If you are a frequent user of Linux or Unix systems you must have surely heard the phrase, “In Linux, everything is a file”. This may be categorized as the oversimplification of the concept yet it proves to be very helpful to understand how files in the Linux system works.
Not everything that appears in the Linux environment has to be a file. Sometimes it can be a process, it can be a special file representing the hardware information, directories, and other things.
This tutorial will walk you through in finding all the files which are open for a particular process in Linux.
Introduction To lsof Command
The beauty of the Linux system is that you can control and manage your entire system through the terminal, provided that you know the commands well. Once the commands are known then all the tasks on the terminal become a cakewalk.
lsof stands for ‘List Of Open Files‘. Once you know the long version of the command it becomes very easy for you to understand and use the command in a productive way.
The lsof command displays the lists of open files, sockets, and pipes. You can easily search for the open files using this command. When the lsof command is used without any option it displays all the open files with respect to the active processes which are running.
Note: Make sure you use sudo while executing the commands.
Using The lsof Command
We will study the output of the lsof command in detail. Study the following command.
sudo lsof | lessNote: If we directly run the lsof command, the output is going to be very large and might create confusion to proceed further. Hence, here I’ve used lsof | less command for the convenience of the tutorial.
Output:
gaurav@ubuntu:~$ sudo lsof | less
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME
kdevtmpfs 31 root cwd DIR 0,6 4400 2 /
kdevtmpfs 31 root rtd DIR 0,6 4400 2 /
kdevtmpfs 31 root txt unknown /proc/31/exe
netns 32 root cwd DIR 8,8 4096 2 /
netns 32 root rtd DIR 8,8 4096 2 /
netns 32 root txt unknown /proc/32/exe
rcu_tasks 33 root cwd DIR 8,8 4096 2 /
rcu_tasks 33 root rtd DIR 8,8 4096 2 /
rcu_tasks 33 root txt unknown /proc/33/exe
kauditd 34 root cwd DIR 8,8 4096 2 /
kauditd 34 root rtd DIR 8,8 4096 2 /
kauditd 34 root txt unknown /proc/34/exe
Following are the attributes that are displayed using the lsof command.
| Parameter | Description |
|---|---|
| Command | Shows the name of the command that opens the file. |
| PID | Process identifier number of the process that opens the file. |
| TID | Thread Identifier number. It can either be a thread or a task number. |
| User | User ID or name of the user who is the owner of the process. |
| FD | Shows the file descriptor of the file. |
| Type | Type of node associated with the file. |
| Device | Shows device numbers. |
| Size/Off | Shows the size of the file in bytes. |
| Node | Shows the inode number the directory or the parent directory. |
| Name | Shows the name of the file system where the process is located. |
Listing The Processes
First and foremost it is important for you to obtain the processes that are running and their respective process IDs. Linux provides variety of commands to list the processes along with their attributes like PID, user, directory, etc.
You can use the commands like top, ps, htop, pstree to list the processes on the terminal.
Throughout the tutorial, I’ll be using the top command to do so. The top command provides a dynamic real-time view of a running system. It also displays all the processes and threads currently being managed by the Linux kernel. Study the below-given block to check the output of the top command.
Syntax:
sudo topOutput:
gaurav@ubuntu:~$sudo top
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
2703 gaurav 20 0 4286124 1.142g 103584 R 88.2 30.5 87:48.08 Web Content
1173 mongodb 20 0 288536 6776 3428 S 5.9 0.2 2:34.41 mongod
13765 gaurav 20 0 2931568 131408 47496 S 5.9 3.3 1:42.34 Web Content
1 root 20 0 225904 6824 4900 S 0.0 0.2 0:27.25 systemd
2 root 20 0 0 0 0 S 0.0 0.0 0:00.05 kthreadd
4 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 kworker/0:0H
6 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 mm_percpu_wq
7 root 20 0 0 0 0 S 0.0 0.0 0:01.89 ksoftirqd/0
8 root 20 0 0 0 0 I 0.0 0.0 0:22.32 rcu_sched
9 root 20 0 0 0 0 I 0.0 0.0 0:00.00 rcu_bh
10 root rt 0 0 0 0 S 0.0 0.0 0:03.13 migration/0 In the above block, we can see all the process-related information in one place. From here we can find the PID of the process of which we have to display the open files using the lsof command.
But if you want to find out the process ID of only a particular process and avoid other unwanted processes then use the following command.
Syntax:
sudo top | grep [Process_Name]Example:
gaurav@ubuntu:~$ top | grep terminal
13819 gaurav 20 0 803336 19728 9160 S 0.3 0.5 0:53.63 gnome-terminal-
13819 gaurav 20 0 803336 19728 9160 S 1.0 0.5 0:53.66 gnome-terminal-
13819 gaurav 20 0 803336 19728 9160 S 0.3 0.5 0:53.67 gnome-terminal-
gaurav@ubuntu:~$Here we have specifically displayed the process ID of the process which has the string ‘terminal’ in the process name. This method comes handy when you are unaware of the complete process name or the PID.
Displaying The Open Files Related To A Process Using The PID
In the above block, we learned how to obtain the process related information with the help of the top command. Now we will use the PID corresponding to any process on the system and try to display the list of the open files related to that process using the lsof command.
From the above-given output, let us take the process corresponding to the PID 1173 which is highlighted. We will be using the lsof -p [PID] command to do so.
