list open files

lsof [ -?abChKlnNOPRtUvVX ]
[ ±r [t[mfmt ]] ]
[ -A A ]
[ -c commandPrefix ]
[ +c commandName width shown ]
[ ±d d ] [ ±D D ] [ ±e s ]
     [ ±f [cfgGn] ] [ -F [f] ] [ -g [s] ] [ -i [i] ] [ -k k ] [ ±L [l] ] [ ±m m ] [ ±M ]
     [ -o [o] ] [ -p s ] [ -s [p:s] ] [ -S [t] ] [ -T [t] ] [ -u s ] [ ±w ]
     [ -x [fl] ] [ -z [z] ] [ -Z [Z] ]
                        [ -- ] [names]

As with all the documentation available here, this has been tersified and many (confusing, unnecessary) details removed. To get all the gory details see the man page on your system or

An open file may be a regular file, a directory, a block special file, a character special file, an executing text reference, a library, a stream or a network file (Internet socket, NFS file or UNIX domain socket).

A specific file or all the files in a file system may be selected by path.

Runs continuously in repeat mode, -r.

By default lists all open files belonging to all active processes. lsof | more (not helpful)

Combining options

"List selection" options are ORed
For example: lsof -i -utonys all network(internet) files OR those belonging to processes owned by user tonys.

Exceptions (indicated by a ^ prefix), are applied without ORing or ANDing and take effect before any other selection criteria are applied.

  • login name or user ID (UID), -u
  • process ID (PID), -p
  • process group ID (PGID), -g
  • command, -c
  • TCP or UDP protocol state names, -s [p:s]

    -a ANDs the selections.
       For example: lsof -a -unetprgmr -U produces a listing of files that belong to processes owned by netprgmr and are UNIX socket files.
    Causes all "list selection"s to be ANDed

    Items of the same selection set: command names, file descriptors, network addresses, process identifiers, user identifiers, zone names, security contexts are joined in a single ORed set and applied before the result participates in ANDing.
       For example, lsof -a -ume,you will select the listing of files that :
       belong to either login me OR you AND have network connections to either host OR

    Multiple options can be conbined for example: -a -b -C as -abC.

    Since values are optional following ±f, -F, -g, -i, ±L, -o, ±r, -s, -S, -T, -x and -z,

    The + or - prefix may be applied to a group of options.
       Options that don't take on separate meanings for each prefix ,
    For example: -i (which has no + option) may be grouped under either prefix.
       For example, +M -i may be stated as +Mi .
        When one or more options in the group does take on separate meanings under different prefixes avoid grouping. For example +M; -iM is not the same as -i +M.
    Use separate options for clarity.

    names Symbolic links are resolved before use.
    The first name may be separated from the preceding options with --.

    • If name is a mounted-point (for example /Volume/DATA) or
      the device of the file system lsof will list all the files open on the file system.

      +f forces name to be considered a file system identifier otherwise name is treated as a regular file - i.e., its listing is restricted to processes that have it open as a file or as a process-specific directory, such as the root or current working directory.
      To request that lsof look for open files inside a directory name, use +d s and +D D .
      -f forces name to be considered a file system identifier

    If name is a UNIX domain socket name, specifying a relative path - example: ./file - (eg., /tmp/file - won't work

    If a name is a Linux UNIX domain socket name, in one case lsof is able to search for it by its device and inode number, allowing name to be a relative path. The case requires that the absolute path (i.e., one beginning with a slash) be used by the process that created the socket, for example, if the path is /dev/log and an lsof search is initiated when the working directory is /dev, then name could be ./log.

    -b the only names are file systems for which mount table supplies alternate device numbers. See the AVOIDING KERNEL BLOCKS and ALTERNATE DEVICE NUMBERS sections

    Multiple file names are joined in a single ORed set before participating in AND option selection.

    -a ands list selections ANDed
    -c cmdprx… processes executing command that begins with the characters of cmdprx.
    Multiple commands may be specified, using multiple -c .
    Are joined in a single ORed set before participating in AND option selection.

    ^ prefix excludes commands
    If cmdprx begins and ends with a slash (/), a regular expression.
    Shell meta-characters in the regular expression must be quoted.
    i ignore case
    b regular expression is a basic one.
    x the regular expression is an extended one (default).
    See FAQ The simple command specification is tested first.
    If that test fails, the command regular expression is applied.
    This may result in no command found for regex: messages with -V

    +c width width of characters of the command displayed (default:9, min 7 ), 0 all.
    -C kernel's name Cache entries are not. See KERNEL NAME CACHE
    +d dir directory dir and the files and directories it contains at its top level.
    Does NOT descend the directory tree.
    +D Dirifull-Descent directory tree search, rooted at directory Dir.
    +d does not follow symbolic links within dir without -x or -x of l.
    Nor does it search for open files on file system mount points on subdirectories of dir unless -x or -x f is also specified.
    Permissions limit searching to files accessable via stat(2).
    -d set list of file descriptors
    ^ before all entries specifies an exclusion list. Mixed lists are not permitted.

