Lsof

Last updated December 25, 2024

lsof

Original author(s)	Victor A. Abell
Initial release	1991;33 years ago (1991)^[1]

Stable release	4.99.4^[2] / 18 November 2024;36 days ago (18 November 2024)

Repository	github.com/lsof-org/lsof
Written in	C
Operating system	Linux, FreeBSD, macOS, Solaris, NetBSD and OpenBSD
Platform	Cross-platform
License	BSD license-compatible^[3]
Website	lsof.readthedocs.io

lsof is a command meaning "list open files", which is used in many Unix-like systems to report a list of all open files and the processes that opened them. This open source utility was developed and supported by Victor A. Abell, the retired Associate Director of the Purdue University Computing Center. It works in and supports several Unix flavors.^[4]

History
Examples
Lsof output
See also
References
External links

A replacement for Linux, lsfd, is included in util-linux.^[5]

History

In 1985, Cliff Spencer publishes the ofiles command. Its man page says: "ofiles – who has a file open [...] displays the owner and id of any process accessing a specified device". Spencer compiled it for 4.2BSD and ULTRIX.^[6] Moreover, in the newsgroup net.unix-wizards, he further remarks:^[7]

With all the chatter about dismounting active file systems, I have posted my program to indicate who is using a particular filesystem, "ofiles" to net.sources.

In 1988, the command fstat ("file status") appears as part of the 4.3BSD-Tahoe release. Its man page says:^[8]

fstat identifies open files. A file is considered open if a process has it open, if it is the working directory for a process, or if it is an active pure text file. If no options are specified, fstat reports on all open files.

In 1989, in comp.sources.unix, Vic Abell publishes ports of the ofiles and fstat commands from 4.3BSD-Tahoe to "DYNIX 3.0.1[24] for Sequent Symmetry and Balance, SunOS 4.0 and ULTRIX 2.2".^[9]^[10] Various people had evolved and ported ofiles over the years. Abell contrasted the commands as follows:^[10]

Fstat is similar to the ofiles program which I recently submitted. Like ofiles, fstat identifies open files. It's orientation differs slightly from that of ofiles: ofiles starts with a file name and paws through the proc and user structures to identify the file; fstat reads all the proc and user structures, displaying information in all files, optionally applying a few filters to the output (including a single file name filter.)
In combination with netstat -aA and grep, fstat will identify the process associated with a network connection, just as will ofiles.

In 1991, Vic Abell publishes lsof version 1.0 to comp.sources.unix. He notes:^[1]

Lsof (for LiSt Open Files) lists files opened by processes on selected Unix systems. It is my answer to those who regularly ask me when I am going to make fstat (comp.sources.unix volume 18, number 107) or ofiles (volume 18, number 57) available on SunOS 4.1.1 or the like.
Lsof is a complete redesign of the fstat/ofiles series, based on the SunOS vnode model. Thus, it has been tested on AIX 3.1.[357], HP-UX [78].x, NeXTStep 2.[01], Sequent Dynix 3.0.12 and 3.1.2, and Sunos 4.1 and 4.1.1. Using available kernel access methods, such as nlist() and kvm_read(), lsof reads process table entries, user areas and file pointers to reach the underlying structures that describe files opened by processes.

In 2018, Vic Abbell publishes lsof version 4.92. The same year, he initiates the transfer of responsibility. He writes:^[11]

I will reach 80 years of age later this year and I think it's time for me to end my work on general lsof revision releases.

The lsof code is put on Github and maintenance is transferred.^[11]^[12]

Examples

Open files in the system include disk files, named pipes, network sockets and devices opened by all processes. One use for this command is when a disk cannot be unmounted because (unspecified) files are in use. The listing of open files can be consulted (suitably filtered if necessary) to identify the process that is using the files.

# lsof/var COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF   NODE NAMEsyslogd     350     root    5w  VREG  222,5        0 440818 /var/adm/messagessyslogd     350     root    6w  VREG  222,5   339098   6248 /var/log/syslogcron        353     root  cwd   VDIR  222,5      512 254550 /var -- atjobs

To view the port associated with a daemon:

# lsof-i-n-P|grepsendmail sendmail  31649    root    4u  IPv4 521738       TCP *:25 (LISTEN)

From the above one can see that "sendmail" is listening on its standard port of "25".

-i: Lists IP sockets.
-n: Do not resolve hostnames (no DNS).
-P: Do not resolve port names (list port number instead of its name).

One can also list Unix Sockets by using lsof -U.

