lsof - list open files
lsof [ __-?abChlnNOPRstUvVX__? [ __-A__ '' A''? [ __-c__ '' c''? [ __+? [ __+? [ __+?__ ] [ __-F__ '' [[f? ] [ __-g__ '' [[s? ] [ __-i__ '' [[i? ] [ __-k__ '' k''? [ __+? ] [ __-m__ '' m''? [ __+? [ __-o__ '' [[o? ] [ __-p__ '' s''? [ __+? ] [ __-S__ '' [[t? ] [ __-T__ '' [[t? ] [ __-u__ '' s''? [ __+? [ __--__? [''names''?
Lsof revision 4.57 lists information about files opened by processes for the following UNIX dialects:
(See the DISTRIBUTION section of this manual page for information on how to obtain the latest lsof revision.)
An open file may be a regular file, a directory, a block special file, a character special file, an executing text reference, a library, a stream or a network file (Internet socket, NFS file or UNIX domain socket.) A specific file or all the files in a file system may be selected by path.
Instead of a formatted display, lsof will produce output that can be parsed by other programs. See the -F , option description, and the OUTPUT FOR OTHER PROGRAMS section for more information.
In addition to producing a single output list, lsof will run in repeat mode. In repeat mode it will produce output, delay, then repeat the output operation until stopped with an interrupt or quit signal. See the +|-r [t? option description for more information.
In the absence of any options, lsof lists all open files belonging to all active processes.
If any list request option is specified, other list requests must be specifically requested - e.g., if -U is specified for the listing of UNIX socket files, NFS files won't be listed unless -N is also specified; or if a user list is specified with the -u option, UNIX domain socket files, belonging to users not in the list, won't be listed unless the -U option is also specified.
Normally list options that are specifically stated are ORed - i.e., specifying the -i option without an address and the -ufoo option produces a listing of all network files OR files belonging to processes owned by user "foo". One exception is the `^' (negated) login name or user ID (UID) specified with the -u option. Since it is an exclusion, it is applied without ORing or ANDing and takes effect before any other selection criteria are applied.
The -a option may be used to AND the selections. For example, specifying -a , -U , and -ufoo produces a listing of only UNIX socket files that belong to processes owned by user "foo".
Caution: the -a option causes all list selection options to be ANDed; it can't be used to cause ANDing of selected pairs of selection options by placing it between them, even though its placement there is acceptable. Wherever -a is placed, it causes the ANDing of all selection options.
Items of the same selection set - command names, file descriptors, network addresses, process identifiers, user identifiers - are joined in a single ORed set and applied before the result participates in ANDing. Thus, for example, specifying -i@aaa.bbb, -i@ccc.ddd, -a , and -ufff,ggg will select the listing of files that belong to either login "fff" OR "ggg" AND have network connections to either host aaa.bbb OR ccc.ddd.
Options may be grouped together following a single prefix -- e.g., the option set "-a -b -C" may be stated as -abC . However, since values are optional following +|-f , -F , -g , -i , +|-L , -o , +|-r , -S , and -T , when you have no values for them be careful that the following character isn't ambiguous. For example, -Fn might represent the -F and -n options, or it might represent the n field identifier character following the -F option. When ambiguity is possible, start a new option with a `-' character - e.g., "-F -n". If the next option is a file name, follow the possibly ambiguous option with "--" - e.g., "-F -- name".
Either the `+' or the `-' prefix may be applied to a group of options. Options that don't take on separate meanings for each prefix - e.g., -i - may be grouped under either prefix. Thus, for example, "+M -i" may be stated as "+Mi" and the group means the same as the separate options. Be careful of prefix grouping when one or more options in the group does take on separate meanings under different prefixes - e.g., +|-M; "-iM" is not the same request as "-i +M". When in doubt, use separate options with appropriate prefixes.
b the regular expression is a basic one.
i ignore the case of letters.
x the regular expression is an extended one
(default).
? - report device cache file paths
b - build the device cache file
i - ignore the device cache file
r - read the device cache file
u - read and update the device cache file
$ lsof +f -- /file/system/name
c file structure use count
f file structure address
g file flag abbreviations
G file flags in hexadecimal
n file structure node address
TCP:25 - TCP and port 25
@1.2.3.4 - Internet IPv4 host address 1.2.3.4
@1ebc::1?:1234 - Internet IPv6 host address
3ffe:1ebc::1, port 1234
UDP:who - UDP who service port
TCP@vic.cc:513 - TCP, port 513 and host name vic.cc
tcp@foo:1-10,smtp,99 - TCP, ports 1 through 10,
service name smtp, port 99, host name foo
tcp@bar:smtp-nameserver - TCP, ports smtp through
nameserver, host bar
:time - either TCP or UDP time service port
or
- oo10
<TCP or TPI state name>
QR=<read queue length>
QS=<send queue length>
WR=<window read length> (not all dialects)
WW=<window write length> (not all dialects)
q selects queue length reporting.
s selects state reporting.
w selects window size reporting (notall dialects).
