The lsof command (list open files) is a powerful utility on Unix-like operating systems that displays information about files opened by processes. This includes regular files, directories, network sockets, pipes, devices, and more. Understanding lsof is crucial for system administration, debugging, and security analysis.

Understanding Lsof Output

The output of lsof typically includes columns such as:

• COMMAND: The name of the command that owns the process.
• PID: The process ID.
• TID: The task (thread) ID.
• USER: The user who owns the process.
• FD: The file descriptor.
• TYPE: The type of the node associated with the file.
• DEVICE: The device numbers.
• SIZE/OFF: The size of the file or the file offset.
• NODE: The node number.
• NAME: The name of the mount point and file system.

Essential Lsof Commands for System Monitoring

Here are some common and useful lsof commands:

List All IPv4 Network Files

sudo lsof -i4

List All IPv6 Network Files

sudo lsof -i6

List All Open Sockets

lsof -i

List All Listening Ports

lsof -Pnl +M -i4

Find Program Using a Specific Port

To find which program is using TCP port 80:

lsof -i TCP:80

List Connections to a Specific Host

lsof -i@192.168.1.5

Lsof for File and Process Analysis

List Processes Accessing a Particular File or Directory

lsof <path>

List Files Open by a Specific User

lsof -u <username>

List Files and Network Connections for a Command

lsof -c <command>

List All Files Open by a Process ID (PID)

lsof -p <pid>

List Files Open on a Mount Point

This is particularly useful for identifying processes using a mounted USB stick or CD/DVD.

lsof +f -- <mount-point>

Further Resources

• Lsof man page
• Lsof questions on Stack Overflow
• Linux Basics: Understanding the Lsof Command