Lsof output

The lsof output describes:

the identification number of the process (PID) that has opened the file;
the process group identification number (PGID) of the process (optional);
the process identification number of the parent process (PPID) (optional);
the command the process is executing;
the owner of the process;
for all files in use by the process, including the executing text file and the shared libraries it is using:
- the file descriptor number of the file, if applicable;
- the file's access mode;
- the file's lock status;
- the file's device numbers;
- the file's inode number;
- the file's size or offset;
- the name of the file system containing the file;
- any available components of the file's path name;
- the names of the file's stream components;
- the file's local and remote network addresses;
- the TLI network (typically UDP) state of the file;
- the TCP state, read queue length, and write queue length of the file;
- the file's TCP window read and write lengths (Solaris only); and
- other file or dialect-specific values.

For a complete list of options, see the Lsof(8) Linux manual page.^[13]

Related Research Articles

The Portable Operating System Interface is a family of standards specified by the IEEE Computer Society for maintaining compatibility between operating systems. POSIX defines application programming interfaces (APIs), along with command line shells and utility interfaces, for software compatibility (portability) with variants of Unix and other operating systems. POSIX is also a trademark of the IEEE. POSIX is intended to be used by both application and system developers.

In computing, traceroute and tracert are diagnostic command-line interface commands for displaying possible routes (paths) and transit delays of packets across an Internet Protocol (IP) network.

A Berkeley (BSD) socket is an application programming interface (API) for Internet domain sockets and Unix domain sockets, used for inter-process communication (IPC). It is commonly implemented as a library of linkable modules. It originated with the 4.2BSD Unix operating system, which was released in 1983.

rsync File synchronization protocol and software

rsync is a utility for transferring and synchronizing files between a computer and a storage drive and across networked computers by comparing the modification times and sizes of files. It is commonly found on Unix-like operating systems and is under the GPL-3.0-or-later license.

Unix System V is one of the first commercial versions of the Unix operating system. It was originally developed by AT&T and first released in 1983. Four major versions of System V were released, numbered 1, 2, 3, and 4. System V Release 4 (SVR4) was commercially the most successful version, being the result of an effort, marketed as Unix System Unification, which solicited the collaboration of the major Unix vendors. It was the source of several common commercial Unix features. System V is sometimes abbreviated to SysV.

The Berkeley r-commands are a suite of computer programs designed to enable users of one Unix system to log in or issue commands to another Unix computer via TCP/IP computer network. The r-commands were developed in 1982 by the Computer Systems Research Group at the University of California, Berkeley, based on an early implementation of TCP/IP.

In computing, netstat is a command-line network utility that displays open network sockets, routing tables, and a number of network interface and network protocol statistics. It is available on Unix, Plan 9, Inferno, and Unix-like operating systems including macOS, Linux, Solaris and BSD. It is also available on IBM OS/2 and on Microsoft Windows NT-based operating systems including Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10.

In Unix-based computer operating systems, init is the first process started during booting of the operating system. Init is a daemon process that continues running until the system is shut down. It is the direct or indirect ancestor of all other processes and automatically adopts all orphaned processes. Init is started by the kernel during the booting process; a kernel panic will occur if the kernel is unable to start it, or it should die for any reason. Init is typically assigned process identifier 1.

inetd is a super-server daemon on many Unix systems that provides Internet services. For each configured service, it listens for requests from connecting clients. Requests are served by spawning a process which runs the appropriate executable, but simple services such as echo are served by inetd itself. External executables, which are run on request, can be single- or multi-threaded. First appearing in 4.3BSD, it is generally located at /usr/sbin/inetd. inetd is based on the (service) activator pattern

In computer networking, xinetd is an open-source super-server daemon which runs on many Unix-like systems, and manages Internet-based connectivity.

The history of Unix dates back to the mid-1960s, when the Massachusetts Institute of Technology, Bell Labs, and General Electric were jointly developing an experimental time-sharing operating system called Multics for the GE-645 mainframe. Multics introduced many innovations, but also had many problems. Bell Labs, frustrated by the size and complexity of Multics but not its aims, slowly pulled out of the project. Their last researchers to leave Multics – among them Ken Thompson, Dennis Ritchie, Doug McIlroy, and Joe Ossanna – decided to redo the work, but on a much smaller scale.

The NetWare Core Protocol (NCP) is a network protocol used in some products from Novell, Inc. It is usually associated with the client-server operating system Novell NetWare which originally supported primarily MS-DOS client stations, but later support for other platforms such as Microsoft Windows, the classic Mac OS, Linux, Windows NT, Mac OS X, and various flavors of Unix was added.

In computer networking, STREAMS is the native framework in Unix System V for implementing character device drivers, network protocols, and inter-process communication. In this framework, a stream is a chain of coroutines that pass messages between a program and a device driver. STREAMS originated in Version 8 Research Unix, as Streams.

A network socket is a software structure within a network node of a computer network that serves as an endpoint for sending and receiving data across the network. The structure and properties of a socket are defined by an application programming interface (API) for the networking architecture. Sockets are created only during the lifetime of a process of an application running in the node.

