lsof, or LiSt Open Files, is a very powerful command available on most Unix-like systems. It lists all open files (in *nix everything is a file: drives, sockets, inodes, etc.). The listing can be filtered using various parameters such as process ID, owner of the process, etc. In this article we'll use examples to discuss various ways of using the lsof command that you might find useful.

Usage

The most basic usage of the lsof command is to list all open files.

Code:
[pradeep@deepz-desktop]$ lsof | wc -l
63
[pradeep@deepz-desktop]$ lsof
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 4853 pradeep cwd unknown /proc/4853/cwd (readlink: Permission denied)
sshd 4853 pradeep rtd unknown /proc/4853/pradeep (readlink: Permission denied)
sshd 4853 pradeep txt unknown /proc/4853/exe (readlink: Permission denied)
bash 4857 pradeep cwd DIR 8,17 4096 300947057 /home/pradeep
bash 4857 pradeep rtd DIR 8,1 4096 2 /
bash 4857 pradeep txt REG 8,1 926536 130055 /bin/bash
bash 4857 pradeep mem REG 8,1 26048 2030 /usr/lib/gconv/gconv-modules.cache
bash 4857 pradeep 0u CHR 136,2 0t0 5 /dev/pts/2
bash 4857 pradeep 1u CHR 136,2 0t0 5 /dev/pts/2
bash 4857 pradeep 2u CHR 136,2 0t0 5 /dev/pts/2
bash 4857 pradeep 255u CHR 136,2 0t0 5 /dev/pts/2
lsof 5103 pradeep cwd DIR 8,17 4096 300947057 /home/pradeep
lsof 5103 pradeep rtd DIR 8,1 4096 2 /
lsof 5103 pradeep txt REG 8,1 125736 9780 /usr/bin/lsof
lsof 5103 pradeep mem REG 8,1 108805904 32010 /usr/lib/locale/locale-archive
lsof 5103 pradeep mem REG 8,1 1437064 130089 /lib/libc-2.11.3.so
lsof 5103 pradeep mem REG 8,1 128744 130085 /lib/ld-2.11.3.so
lsof 5103 pradeep 0u CHR 136,2 0t0 5 /dev/pts/2
lsof 5103 pradeep 1u CHR 136,2 0t0 5 /dev/pts/2
lsof 5103 pradeep 2u CHR 136,2 0t0 5 /dev/pts/2
lsof 5103 pradeep 3r DIR 0,3 0 1 /proc
lsof 5103 pradeep 4r DIR 0,3 0 343402229 /proc/5103/fd
lsof 5103 pradeep 5w FIFO 0,7 0t0 343402234 pipe
lsof 5103 pradeep 6r FIFO 0,7 0t0 343402235 pipe
lsof 5104 pradeep cwd DIR 8,17 4096 300947057 /home/pradeep
lsof 5104 pradeep rtd DIR 8,1 4096 2 /
lsof 5104 pradeep txt REG 8,1 125736 9780 /usr/bin/lsof
lsof 5104 pradeep mem REG 8,1 108805904 32010 /usr/lib/locale/locale-archive
lsof 5104 pradeep mem REG 8,1 1437064 130089 /lib/libc-2.11.3.so
lsof 5104 pradeep mem REG 8,1 128744 130085 /lib/ld-2.11.3.so

The "Permission denied" rows appear because lsof was run without root privileges and could not read those /proc entries.

We can find out which processes and users are using a given file, executable or partition. Here's how:

Code:
[pradeep@deepz-desktop:~] lsof /usr/sbin/httpd
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
httpd 8790 pradeep txt REG 8,1 312020 68594 /usr/sbin/httpd
httpd 16682 apache txt REG 8,1 312020 68594 /usr/sbin/httpd
httpd 16683 apache txt REG 8,1 312020 68594 /usr/sbin/httpd
[pradeep@deepz-desktop:~] lsof /dev/sda2
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
mysqld 6564 mysql cwd DIR 8,2 4096 18382849 /mnt/mysql
mysqld 6564 mysql 3uW REG 8,2 18874368 18382956 /mnt/mysql/ibdata1
mysqld 6564 mysql 8uW REG 8,2 5242880 18382943 /mnt/mysql/ib_logfile0
mysqld 6564 mysql 9uW REG 8,2 5242880 18382949 /mnt/mysql/ib_logfile1

Now let's see which files have been opened by processes whose command name begins with a given string, say "k" or "bash".

