Lsof

Last updated November 13, 2023

lsof

Original author(s)	Victor A. Abell
Initial release	1991;32 years ago (1991)^[1]

Stable release	4.99^[2] / 10 November 2023;2 days ago (10 November 2023)

Repository	github.com/lsof-org/lsof
Written in	C
Operating system	Linux, FreeBSD, macOS, Solaris, NetBSD and OpenBSD
Platform	Cross-platform
License	BSD license-compatible^[3]
Website	lsof.readthedocs.io

lsof is a command meaning "list open files", which is used in many Unix-like systems to report a list of all open files and the processes that opened them. This open source utility was developed and supported by Victor A. Abell, the retired Associate Director of the Purdue University Computing Center. It works in and supports several Unix flavors.^[4]

History
Examples
Lsof output
See also
References
External links

A replacement for Linux, lsfd, is included in util-linux.^[5]

History

In 1985, Cliff Spencer publishes the ofiles command. Its man page says: "ofiles – who has a file open [...] displays the owner and id of any process accessing a specified device". Spencer compiled it for 4.2BSD and ULTRIX.^[6] Moreover, in the newsgroup net.unix-wizards, he further remarks:^[7]

With all the chatter about dismounting active file systems, I have posted my program to indicate who is using a particular filesystem, "ofiles" to net.sources.

In 1988, the command fstat ("file status") appears as part of the 4.3BSD-Tahoe release. Its man page says:^[8]

fstat identifies open files. A file is considered open if a process has it open, if it is the working directory for a process, or if it is an active pure text file. If no options are specified, fstat reports on all open files.

In 1989, in comp.sources.unix, Vic Abell publishes ports of the ofiles and fstat commands from 4.3BSD-Tahoe to "DYNIX 3.0.1[24] for Sequent Symmetry and Balance, SunOS 4.0 and ULTRIX 2.2".^[9]^[10] Various people had evolved and ported ofiles over the years. Abell contrasted the commands as follows:^[10]

Fstat is similar to the ofiles program which I recently submitted. Like ofiles, fstat identifies open files. It's orientation differs slightly from that of ofiles: ofiles starts with a file name and paws through the proc and user structures to identify the file; fstat reads all the proc and user structures, displaying information in all files, optionally applying a few filters to the output (including a single file name filter.)
In combination with netstat -aA and grep, fstat will identify the process associated with a network connection, just as will ofiles.

In 1991, Vic Abell publishes lsof version 1.0 to comp.sources.unix. He notes:^[1]

Lsof (for LiSt Open Files) lists files opened by processes on selected Unix systems. It is my answer to those who regularly ask me when I am going to make fstat (comp.sources.unix volume 18, number 107) or ofiles (volume 18, number 57) available on SunOS 4.1.1 or the like.
Lsof is a complete redesign of the fstat/ofiles series, based on the SunOS vnode model. Thus, it has been tested on AIX 3.1.[357], HP-UX [78].x, NeXTStep 2.[01], Sequent Dynix 3.0.12 and 3.1.2, and Sunos 4.1 and 4.1.1. Using available kernel access methods, such as nlist() and kvm_read(), lsof reads process table entries, user areas and file pointers to reach the underlying structures that describe files opened by processes.

In 2018, Vic Abbell publishes lsof version 4.92. The same year, he initiates the transfer of responsibility. He writes:^[11]

I will reach 80 years of age later this year and I think it's time for me to end my work on general lsof revision releases.

The lsof code is put on Github and maintenance is transferred.^[11]^[12]

Examples

Open files in the system include disk files, named pipes, network sockets and devices opened by all processes. One use for this command is when a disk cannot be unmounted because (unspecified) files are in use. The listing of open files can be consulted (suitably filtered if necessary) to identify the process that is using the files.

# lsof/var COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF   NODE NAMEsyslogd     350     root    5w  VREG  222,5        0 440818 /var/adm/messagessyslogd     350     root    6w  VREG  222,5   339098   6248 /var/log/syslogcron        353     root  cwd   VDIR  222,5      512 254550 /var -- atjobs

To view the port associated with a daemon:

# lsof-i-n-P|grepsendmail sendmail  31649    root    4u  IPv4 521738       TCP *:25 (LISTEN)

From the above one can see that "sendmail" is listening on its standard port of "25".

-i: Lists IP sockets.
-n: Do not resolve hostnames (no DNS).
-P: Do not resolve port names (list port number instead of its name).

