Linux lsof command. How to use it

lsof – a linux command stand for LiSt Open Files and this is what this command does.

To get more inform you can type

man lsof

info lsof

type lsof

This will give you some info which I want be explaining here as you can manuals so you use them!

The lsof program can be used to identify what files are open in a directory, find who’s accessing them, and so on.

As everything in Linux is a file and is kept in the file it also means that you can use this command to display network connections.

i parameter will select all the listing of files any of whose Internet address matches the address specified. If no address is specified, this option select the listing of all Internet.

ami@amios:~$ lsof -i
ruby    19379  ami    8u  IPv4 4682378      0t0  TCP localhost:45065 (LISTEN)

You can restrict the output of lsof by including an address after the -i option. The addres takes the following form:


The digit 4 or 6 represent an IPv4 or IPv6 connection, the protocol is the protocl type (TCP or UDP), the hostname or hostaddr is the computer hostname or IP address associated with the remote system.

ami@amios:~$ lsof -i :ftp

Nothing get displayed as I am not running a FTP service on my testbed.

Alternatively, you can replace ftp with 21, because 21 is the port number associated with FTP port.

ami@amios:~$ lsof -i | grep LISTEN
ruby    19379  ami    8u  IPv4 4682378      0t0  TCP localhost:45065 (LISTEN)

Paging through the raw output (without using grep to search for LISTEN) will provide
you with a better idea of your system’s overall network use. You could conceivably spot
something suspicious, such as an outgoing network connection to a sensitive computer
that the client shouldn’t be contacting. This network activity may indicate active cracking
attempts by a user of the client, intrusion by an outsider, or the work of an automated
worm or Trojan horse program.

If you identify programs that shouldn’t be running, such as unnecessary servers, you can
use the command name, PID, and other information to help shut them down. The preceding
section “Disabling Unused Servers” describes how to do this in more detail.
Another use of lsof is in identifying who’s accessing fi les. This might be handy if you
need to unmount a fi lesystem (including a network fi lesystem) but can’t because of in-use
fi les or if you suspect inappropriate activities involving file access.






Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s