Code:
[pradeep@deepz-desktop:~] lsof -c k
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
ksoftirqd 3 pradeep cwd DIR 8,1 4096 2 /
ksoftirqd 3 pradeep rtd DIR 8,1 4096 2 /
ksoftirqd 3 pradeep txt unknown /proc/3/exe
khelper 6 pradeep cwd DIR 8,1 4096 2 /
kthread 7 pradeep rtd DIR 8,1 4096 2 /
[pradeep@deepz-desktop:~] lsof -c bash
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
bash 10537 pradeep cwd DIR 8,1 4096 589825 /pradeep
bash 10537 pradeep rtd DIR 8,1 4096 2 /
bash 10537 pradeep txt REG 8,1 716972 1228822 /bin/bash
bash 10537 pradeep 0u CHR 3,0 2470 /dev/ttyp0
bash 10537 pradeep 1u CHR 3,0 2470 /dev/ttyp0
bash 10537 pradeep 2u CHR 3,0 2470 /dev/ttyp0

We can also see which processes have opened which Internet ports, where they are connected to, and the state of each connection.

Code:
pradeep@deepz-desktop:~$ lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ubuntu-ge 2310 pradeep 12u IPv4 12690 0t0 TCP deepz-desktop.local:39763->mistletoe.canonical.com:http (CLOSE_WAIT)
firefox 2747 pradeep 61u IPv4 81682 0t0 TCP deepz-desktop.local:44721->68.232.44.111:https (ESTABLISHED)
firefox 2747 pradeep 66u IPv4 82132 0t0 TCP deepz-desktop.local:42470->159.111.233.72.static.reverse.ltdomains.com:http (ESTABLISHED)
firefox 2747 pradeep 68u IPv4 82080 0t0 TCP deepz-desktop.local:42301->.:http (ESTABLISHED)
firefox 2747 pradeep 69u IPv4 81797 0t0 TCP deepz-desktop.local:55607->.:https (ESTABLISHED)
firefox 2747 pradeep 71u IPv4 82197 0t0 TCP deepz-desktop.local:55608->.:https (ESTABLISHED)
firefox 2747 pradeep 74u IPv4 82135 0t0 TCP deepz-desktop.local:42841->68.232.44.121:https (ESTABLISHED)
firefox 2747 pradeep 75u IPv4 82137 0t0 TCP deepz-desktop.local:42842->68.232.44.121:https (ESTABLISHED)
firefox 2747 pradeep 76u IPv4 81690 0t0 TCP deepz-desktop.local:44729->68.232.44.111:https (ESTABLISHED)
firefox 2747 pradeep 87u IPv4 81710 0t0 TCP deepz-desktop.local:42341->.:http (ESTABLISHED)
chrome 4140 pradeep 63u IPv4 80009 0t0 TCP deepz-desktop.local:49836->maa03s04-in-f16.1e100.net:http (ESTABLISHED)
chrome 4140 pradeep 73u IPv4 80074 0t0 TCP deepz-desktop.local:39526->ni-in-f95.1e100.net:https (ESTABLISHED)
chrome 4140 pradeep 79u IPv4 79365 0t0 TCP deepz-desktop.local:45406->maa03s04-in-f14.1e100.net:https (ESTABLISHED)
chrome 4140 pradeep 81u IPv4 80874 0t0 TCP deepz-desktop.local:36206->maa03s04-in-f14.1e100.net:http (ESTABLISHED)
chrome 4140 pradeep 104u IPv4 80253 0t0 TCP deepz-desktop.local:45039->ni-in-f125.1e100.net:xmpp-client (ESTABLISHED)
chrome 4140 pradeep 113u IPv4 80966 0t0 TCP deepz-desktop.local:52340->www.evernote.com:https (ESTABLISHED)
chrome 4140 pradeep 117u IPv4 80249 0t0 TCP deepz-desktop.local:55953->maa03s04-in-f16.1e100.net:https (ESTABLISHED)
chrome 4140 pradeep 119u IPv4 80247 0t0 TCP deepz-desktop.local:52342->www.evernote.com:https (ESTABLISHED)
chrome 4140 pradeep 126u IPv4 81303 0t0 TCP deepz-desktop.local:54104->maa03s04-in-f31.1e100.net:http (ESTABLISHED)
chrome 4140 pradeep 134u IPv4 80294 0t0 TCP deepz-desktop.local:52350->www.evernote.com:https (ESTABLISHED)
chrome 4140 pradeep 141u IPv4 80292 0t0 TCP deepz-desktop.local:59960->maa03s04-in-f31.1e100.net:https (ESTABLISHED)
chrome 4140 pradeep 160u IPv4 80867 0t0 TCP deepz-desktop.local:45433->maa03s04-in-f14.1e100.net:https (ESTABLISHED)
chrome 4140 pradeep 161u IPv4 81495 0t0 TCP deepz-desktop.local:51164->maa03s04-in-f15.1e100.net:https (ESTABLISHED)

