lsof — List Open Files and Network Sockets
Practical guide to lsof: find open files, ports and sockets – who is listening, what blocks an unmount, which deleted file still eats disk space.
On Unix and Linux almost everything is a file – including network connections, pipes, devices, and directories. lsof (List Open Files) surfaces exactly those open files and answers questions other tools can't: Who is listening on a port? Why won't a directory unmount? Which process still holds a long-deleted file open and eats disk space? This guide takes you from the basics to the combined filters you'll reach for in real debugging sessions.
Basic Usage
lsof — List all open files for all processes. Very long output.
sudo lsof | head -50lsof -p PID — Show all files opened by a specific process.
lsof -p 1234lsof -c COMMAND — Show files opened by processes whose name starts with COMMAND.
lsof -c nginxlsof -u USER — Show files opened by a specific user.
lsof -u www-datalsof -u ^USER — Show files NOT opened by a user (exclude user).
lsof -u ^rootlsof +D DIRECTORY — Show all open files in a directory (recursive).
lsof +D /var/loglsof +d DIRECTORY — Show open files in a directory (not recursive).
lsof +d /tmplsof FILE — Show which processes have a specific file open.
lsof /var/log/syslogNetwork Connections
lsof -i — List all network connections (IPv4 and IPv6).
sudo lsof -ilsof -i :PORT — Show which process is using a specific port.
sudo lsof -i :80lsof -i tcp — Show only TCP connections.
sudo lsof -i tcplsof -i udp — Show only UDP connections.
sudo lsof -i udplsof -i 4 — Show only IPv4 connections.
sudo lsof -i 4lsof -i 6 — Show only IPv6 connections.
sudo lsof -i 6lsof -i tcp:PORT — Show TCP connections on a specific port.
sudo lsof -i tcp:443lsof -i @HOST — Show connections to/from a specific host.
sudo lsof -i @192.168.1.1lsof -i @HOST:PORT — Show connections to a specific host and port.
sudo lsof -i @192.168.1.1:22lsof -i :PORT1-PORT2 — Show connections on a range of ports.
sudo lsof -i :8000-9000Connection States
lsof -i -sTCP:LISTEN — Show only listening TCP sockets.
sudo lsof -i -sTCP:LISTENlsof -i -sTCP:ESTABLISHED — Show only established TCP connections.
sudo lsof -i -sTCP:ESTABLISHEDlsof -i -sTCP:CLOSE_WAIT — Show connections in CLOSE_WAIT state.
sudo lsof -i -sTCP:CLOSE_WAITlsof -i -sTCP:TIME_WAIT — Show connections in TIME_WAIT state.
sudo lsof -i -sTCP:TIME_WAITDisplay Options
lsof -n — Numeric output — do not resolve hostnames. Faster.
sudo lsof -i -nlsof -P — Do not resolve port numbers to service names.
sudo lsof -i -Plsof -nP — Fully numeric — no hostname or port resolution.
sudo lsof -i -nPlsof -t — Terse output — only show PIDs. Useful for scripting.
lsof -t -i :80lsof -r SECONDS — Repeat the listing every N seconds (like watch).
sudo lsof -i :80 -r 2lsof +r SECONDS — Repeat until no open files are found, then exit.
lsof +r 1 /path/to/fileCombining Filters
lsof -a -u USER -i — AND filters: network connections by a specific user. -a means AND.
sudo lsof -a -u www-data -ilsof -a -c COMMAND -i :PORT — Files opened by a command AND on a specific port.
sudo lsof -a -c apache -i :80lsof -a -p PID -i — Network connections of a specific process.
lsof -a -p 1234 -iFile System & Devices
lsof +f -- /MOUNT — Show all processes using files on a mounted filesystem.
lsof +f -- /mnt/usblsof /dev/DEVICE — Show processes using a specific device.
lsof /dev/sda1lsof -d FD — Show files by file descriptor number.
lsof -d 0-2lsof +L1 — Show files with zero link count (deleted but still open).
sudo lsof +L1Practical Examples
lsof -i -nP -sTCP:LISTEN — Show all listening ports with numeric addresses. Most common usage.
sudo lsof -i -nP -sTCP:LISTENkill -9 $(lsof -t -i :PORT) — Kill whatever process is using a specific port.
kill -9 $(lsof -t -i :8080)lsof +L1 | awk '{sum += $7} END {print sum/1024/1024 " MB"}' — Calculate disk space used by deleted but still-open files.
sudo lsof +L1 | awk '{sum += $7} END {print sum/1024/1024 " MB"}'lsof -c java -a -i -nP — Show all network connections of Java processes.
sudo lsof -c java -a -i -nPlsof -u USER -a +D /home/USER — Show all files a user has open in their home directory.
lsof -u jpk -a +D /home/jpklsof -i @REMOTE_HOST -nP — Find all connections to a specific remote host.
sudo lsof -i @10.0.0.5 -nPConclusion
lsof is a read-only command – it changes nothing and only reports, which makes it one of the safest diagnostic tools around. For most jobs a handful of invocations is enough: lsof -i :<port> shows who is listening on or connecting to a port, lsof -p <pid> and lsof -u <user> narrow things down to a process or user, and lsof +D <directory> reveals which process causes a "device busy" error on unmount. Especially valuable is lsof +L1: it finds deleted but still-open files whose space the system only reclaims once they are closed – the bridge to df and du when the disk is full yet the directory looks empty. To inspect files held by other users' processes you usually need sudo.
Further Reading
- lsof man page (man7.org) – the complete reference for every option
- Wikipedia: lsof – background and overview of the tool