WARNING: use of this option on a busy AIX system might cause an application process to hang so completely that it can neither be killed nor stopped. I have never seen this happen or had a report of it, but I think the possibility exists.
This Sequent PTX -X option directs lsof to list the file use count and inode address from the file structure. Its effect is equivalent to +fcf with these exceptions: the NODE-ID column title will be changed to INODE-ADDR; and the only value listed in the INODE-ADDR column will be the kernel inode structure address for files that use an inode.
AIX 4.1.4 (AFS 3.4a)
HP-UX 9.0.5 (AFS 3.4a)
Linux 1.2.13 (AFS 3.3)
Solaris 2.[56? (AFS 3.4a)
Ultrix 4.2 RISC (AFS 3.2b) (no longer available)
It may recognize AFS files on other versions of these dialects, but has not been tested there. Depending on how AFS is implemented, lsof may recognize AFS files in other dialects, or may have difficulties recognizing AFS files in the supported dialects.
Lsof may have trouble identifying all aspects of AFS files in supported dialects when AFS kernel support is implemented via dynamic modules whose addresses do not appear in the kernel's variable name list. In that case, lsof may have to guess at the identity of AFS files, and might not be able to obtain volume information from the kernel that is needed for calculating AFS volume node numbers. When lsof can't compute volume node numbers, it reports blank in the NODE column.
The -A A option is available in some dialect implementations of lsof for specifying the name list file where dynamic module kernel addresses may be found. When this option is available, it will be listed in the lsof help output, presented in response to the -h or -?
See the lsof FAQ (The FAQ section gives its location.) for more information about dynamic modules, their symbols, and how they affect lsof options.
Because AFS path lookups don't seem to participate in the kernel's name cache operations, lsof can't identify path name components for AFS files.
Lsof has three features that may cause security concerns. First, its default compilation mode allows anyone to list all open files with it. Second, by default it creates a user-readable and user-writable device cache file in the home directory of the real user ID that executes lsof . (The list-all-open-files and device cache features may be disabled when lsof is compiled.) Third, its -k and -m options name alternate kernel name list or memory files.
Restricting the listing of all open files is controlled by the compile-time HASSECURITY option. When HASSECURITY is defined, lsof will allow only the root user to list all open files. The non-root user may list only open files of processes with the same user IDentification number as the real user ID number of the lsof process (the one that its user logged on with). When HASSECURITY is not defined, anyone may list all open files.
Help output, presented in response to the -h or -? option, gives the HASSECURITY definition status.
See the Security section of the 0README file of the lsof distribution for information on building lsof with the HASSECURITY option enabled.
Creation and use of a user-readable and user-writable device cache file is controlled by the compile-time HASDCACHE option. See the DEVICE CACHE FILE section and the sections that follow it for details on how its path is formed. For security considerations it is important to note that in the default lsof distribution, if the real user ID under which lsof is executed is root, the device cache file will be written in root's home directory - e.g., / or /root . When HASDCACHE is not defined, lsof does not write or attempt to read a device cache file.
When HASDCACHE is defined, the lsof help output, presented in response to the -h , -D? , or -? options, will provide device cache file handling information. When HASDCACHE is not defined, the -h or -? output will have no -D option description.
Before you decide to disable the device cache file feature - enabling it improves the performance of lsof by reducing the startup overhead of examining all the nodes in /dev (or /devices ) - read the discussion of it in the 00DCACHE file of the lsof distribution and the lsof FAQ (The FAQ section gives its location.)
WHEN IN DOUBT, YOU CAN TEMPORARILY DISABLE THE USE OF THE DEVICE CACHE FILE WITH THE -Di OPTION.
When lsof user declares alternate kernel name list or memory files with the -k and -m options, lsof checks the user's authority to read them with access(2). This is intended to prevent whatever special power lsof's modes might confer on it from letting it read files not normally accessible via the authority of the real user ID.
This section describes the information lsof lists for each open file. See the OUTPUT FOR OTHER PROGRAMS section for additional information on output that can be processed by another program.
Lsof only outputs printable (declared so by isprint(3)) ASCII characters. Non-printable characters are printed in one of three forms: the C "\[bfrnt?" form; the control character `^' form (e.g., "^@"); or hexadecimal leading "\x" form (e.g., "\xab"). Space is non-printable in the COMMAND column ("\x20") and printable elsewhere.
