Mastering lsof: Essential Linux Commands to Inspect Open Files and Processes

Common Options

-a Combine options with logical AND.

-c <process_name> Show files opened by processes matching the name.

-d <fd> List processes using the specified file descriptor.

+d <directory> Show files opened in the directory (non‑recursive).

+D <directory> Recursively show files opened in the directory.

-i <criteria> Show network‑related files.

-n Do not resolve hostnames.

-p <pid> Show files opened by the given PID.

-P Do not resolve port numbers.

-t Output only PIDs.

-u <user> Show files opened by the specified user.

-U Show opened UNIX domain socket files.

-h Display help information.

-v Display version information.

Basic Output

Running

lsof

without options lists every open file for all active processes, which is usually overwhelming. A typical filtered example shows columns such as COMMAND, PID, USER, FD, TYPE, DEVICE, SIZE, NODE, and NAME.

COMMAND : program name PID : process identifier USER : process owner FD : file descriptor used by the program TYPE : file type (DIR, REG, etc.) DEVICE : device numbers SIZE : size in bytes NODE : inode number NAME : exact file name

FD and TYPE Columns

Common FD values include

cwd

(current working directory),

rtd

(root directory),

txt

(executable),

mem

(memory‑mapped file), and numeric descriptors for standard streams. The mode letters (e.g.,

u

,

r

,

w

,

W

) indicate read/write/lock status.

TYPE values:

REG

(regular file),

DIR

(directory),

CHR

(character device),

BLK

(block device),

unix

(UNIX domain socket),

fifo

(FIFO),

IPv4

/

IPv6

(network sockets).

Typical lsof Use Cases

Find processes that opened a specific file

<code>sudo lsof /bin/bash</code>

Find processes that opened a device

<code>sudo lsof /dev/sda1</code>

List processes that opened a directory (non‑recursive)

<code>sudo lsof +d /var/log</code>

Recursively list a directory

<code>sudo lsof +D /var/log</code>

Use this before unmounting a filesystem to identify processes that would block the unmount.

Show files opened by a specific PID

<code>sudo lsof -p 1152</code>

Combine multiple options with AND

<code>sudo lsof -a -p $$ -d0,1,2</code>

The

-a

flag forces all specified options to be satisfied.

Find files opened by programs matching a name pattern

<code>sudo lsof -c cr</code>

Negate with

-c ^cr

or use regular expressions, e.g.,

sudo lsof -c /cr[ao]/

.

Show network‑related files

<code>sudo lsof -i</code>

Filter by IP version, protocol, host, or port, e.g.,

sudo lsof -i4

(IPv4 only) or

sudo lsof -i:22

(port 22).

Show UNIX domain sockets opened by sshd

<code>sudo lsof -a -c sshd -U</code>

Show files opened by a specific user

<code>sudo lsof -u syslog</code>

Kill all processes of a user that hold open files

<code>kill -9 $(lsof -t -u nick)</code>

Count total open files on the system

<code>sudo lsof -P -n | wc -l</code>

The

-P

and

-n

options speed up execution by skipping hostname and port resolution.

Recover a deleted file

If a process still holds a deleted file open, you can retrieve its contents via the file descriptor in

/proc/<pid>/fd

.

<code>sudo rm /var/log/syslog</code>

Identify the PID and descriptor (e.g., PID 1141, FD 7) and view the content:

<code>sudo tail -n 5 /proc/1141/fd/7</code>

Recreate the file by redirecting the descriptor output:

<code>sudo sh -c 'cat /proc/1141/fd/7 > /var/log/syslog'</code>

Restore ownership and restart the logging service:

<code>sudo chown syslog:adm /var/log/syslog
sudo systemctl restart rsyslog.service</code>

Help

Use

-h

to display the built‑in help, which typically points you to the man page for full details.

Summary

lsof is a comprehensive tool; starting with the examples above helps you move beyond the lengthy manual and gradually master its many capabilities.