 root 3u IPv6 6757 TCP 10.10.1.5:ssh->192.168.1.5:49901 (ESTABLISHED)

Filter by port

# lsof -i :22

COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
sshd 7703 root 3u  IPv6 6499 TCP *:ssh (LISTEN)
sshd 7892 root 3u  IPv6 6757 TCP 10.10.1.5:ssh->192.168.1.5:49901 (ESTABLISHED)

Show connections to a specific host

# lsof -i@172.16.12.5

sshd 7892 root 3u IPv6 6757 TCP 10.10.1.5:ssh->172.16.12.5:49901 (ESTABLISHED)

Find listening ports

# lsof -i -sTCP:LISTEN

Or pipe through grep:

# lsof -i | grep -i LISTEN

iTunes     400 daniel   16u  IPv4 0x4575228  0t0 TCP *:daap (LISTEN)

Find established connections

# lsof -i -sTCP:ESTABLISHED

Or grep for “ESTABLISHED”:

# lsof -i | grep -i ESTABLISHED

firefox-b 169 daniel  49u IPv4 0t0 TCP 1.2.3.3:1863->1.2.3.4:http (ESTABLISHED)
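
Grepping the column output for LISTEN or ESTABLISHED depends on display formatting; the -F option listed under Key options emits one field per line for scripts. The following is an added example, not part of the original article: it parses a constructed sample of `lsof -nP -iTCP -F pcLPnT` output and reports listeners outside a port allowlist (the function names and the allowlist are assumptions).

```shell
#!/bin/sh
# Live use: lsof -nP -iTCP -F pcLPnT | unexpected_listeners "22 443"

# Constructed sample of that output (not captured from a real host). One field
# per line; the first character is the field id: p=PID c=command L=login name
# f=descriptor P=protocol n=name T=TCP info (ST= carries the state).
sample_lsof_F() {
  printf '%s\n' p7703 csshd Lroot f3 PTCP 'n*:22' TST=LISTEN TQR=0 TQS=0 \
    p7892 csshd Lroot f3 PTCP 'n10.10.1.5:22->192.168.1.5:49901' TST=ESTABLISHED \
    p1893 cbkdr Ldaniel f3 PTCP 'n*:31337' TST=LISTEN \
    f4 PTCP 'n10.10.1.10:1234->1.1.1.1:31337' TST=ESTABLISHED
}

# Fold the field stream into one tab-separated line per socket:
# pid, command, user, protocol, name, state.
lsof_sockets() {
  awk -v OFS='\t' '
    function emit() {
      if (name != "") print pid, cmd, user, proto, name, (state == "" ? "-" : state)
      name = ""; proto = ""; state = ""
    }
    { id = substr($0, 1, 1); val = substr($0, 2) }
    id == "p" { emit(); pid = val; cmd = ""; user = "" }  # new process set
    id == "f" { emit() }                                  # new file set
    id == "c" { cmd = val }
    id == "L" { user = val }
    id == "P" { proto = val }
    id == "n" { name = val }
    id == "T" && val ~ /^ST=/ { state = substr(val, 4) }
    END { emit() }
  '
}

# Print "pid command user port" for listeners whose port is not in the
# space-separated allowlist given as $1.
unexpected_listeners() {
  lsof_sockets | awk -F '\t' -v allow=" $1 " '
    $6 == "LISTEN" {
      port = $5; sub(/.*:/, "", port)          # "*:22" -> "22"
      if (index(allow, " " port " ") == 0) print $1, $2, $3, port
    }'
}

sample_lsof_F | unexpected_listeners "22 443"   # flags the bkdr listener
```
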

User Information

lsof can reveal what files and network resources a specific user is using.

Show files opened by a user

# lsof -u daniel
-- snipped --
Dock 155 daniel  txt REG   14,2   2798436   823208 /usr/lib/libicucore.A.dylib
-- snipped --

Show everything except a user

# lsof -u ^daniel
-- snipped --
Dock 155 jim  txt REG   14,2   2798436   823208 /usr/lib/libicucore.A.dylib
-- snipped --

Kill everything a user is running

# kill -9 `lsof -t -u daniel`

Commands and Processes

Filter by command name or PID to see associated files and sockets.

By command name

# lsof -c syslog-ng

COMMAND    PID USER   FD   TYPE     DEVICE    SIZE       NODE NAME
syslog-ng 7547 root  cwd    DIR    3,3    4096   2 /
-- snipped --

By PID

# lsof -p 10075
-- snipped --
sshd    10068 root  mem    REG    3,3   34808 850407 /lib/libnss_files-2.4.so
-- snipped --

Only return PIDs

# lsof -t -c Mail

350

Files and Directories

Inspect which processes are accessing a particular file or directory.

Directory example

# lsof /var/log/messages

COMMAND    PID USER   FD   TYPE DEVICE   SIZE   NODE NAME
syslog-ng 7547 root    4w   REG    3,3 217309 834024 /var/log/messages

File example

# lsof /home/daniel/firewall_whitelist.txt

Advanced Usage

Combine options for powerful queries, similar to tcpdump.

Show everything a user does to a remote host

# lsof -a -u daniel -i @1.1.1.1

bkdr   1893 daniel 3u  IPv6 3456 TCP 10.10.1.10:1234->1.1.1.1:31337 (ESTABLISHED)

Send HUP to processes matching criteria

# kill -HUP `lsof -t -c sshd`

Find files with link count less than 1

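A link count below 1 means the file has been unlinked (deleted) while a process still holds it open. This often indicates an attacker trying to hide a file.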

# lsof +L1

(hopefully nothing)
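
What `+L1` detects can be reproduced and inspected through /proc on Linux. The following added example is not from the original article and does not call lsof: it assumes a mounted /proc, lists a process's descriptors whose target was unlinked, and copies the still-open content out for analysis (function names are assumptions).

```shell
#!/bin/sh
# Linux only: relies on /proc/PID/fd symlinks, whose target ends in
# " (deleted)" once the file has no directory entry left.

# List "fd<TAB>target" for every descriptor of PID $1 whose file was unlinked.
unlinked_fds() {
  for l in /proc/"$1"/fd/*; do
    t=$(readlink "$l" 2>/dev/null) || continue
    case $t in
      *' (deleted)') printf '%s\t%s\n' "${l##*/}" "$t" ;;
    esac
  done
}

# Copy the still-open content of PID $1, descriptor $2, to file $3.
preserve_fd() {
  cat "/proc/$1/fd/$2" > "$3"
}

# Constructed demonstration: this shell plays the process holding the file.
demo() {
  f=$(mktemp) && out=$(mktemp) || return 1
  echo 'constructed payload' > "$f"
  exec 9<"$f"        # keep the file open on descriptor 9
  rm -f "$f"         # unlink it: ls no longer shows it, link count is 0
  unlinked_fds $$ | cut -f1 | grep -qx 9 || return 1
  preserve_fd $$ 9 "$out"
  cat "$out"; rm -f "$out"
  exec 9<&-          # closing the last descriptor finally frees the data
}
demo
```

Reading other users' descriptors under /proc requires root, the same as a system-wide `lsof +L1`.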

Show connections in a port range

# lsof -i @fw.google.com:2150-2180

Conclusion

This primer only scratches the surface of lsof’s capabilities; consult the manual page (man lsof) or online documentation for a complete reference.

Resources

lsof manual page: http://www.netadmintools.com/html/lsof.man.html

Written by

MaGe Linux Operations