    Example: 1,3 or ^6,^2.

    For a range use lowLimit-highLimit. For example: 3-5 or ^7-9.
    File descriptors are ORed before participating in AND option selections.

    +D dir all open instances of directory dir and all the files and directories it contains.

    Does not follow symbolic links unless the -x or -x l is also specified.
    Does not search for open files on file system mount points on unless the -x or -x f is also specified.
    Permissions limit searching for files to those accessable via stat

    Slow and requires a large amount of memory, as it descends the entire directory tree, beginning at dir

    -D func device cache file usage,

    ? - report paths, build , ignore , read or update the device cache file

    may be followed by a path name.
    Reports the read-only and write paths that can be used for the device cache file, environment variables and the format for the personal device cache file path. (Escape ? as shell requires.)

    The b, r, and u functions may be followed by the device cache files path. The standard default is .lsof_hostname in the home directory of the real user ID that executes lsof, but this could have been changed when lsof was configured and compiled. (The output of the -h and -? options show the current default prefix - e.g., .lsof&.) The suffix, hostname, is the first component of the hosts name returned by gethostname(2).

    b build a new device cache file at the default or specified path.
    i ignore the default device cache file and obtain its information about devices via direct calls to the kernel.
    r read the device cache at the default or specified path, but prevents it from creating a new device cache file when none exists or the existing one is improperly structured. The r function, when specified without a path name, prevents lsof from updating an incorrect or outdated device cache file, or creating a new one in its place. The r function is always available when it is specified without a path name argument; it may be restricted by the permissions of the lsof process.
    u read the device cache file at the default or specified path, if possible, and to rebuild it, if necessary. This is the default device cache file function when no -D option has been specified.

    -x [fl ] With +d and +D to direct processing to cross over symbolic links and|or file system mount points encountered when scanning the directory or directory tree / -x by itself enables both symbolic links and mount points
    when -x is specified without a parameter, the next argument must begin with - or +. f enables file system mount point cross-over processing;
    l symbolic link cross-over
    ±e fs exempts file system fs from being subjected to kernel function calls that might block. The +e option exempts stat(2), lstat(2) and most readlink(2) kernel function calls. The -e option exempts only stat(2) and lstat(2) kernel function calls. Multiple file systems may be specified with separate ±e specifications and each may have readlink(2) calls exempted or not.

    CAUTION: this option can easily be mis-applied to other than the file system of interest, because it uses path name rather than the more reliable device and inode numbers. (Device and inode numbers are acquired via the potentially blocking stat(2) kernel call and are thus not available, but see the ±m m option as a possible alternative way to supply device numbers.) Use this option with great care and fully specify the path name of the file system to be exempted.

    When open files on exempted file systems are reported, it may not be possible to obtain all their information. Therefore, some information columns will be blank, the characters UNKN& preface the values in the TYPE column, and the applicable exemption option is added in parentheses to the end of the NAME column. (Some device number information might be made avail- able via the ±m m option.)

    ±f [cfgGn] f path name arguments are to be interpreted as …. When followed by c, f, g, G, or n in any combination the listing of kernel file structure information is to be enabled (+) or inhibited (-).

    Normally a path name argument is taken to be a file system name if it matches a mounted-on directory name reported by mount(8), or if it represents a block device, named in the mount output and associated with a mounted directory name. When +f is specified, all path name arguments will be taken to be file system names, and lsof will complain if any are not. This can be useful, for example, when the file system name (mounted-on device) isnt a block device. This happens for some CD-ROM file systems.

    When -f is specified by itself, all path name arguments will be taken to be simple files. Thus, for example, the -f -- /& arguments direct lsof to search for open files with a / path name, not all open files in the / (root) file system.

