Mastering lsof: Essential Linux Commands to Inspect Open Files and Processes

Common Options

-a Combine options with logical AND.

-c <process_name> Show files opened by processes matching the name.

-d <fd> List processes using the specified file descriptor.

+d <directory> Show files opened in the directory (non‑recursive).

+D <directory> Recursively show files opened in the directory.

-i <criteria> Show network‑related files.

-n Do not resolve hostnames.

-p <pid> Show files opened by the given PID.

-P Do not resolve port numbers.

-t Output only PIDs.

-u <user> Show files opened by the specified user.

-U Show opened UNIX domain socket files.

-h Display help information.

-v Display version information.

Basic Output

Running lsof without options lists every open file for all active processes, which is usually overwhelming. A typical filtered example shows columns such as COMMAND, PID, USER, FD, TYPE, DEVICE, SIZE, NODE, and NAME.

COMMAND : program name PID : process identifier USER : process owner FD : file descriptor used by the program TYPE : file type (DIR, REG, etc.) DEVICE : device numbers SIZE : size in bytes NODE : inode number NAME : exact file name

FD and TYPE Columns

Common FD values include cwd (current working directory), rtd (root directory), txt (executable), mem (memory‑mapped file), and numeric descriptors for standard streams. The mode letters (e.g., u, r, w, W) indicate read/write/lock status.

TYPE values: REG (regular file), DIR (directory), CHR (character device), BLK (block device), unix (UNIX domain socket), fifo (FIFO), IPv4 / IPv6 (network sockets).

Typical lsof Use Cases

Find processes that opened a specific file

sudo lsof /bin/bash

Find processes that opened a device

sudo lsof /dev/sda1

List processes that opened a directory (non‑recursive)

sudo lsof +d /var/log

Recursively list a directory

sudo lsof +D /var/log

Use this before unmounting a filesystem to identify processes that would block the unmount.

Show files opened by a specific PID

sudo lsof -p 1152

Combine multiple options with AND

sudo lsof -a -p $$ -d0,1,2

The -a flag forces all specified options to be satisfied.

Find files opened by programs matching a name pattern

sudo lsof -c cr

Negate with -c ^cr or use regular expressions, e.g., sudo lsof -c /cr[ao]/.

Show network‑related files

sudo lsof -i

Filter by IP version, protocol, host, or port, e.g., sudo lsof -i4 (IPv4 only) or sudo lsof -i:22 (port 22).

Show UNIX domain sockets opened by sshd

sudo lsof -a -c sshd -U

Show files opened by a specific user

sudo lsof -u syslog

Kill all processes of a user that hold open files

kill -9 $(lsof -t -u nick)

Count total open files on the system

sudo lsof -P -n | wc -l

The -P and -n options speed up execution by skipping hostname and port resolution.

Recover a deleted file

If a process still holds a deleted file open, you can retrieve its contents via the file descriptor in /proc/<pid>/fd.

sudo rm /var/log/syslog

Identify the PID and descriptor (e.g., PID 1141, FD 7) and view the content:

sudo tail -n 5 /proc/1141/fd/7

Recreate the file by redirecting the descriptor output:

sudo sh -c 'cat /proc/1141/fd/7 > /var/log/syslog'

Restore ownership and restart the logging service:

sudo chown syslog:adm /var/log/syslog
sudo systemctl restart rsyslog.service

Help

Use -h to display the built‑in help, which typically points you to the man page for full details.

Summary

lsof is a comprehensive tool; starting with the examples above helps you move beyond the lengthy manual and gradually master its many capabilities.