Mastering lsof: Essential Commands to Inspect Open Files and Network Connections

Introduction

The lsof (list open files) command is a powerful system‑administration and security tool on Unix/Linux that reports every open file, including network sockets, because in Unix everything is a file.

Key Options

When no options are supplied, lsof lists all open files for all active processes. Options can be combined (e.g., -abc) but be aware of which require arguments. Important switches include: -a: Perform an AND operation on multiple criteria instead of the default OR. -l: Show numeric user IDs instead of usernames. -h: Display help. -t: Output only process IDs. -U: Show UNIX domain socket addresses. -F: Produce machine‑readable output; fields can be selected (e.g., -F pcfn for PID, command, file descriptor, and name).

Getting Network Information

Use the -i option to filter by network criteria. The syntax is lsof -i[46] [protocol][@hostname|hostaddr][:service|port]. Examples: # lsof -i Lists all network connections. To restrict to IPv6 only: # lsof -i 6 To show only TCP connections: # lsof -iTCP To find processes listening on a specific port (e.g., 22): # lsof -i :22 Or to locate connections to a particular host: # lsof [email protected] Combining host and port: # lsof [email protected]:22 To list only listening sockets: # lsof -i -sTCP:LISTEN Or only established connections:

# lsof -i -sTCP:ESTABLISHED

User‑Centric Queries

Show everything a specific user is doing: # lsof -u daniel Show activity of all users except a given one: # lsof -u ^daniel Terminate all processes owned by a user (use with caution):

# kill -9 `lsof -t -u daniel`

Process and Command Inspection

Filter by command name: # lsof -c syslog-ng Filter by process ID: # lsof -p 10075 Combine -t and -c to send a signal to matching processes:

# kill -HUP `lsof -t -c sshd`

Advanced Usage

Show files with link count less than 1 (often indicates deleted but still‑open files): # lsof +L1 Display all files opened under a directory (recursively may be slow): # lsof +D /usr/local/ Show files opened by a specific file descriptor: # lsof -d 4 Continuously repeat lsof every 15 seconds (default) or control repeat interval with +r / -r options.

Common One‑Liners

lsof abc.txt               # Show processes that have abc.txt open
lsof -i :22                # Identify the program listening on port 22
lsof -c abc                # List files opened by processes named abc
lsof -g 1000               # Show processes belonging to GID 1000
lsof +d /usr/local/        # Files opened under /usr/local (non‑recursive)
lsof +D /usr/local/        # Recursive search under /usr/local (slow)
lsof -p 12                # Files opened by PID 12
lsof -i                    # All network‑related open files

For a complete reference, consult the manual page ( man lsof) or the online documentation.