Today we are going to use the terminal to
list the files opened by a process in Linux
. This is a very common task, which we will have to face sooner or later if we manage Linux servers, so better be prevented.
In my case, the need to list the files opened by a process has arisen because I
needed to find out where a demon was recording its activity
. This activity knew that he recorded it in a file, but he did not know its location. So I got down to work and it was when the
command appeared to fix the problem.
How to list the files opened by a process in Linux with the lsof command.
As I anticipated, the command we will use will be
, which is available in all Linux distributions, * BSD, etc. It is a very flexible command and that can get us out of more than a hurry.
The most basic use is to execute the
command and we will have a
list with all the files opened by processes
. This list is usually very extensive, so we will need to filter it to find what we are looking for, but we will see this later.
Basis for understanding the output of the lsof command.
If we look at the output of the
command, we see that it shows us the information organized in different columns. Most of the columns will recognize its meaning intuitively
(pid, user, name, etc)
, but others
(FD, Type, etc.)
may be somewhat strange, so we will explain its meaning quickly.
column shows the
. The possible values "‹"‹of FD are:
: refers to the current
: refers to a text file.
: reference to a memory mapping file.
: refers to a mapped memory device.
: sometimes a number will be displayed that refers to the file descriptor. This number will be followed by the letters
(open file for read only)
(open file for write)
(open file for read and write)
On the other hand, the
column can display the following values:
: regular file.
: First In First Out
(first in, first out)
: special character file.
There are more values "‹"‹that FD and TYPE coulmnas can adopt, but in this tutorial I only collect the most common ones. If you need more information, do not hesitate to go to the help page with the
Practical examples of using the lsof command.
We are going to see a series of examples that are used regularly during system administration tasks.
List the files opened by a specific process.
list the files opened by a specific process we will
need to first find out your PID. The easiest way to
find out the PID of a process by
knowing its name is with the
As an example we are going to imagine that we want to find out the PID of the MySQL server process, for which I execute the
command. This command returns the number of the PID, which as an example we will assume is
Once I have found out the PID, I just have to execute the
lsof -p PID
command, which by transferring it to our example would be
sudo lsof -p 1009
This command is the one I use most and allows me to
quickly find out the paths of the log files
(it is necessary to run lsof with root permissions)
List the files opened by a specific user.
Thanks to this command we can also
list the files opened by a specific user
. In this case the command to execute would be
lsof -u nombre_usuario
As an example, we will list all files opened by the user
, commonly used on Apache servers, with the
sudo lsof -u www-data
List the processes that have opened a specific file.
Sometimes we will know the path of the open file and we will need to find out which process has opened that file. In this case, the command would be
We will give an example in which we will find out which process has opened the file
, which as we can expect will be the process or processes corresponding to an Apache server. In this case the command would be
sudo lsof /var/log/apache2/access.log
List open files in a directory.
Another interesting option is to list all open files that are under the same directory. The command to execute would be
lsof +D /ruta/ejemplo/directorio/
In this way, we can execute a very useful command to find out the open log files of the system. For this, we just have to execute the
sudo lsof +D /var/log/
List all network and internet files.
A process can not only open a file or folder, it can also open a connection, a socket, a stream, etc. With the following command we can list all open network and internet files:
sudo lsof -i