lsof [ -?abChKlnNOPRtUvVX ]
[ ±r [t[mfmt ]] ]
[ -A A ]
[ -c commandPrefix ]
[ +c commandName width shown ]
[ ±d d ] [ ±D D ] [ ±e s ]
[ ±f [cfgGn] ] [ -F [f] ] [ -g [s] ] [ -i
[i] ] [ -k k ]
[ ±L [l] ] [ ±m m ] [ ±M ]
[ -o [o] ] [ -p s ]
[ -s [p:s] ] [ -S [t] ] [ -T [t] ] [ -u s ] [
±w ]
[ -x [fl] ] [ -z [z] ] [ -Z [Z] ]
[ -- ] [names]
As with all the documentation available here, this has been tersified and many (confusing, unnecessary) details removed. To get all the gory details see the man page on your system or ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
An open file may be a regular file, a directory, a block special file, a character special file, an executing text reference, a
library, a stream or a network file (Internet socket, NFS file or UNIX domain socket).
REG|DIR|CHR|PIPE|unix|IPv4|NPOLICY|PSXSHM|KQUEUE|systm|NEXUS
)
A specific file or all the files in a file system may be selected by path.
Runs continuously in repeat mode, -r
.
By default lists all open files belonging to all active processes. lsof | more
(not helpful)
lsof -i -utonys
all network(internet) files OR those belonging to processes owned by user tonys
.
Exceptions (indicated by a ^
prefix),
are applied without ORing or ANDing and take effect before any other selection criteria are applied.
-u
-p
-g
-c
-s [p:s]
-a
ANDs the selections.
For example: lsof -a -unetprgmr -U
produces a listing of
files that belong to processes owned by netprgmr
and are UNIX socket files.
Causes all "list selection"s to be ANDed
Items of the same selection set: command names, file descriptors, network addresses, process identifiers, user identifiers, zone
names, security contexts are joined in a single ORed set and applied before the result participates in ANDing.
For example, lsof -i@mars.cs.upenn.com -i@jupiter.cs.upenn.edu -a -ume,you
will select the listing of files that :
belong to either login me
OR you
AND have network connections to either host mars.cs.upenn.edu
OR jupiter.cs.upenn.edu
.
Multiple options can be conbined for example: -a -b -C
as -abC
.
Since value
s are optional following ±f, -F, -g, -i, ±L, -o, ±r, -s, -S, -T, -x
and -z
,
-Fn
might represent the -F
and -n
options, or it might represent the n
field identifier character following -F
.
-F -n
--
. -F -- fname
.
The +
or -
prefix may be applied to a group of options.
Options that don't take on separate meanings for each prefix ,
For example: -i
(which has no + option) may be grouped under either prefix.
For example, +M -i
may be stated as +Mi
.
When one or more options in the group does take on separate meanings under different prefixes avoid grouping. For example +M; -iM
is not the same as -i +M
Use separate options for clarity.
names |
Increase efficienrcy with options that filter at the process level - for example: -c, -g, -p, -u
.
-Di
-k
and -m
name alternate kernel name list or memory files.
When lsof user declares alternate kernel name list or memory files lsof checks the user's authority to
read them with access(2). This is intended to prevent whatever special power lsof's modes might confer on it from letting it read
files not normally accessible via the authority of the real user ID.
\[bfrnt]
form; the control character ^
form (example ^@
);
or hexadecimal \x
SIZE columns width varies for each run.
PPID |
namefs&
file system, allowing one file to be attached to another with fattach(3C), lsof will add
(FA:)&
to the NAME column. <-&
if ->&
if
Lsof may add two parenthetical notes to the NAME column for open Solaris 10 files: (?)&
if lsof considers the path name of questionable accuracy; and (deleted)&
if the -X option has been specified and lsof detects the open files path name has been deleted.
Consult the lsof FAQ (The FAQ section gives its location.) for more information on these NAME column additions.
Moreover, when a process holds several byte level locks on a file, lsof only reports the status of the first lock it encounters. If
it is a byte level lock, then the lock character will be reported in lower case - i.e., r
, w
, or x
- rather than the upper case
equivalent reported for a full file lock.
Generally lsof can only report on locks held by local processes on local files. When a local process sets a lock on a remotely mounted (e.g., NFS) file, the remote server host usually records the lock state. One exception is Solaris - at some patch levels of 2.3, and in all versions above 2.4, the Solaris kernel records information on remote locks in local structures.