Lsof dynamically sizes the output columns each time it runs, guaranteeing that each column is a minimum size. It also guarantees that each column is separated from its predecessor by at least one space.
cwd current working directory;
Lnn library references (AIX);
jld jail directory (FreeBSD);
ltx shared library text (code and data);
Mxx hex memory-mapped type number xx.
m86 DOS Merge mapped file;
mem memory-mapped file;
mmap memory-mapped device;
pd parent directory;
rtd root directory;
txt program text (code and data);
v86 VP/ix mapped file;
r for read access; w for write access; u for read and write access; space if mode unknown and no lock
character follows;
`-' if mode unknown and lock
character follows.
AIO asynchronous I/O (e.g., FAIO)
AP append
ASYN asynchronous I/O (e.g., FASYNC)
BAS block, test, and set in use
BKIU block if in use
BL use block offsets
BSK block seek
CA copy avoid
CLON clone
CLRD CL read
CR create
DF defer
DFI defer IND
DFLU data flush
DIR direct
DLY delay
DOCL do clone
DSYN data-only integrity
EX open for exec
EXCL exclusive open
FSYN synchronous writes
GCDF defer during unp_gc() (AIX)
GCMK mark during unp_gc() (AIX)
GTTY accessed via /dev/tty
HUP HUP in progress
KERN kernel
KIOC kernel-issued ioctl
LCK has lock
LG large file
MBLK stream message block
MK mark
MNT mount
MSYN multiplex synchronization
NB non-blocking I/O
NBDR no BDRM check
NBIO SYSV non-blocking I/O
NBF n-buffering in effect
NC no cache
ND no delay
NDSY no data synchronization
NET network
NMFS NM file system
NOTO disable background stop
NSH no share
NTTY no controlling TTY
OLRM OLR mirror
PAIO POSIX asynchronous I/O
PP POSIX pipe
R read
RAIO Reliant UNIX RAIO request
RC file and record locking cache
REV revoked
RSH shared read
RSYN read synchronization
SL shared lock
SOCK socket
SQSH Sequent shared set on open
SQSV Sequent SVM set on open
SQR Sequent set repair on open
SQS1 Sequent full shared open
SQS2 Sequent partial shared open
STPI stop I/O
SWR synchronous read
SYN file integrity while writing
TCPM avoid TCP collision
TR truncate
W write
WKUP parallel I/O synchronization
WTG parallel I/O synchronization
VH vhangup pending
VTXT virtual text
XL exclusive lock
ALLC allocated
BR the file has been read
BHUP activity stopped by SIGHUP
BW the file has been written
CLSG closing
CX close-on-exec (see fcntl(F_SETFD))
MP memory-mapped
LCK lock was applied
RSVW reserved wait
SHMT UF_FSHMAT set (AIX)
USE in use (multi-threaded)
For dialects that support a "namefs" file system, allowing one file to be attached to another with fattach(3C), lsof will add "(FA:<address1><direction><address2>)" to the NAME column. <address1> and <address2> are hexadecimal vnode addresses. <direction> will be "<-" if <address2> has been fattach'ed to this vnode whose address is <address1>; and "->" if <address1>, the vnode address of this vnode, has been fattach'ed to <address2>. <address1> may be omitted if it already appears in the DEVICE column.
Lsof can't adequately report the wide variety of UNIX dialect file locks in a single character. What it reports in a single character is a compromise between the information it finds in the kernel and the limitations of the reporting format.
Moreover, when a process holds several byte level locks on a file, lsof only reports the status of the first lock it encounters. If it is a byte level lock, then the lock character will be reported in lower case - i.e., `r', `w', or `x' - rather than the upper case equivalent reported for a full file lock.
Generally lsof can only report on locks held by local processes on local files. When a local process sets a lock on a remotely mounted (e.g., NFS) file, the remote server host usually records the lock state. One exception is Solaris - at some patch levels of 2.3, and in all versions above 2.4, the Solaris kernel records information on remote locks in local structures.
Lsof has trouble reporting locks for some UNIX dialects. Consult the BUGS section of this manual page or the lsof FAQ (The FAQ section gives its location.) for more information.
When the -F option is specified, lsof produces output that is suitable for processing by another program - e.g, an awk or Perl script.
Each unit of information is output in a field that is identified with a leading character and terminated by a NL (012) (or a NUL (000) if the 0 (zero) field identifier character is specified.) The data of the field follows immediately after the field identification character and extends to the field terminator.
It is possible to think of field output as process and file sets. A process set begins with a field whose identifier is `p' (for process IDentifier (PID)). It extends to the beginning of the next PID field or the beginning of the first file set of the process, whichever comes first. Included in the process set are fields that identify the command, the process group IDentification (PGID) number, and the user ID (UID) number or login name.
A file set begins with a field whose identifier is `f' (for file descriptor). It is followed by lines that describe the file's access mode, lock state, type, device, size, offset, inode, protocol, name and stream module names. It extends to the beginning of the next file or process set, whichever comes first.