    Be careful to make sure +f and -f are properly terminated and arent followed by a character (e.g., of the file or file sys- tem name) that might be taken as a parameter. For example, use --& after +f and -f as in these examples. $ lsof +f -- /file/system/name $ lsof -f -- /file/name

    The listing of information from kernel file structures, requested with the +f [cfgGn] option form, is normally inhibited, and is not available in whole or part for some dialects - e.g., /proc-based Linux kernels below 2.6.22. When the prefix to f is a plus sign (+), these characters request file structure information: c file structure use count (not Linux) f file structure address (not Linux) g file flag abbreviations (Linux 2.6.22 and up) G file flags in hexadecimal (Linux 2.6.22 and up) n file structure node address (not Linux) When the prefix is minus (-) the same characters disable the listing of the indicated values. File structure addresses, use counts, flags, and node addresses may be used to detect more readily identical files inherited by child processes and identical files in use by different processes. Lsof column output can be sorted by output columns holding the values and listed to identify identical file use, or lsof field output can be parsed by an AWK or Perl post-fil- ter script, or by a C program.

    -F [f] fields to be output is specified with a single character
    output for processing by another program, and the character that terminates each output field.
    The field terminator defaults to NL, or NUL (000).
    See the output for other programs the field identification characters and the field output process.

    With no fields all fields are selected (except the raw deviceField, security context and zone field ) and NL terminator is used.
    For -F 0 NULL teminatxior.

    Other combinations of fields and their associated field terminator character must be set with explicit entries in field, as described in the Output for Other Programs .

    When a field selection character identifies an item - e.g., PPID, selected with -R - specification of the field character - e.g., -FR& - also selects the listing of the item. When the field selection character list contains the single character ?, lsof will display a help list of the field identi- fication characters. (Escape the ? character as your shell requires.)

    -g [s] excludes or selects the listing of files for the processes whose optional process group IDentification (PGID) numbers are in the comma-separated set s - e.g., 123& or 123,^456&. (There should be no spaces in the set.) PGID numbers that begin with ^ (negation) represent exclusions. Multiple PGID numbers are joined in a single ORed set before participating in AND option selection. However, PGID exclusions are applied without ORing or ANDing and take effect before other selection criteria are applied. The -g option also enables the output display of PGID numbers. When specified without a PGID set thats all it does.
    -i [i] files any of whose Internet address matches the address specified in i. If no address is specified, this option selects the listing of all Internet and x.25 (HP-UX) network files.

    If -i4 or -i6 is specified with no following address, only files of the indicated IP version, IPv4 or IPv6, are displayed. (An IPv6 specification may be used only if the dialects supports IPv6, as indicated by [46]& and IPv[46]& in lsofs -h or -? output.) Sequentially specifying -i4, followed by -i6 is the same as specifying -i, and vice-versa. Specifying -i4, or -i6 after -i is the same as specifying -i4 or -i6 by itself.

    Multiple addresses (up to a limit of 100) may be specified with multiple -i options. (A port number or service name range is counted as one address.) They are joined in a single ORed set before participating in AND option selection.

    An Internet address is specified in the form (Items in square brackets are optional.):


    where: 46 specifies the IP version, IPv4 or IPv6 that applies to the following address. 6 may be be specified only if the UNIX dialect supports IPv6. If neither 4 nor 6 is specified, the following address applies to all IP versions. protocol is a protocol name - TCP, UDP hostname is an Internet host name. Unless a specific IP version is specified, open network files associated with host names of all versions will be selected. hostaddr is a numeric Internet IPv4 address in dot form; or an IPv6 numeric address in colon form, enclosed in brackets, if the UNIX dialect supports IPv6. When an IP version is selected, only its numeric addresses may be specified. service is an /etc/services name - e.g., smtp - or a list of them. port is a port number, or a list of them.

    At least one address component - 4, 6, protocol, hostname, hostaddr, or service - must be supplied.
    The @ prefix the host specification, is always required; as is the :, leading the port specification.
    Specify either hostname or hostaddr.
    Specify either service name list or port number list.
    If a service name list is specified, the protocol may also need to be specified if the TCP, UDP and UDPLITE port numbers for the service name are different.

    Service names and port numbers may be combined in a comma seperated list or numeric range by minus signs.
    There may be no embedded spaces, service names may contain embedded minus signs, the starting entry of a range cannott be a service name;
    it can be a port number,

    Sample addresses:

           -i6 - IPv6 only
           TCP:25 - TCP and port 25
           @ - Internet IPv4 host address
           @[3ffe:1ebc::1]:1234 - Internet IPv6 host address
           3ffe:1ebc::1, port 1234
           UDP:who - UDP who service port
           TCP@lsof.itap:513 - TCP, port 513 and host name lsof.itap
           tcp@foo:1-10,smtp,99 - TCP, ports 1 through 10,
                service name smtp, port 99, host name foo
           tcp@bar:1-smtp - TCP, ports 1 through smtp, host bar
           :time - either TCP, UDP or UDPLITE time service port 
    -K list of tasks (threads) of processes,

    When -K and -a are both specified and the tasks of a main process are selected by other options, the main process will also be listed as though it were a task, but without a task ID. (See the description of the TID column in the OUTPUT section.)