Lsof has trouble reporting locks for some UNIX dialects. Consult the BUGS section of this manual page or the lsof FAQ (The FAQ sec- tion gives its location.) for more information.
Field output is process and file sets.
p
(for
process IDentifier (PID)). It extends to the beginning of the next PID field or the beginning of the first file set
f
(for file descriptor). followed by lines that describe the
file's access mode, lock state, type, device, size, offset, inode, protocol, name and stream module names.
With the NUL field terminator , process and file set with a NL (0A).
Lsof always produces one field, the PID (p
) field. All other fields may be declared optionally in the field identifier character
list that follows the -F option. When a field selection character identifies an item lsof does not normally list - e.g., PPID,
selected with -R - specification of the field character - e.g., -FR&
- also selects the listing of the item.
It is entirely possible to select a set of fields that cannot easily be parsed - e.g., if the field descriptor field is not selected, it may be difficult to identify file sets. To help you avoid this difficulty, lsof supports the -F option; it selects the output of all fields with NL terminators (the -F0 option pair selects the output of all fields with NUL terminators). For compatibility reasons neither -F nor -F0 select the raw device field.
a access mode c process command name (all characters from proc or user structure) C structure share count d device character code D major/minor device number (0x) f descriptor F structure address (0x ) G flaGs (0x ; names if +fg follows) g process group ID i inode number K tasK ID k link count l lock status L process login name m marker between repeated output n name, comment, Internet address N node identifier (ox o file's offset (decimal) p process ID (always selected) P protocol name r raw device number (0x ) R parent process ID s size (decimal) S stream identification t type T TCP/TPI information, identified by prefixes (the =
is part of the prefix): QR=queue for Read size QS=queue for Sendsize SO=socket options and values SS=socket states ST=connection state TF=TCP flags and values WR=window read size WW=window write size> u process user ID z Solaris 10 and higher zone name Z SELinux security context (inhibited when SELinux is disabled) 0 use NUL field terminator character in place of NL 1-9 dialect-specific field identifiers (The output of -F? identifies the information to be found in dialect-specific fields.)
help by specifying the -F\?
Additional information on field content can be found in the OUTPUT section.
Example:
Select the process ID (p
), command name (c
), file descriptor (f
) and file name (n
)
fields with an NL field terminator ;
-F pcfn&Selects the same output with a NUL (000) field terminator
-F pcfn0&
Lsof does not produce all fields for every process or file set, only those that are available.
Some fields are mutually exclusive:
file device characters and file major/minor device numbers; file inode number and protocol name; file name and stream identification;
file size and offset. One or the other member of these mutually exclusive sets will appear in field output, but not both.
A NUL terminator may be easier to process with xargs (1), for example, or with programs whose quoting mechanisms may not easily cope with the range of characters in the field output. When the NUL field terminator is in use, lsof ends each process and file set with a NL (012).
lsof_fields.h
contains symbols for the field identification characters,
-t
and -w
.
The default timeout, displayed with -h
The minimum for t
is two seconds, but you should avoid small values, since slow system responsiveness can cause short timeouts to expire unexpectedly
and perhaps stop lsof before it can produce any output.
When lsof has to break a block during its access of mounted file system information, it normally continues, although with less infor- mation available to display about open files.
Lsof can also be directed to avoid the protection of timers and child processes when using the kernel functions that might block by specifying the -O option. While this will allow lsof to start up with less overhead, it exposes lsof completely to the kernel situa- tions that might block it. Use this option cautiously.
First, using this option usually requires that your system supply alternate device numbers in place of the device numbers that lsof would normally obtain with the lstat(2) and stat(2) kernel functions. See the ALTERNATE DEVICE NUMBERS section for more information on alternate device numbers.
Second, you cant specify names for lsof to locate unless theyre file system names. This is because lsof needs to know the device and inode numbers of files listed with names in the lsof options, and the -b option prevents lsof from obtaining them. Moreover, since lsof only has device numbers for the file systems that have alternates, its ability to locate files on file systems depends com- pletely on the availability and accuracy of the alternates. If no alternates are available, or if theyre incorrect, lsof wont be able to locate files on the named file systems.
Third, if the names of your file system directories that lsof obtains from your system's mount table are symbolic links, lsof wont be able to resolve the links. This is because the -b option causes lsof to avoid the kernel readlink(2) function it uses to resolve sym- bolic links.
