# lsof — List Open Files and Network Sockets > Practical guide to lsof: find open files, ports and sockets – who is listening, what blocks an unmount, which deleted file still eats disk space. Source: https://www.jpkc.com/db/en/cheatsheets/shell-system/lsof/ On Unix and Linux almost everything is a file – including network connections, pipes, devices, and directories. `lsof` (List Open Files) surfaces exactly those open files and answers questions other tools can't: Who is listening on a port? Why won't a directory unmount? Which process still holds a long-deleted file open and eats disk space? This guide takes you from the basics to the combined filters you'll reach for in real debugging sessions. ## Basic Usage `lsof` — List all open files for all processes. Very long output. ```bash sudo lsof | head -50 ``` `lsof -p PID` — Show all files opened by a specific process. ```bash lsof -p 1234 ``` `lsof -c COMMAND` — Show files opened by processes whose name starts with COMMAND. ```bash lsof -c nginx ``` `lsof -u USER` — Show files opened by a specific user. ```bash lsof -u www-data ``` `lsof -u ^USER` — Show files NOT opened by a user (exclude user). ```bash lsof -u ^root ``` `lsof +D DIRECTORY` — Show all open files in a directory (recursive). ```bash lsof +D /var/log ``` `lsof +d DIRECTORY` — Show open files in a directory (not recursive). ```bash lsof +d /tmp ``` `lsof FILE` — Show which processes have a specific file open. ```bash lsof /var/log/syslog ``` ## Network Connections `lsof -i` — List all network connections (IPv4 and IPv6). ```bash sudo lsof -i ``` `lsof -i :PORT` — Show which process is using a specific port. ```bash sudo lsof -i :80 ``` `lsof -i tcp` — Show only TCP connections. ```bash sudo lsof -i tcp ``` `lsof -i udp` — Show only UDP connections. ```bash sudo lsof -i udp ``` `lsof -i 4` — Show only IPv4 connections. ```bash sudo lsof -i 4 ``` `lsof -i 6` — Show only IPv6 connections. ```bash sudo lsof -i 6 ``` `lsof -i tcp:PORT` — Show TCP connections on a specific port. ```bash sudo lsof -i tcp:443 ``` `lsof -i @HOST` — Show connections to/from a specific host. ```bash sudo lsof -i @192.168.1.1 ``` `lsof -i @HOST:PORT` — Show connections to a specific host and port. ```bash sudo lsof -i @192.168.1.1:22 ``` `lsof -i :PORT1-PORT2` — Show connections on a range of ports. ```bash sudo lsof -i :8000-9000 ``` ## Connection States `lsof -i -sTCP:LISTEN` — Show only listening TCP sockets. ```bash sudo lsof -i -sTCP:LISTEN ``` `lsof -i -sTCP:ESTABLISHED` — Show only established TCP connections. ```bash sudo lsof -i -sTCP:ESTABLISHED ``` `lsof -i -sTCP:CLOSE_WAIT` — Show connections in CLOSE_WAIT state. ```bash sudo lsof -i -sTCP:CLOSE_WAIT ``` `lsof -i -sTCP:TIME_WAIT` — Show connections in TIME_WAIT state. ```bash sudo lsof -i -sTCP:TIME_WAIT ``` ## Display Options `lsof -n` — Numeric output — do not resolve hostnames. Faster. ```bash sudo lsof -i -n ``` `lsof -P` — Do not resolve port numbers to service names. ```bash sudo lsof -i -P ``` `lsof -nP` — Fully numeric — no hostname or port resolution. ```bash sudo lsof -i -nP ``` `lsof -t` — Terse output — only show PIDs. Useful for scripting. ```bash lsof -t -i :80 ``` `lsof -r SECONDS` — Repeat the listing every N seconds (like watch). ```bash sudo lsof -i :80 -r 2 ``` `lsof +r SECONDS` — Repeat until no open files are found, then exit. ```bash lsof +r 1 /path/to/file ``` ## Combining Filters `lsof -a -u USER -i` — AND filters: network connections by a specific user. -a means AND. ```bash sudo lsof -a -u www-data -i ``` `lsof -a -c COMMAND -i :PORT` — Files opened by a command AND on a specific port. ```bash sudo lsof -a -c apache -i :80 ``` `lsof -a -p PID -i` — Network connections of a specific process. ```bash lsof -a -p 1234 -i ``` ## File System & Devices `lsof +f -- /MOUNT` — Show all processes using files on a mounted filesystem. ```bash lsof +f -- /mnt/usb ``` `lsof /dev/DEVICE` — Show processes using a specific device. ```bash lsof /dev/sda1 ``` `lsof -d FD` — Show files by file descriptor number. ```bash lsof -d 0-2 ``` `lsof +L1` — Show files with zero link count (deleted but still open). ```bash sudo lsof +L1 ``` ## Practical Examples `lsof -i -nP -sTCP:LISTEN` — Show all listening ports with numeric addresses. Most common usage. ```bash sudo lsof -i -nP -sTCP:LISTEN ``` `kill -9 $(lsof -t -i :PORT)` — Kill whatever process is using a specific port. ```bash kill -9 $(lsof -t -i :8080) ``` `lsof +L1 | awk '{sum += $7} END {print sum/1024/1024 " MB"}'` — Calculate disk space used by deleted but still-open files. ```bash sudo lsof +L1 | awk '{sum += $7} END {print sum/1024/1024 " MB"}' ``` `lsof -c java -a -i -nP` — Show all network connections of Java processes. ```bash sudo lsof -c java -a -i -nP ``` `lsof -u USER -a +D /home/USER` — Show all files a user has open in their home directory. ```bash lsof -u jpk -a +D /home/jpk ``` `lsof -i @REMOTE_HOST -nP` — Find all connections to a specific remote host. ```bash sudo lsof -i @10.0.0.5 -nP ``` ## Conclusion `lsof` is a read-only command – it changes nothing and only reports, which makes it one of the safest diagnostic tools around. For most jobs a handful of invocations is enough: `lsof -i :` shows who is listening on or connecting to a port, `lsof -p ` and `lsof -u ` narrow things down to a process or user, and `lsof +D ` reveals which process causes a "device busy" error on unmount. Especially valuable is `lsof +L1`: it finds deleted but still-open files whose space the system only reclaims once they are closed – the bridge to `df` and `du` when the disk is full yet the directory looks empty. To inspect files held by other users' processes you usually need `sudo`. ## Further Reading - [lsof man page (man7.org)](https://man7.org/linux/man-pages/man8/lsof.8.html) – the complete reference for every option - [Wikipedia: lsof](https://en.wikipedia.org/wiki/Lsof) – background and overview of the tool ## Related Commands - [ps](https://www.jpkc.com/db/en/cheatsheets/shell-system/ps/) – list running processes and their PIDs - [kill](https://www.jpkc.com/db/en/cheatsheets/shell-system/kill/) – terminate processes by PID or send signals - [strace](https://www.jpkc.com/db/en/cheatsheets/shell-system/strace/) – trace a process's system calls in real time