We can also list the files opened by a given PID, or by the processes of a given user.

Code:
pradeep@deepz-desktop:~$ lsof +p 4140
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
chrome 4140 pradeep cwd DIR 8,21 16384 39321601 /home/pradeep
chrome 4140 pradeep rtd DIR 8,17 4096 2 /
chrome 4140 pradeep txt REG 8,17 89143496 2234872 /opt/google/chrome/chrome
chrome 4140 pradeep mem REG 8,17 10384 1048629 /lib/libnss_mdns4.so.2
chrome 4140 pradeep DEL REG 0,18 80275 /run/shm/.com.google.Chrome.KY4bCi
chrome 4140 pradeep mem REG 8,21 524656 39977018 /home/pradeep/.cache/google-chrome/Profile 1/Cache/index
chrome 4140 pradeep mem REG 8,17 18282384 1707495 /usr/lib/libicudata.so.48.1.1
chrome 4140 pradeep mem REG 8,17 1465096 1707509 /usr/lib/libicuuc.so.48.1.1
chrome 4140 pradeep mem REG 8,17 1866528 1707497 /usr/lib/libicui18n.so.48.1.1
chrome 4140 pradeep mem REG 8,17 217312 1706904 /usr/lib/libdee-1.0.so.4.1.1
chrome 4140 pradeep DEL REG 0,4 17301519 /SYSV00000000
chrome 4140 pradeep mem REG 8,17 331864 1713573 /usr/lib/x86_64-linux-gnu/libgee.so.2.0.0
chrome 4140 pradeep mem REG 8,17 422512 1707407 /usr/lib/libunity.so.9.0.2
chrome 4140 pradeep mem REG 8,17 139240 1713599 /usr/lib/x86_64-linux-gnu/libgnome-keyring.so.0.2.0
chrome 4140 pradeep mem REG 8,21 125837312 39976993 /home/pradeep/.cache/google-chrome/Profile 1/Cache/data_3
...

Code:
pradeep@deepz-desktop:~$ sudo lsof -u www-data
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
apache2 1224 www-data cwd DIR 8,17 4096 2 /
apache2 1224 www-data rtd DIR 8,17 4096 2 /
apache2 1224 www-data txt REG 8,17 474744 1975911 /usr/lib/apache2/mpm-worker/apache2
apache2 1224 www-data mem REG 8,17 52120 1061321 /lib/x86_64-linux-gnu/libnss_files-2.15.so
apache2 1224 www-data mem REG 8,17 47680 1061317 /lib/x86_64-linux-gnu/libnss_nis-2.15.so
apache2 1224 www-data mem REG 8,17 97248 1061330 /lib/x86_64-linux-gnu/libnsl-2.15.so
apache2 1224 www-data mem REG 8,17 35680 1061322 /lib/x86_64-linux-gnu/libnss_compat-2.15.so
apache2 1224 www-data mem REG 8,17 22528 1975854 /usr/lib/apache2/modules/mod_status.so
apache2 1224 www-data mem REG 8,17 14336 1975885 /usr/lib/apache2/modules/mod_setenvif.so

I hope this will be helpful for debugging programs, troubleshooting, and securing *nix systems. Enjoy.