Finally, using the -b option causes lsof to issue warning messages when it needs to use the kernel functions that the -b option directs it to avoid. You can suppress these messages by specifying the -w option, but if you do, you wont see the alternate device numbers reported in the warning messages.
You can assist this process if your mount table is supported with an /etc/mtab or /etc/mnttab file that contains an options field by
adding a dev=xxxx&
field for mount points that do not have one in their options strings. Note: you must be able to edit the file -
i.e., some mount tables like recent Solaris /etc/mnttab or Linux /proc/mounts are read-only and cant be modified.
You may also be able to supply device numbers using the +m and +m m options, provided they are supported by your dialect. Check the output of lsof's -h or -? options to see if the +m and +m m options are available.
The xxxx&
portion of the field is the hexadecimal value of the file system's device number. (Consult the st_dev field of the output of the lstat(2) and stat(2) functions for the appropriate values for your file systems.) Heres an example from a Sun Solaris 2.6
/etc/mnttab
for a file system remotely mounted via NFS:
nfs ignore,noquota,dev=2a40001
There's an advantage to having dev=xxxx&
entries in your mount table file, especially for file systems that are mounted from remote
NFS servers. When a remote server crashes and you want to identify its users by running lsof on one of its clients, lsof probably
wont be able to get output from the lstat(2) and stat(2) functions for the file system. If it can obtain the file system's device
number from the mount table, it will be able to display the files open on the crashed NFS server.
Some dialects that do not use an ASCII /etc/mtab or /etc/mnttab file for the mount table may still provide an alternative device num-
ber in their internal mount tables. This includes AIX, Apple Darwin, FreeBSD, NetBSD, OpenBSD, and Tru64 UNIX. Lsof knows how to
obtain the alternative device number for these dialects and uses it when its attempt to lstat(2) or stat(2) the file system is
blocked.
If youre not sure your dialect supplies alternate device numbers for file systems from its mount table, use this lsof incantation to
see if it reports any alternate device numbers:
lsof -b
Look for standard error file warning messages that begin assuming "dev=xxxx" from ...&
.
-
characters, another space, and the name components it has located, separated
by the /
character.
When lsof is run in repeat mode - i.e., with the -r option specified - the extent to which it can report path name components for the same file may vary from cycle to cycle. That's because other running processes can cause the kernel to remove entries from its name cache and replace them with others.
Lsof's use of the kernel name cache to identify the paths of files can lead it to report incorrect components under some circum- stances. This can happen when the kernel name cache uses device and node number as a key (e.g., SCO OpenServer) and a key on a rapidly changing file system is reused. If the UNIX dialect's kernel doesnt purge the name cache entry for a file when it is unlinked, lsof may find a reference to the wrong entry in the cache. The lsof FAQ (The FAQ section gives its location.) has more information on this situation.
/dev
informationPersonal path (default); -D option; environment variable; System-wide path; Personal path, modified by an environment variable.
-h, -D?
displays device cache support.
default read-mode device cache file path that is in effect for the current invocation of lsof.
The -D? output lists the
read-only and write device cache file paths, the names of any applicable environment variables, and the personal device cache path
.
The path from which a lsof process may attempt to read a device cache file may not be the same as the path to which it can legiti- mately write. Thus when lsof senses that it needs to update the device cache file, it may choose a different path for writing it from the path from which it read an incorrect or outdated version.
If available, the -Dr option will inhibit the writing of a new device cache file. (It's always available when specified without a path name argument.)
When a new device is added to the system, the device cache file may need to be recreated. Since lsof compares the mtime of the device cache file with the mtime and ctime of the /dev (or /devices) directory, it usually detects that a new device has been added; in that case lsof issues a warning message and attempts to rebuild the device cache file.
Whenever lsof writes a device cache file, it sets its ownership to the real UID of the executing process, and its permission modes to 0600, this restricting its reading and writing to the file's owner.
LSOF PERMISSIONS THAT AFFECT DEVICE CACHE FILE ACCESS Two permissions of the lsof executable affect its ability to access device cache files. The permissions are set by the local system administrator when lsof is installed.
The first and rarer permission is setuid-root. It comes into effect when lsof is executed; its effective UID is then root, while its real (i.e., that of the logged-on user) UID is not. The lsof distribution recommends that versions for these dialects run setuid-root.
