How to use lsof command to Find Open Files
The lsof utility can help identify which files are being used by any given application, which network ports are open, and much more.
A process would show up in top or ps aux, but the executable may not seem to exist. Using lsof, we could hunt down the scripts or executables used to run the program. If we run just lsof, it will attempt to show all files (which includes network sockets, pipes and special files) that are open.
If we want to see all the open files owned by a process, we can use the -p option (for PID) like so:
Just replace XXXXX with the process ID (PID) of the process you want to see. The output will show the command that has the file open, the PID, the user, the file descriptor, type, size of the file and the name of the file.
We can also see what files are open by users. Running lsof -u user will show all open files by processes owned by the user. You can also substitute the user ID (UID) for the username. If you want to eliminate a user from the listing, use ^user instead. The preceding caret will negate the selection, so the user will be ignored.
If we want to see what network sockets are owned by a particular user or process? Try ..
That will show only the open TCP and UDP sockets. If we want to see what files are open over the network, use -i. This will show you which files and sockets are open, and their respective protocols, hostnames and so on. We can narrow network parameters down by IP version (-i4 for IPv4, -i6 for IPv6), protocol (UDP or TCP), and even hostname or port.
By default, lsof will look up hostnames, but we can turn this off using the -n option. It will run faster without needing to do name lookups.
lsof 4.81
latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
