lsof (list open files) shows which processes have which files open. Since Unix treats everything as a file — including network connections, devices, and pipes — lsof is incredibly powerful for system debugging.
Basic Usage# 1
2
3
4
5
6
7
8
9
10
11
# List all open files (overwhelming)
lsof
# List open files for specific file
lsof /var/log/syslog
# List open files for user
lsof -u username
# List open files for process
lsof -p 1234
Find What’s Using a File# 1
2
3
4
5
6
7
8
# Who has this file open?
lsof /path/to/file
# Who has files open in this directory?
lsof +D /var/log
# Recursive directory search
lsof +D /var/log/
“Device or resource busy” Debugging# 1
2
3
4
5
# Can't unmount? Find what's using it
lsof +D /mnt/usb
# Find open files on filesystem
lsof /dev/sda1
Find What’s Using a Port# 1
2
3
4
5
6
7
8
9
10
11
12
13
14
# What's on port 8080?
lsof -i :8080
# What's on port 80 or 443?
lsof -i :80 -i :443
# All network connections
lsof -i
# TCP only
lsof -i TCP
# UDP only
lsof -i UDP
Specific Protocol and Port# 1
2
3
4
5
6
7
8
# TCP port 22
lsof -i TCP:22
# UDP port 53
lsof -i UDP:53
# Port range
lsof -i :1-1024
Filter by Process# 1
2
3
4
5
6
7
8
9
10
11
# By PID
lsof -p 1234
# By process name
lsof -c nginx
# By multiple process names
lsof -c nginx -c apache
# Exclude process
lsof -c ^nginx
Filter by User# 1
2
3
4
5
6
7
8
9
10
11
# By username
lsof -u www-data
# By UID
lsof -u 1000
# Multiple users
lsof -u user1,user2
# Exclude user
lsof -u ^root
Network Connections# List All Connections# 1
2
3
4
5
6
7
8
# All internet connections
lsof -i
# Established connections only
lsof -i | grep ESTABLISHED
# Listening sockets
lsof -i | grep LISTEN
Connections to Specific Host# 1
2
3
4
5
6
7
8
# Connections to specific IP
lsof -i @192.168.1.100
# Connections to hostname
lsof -i @example.com
# Connections to specific host and port
lsof -i @192.168.1.100:22
IPv4 vs IPv6# 1
2
3
4
5
# IPv4 only
lsof -i 4
# IPv6 only
lsof -i 6
1
2
3
4
5
6
7
8
9
10
# Terse output (parseable)
lsof -t /path/to/file
# Returns just PIDs
# No header
lsof +D /var/log | tail -n +2
# Specific fields
lsof -F p /path/to/file # PID only
lsof -F c /path/to/file # Command only
Combining Filters# By default, filters are OR’d. Use -a to AND them:
1
2
3
4
5
# Files by nginx AND network connections (AND)
lsof -a -c nginx -i
# Files by user1 OR user2 (OR, default)
lsof -u user1 -u user2
Practical Examples# Find and Kill Process Using Port# 1
2
3
4
5
6
7
8
9
# Find PID using port 3000
lsof -t -i :3000
# Returns: 12345
# Kill it
kill $( lsof -t -i :3000)
# Force kill
kill -9 $( lsof -t -i :3000)
Debug “Address Already in Use”# 1
2
3
4
5
6
# What's already using port 8080?
lsof -i :8080
# Sample output:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
# node 1234 user 21u IPv4 12345 0t0 TCP *:http-alt (LISTEN)
Find Deleted Files Still Open# 1
2
3
4
5
# Files marked deleted but still open (disk space won't free)
lsof | grep deleted
# Or more specifically
lsof +L1
This is common when log files are deleted but the process still has them open.
Check What’s Writing to a File# 1
2
3
4
5
# Who's writing to this log?
lsof /var/log/app.log
# Follow file descriptor
lsof -p $( pgrep app) | grep log
Debug NFS Issues# 1
2
3
4
5
# Find processes using NFS mount
lsof +D /nfs/share
# Find stale NFS handles
lsof | grep -i nfs
Monitor Network Activity# 1
2
3
4
5
# Watch connections in real-time
watch 'lsof -i -n | head -20'
# Count connections per process
lsof -i | awk '{print $1}' | sort | uniq -c | sort -rn
Find Open Files by Process Name# 1
2
3
4
5
6
7
8
# All files nginx has open
lsof -c nginx
# Count open files
lsof -c nginx | wc -l
# Just regular files
lsof -c nginx | grep REG
Debug “Too Many Open Files”# 1
2
3
4
5
6
7
8
# Count open files per process
lsof -u username | awk '{print $2}' | sort | uniq -c | sort -rn | head
# Check process limit
cat /proc/1234/limits | grep "open files"
# Count for specific PID
lsof -p 1234 | wc -l
Understanding Output# C n n n n O g g g g M i i i i M n n n n A x x x x N D 1 1 1 1 P 2 2 2 2 I 3 3 3 3 D 4 4 4 4 U r r r r S o o o o E o o o o R t t t t c r t F w t x 6 D d d t u T I Y D D R P P I I E v E R R G 4 D E 2 2 2 1 V 5 5 5 2 I 3 3 3 3 C , , , 4 E 1 1 1 5 S I 1 Z 2 E 3 / 4 4 4 O 0 0 5 0 F 9 9 6 t F 6 6 7 0 1 2 N 3 O 4 T D 5 C E 2 2 6 P N / / / * A u : M s 8 E r 0 / s ( b L i I n S / T n E g N i ) n x
FD (File Descriptor):
cwd = current working directoryrtd = root directorytxt = program text (executable)mem = memory-mapped file0u, 1u, 2u = stdin, stdout, stderrNumbers = file descriptors (u=read/write, r=read, w=write) TYPE:
REG = regular fileDIR = directoryCHR = character deviceBLK = block deviceFIFO = named pipeUNIX = Unix domain socketIPv4/IPv6 = network connectionlsof can be slow on systems with many open files. Use filters to narrow scope:
1
2
3
4
5
6
7
8
# Slow (scans everything)
lsof | grep pattern
# Fast (only checks specific file)
lsof /specific/file
# Fast (only checks network)
lsof -i :8080
Quick Reference# Task Command Who’s using file lsof /path/to/fileWho’s using port lsof -i :portProcess’s open files lsof -p PIDUser’s open files lsof -u usernameJust PIDs lsof -t ...Network only lsof -iTCP listeners lsof -i TCP | grep LISTENDeleted but open lsof +L1
lsof answers “what’s using this?” — whether “this” is a file, port, or filesystem. Combine it with kill, and you can quickly resolve “resource busy” and “address in use” errors. It’s one of those tools that seems unnecessary until you need it, then becomes indispensable.