HP-UX 11.11 and 11.23 Linux
The second and more common permission is setgid. It comes into effect when the effective group IDentification number (GID) of the
lsof process is set to one that can access kernel memory devices - e.g., kmem&
, sys&
, or system&
.
An lsof process that has setgid permission usually surrenders the permission after it has accessed the kernel memory devices. When it does that, lsof can allow more liberal device cache path formations. The lsof distribution recommends that versions for these dialects run setgid and be allowed to surrender setgid permission.
AIX 5.[12] and 5.3-ML1 Apple Darwin 7.x Power Macintosh systems FreeBSD 4.x, 4.1x, 5.x and [6789].x for x86-based systems FreeBSD 5.x and [6789].x for Alpha, AMD64 and Sparc64-based systems HP-UX 11.00 NetBSD 1.[456], 2.x and 3.x for Alpha, x86, and SPARC-based systems NEXTSTEP 3.[13] for NEXTSTEP architectures OpenBSD 2.[89] and 3.[0-9] for x86-based systems OPENSTEP 4.x SCO OpenServer Release 5.0.6 for x86-based systems SCO|Caldera UnixWare 7.1.4 for x86-based systems Solaris 2.6, 8, 9 and 10 Tru64 UNIX 5.1
(Note: lsof for AIX 5L and above needs setuid-root permission if its -X option is used.)
Lsof for these dialects does not support a device cache, so the permissions given to the executable dont apply to the device cache file.
Linux
When the -D b, r, and u functions are available, you can use them to request that the cache file be built in a specific location (b[path]); read but not rebuilt (r[path]); or read and rebuilt (u[path]). The b, r, and u functions are restricted under some condi- tions. They are restricted when the lsof process is setuid-root. The path specified with the r function is always read-only, even when it is available.
The b, r, and u functions are also restricted when the lsof process runs setgid and lsof doesnt surrender the setgid permission. (See the LSOF PERMISSIONS THAT AFFECT DEVICE CACHE FILE ACCESS section for a list of implementations that normally dont surrender their setgid permission.)
A further -D function, i (for ignore), is always available.
When available, the b function tells lsof to read device information from the kernel with the stat(2) function and build a device cache file at the indicated path.
When available, the r function tells lsof to read the device cache file, but not update it. When a path argument accompanies -Dr, it names the device cache file path. The r function is always available when it is specified without a path name argument. If lsof is not running setuid-root and surrenders its setgid permission, a path name argument may accompany the r function.
When available, the u function tells lsof to attempt to read and use the device cache file. If it cant read the file, or if it finds the contents of the file incorrect or outdated, it will read information from the kernel, and attempt to write an updated version of the device cache file, but only to a path it considers legitimate for the lsof process effective and real UIDs.
A further restriction applies to a device cache file path taken from the LSOFDEVCACHE environment variable: lsof will not write a device cache file to the path if the lsof process doesnt surrender its setgid permission. (See the LSOF PERMISSIONS THAT AFFECT DEVICE CACHE FILE ACCESS section for information on implementations that dont surrender their setgid permission.)
The local system administrator can disable the use of the LSOFDEVCACHE environment variable or change its name when building lsof. Consult the output of -D? for the environment variable's name.
You can tell that a system-wide device cache file is in effect for your local installation by examining the lsof help option output - i.e., the output from the -h or -? option.
Lsof will never write to the system-wide device cache file path by default. It must be explicitly named with a -D function in a root-owned procedure. Once the file has been written, the procedure must change its permission modes to 0644 (owner-read and owner-write, group-read, and other-read).
This is lsof's fourth device cache file path choice, and is usually the default. If a system-wide device cache file path was defined when lsof was built, this fourth choice will be applied when lsof cant find the system-wide device cache file. This is the only time lsof uses two paths when reading the device cache file.
The hostname part of the second component is the base name of the executing host, as returned by gethostname(2). The base name is
defined to be the characters preceding the first .
in the gethostname(2) output, or all the gethostname(2) output if it contains no
.
.
The device cache file belongs to the user ID and is readable and writable by the user ID alone - i.e., its modes are 0600. Each dis- tinct real user ID on a given host that executes lsof has a distinct device cache file. The hostname part of the path distinguishes device cache files in an NFS-mounted home directory into which device cache files are written from several different hosts.
The personal device cache file path formed by this method represents a device cache file that lsof will attempt to read, and will attempt to write should it not exist or should its contents be incorrect or outdated.