When the NUL (000) field terminator has been selected with the 0 (zero) field identifier character, lsof ends each process and file set with a NL (012) character.
Lsof always produces one field, the PID (`p') field. All other fields may be declared optionally in the field identifier character list that follows the -F option. When a field selection character identifies an item lsof does not normally list - e.g., PPID, selected with -R - specification of the field character - e.g., "-FR" - also selects the listing of the item.
It is entirely possible to select a set of fields that cannot easily be parsed - e.g., if the field descriptor field is not selected, it may be difficult to identify file sets. To help you avoid this difficulty, lsof supports the -F option; it selects the output of all fields with NL terminators (the -F0 option pair selects the output of all fields with NUL terminators).
These are the fields that lsof will produce. The single character listed first is the field identifier.
a file access mode
c process command name (all characters from proc oruser structure)
C file structure share count
d file's device character code
D file's major/minor device number (0x<hexadecimal>)
f file descriptor
F file structure address (0x<hexadecimal>)
G file flaGs (0x<hexadecimal>; names if +fg follows)
i file's inode number
l file's lock status
L process login name
m marker between repeated output
n file name, comment, Internet address
N node identifier (ox<hexadecimal>
- file's offset (decimal)
p process ID (always selected)
g process group ID
P protocol name
R parent process ID
s file's size (decimal)
S file's stream identification
t file's type
T TCP/TPI information, identified by prefixes (the`=' is part of the prefix):
ST=<state>
QR=<read queue size>
QS=<write queue size>
WR=<window read size> (not all dialects)
WW=<window write size> (not all dialects)(TPI state information and window sizes aren't
reported for all supported UNIX dialects. The
-h or -? help output for the -T option will
show whether window size reporting can be
requested.)u process user ID
0 use NUL field terminator character in place of NL
1-\9 dialect-specific field identifiers (The outputof -F? identifies the information to be found
in dialect-specific fields.)
You can get on-line help information on these characters and their descriptions by specifying the -F? option pair. (Escape the `?' character as your shell requires.) Additional information on field content can be found in the OUTPUT section.
As an example, "-F pcfn" will select the process ID (`p'), command name (`c'), file descriptor (`f') and file name (`n') fields with an NL field terminator character; "-F pcfn0" selects the same output with a NUL (000) field terminator character.
Lsof doesn't produce all fields for every process or file set, only those that are available. Some fields are mutually exclusive: file device characters and file major/minor device numbers; file inode number and protocol name; file name and stream identification; file size and offset. One or the other member of these mutually exclusive sets will appear in field output, but not both.
Normally lsof ends each field with a NL (012) character. The 0 (zero) field identifier character may be specified to change the field terminator character to a NUL (000). A NUL terminator may be easier to process with xargs (1), for example, or with programs whose quoting mechanisms may not easily cope with the range of characters in the field output. When the NUL field terminator is in use, lsof ends each process and file set with a NL (012).
Two aids to producing programs that can process lsof field output are included in the lsof distribution. The first is a C header file, lsof_fields.h , that contains symbols for the field identification characters, indexes for storing them in a table, and explanation strings that may be compiled into programs. Lsof uses this header file.
The second aid is a set of sample scripts that process field output, written in awk , Perl 4, and Perl 5. They're located in the scripts subdirectory of the lsof distribution.
Lsof can be blocked by some kernel functions that it uses - lstat(2), readlink(2), and stat(2). These functions are stalled in the kernel, for example, when the hosts where mounted NFS file systems reside become inaccessible.
Lsof attempts to break these blocks with timers and child processes, but the techniques are not wholly reliable. When lsof does manage to break a block, it will report the break with an error message. The messages may be suppressed with the -t and -w options.
The default timeout value may be displayed with the -h or -? option, and it may be changed with the -S [t? option. The minimum for t is two seconds, but you should avoid small values, since slow system responsiveness can cause short timeouts to expire unexpectedly and perhaps stop lsof before it can produce any output.
When lsof has to break a block during its access of mounted file system information, it normally continues, although with less information available to display about open files.
Lsof can also be directed to avoid the protection of timers and child processes when using the kernel functions that might block by specifying the -O option. While this will allow lsof to start up with less overhead, it exposes lsof completely to the kernel situations that might block it. Use this option cautiously.
You can use the -b option to tell lsof to avoid using kernel functions that would block. Some cautions apply.
First, using this option usually requires that your system supply alternate device numbers in place of the device numbers that lsof would normally obtain with the lstat(2) and stat(2) kernel functions. See the ALTERNATE DEVICE NUMBERS section for more information on alternate device numbers.