One can also list Unix Sockets by using lsof -U.

Lsof output

The lsof output describes:

the identification number of the process (PID) that has opened the file;
the process group identification number (PGID) of the process (optional);
the process identification number of the parent process (PPID) (optional);
the command the process is executing;
the owner of the process;
for all files in use by the process, including the executing text file and the shared libraries it is using:
- the file descriptor number of the file, if applicable;
- the file's access mode;
- the file's lock status;
- the file's device numbers;
- the file's inode number;
- the file's size or offset;
- the name of the file system containing the file;
- any available components of the file's path name;
- the names of the file's stream components;
- the file's local and remote network addresses;
- the TLI network (typically UDP) state of the file;
- the TCP state, read queue length, and write queue length of the file;
- the file's TCP window read and write lengths (Solaris only); and
- other file or dialect-specific values.

For a complete list of options, see the Lsof(8) Linux manual page.^[13]

Related Research Articles

In computing, traceroute and tracert are computer network diagnostic commands for displaying possible routes (paths) and measuring transit delays of packets across an Internet Protocol (IP) network. The history of the route is recorded as the round-trip times of the packets received from each successive host in the route (path); the sum of the mean times in each hop is a measure of the total time spent to establish the connection. Traceroute proceeds unless all sent packets are lost more than twice; then the connection is lost and the route cannot be evaluated. Ping, on the other hand, only computes the final round-trip times from the destination point.

Berkeley sockets is an application programming interface (API) for Internet sockets and Unix domain sockets, used for inter-process communication (IPC). It is commonly implemented as a library of linkable modules. It originated with the 4.2BSD Unix operating system, which was released in 1983.

<span class="mw-page-title-main">Ultrix</span> Series of discontinued Unix operating systems by DEC

Ultrix is the brand name of Digital Equipment Corporation's (DEC) discontinued native Unix operating systems for the PDP-11, VAX, MicroVAX and DECstations.

Unix security refers to the means of securing a Unix or Unix-like operating system. A secure environment is achieved not only by the design concepts of these operating systems, but also through vigilant user and administrative practices.

Unix System V is one of the first commercial versions of the Unix operating system. It was originally developed by AT&T and first released in 1983. Four major versions of System V were released, numbered 1, 2, 3, and 4. System V Release 4 (SVR4) was commercially the most successful version, being the result of an effort, marketed as Unix System Unification, which solicited the collaboration of the major Unix vendors. It was the source of several common commercial Unix features. System V is sometimes abbreviated to SysV.

The Berkeley r-commands are a suite of computer programs designed to enable users of one Unix system to log in or issue commands to another Unix computer via TCP/IP computer network. The r-commands were developed in 1982 by the Computer Systems Research Group at the University of California, Berkeley, based on an early implementation of TCP/IP.

In computing, netstat is a command-line network utility that displays network connections for Transmission Control Protocol, routing tables, and a number of network interface and network protocol statistics. It is available on Unix, Plan 9, Inferno, and Unix-like operating systems including macOS, Linux, Solaris and BSD. It is also available on IBM OS/2 and on Microsoft Windows NT-based operating systems including Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10.

The seven standard Unix file types are regular, directory, symbolic link, FIFO special, block special, character special, and socket as defined by POSIX. Different OS-specific implementations allow more types than what POSIX requires. A file's type can be identified by the ls -l command, which displays the type in the first character of the file-system permissions field.

rm is a basic command on Unix and Unix-like operating systems used to remove objects such as computer files, directories and symbolic links from file systems and also special files such as device nodes, pipes and sockets, similar to the del command in MS-DOS, OS/2, and Microsoft Windows. The command is also available in the EFI shell.

In Unix-based computer operating systems, init is the first process started during booting of the operating system. Init is a daemon process that continues running until the system is shut down. It is the direct or indirect ancestor of all other processes and automatically adopts all orphaned processes. Init is started by the kernel during the booting process; a kernel panic will occur if the kernel is unable to start it, or it should die for any reason. Init is typically assigned process identifier 1.

inetd is a super-server daemon on many Unix systems that provides Internet services. For each configured service, it listens for requests from connecting clients. Requests are served by spawning a process which runs the appropriate executable, but simple services such as echo are served by inetd itself. External executables, which are run on request, can be single- or multi-threaded. First appearing in 4.3BSD, it is generally located at /usr/sbin/inetd. inetd is based on the (service) activator pattern

In computer networking, xinetd is an open-source super-server daemon which runs on many Unix-like systems, and manages Internet-based connectivity.