The -Dr option without a path name argument will inhibit the writing of a new device cache file.
The -D? option will list the format specification for constructing the personal device cache file. The conversions used in the for- mat specification are described in the 00DCACHE file of the lsof distribution.
%p&
conversion in the HASPERSDC format specification of the dialect's machine.h header file. (Its placed right after the home directory
in the default lsof distribution.)
Thus, for example, if LSOFPERSDCPATH contains LSOF&
, the home directory is /Homes/abe&
, the host name is lsof.itap.pur-
due.edu&
, and the HASPERSDC format is the default (%h/%p.lsof_%L&
), the modified personal device cache file path is:
/Homes/abe/LSOF/.lsof_vic
The LSOFPERSDCPATH environment variable is ignored when the lsof process is setuid-root or when the real UID of the process is root.
Lsof will not write to a modified personal device cache file path if the lsof process doesnt surrender setgid permission. (See the
LSOF PERMISSIONS THAT AFFECT DEVICE CACHE FILE ACCESS section for a list of implementations that normally dont surrender their setgid
permission.)
If, for example, you want to create a sub-directory of personal device cache file paths by using the LSOFPERSDCPATH environment vari-
able to name it, and lsof doesnt surrender its setgid permission, you will have to allow lsof to create device cache files at the
standard personal path and move them to your subdirectory with shell commands.
The local system administrator may: disable this option when lsof is built; change the name of the environment variable from LSOFPERS-
DCPATH to something else; change the HASPERSDC format to include the personal path component in another place; or exclude the personal
path component entirely. Consult the output of the -D? option for the environment variable's name and the HASPERSDC format specifi-
cation.
DIAGNOSTICS
Errors are identified with messages on the standard error file.
Lsof returns a one (1) if any error was detected, including the failure to locate command names, file names, Internet addresses or
files, login names, NFS files, PIDs, PGIDs, or UIDs it was asked to list. If the -V option is specified, lsof will indicate the
search items it failed to list.
It returns a zero (0) if no errors were detected and if it was able to list some information about all the specified search arguments.
When lsof cannot open access to /dev (or /devices) or one of its subdirectories, or get information on a file in them with stat(2), it
issues a warning message and continues. That lsof will issue warning messages about inaccessible files in /dev (or /devices) is indi-
cated in its help output - requested with the -h or >B -? options - with the message:
Inaccessible /dev warnings are enabled.
The warning message may be suppressed with the -w option. It may also have been suppressed by the system administrator when lsof was
compiled by the setting of the WARNDEVACCESS definition. In this case, the output from the help options will include the message:
Inaccessible /dev warnings are disabled.
Inaccessible device warning messages usually disappear after lsof has created a working device cache file.
all open files: lsof
Internet, x.25 (HP-UX), and UNIX domain files: lsof -i -U
IPv4 network files in use by the process whose PID is 1234: lsof -i 4 -a -p 1234
IPv6 network files: lsof -i 6
files using any protocol on ports 513, 514, or 515 of host wonderland.cc.purdue.edu, use: lsof -i @wonderland.cc.purdue.edu:513-515
any protocol on any port of this host :
For login name
On device
The process that has
Send SIGHUP to the processes that have
A open UNIX domain socket file, with the name
Processes with open files on the NFS file system named
suppress warning messages :
Ignore the device cache file:
Obtain PID and command name field output for each process, file descriptor, file device number, and file inode number for each file
of each process:
List the files at descriptors 1 and 3 of every process running the lsof command for login ID
list the current working directory of processes running a command that is exactly four characters long and has an lsof -i
or O in
character three, use this regular expression form of the hostname
o > lsof -i @
to Another hosthostname
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ssh 1401 dgerman 3u IPv4 0x976a838ec8af3acf 0t0 TCP smackerpro.germans:50978->real-world-systems.com:ssh (ESTABLISHED)
ftp> !lsof -i @real-world-systems.com