Second, you can't specify names for lsof to locate unless they're file system names. This is because lsof needs to know the device and inode numbers of files listed with names in the lsof options, and the -b option prevents lsof from obtaining them. Moreover, since lsof only has device numbers for the file systems that have alternates, its ability to locate files on file systems depends completely on the availability and accuracy of the alternates. If no alternates are available, or if they're incorrect, lsof won't be able to locate files on the named file systems.
Third, if the names of your file system directories that lsof obtains from your system's mount table are symbolic links, lsof won't be able to resolve the links. This is because the -b option causes lsof to avoid the kernel readlink(2) function it uses to resolve symbolic links.
Finally, using the -b option causes lsof to issue warning messages when it needs to use the kernel functions that the -b option directs it to avoid. You can suppress these messages by specifying the -w option, but if you do, you won't see the alternate device numbers reported in the warning messages.
On some dialects, when lsof has to break a block because it can't get information about a mounted file system via the lstat(2) and stat(2) kernel functions, or because you specified the -b option, lsof can obtain some of the information it needs - the device number and possibly the file system type - from the system mount table. When that is possible, lsof will report the device number it obtained. (You can suppress the report by specifying the -w option.)
You can assist this process if your mount table is supported with an /etc/mtab or /etc/mnttab file that contains an options field by adding a "dev=xxxx" field for mount points that do not have one in their options strings.
nfs ignore,noquota,dev=2a40001
There's an advantage to having "dev=xxxx" entries in your mount table file, especially for file systems that are mounted from remote NFS servers. When a remote server crashes and you want to identify its users by running lsof on one of its clients, lsof probably won't be able to get output from the lstat(2) and stat(2) functions for the file system. If it can obtain the file system's device number from the mount table, it will be able to display the files open on the crashed NFS server.
Some dialects that do not use an ASCII /etc/mtab or /etc/mnttab file for the mount table may still provide an alternative device number in their internal mount tables. This includes AIX, Apple Darwin, DEC OSF/1, Digital UNIX, FreeBSD, NetBSD, OpenBSD, and Tru64 UNIX. Lsof knows how to obtain the alternative device number for these dialects and uses it when its attempt to lstat(2) or stat(2) the file system is blocked.
If you're not sure your dialect supplies alternate device numbers for file systems from its mount table, use this lsof incantation to see if it reports any alternate device numbers:
Look for standard error file warning messages that begin "assuming "dev=xxxx" from ...".
Lsof is able to examine the kernel's name cache or use other kernel facilities (e.g., the ADVFS 4.x tag_to_path() function under Digital UNIX or Tru64 UNIX) on some dialects for most file system types, excluding AFS, and extract recently used path name components from it. (AFS file system path lookups don't use the kernel's name cache.)
Lsof reports the complete paths it finds in the NAME column. If lsof can't report all components in a path, it reports in the NAME column the file system name, followed by a space, two `-' characters, another space, and the name components it has located, separated by the `/' character.
When lsof is run in repeat mode - i.e., with the -r option specified - the extent to which it can report path name components for the same file may vary from cycle to cycle. That's because other running processes can cause the kernel to remove entries from its name cache and replace them with others.
Lsof's use of the kernel name cache to identify the paths of files can lead it to report incorrect components under some circumstances. This can happen when the kernel name cache uses device and node number as a key (e.g., Linux and SCO !OpenServer?) and a key on a rapidly changing file system is reused. If the UNIX dialect's kernel doesn't purge the name cache entry for a file when it is unlinked, lsof may find a reference to the wrong entry in the cache. The lsof FAQ (The FAQ section gives its location.) has more information on this situation.
BSDI BSD/OS
DC/OSx
DEC OSF/1, Digital UNIX, Tru64 UNIX
FreeBSD
HP-UX
Linux
NetBSD
NEXTSTEP
OpenBSD
PTX
Reliant UNIX
SCO !OpenServer?
SCO !UnixWare?
Solaris
Ultrix (no longer available)
AIX
If you want to know why lsof can't report path name components for some dialects, see the lsof FAQ (The FAQ section gives its location.)
Examining all members of the /dev (or /devices ) node tree with stat(2) functions can be time consuming. What's more, the information that lsof needs - device number, inode number, and path - rarely changes.
Path from the -D option;
Path from an environment variable;
System-wide path;
Personal path (the default);
Personal path, modified by an environment variable.
Consult the output of the -h , -D? , or -? help options for the current state of device cache support. The help output lists the default read-mode device cache file path that is in effect for the current invocation of lsof . The -D? option output lists the read-only and write device cache file paths, the names of any applicable environment variables, and the personal device cache path format.
Lsof can detect that the current device cache file has been accidentally or maliciously modified by integrity checks, including the computation and verification of a sixteen bit Cyclic Redundancy Check (CRC) sum on the file's contents. When lsof senses something wrong with the file, it issues a warning and attempts to remove the current cache file and create a new copy, but only to a path that the process can legitimately write.
