Linux
How to manage running processes with the lsof command in Linux
Introduction
In Linux, the lsof command allows us to list all files that are currently open by running processes on our computer. But what exactly is a process? A process is a running instance of a program. Any time you execute a command or open an application, a process is started on your computer that will actively use resources or perform tasks within your operating system. The lsof command is one of the many commands used in Linux to manage these running processes. In this tutorial, we will learn the basics behind the lsof command and its most commonly used flags. By the end of this guide, you will have a full grasp of how the lsof command is used in daily tasks.
Basic Usage
To get started with the lsof command, you may need to install the command with:
apt-get update && apt-get install lsof
Now, all you need to do is open your terminal and type lsof. As you will see, the output is so long that it becomes unmanageable pretty quickly. Let's filter the output down a bit by piping it into the head command like so:
lsof | head
As you can see, this output is much more manageable. But what exactly does each of these columns mean?
Output Meaning
Well, some are more important than others, so let's go over the important column meanings:
COMMAND - The first column is the command column. This column shows the name of the process associated with the open file. However, the name of the process may not be the full command used to run the process. For example, npm run dev may start a dev server, but the output from the lsof command may just be node.
PID - PID stands for process ID, and it represents the ID of the process that is opening a given file.
USER - This is the user that owns the open file.
TYPE - There are several different types of files on a Linux machine. The most common file types are REG and DIR, which stand for regular file and directory respectively. There are also other file types that are worth being aware of, including:
A Block Special File is a file that provides buffered access to your computer's underlying hardware.
A Character Special File is a file that provides unbuffered access to your computer's underlying hardware. An example use case for a Character Special File would be the files necessary to use your mouse.
A network file is a file type that : IPV4 or IPV6
NAME - The last column is the name of the file (e.g. example.txt).
Flags
The lsof command has several flags that can help filter the output for the correct open files including:
i - The -i flag will filter open files by their network address information, including protocol, host, and port. For example, the following command will list all open files that use the TCP protocol:
lsof -i TCP
If I would like to further filter this output for only TCP connections running on localhost, then I might run:
lsof -i TCP@localhost
Finally, I can filter even further by including a port:
lsof -i TCP@localhost:3000
u - Every process has a user ID associated with the file. The -u flag will filter by the user associated with that file. For example, lsof -u rob will filter for all open files associated with rob.
c - This flag will filter by the COMMAND column of the output. If we want to filter the files that were opened by node, we could run:
lsof -c node
p - If we already know the process ID of the open file we are looking for, we can filter by process ID with the -p flag like so:
lsof -p <PID>
If you would like to filter for other information, there are several other flags you can use with this command; however, I found that these flags are more commonly used in practice. The lsof --help command will allow you to dig deeper into other flags.
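The -i filter and the COMMAND, PID, USER and NAME columns described above can be combined into a quick check of which processes are listening on TCP and whether they are bound to loopback only. This is an added example, not part of the original tutorial: the sample output is constructed, the function names are hypothetical, and -n and -P (numeric hosts and ports) are lsof options the tutorial does not cover.

```shell
#!/bin/sh
# Added example: list TCP listeners from lsof column output and mark exposure.

# Constructed sample in the shape of `lsof -n -P -i TCP` output (not a real host).
sample_lsof_output() {
cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
node     4121  rob   23u  IPv4  48211      0t0  TCP 127.0.0.1:3000 (LISTEN)
node     4121  rob   27u  IPv4  48990      0t0  TCP 127.0.0.1:3000->127.0.0.1:51544 (ESTABLISHED)
sshd      812 root    3u  IPv4  19004      0t0  TCP *:22 (LISTEN)
sshd      812 root    4u  IPv6  19006      0t0  TCP *:22 (LISTEN)
postgres  990   pg    5u  IPv4  20110      0t0  TCP 10.0.0.5:5432 (LISTEN)
EOF
}

# Read lsof column output on stdin and print one line per listening socket:
#   <scope> <USER> <COMMAND> <PID> <address>
# scope is "local" for loopback binds and "exposed" for every other address.
# Duplicate rows (same process and address on IPv4 and IPv6) are printed once.
list_listeners() {
    awk 'NR > 1 && $NF == "(LISTEN)" {
        addr = $(NF - 1)                      # NAME column without the state
        scope = (addr ~ /^(127\.|\[::1\]|localhost:)/) ? "local" : "exposed"
        key = scope " " $3 " " $1 " " $2 " " addr
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Count listeners that are reachable from other hosts.
count_exposed() {
    list_listeners | awk '$1 == "exposed" { n++ } END { print n + 0 }'
}

# Run against the live system with "live" as the first argument,
# otherwise against the constructed sample above.
if [ "${1:-}" = "live" ] && command -v lsof >/dev/null 2>&1; then
    lsof -n -P -i TCP | list_listeners
else
    sample_lsof_output | list_listeners
fi
```

On the sample, the node dev server shows as local while sshd and postgres show as exposed; the ESTABLISHED row is ignored because it is a connection, not a listener.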
Exclude with ^
Another helpful tool is the ^ operator. This operator can be used in combination with any of the flags above to exclude certain files from the output. For example, if I wanted to filter for all files that are not TCP connections, I could execute:
lsof -i ^TCP
Similarly, if I wanted to filter for processes that are not associated with the user rob, I could write:
lsof -u ^rob
Conclusion
In conclusion, the lsof command stands for list open files and is a critical tool for process monitoring in Linux. In this tutorial we covered the basic usage of the lsof command, common flags, and the exclude operator to filter for the open files and processes that we are most concerned about. Hopefully you are now confident and ready to tackle any process monitoring task with this super useful command.