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
ssh 1621 dgerman 3u IPv4 0x976a838edb41aeaf 0t0 TCP smackerpro.germans:51186->real-world-systems.com:ssh (ESTABLISHED)
ftp 1650 dgerman 3u IPv4 0x976a838ec8af55b7 0t0 TCP smackerpro.germans:51194->real-world-systems.com:ftp (ESTABLISHED)
abe
, user ID 1234, process 456, process 123, or process 789: lsof -p 456,123,789 -u 1234,abe
/dev/hd4 lsof /dev/hd4
/u/abe/foo
open: lsof /u/abe/foo
/u/abe/bar
open: kill -HUP lsof -t /u/abe/bar
/dev/log: lsof /dev/log
/nfs/mount/point
whose server is inaccessible, and
presuming your mount table supplies the device number for /nfs/mount/point: lsof -b /nfs/mount/point
lsof -bw /nfs/mount/point
lsof -Di
lsof -FpcfDi
abe
every 10 seconds: lsof -c lsof -a -d 1 -d 3 -u abe -r10
-c
: lsof -c /^..o.$/i -a -d cwd
an IP version 4 socket file by its associated numeric dot-form address: lsof -i@128.210.15.17
find an IP version 6 socket file (when the UNIX dialect supports IPv6) by its associated numeric colon-form address: lsof -i@[0:1:2:3:4:5:6:7]
IP version 6 socket file (when the UNIX dialect supports IPv6) by an associated numeric colon-form address that has a run
of zeroes in it - e.g., the loop-back address: lsof -i@[::1]
obtain a repeat mode marker line that contains the current time: lsof -rm====%T====
add spaces to the previous marker line: lsof -r "m==== %T ===="
When a file has multiple record locks, the lock status character (following the file descriptor) is derived from a test of the first lock structure, not from any combination of the individual record locks that might be described by multiple lock structures.
Lsof cant search for files with restrictive access permissions by name unless it is installed with root set-UID permission. Otherwise it is limited to searching for files to which its user or its set-GID group (if any) has access permission.
The display of the destination address of a raw socket (e.g., for ping) depends on the UNIX operating system. Some dialects store the destination address in the raw socket's protocol control block, some do not.
Lsof cant always represent Solaris device numbers in the same way that ls(1) does. For example, the major and minor device numbers that the lstat(2) and stat(2) functions report for the directory on which CD-ROM files are mounted (typically /cdrom) are not the same as the ones that it reports for the device on which CD-ROM files are mounted (typically /dev/sr0). (Lsof reports the directory numbers.)
The support for /proc file systems is available only for BSD and Tru64 UNIX dialects, Linux, and dialects derived from SYSV R4 - e.g., FreeBSD, NetBSD, OpenBSD, Solaris, UnixWare.
Some /proc file items - device number, inode number, and file size - are unavailable in some dialects. Searching for files in a /proc file system may require that the full path name be specified.
No text (txt) file descriptors are displayed for Linux processes. All entries for files other than the current working directory, the root directory, and numerical file descriptors are labeled mem descriptors.
Lsof can't search for Tru64 UNIX named pipes by name, because their kernel implementation of lstat(2) returns an improper device number for a named pipe.
Lsof can't report fully or correctly on HP-UX 9.01, 10.20, and 11.00 locks because of insufficient access to kernel data or errors in the kernel data. See the lsof FAQ (The FAQ section gives its location.) for details.
The ±f[cfgGn]
is not supported under /proc-based
Linux lsof, because it doesn't read kernel structures from kernel memory.
$LANG
defines a language locale. See setlocale e.g., LC_ALL, LC_TYPE, etc.$LSOFDEVCACHE
the path to a device cache file. See the DEVICE CACHE PATH FROM AN ENVIRONMENT VARIABLE section for more
information.
$LSOFPERSDCPATH
the middle component of a modified personal device cache file path. See the MODIFIED PERSONAL DEVICE CACHE
PATH section for more information.
00FAQ
file of the lsof distribution.
available via anonymous ftp from lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
/dev/kmem
kernel virtual memory device/dev/mem
physical memory device/dev/swap
system paging devicelsof_hostname
lsof's device cache file (The suffix, hostname
, is the first component of the host's name returned by gethostname(2).)
See
access(2), awk(1), crash(1), fattach(3C), ff(1), fstat(8), fuser(1), gethostname(2), isprint(3), kill(1), localtime(3), lstat(2), modload(8), mount(8), netstat(1), ofiles(8L), perl(1), ps(1), readlink(2), setlocale(3), stat(2), strftime(3), time(2), uname(1).