The path from which a lsof process may attempt to read a device cache file may not be the same as the path to which it can legitimately write. Thus when lsof senses that it needs to update the device cache file, it may choose a different path for writing it from the path from which it read an incorrect or outdated version.
If available, the -Dr option will inhibit the writing of a new device cache file. (It's always available when specified without a path name argument.)
When a new device is added to the system, the device cache file may need to be recreated. Since lsof compares the mtime of the device cache file with the mtime and ctime of the /dev (or /devices ) directory, it usually detects that a new device has been added; in that case lsof issues a warning message and attempts to rebuild the device cache file.
Whenever lsof writes a device cache file, it sets its ownership to the real UID of the executing process, and its permission modes to 0600, this restricting its reading and writing to the file's owner.
Two permissions of the lsof executable affect its ability to access device cache files. The permissions are set by the local system administrator when lsof is installed.
The first and rarer permission is setuid-root. It comes into effect when lsof is executed; its effective UID is then root, while its real (i.e., that of the logged-on user) UID is not. The lsof distribution recommends that versions for these dialects run setuid-root.
DC/OSx 1.1 for Pyramid systems
Reliant UNIX 5.4[34? for Pyramid systems
The second and more common permission is setgid. It comes into effect when the effective group IDentification number (GID) of the lsof process is set to one that can access kernel memory devices - e.g., "kmem", "sys", or "system".
An lsof process that has setgid permission usually surrenders the permission after it has accessed the kernel memory devices. When it does that, lsof can allow more liberal device cache path formations. The lsof distribution recommends that versions for these dialects run setgid and be allowed to surrender setgid permission.
AIX 4.3.[23?, 5L, and 5.1
Apple Darwin 1.[23? for Power Macintosh systems
BSDI BSD/OS 4.1 for Intel-based systems
DEC OSF/1, Digital UNIX, Tru64 UNIX 4.0, and 5.[01?
FreeBSD 4.[23? and 5.0 for Intel-based systems
HP-UX 11.00
NetBSD 1.5 for Alpha, Intel, and SPARC-based systems
NEXTSTEP 3.[13? for NEXTSTEP architectures
OpenBSD 2.[89? for Intel-based systems
SCO !OpenServer? Release 5.0.[45? for Intel-based systems
SCO !UnixWare? 7.1.1 for Intel-based systems
Sequent PTX 4.4.[46?, 4.5[.1?, and 4.6[.1?
Solaris 2.6, 7, 8, and 9 BETA
(Note: lsof for AIX 5L and above needs setuid-root permission if its -X option is used.)
Lsof for these dialects does not support a device cache, so the permissions given to the executable don't apply to the device cache file.
Linux 2.1.72 and above (/proc-based lsof)
The -D option provides limited means for specifying the device cache file path. Its ? function will report the read-only and write device cache file paths that lsof will use.
When the -D b , r , and u functions are available, you can use them to request that the cache file be built in a specific location (b[''path''?); read but not rebuilt (r[''path''?); or read and rebuilt (u[''path''?). The b , r , and u functions are restricted under some conditions. They are restricted when the lsof process is setuid-root. The path specified with the r function is always read-only, even when it is available.
The b , r , and u functions are also restricted when the lsof process runs setgid and lsof doesn't surrender the setgid permission. (See the LSOF PERMISSIONS THAT AFFECT DEVICE CACHE FILE ACCESS section for a list of implementations that normally don't surrender their setgid permission.)
A further -D function, i (for ignore), is always available.
When available, the b function tells lsof to read device information from the kernel with the stat(2) function and build a device cache file at the indicated path.
When available, the r function tells lsof to read the device cache file, but not update it. When a path argument accompanies -Dr , it names the device cache file path. The r function is always available when it is specified without a path name argument. If lsof is not running setuid-root and surrenders its setgid permission, a path name argument may accompany the r function.
When available, the u function tells lsof to attempt to read and use the device cache file. If it can't read the file, or if it finds the contents of the file incorrect or outdated, it will read information from the kernel, and attempt to write an updated version of the device cache file, but only to a path it considers legitimate for the lsof process effective and real UIDs.
Lsof's second choice for the device cache file is the contents of the LSOFDEVCACHE environment variable. It avoids this choice if the lsof process is setuid-root, or the real UID of the process is root.
A further restriction applies to a device cache file path taken from the LSOFDEVCACHE environment variable: lsof will not write a device cache file to the path if the lsof process doesn't surrender its setgid permission. (See the LSOF PERMISSIONS THAT AFFECT DEVICE CACHE FILE ACCESS section for information on implementations that don't surrender their setgid permission.)
The local system administrator can disable the use of the LSOFDEVCACHE environment variable or change its name when building lsof . Consult the output of -D? for the environment variable's name.