Syntax:
sudo lsof -p [PID]This command takes the PID of the process as the input and lists all the files corresponding to this PID.
Output:
gaurav@ubuntu:~$ sudo lsof -p 1173
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
Output information may be incomplete.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mongod 1173 mongodb cwd DIR 8,8 4096 2 /
mongod 1173 mongodb rtd DIR 8,8 4096 2 /
mongod 1173 mongodb txt REG 8,8 38379496 2885608 /usr/bin/mongod
mongod 1173 mongodb mem REG 8,8 71776 2624380 /lib/x86_64-linux-gnu/libnss_myhostname.so.2
mongod 1173 mongodb mem REG 8,8 101168 2624643 /lib/x86_64-linux-gnu/libresolv-2.27.so
mongod 1173 mongodb mem REG 8,8 26936 2624439 /lib/x86_64-linux-gnu/libnss_dns-2.27.so
mongod 1173 mongodb mem REG 8,8 10160 2626002 /lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2
mongod 1173 mongodb mem REG 8,8 47568 2624441 /lib/x86_64-linux-gnu/libnss_files-2.27.so
mongod 1173 mongodb mem REG 8,8 3004224 2909671 /usr/lib/locale/locale-archive
mongod 1173 mongodb mem REG 8,8 2030544 2621501 /lib/x86_64-linux-gnu/libc-2.27.so
mongod 1173 mongodb mem REG 8,8 144976 2624627 /lib/x86_64-linux-gnu/libpthread-2.27.so
mongod 1173 mongodb mem REG 8,8 96616 2624649 /lib/x86_64-linux-gnu/libgcc_s.so.1
mongod 1173 mongodb mem REG 8,8 1700792 2622735 /lib/x86_64-linux-gnu/libm-2.27.so
mongod 1173 mongodb mem REG 8,8 14560 2621535 /lib/x86_64-linux-gnu/libdl-2.27.so
mongod 1173 mongodb mem REG 8,8 31680 2624646 /lib/x86_64-linux-gnu/librt-2.27.so
mongod 1173 mongodb mem REG 8,8 2357760 2890079 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
gaurav@ubuntu:~$The files which are open for the process with process ID 1713 are displayed using the lsof command.
Note: GNOME users may encounter the below warning. You can safely ignore it.
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
Output information may be incomplete.Listing Open Files Related To A Process Using The Process Name
The lsof command also provides you with an option to list the open files using the names of the processes. The names should be provided to the command as an input string. See the syntax below to use this option.
Syntax:
sudo lsof -c [Process name]Example:
sudo lsof -c mysqlOutput:
gaurav@ubuntu:~$ sudo lsof -c mysql
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
Output information may be incomplete.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mysqld 1266 mysql cwd DIR 8,8 4096 3154135 /var/lib/mysql
mysqld 1266 mysql rtd DIR 8,8 4096 2 /
mysqld 1266 mysql txt REG 8,8 24691368 2889411 /usr/sbin/mysqld
mysqld 1266 mysql mem REG 8,8 6288 5505444 /usr/lib/mysql/plugin/auth_socket.so
mysqld 1266 mysql DEL REG 0,18 28127 /[aio]
mysqld 1266 mysql DEL REG 0,18 28126 /[aio]
mysqld 1266 mysql DEL REG 0,18 28125 /[aio]
mysqld 1266 mysql mem REG 8,8 47568 2624441 /lib/x86_64-linux-gnu/libnss_files-2.27.so
mysqld 1266 mysql mem REG 8,8 47576 2624592 /lib/x86_64-linux-gnu/libnss_nis-2.27.so
mysqld 1266 mysql mem REG 8,8 39744 2624438 /lib/x86_64-linux-gnu/libnss_compat-2.27.so
The output will be as that of the one in which the Process ID is used instead of the Process name.
Listing files Opened By Network Connections
In Linux, files can also be in the form of information about your network connections, hardware connections etc. We can use lsof command to list the files opened by the network connection. Use the following method.
sudo lsof -iOutput:
gaurav@ubuntu:~$ sudo lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd-r 969 systemd-resolve 12u IPv4 17357 0t0 UDP localhost:domain
systemd-r 969 systemd-resolve 13u IPv4 17358 0t0 TCP localhost:domain (LISTEN)
systemd-r 969 systemd-resolve 15u IPv4 1685575 0t0 UDP ubuntu:48090->_gateway:domain
avahi-dae 1028 avahi 12u IPv4 23810 0t0 UDP *:mdns
avahi-dae 1028 avahi 13u IPv6 23811 0t0 UDP *:mdns
avahi-dae 1028 avahi 14u IPv4 23812 0t0 UDP *:58999
avahi-dae 1028 avahi 15u IPv6 23813 0t0 UDP *:37512
mongod 1173 mongodb 6u IPv4 28149 0t0 TCP localhost:27017 (LISTEN)
mysqld 1266 mysql 19u IPv4 25992 0t0 TCP localhost:mysql (LISTEN)
apache2 1283 root 4u IPv6 28140 0t0 TCP *:http (LISTEN)
gaurav@ubuntu:~$Here we can see the information about the files which are open by the network connection using the lsof -i command.
Conclusion
In this simple tutorial, we have learned how to list open files for a process in Linux using various methods that are easy to use. For more uses of the lsof command, see the lsof man page.
Member discussion