The history of Unix dates back to the mid-1960s, when the Massachusetts Institute of Technology, AT&T Bell Labs, and General Electric were jointly developing an experimental time-sharing operating system called Multics for the GE-645 mainframe. Multics introduced many innovations, but also had many problems. Bell Labs, frustrated by the size and complexity of Multics but not its aims, slowly pulled out of the project. Their last researchers to leave Multics – among them Ken Thompson, Dennis Ritchie, Doug McIlroy, and Joe Ossanna – decided to redo the work, but on a much smaller scale.

A network socket is a software structure within a network node of a computer network that serves as an endpoint for sending and receiving data across the network. The structure and properties of a socket are defined by an application programming interface (API) for the networking architecture. Sockets are created only during the lifetime of a process of an application running in the node.

The Unix command fuser is used to show which processes are using a specified computer file, file system, or Unix socket.

The Berkeley Software Distribution or Berkeley Standard Distribution (BSD) is a discontinued operating system based on Research Unix, developed and distributed by the Computer Systems Research Group (CSRG) at the University of California, Berkeley. The term "BSD" commonly refers to its open-source descendants, including FreeBSD, OpenBSD, NetBSD, and DragonFly BSD.

The program ttcp is a utility for measuring network throughput, popular on Unix systems. It measures the network throughput between two systems using the TCP or optionally UDP protocols. It was written by Mike Muuss and Terry Slattery at BRL sometime before December 1984, to compare the performance of TCP stacks by the Computer Systems Research Group (CSRG) of the University of California, Berkeley and Bolt, Beranek and Newman (BBN) to help DARPA decide which version to place in 4.3BSD.

In Unix and operating systems inspired by it, the file system is considered a central component of the operating system. It was also one of the first parts of the system to be designed and implemented by Ken Thompson in the first experimental version of Unix, dated 1969.

The History of the Berkeley Software Distribution begins in the 1970s.

References

1 2 "v25i002: lsof - a successor to fstat and ofiles". comp.sources.unix.
↑ "Release lsof-4.99.0 · lsof-org/lsof".
↑ lsof FAQ, 1.9 Is there an lsof license?
↑ W. Richard Stevens; Bill Fenner; Andrew M. Rudoff (2003), Unix Network Programming: the Sockets networking API, Addison-Wesley Professional, ISBN 978-0-13-141155-5
↑ RFC: lsfd, a brand new Linux specific replacement for lsof #1418
↑ Spencer, Cliff. "ofiles(8)". groups.google.com. net.sources.
↑ Spencer, Cliff. ""ofiles" posted to net.sources". groups.google.com. net.unix-wizards.
↑ "FSTAT(8)". www.tuhs.org. 4.3BSD-Tahoe.
↑ "v18i057: REVISED ofiles, doesn't need Sun source". comp.sources.unix.
1 2 "v18i107: Show all open files status". comp.sources.unix.
1 2 "lsof has moved to GitHub and has a new release · Issue #39572 · Homebrew/homebrew-core". GitHub.
↑ "lsof maintaining.md". GitHub. lsof-org. 10 April 2023.
↑ "lsof" . Retrieved 16 July 2020.

External links

Old site
lsof-l mailing list
mirror of legacy sources
lsof(8) – Linux Administration and Privileged Commands Manual
lsof(8) – Darwin and macOS System Manager's Manual
Using lsof
Lsof FAQ
Sam Nelson's PCP script, an alternative to "lsof -i" for Solaris.
Glsof is two separate utilities (Queries and Filemonitor) based on lsof.
Sloth is a macOS graphical interface for lsof
Manpage of LSOF

v t e Unix command-line interface programs and shell builtins
File system	cat chattr chmod chown chgrp cksum cmp cp dd du df file fuser ln ls mkdir mv pax pwd rm rmdir split tee touch type umask
Processes	at bg crontab fg kill nice ps time
User environment	env exit logname mesg talk tput uname who write
Text processing	awk basename comm csplit cut diff dirname ed ex fold head iconv join m4 more nl paste patch printf read sed sort strings tail tr troff uniq vi wc xargs
Shell builtins	alias cd echo test unset wait
Searching	find grep
Documentation	man
Software development	ar ctags lex make nm strip yacc
Miscellaneous	bc cal expr lp od sleep true and false
Categories Standard Unix programs Unix SUS2008 utilities List

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.