The local system administrator may choose to have a system-wide device cache file when building lsof . That file will generally be constructed by a special system administration procedure when the system is booted or when the contents of /dev or /devices ) changes. If defined, it is lsof's third device cache file path choice.
You can tell that a system-wide device cache file is in effect for your local installation by examining the lsof help option output - i.e., the output from the -h or -? option.
Lsof will never write to the system-wide device cache file path by default. It must be explicitly named with a -D function in a root-owned procedure. Once the file has been written, the procedure must change its permission modes to 0644 (owner-read and owner-write, group-read, and other-read).
The default device cache file path of the lsof distribution is one recorded in the home directory of the real UID that executes lsof . Added to the home directory is a second path component of the form .lsof_hostname .
This is lsof's fourth device cache file path choice, and is usually the default. If a system-wide device cache file path was defined when lsof was built, this fourth choice will be applied when lsof can't find the system-wide device cache file. This is the only time lsof uses two paths when reading the device cache file.
The hostname part of the second component is the base name of the executing host, as returned by gethostname(2). The base name is defined to be the characters preceding the first `.' in the gethostname(2) output, or all the gethostname(2) output if it contains no `.'.
The device cache file belongs to the user ID and is readable and writable by the user ID alone - i.e., its modes are 0600. Each distinct real user ID on a given host that executes lsof has a distinct device cache file. The hostname part of the path distinguishes device cache files in an NFS-mounted home directory into which device cache files are written from several different hosts.
The personal device cache file path formed by this method represents a device cache file that lsof will attempt to read, and will attempt to write should it not exist or should its contents be incorrect or outdated.
The -Dr option without a path name argument will inhibit the writing of a new device cache file.
The -D? option will list the format specification for constructing the personal device cache file. The conversions used in the format specification are described in the 00DCACHE file of the lsof distribution.
If this option is defined by the local system administrator when lsof is built, the LSOFPERSDCPATH environment variable contents may be used to add a component of the personal device cache file path.
The LSOFPERSDCPATH variable contents are inserted in the path at the place marked by the local system administrator with the "%p" conversion in the HASPERSDC format specification of the dialect's machine.h header file. (It's placed right after the home directory in the default lsof distribution.)
/Homes/abe/LSOF/.lsof_vic
The LSOFPERSDCPATH environment variable is ignored when the lsof process is setuid-root or when the real UID of the process is root.
Lsof will not write to a modified personal device cache file path if the lsof process doesn't surrender setgid permission. (See the LSOF PERMISSIONS THAT AFFECT DEVICE CACHE FILE ACCESS section for a list of implementations that normally don't surrender their setgid permission.)
If, for example, you want to create a sub-directory of personal device cache file paths by using the LSOFPERSDCPATH environment variable to name it, and lsof doesn't surrender its setgid permission, you will have to allow lsof to create device cache files at the standard personal path and move them to your subdirectory with shell commands.
The local system administrator may: disable this option when lsof is built; change the name of the environment variable from LSOFPERSDCPATH to something else; change the HASPERSDC format to include the personal path component in another place; or exclude the personal path component entirely. Consult the output of the -D? option for the environment variable's name and the HASPERSDC format specification.
Errors are identified with messages on the standard error file.
Lsof returns a one (1) if any error was detected, including the failure to locate command names, file names, Internet addresses or files, login names, NFS files, PIDs, PGIDs, or UIDs it was asked to list. If the -V option is specified, lsof will indicate the search items it failed to list.
It returns a zero (0) if no errors were detected and if it was able to list some information about all the specified search arguments.
Inaccessible /dev warnings are enabled.
Inaccessible /dev warnings are disabled.
Inaccessible device warning messages usually disappear after lsof has created a working device cache file.
For a more extensive set of examples, documented more fully, see the 00QUICKSTART file of the lsof distribution.
To list all open files, use:
To list all open Internet, x.25 (HP-UX), and UNIX domain files, use:
To list all files using any protocol on ports 513, 514, or 515 of host wonderland.cc.purdue.edu, use:
To list all files using any protocol on any port of mace.cc.purdue.edu (cc.purdue.edu is the default domain), use:
To list all open files for login name "abe", or user ID 1234, or process 456, or process 123, or process 789, use:
To list all open files on device /dev/hd4, use:
To find the process that has /u/abe/foo open, use:
To send a SIGHUP to the processes that have /u/abe/bar open, use:
To find any open file, including an open UNIX domain socket file, with the name /dev/log , use:
To find processes with open files on the NFS file system named /nfs/mount/point whose server is inaccessible, and presuming your mount table supplies the device number for /nfs/mount/point , use:
To do the preceding search with warning messages suppressed, use:
To ignore the device cache file, use:
To obtain PID and command name field output for each process, file descriptor, file device number, and file inode number for each file of each process, use:
To list the files at descriptors 1 and 3 of every process running the lsof command for login ID "abe" every 10 seconds, use:
To list the current working directory of processes running a command that is exactly four characters long and has an 'o' or 'O' in character three, use this regular expression form of the -c c option:
To find an IP version 4 socket file by its associated numeric dot-form address, use:
To find an IP version 6 socket file (when the UNIX dialect supports IPv6) by its associated numeric colon-form address, use:
To find an IP version 6 socket file (when the UNIX dialect supports IPv6) by an associated numeric colon-form address that has a run of zeroes in it - e.g., the loop-back address - use:
Since lsof reads kernel memory in its search for open files, rapid changes in kernel memory may produce unpredictable results.