The Unix command fuser is used to show which processes are using a specified computer file, file system, or Unix socket.

The Berkeley Software Distribution (BSD), also known as Berkeley Unix or BSD Unix, is a discontinued Unix operating system developed and distributed by the Computer Systems Research Group (CSRG) at the University of California, Berkeley beginning in 1978. It began as an improved derivative of AT&T's original Unix that was developed at Bell Labs, based on the source code but over time diverging into its own code. BSD would become a pioneer in the advancement of Unix and computing.

A Unix-like operating system is one that behaves in a manner similar to a Unix system, although not necessarily conforming to or being certified to any version of the Single UNIX Specification. A Unix-like application is one that behaves like the corresponding Unix command or shell. Although there are general philosophies for Unix design, there is no technical standard defining the term, and opinions can differ about the degree to which a particular operating system or application is Unix-like. Some well-known examples of Unix-like operating systems include Linux, FreeBSD and OpenBSD. These systems are often used on servers as well as on personal computers and other devices. Many popular applications, such as the Apache web server and the Bash shell, are also designed to be used on Unix-like systems.

In Unix and operating systems inspired by it, the file system is considered a central component of the operating system. It was also one of the first parts of the system to be designed and implemented by Ken Thompson in the first experimental version of Unix, dated 1969.

The history of the Berkeley Software Distribution began in the 1970s when University of California, Berkeley received a copy of Unix. Professors and students at the university began adding software to the operating system and released it as BSD to select universities. Since it contained proprietary Unix code, it originally had to be distributed subject to AT&T licenses. The bundled software from AT&T was then rewritten and released as free software under the BSD license. However, this resulted in a lawsuit with Unix System Laboratories, the AT&T subsidiary responsible for Unix. Eventually, in the 1990s, the final versions of BSD were publicly released without any proprietary licenses, which led to many descendants of the operating system that are still maintained today.

References

1 2 "v25i002: lsof - a successor to fstat and ofiles". comp.sources.unix. Archived from the original on 2023-01-10. Retrieved 2023-04-13.
↑ "Release lsof 4.99.4 · lsof-org/lsof" . Retrieved 18 November 2024.
↑ lsof FAQ, 1.9 Is there an lsof license?
↑ W. Richard Stevens; Bill Fenner; Andrew M. Rudoff (2003), Unix Network Programming: the Sockets networking API, Addison-Wesley Professional, ISBN 978-0-13-141155-5
↑ "RFC: lsfd, a brand new Linux specific replacement for lsof #1418". Archived from the original on 2023-02-19. Retrieved 2023-02-19.
↑ Spencer, Cliff. "ofiles(8)". groups.google.com. net.sources. Archived from the original on 2023-04-13. Retrieved 2023-04-13.
↑ Spencer, Cliff. ""ofiles" posted to net.sources". groups.google.com. net.unix-wizards. Archived from the original on 2023-04-13. Retrieved 2023-04-13.
↑ "FSTAT(8)". www.tuhs.org. 4.3BSD-Tahoe.
↑ "v18i057: REVISED ofiles, doesn't need Sun source". comp.sources.unix.
1 2 "v18i107: Show all open files status". comp.sources.unix.
1 2 "lsof has moved to GitHub and has a new release · Issue #39572 · Homebrew/homebrew-core". GitHub. Archived from the original on 2023-04-13. Retrieved 2023-04-13.
↑ "lsof maintaining.md". GitHub. lsof-org. 10 April 2023. Archived from the original on 13 April 2023. Retrieved 13 April 2023.
↑ "lsof" . Retrieved 16 July 2020.

External links

Old site
lsof-l mailing list
mirror of legacy sources
lsof(8) – Linux Administration and Privileged Commands Manual
lsof(8) – Darwin and macOS System Manager's Manual
Using lsof
Lsof FAQ
Sam Nelson's PCP script, an alternative to "lsof -i" for Solaris.
Glsof is two separate utilities (Queries and Filemonitor) based on lsof.
Sloth is a macOS graphical interface for lsof
Manpage of LSOF

v t e Unix command-line interface programs and shell builtins
File system	cat chattr chmod chown chgrp cksum cmp cp dd du df file fuser ln ls mkdir mv pax pwd rm rmdir split tee touch type umask
Processes	at bg crontab fg kill nice ps time
User environment	env exit logname mesg talk tput uname who write
Text processing	awk basename comm csplit cut diff dirname ed ex fold head iconv join m4 more nl paste patch printf read sed sort strings tail tr troff uniq vi wc xargs
Shell builtins	alias cd echo test unset wait
Searching	find grep
Documentation	man
Software development	ar ctags lex make nm strip yacc
Miscellaneous	bc cal expr lp od sleep true and false
Categories Standard Unix programs Unix SUS2008 utilities List

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.