Revision-4.87
lsof -i COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME UserEvent 204 dgerman 7u IPv4 0x5c086aaa24351191 0t0 UDP *:* SystemUIS 213 dgerman 7u IPv4 0x5c086aaa24350439 0t0 UDP *:* sharingd 231 dgerman 12u IPv4 0x5c086aaa24350809 0t0 UDP *:* ssh 5246 dgerman 3u IPv4 0x5c086aaa256a0e69 0t0 TCP 10.0.0.11:49769->real-world-systems.com:ssh (CLOSED) ssh 19420 dgerman 3u IPv4 0x5c086aaa39cb4e69 0t0 TCP slammerfox.germans:61435->real-world-systems.com:ssh (CLOSED) ssh 37304 dgerman 3u IPv4 0x5c086aaa2b76ce69 0t0 TCP smackerpro.germans:63625->real-world-systems.com:ssh (ESTABLISHED) ssh 40559 dgerman 3u IPv4 0x5c086aaa2b701651 0t0 TCP 192.168.1.12:63157->real-world-systems.com:ssh (CLOSED) com.apple 45247 dgerman 12u IPv4 0x5c086aaa2a94be69 0t0 TCP smackerpro.germans:49670->a23-11-217-54.deploy.static.akamaitechnologies.com:https (ESTABLISHED) com.apple 45247 dgerman 13u IPv4 0x5c086aaa2a959651 0t0 TCP smackerpro.germans:49671->appleglobal.102.112.2o7.net:https (ESTABLISHED) com.apple 45247 dgerman 17u IPv4 0x5c086aaa2a94be69 0t0 TCP smackerpro.germans:49670->a23-11-217-54.deploy.static.akamaitechnologies.com:https (ESTABLISHED) com.apple 45247 dgerman 18u IPv4 0x5c086aaa2a959651 0t0 TCP smackerpro.germans:49671->appleglobal.102.112.2o7.net:https (ESTABLISHED) com.apple 45247 dgerman 20u IPv4 0x5c086aaa2a958e69 0t0 TCP smackerpro.germans:49672->a23-11-217-54.deploy.static.akamaitechnologies.com:https (ESTABLISHED) com.apple 45247 dgerman 21u IPv4 0x5c086aaa2a958e69 0t0 TCP smackerpro.germans:49672->a23-11-217-54.deploy.static.akamaitechnologies.com:https (ESTABLISHED) ssh 45269 dgerman 3u IPv4 0x5c086aaa2a288e69 0t0 TCP 192.168.1.5:51851->real-world-systems.com:ssh (CLOSED) ssh 52305 dgerman 3u IPv4 0x5c086aaa26ca2e69 0t0 TCP 192.168.1.3:52101->real-world-systems.com:ssh (CLOSED) thunderbi 55630 dgerman 59u IPv4 0x5c086aaa2b979e69 0t0 TCP smackerpro.germans:63616->slmp-550-13.slc.westdc.net:imaps (ESTABLISHED) thunderbi 55630 dgerman 60u IPv4 0x5c086aaa24794e69 0t0 TCP smackerpro.germans:63617->slmp-550-13.slc.westdc.net:imaps (ESTABLISHED) ssh 60693 dgerman 3u IPv4 0x5c086aaa2ba8d651 0t0 TCP smackerpro.germans:51281->real-world-systems.com:ssh (CLOSED) ssh 65768 dgerman 3u IPv4 0x5c086aaa257d8651 0t0 TCP kitchen.germans:58667->real-world-systems.com:ssh (CLOSED) ssh 68409 dgerman 3u IPv4 0x5c086aaa2b353651 0t0 TCP smackerpro.germans:58718->real-world-systems.com:ssh (CLOSED) CIJScanne 77133 dgerman 4u IPv4 0x5c086aaa2a5469f1 0t0 UDP *:58348 CIJScanne 77133 dgerman 5u IPv4 0x5c086aaa2ba9f379 0t0 UDP *:59373 ssh 82907 dgerman 3u IPv4 0x5c086aaa257d7e69 0t0 TCP smackerpro.germans:55109->real-world-systems.com:ssh (CLOSED) ssh 94640 dgerman 3u IPv4 0x5c086aaa2ba8ce69 0t0 TCP smackerpro.germans:53255->real-world-systems.com:ssh (CLOSED) WakeOnLan 99904 dgerman 19u IPv4 0x5c086aaa29f97621 0t0 UDP *:63967 WakeOnLan 99904 dgerman 30u IPv4 0x5c086aaa2b60a191 0t0 UDP *:56540