When a file has multiple record locks, the lock status character (following the file descriptor) is derived from a test of the first lock structure, not from any combination of the individual record locks that might be described by multiple lock structures.
Lsof can't search for files with restrictive access permissions by name unless it is installed with root set-UID permission. Otherwise it is limited to searching for files to which its user or its set-GID group (if any) has access permission.
The display of the destination address of a raw socket (e.g., for ping ) depends on the UNIX operating system. Some dialects store the destination address in the raw socket's protocol control block, some do not.
Lsof can't always represent Solaris device numbers in the same way that ls(1) does. For example, the major and minor device numbers that the lstat(2) and stat(2) functions report for the directory on which CD-ROM files are mounted (typically /cdrom ) are not the same as the ones that it reports for the device on which CD-ROM files are mounted (typically /dev/sr0 ). (Lsof reports the directory numbers.)
The support for /proc file systems is available only for BSD, DEC OSF/1, Digital UNIX, and Tru64 UNIX dialects, Linux, and dialects derived from SYSV R4 - e.g., FreeBSD, NetBSD, OpenBSD, Solaris, !UnixWare?.
Some /proc file items - device number, inode number, and file size - are unavailable in some dialects. Searching for files in a /proc file system may require that the full path name be specified.
No text (txt) file descriptors are displayed for Linux processes. All entries for files other than the current working directory, the root directory, and numerical file descriptors are labeled mem descriptors.
Lsof can't search for DEC OSF/1, Digital UNIX, and Tru64 UNIX named pipes by name, because their kernel implementation of lstat(2) returns an improper device number for a named pipe.
Lsof can't report fully or correctly on HP-UX 9.01, 10.20, and 11.00 locks because of insufficient access to kernel data or errors in the kernel data. See the lsof FAQ (The FAQ section gives its location.) for details.
The AIX SMT file type is a fabrication. It's made up for file structures whose type (15) isn't defined in the AIX /usr/include/sys/file.h header file. One way to create such file structures is to run X clients with the DISPLAY variable set to ":0.0".
The +|-f [cfgGn? option is not supported under /proc-based Linux lsof , because it doesn't read kernel structures from kernel memory.
Lsof may access these environment variables.
Frequently-asked questions and their answers (an FAQ) are available in the 00FAQ file of the lsof distribution.
That file is also available via anonymous ftp from vic.cc.purdue.edu at pub/tools/unix/lsof FAQ . The URL is:
Lsof was written by Victor A. Abell <abe@purdue.edu> of the Purdue University Computing Center (PUCC). Many others have contributed to lsof . They're listed in the 00CREDITS file of the lsof distribution.
The latest distribution of lsof is available via anonymous ftp from the host vic.cc.purdue.edu . You'll find the lsof distribution in the pub/tools/unix/lsof directory.
You can also use this URL:
Lsof is also mirrored elsewhere. When you access vic.cc.purdue.edu and change to its pub/tools/unix/lsof directory, you'll be given a list of some mirror sites. The pub/tools/unix/lsof directory also contains a more complete list in its mirrors file. Use mirrors with caution - not all mirrors always have the latest lsof revision.
Some pre-compiled Lsof executables are available on vic.cc.purdue.edu , but their use is discouraged - it's better that you build your own from the sources. If you feel you must use a pre-compiled executable, please read the cautions that appear in the README files of the pub/tools/unix/lsof/binaries subdirectories and in the 00* files of the distribution.
More information on the lsof distribution can be found in its README.lsof_<version> file. If you intend to get the lsof distribution and build it, please read README.lsof_<version> and the other 00* files of the distribution before sending questions to the author.
Lsof versions 2 and 3 have been tested under older UNIX dialects. They are available via anonymous ftp from vic.cc.purdue.edu in the pub/tools/unix/lsof/OLD directory.
access(2), awk(1), crash(1)?, fattach(3C), ff(1)?, fstat(8)?, fuser(1), gethostname(2), isprint(3), kill(1), lstat(2), modload(8)?, mount(8), netstat(1), ofiles(8L), perl(1), ps(1), readlink(2), stat(2), uname(1).