    Where the FreeBSD version supports threads, all threads will be listed with their IDs.

    -k kernelName in place of /vmunix, /mach, etc.
    ±L [lc] enables(+) or disables(-) the checking and listing of file link counts.
    -L (the default), no link counts
    +L all link counts

    +Llc only files having a link count less than lc will be listed.
    +L1& open files that have been unlinked.
    +aL1 file_system& unlinked open files on the specified file system.

    For other link count comparisons, use field output (-F) and a post-processing script or program.

    -l login user numbers are not converted to names.
    -n network numbers are not converted to host names (runs faster).
    -N NFS files.
    -o [do] number of digits (default 8) after 0t for a offset before the for m is switched to 0x….
    -o0 use 0t form for all offset output.
    display offset at all times with a decimal digit count of 10, use:
    -o -o 10
    description of the -o o in the output of the -h or -? option to determine the default that is in effect.
    -o and -s are mutually exclusive;

    -o always display offset, in either mixed size and offset or offset-only output.
    -s display file size at all times and causes the SIZE/OFF output column title to be changed to SIZE.
    -s [TCP|UDP]:-i|[^]state,…] ^ indicates files to be excluded.

    If only TCP and UDP files are to be listed, -i must be specified, .
    If only a single protocol files are to be listed, add its name as an argument to the -i Examples:
    List only network files with TCP state LISTEN, :

    lsof -s -iTCP -sTCP:LISTEN
    List network files with all UDP states except Idle :
    -iUDP -sUDP:Idle
    UDP states nclude: Unbound and Idle.

    See the FAQ for some types of files - sockets, FIFOs, pipes, etc. - sizes refers to in their kernel buffers

    -S [t] time-out seconds for kernel functions - lstat(2), readlink(2), and stat(2) - that might otherwise cause blockiing. Minimun 2.
    -O bypass the strategy to avoid being blocked by kernel operations. This will reduce startup overhead, it may also cause hang when the kernel does not respond to a function. Use this option cautiously.
    -p [^]pid[,…] excludes or selects the listing of files for the processes whose optional process IDentification (PID) numbers are in the comma-separated set s - example: 123 or 123,^456. (There should be no spaces in the set.) pids that begin with ^ are excluded. Multiple process ID numbers are joined in a single ORed set before participating in AND option selection. However, PID exclusions are applied without ORing or ANDing and take effect before other selection criteria are applied.
    -P inhibits the conversion of port numbers to port names for network files. Inhibiting the conversion may make lsof run a lit- tle faster. It is also useful when port name lookup is not working properly.
    ±r [seconds[mfmt]] repeat mode delays seconds (default 15 ) then repeats

    - terminated with an interrupt or quit signal.
    + ends the first time no files are listed. Exit code= 0 if any files were ever listed; 1 none were ever listed.

    Output of each cycle is marked with ========.
    If field output is in progress (i-F ), the marker is m and NL

    fmt is a format for the marker line as to strftime(3).
    When field output is requested with the -F option, fmt cannot contain the NL format, %n.
    If fmt contains meta characters for the shell, it must be quoted.

    Repeat mode reduces startup overhead.

    Increase efficienrcy with options that filter at the process level - for example: -c, -g, -p, -u .

    Useful with field output and a supervising script.

    -R includle Parent Process ID
    -T [t] controls the reporting of some TCP/TPI information, also reported by netstat(1), following the network addresses.
    In normal output the information appears in parentheses, each item except TCP or TPI state name identified by a keyword, followed by =, separated from others by a single space:
           TCP or TPI state name
           QR=read queue length
           QS=send queue length
           SO=socket options and values
           SS=socket states
           TF=TCP flags and values
           WR=window read length
           WW=window write length
    values are reported after the item name and =.

    When the field output mode is in effect (See OUTPUT FOR OTHER PROGRAMS.) each item appears as a field with a T leading character.

    -T disables TCP/TPI
    -T TCP/TPI
    f socket options, states and values, and TCP flags and values.
    q queue length .
    s connection state .
    w window size .
    State is enabled by default. disabled by default with other options. -h for the -T option shows selections available

    Example: for queue lengths and state , use -Tqs.

    Socket options, states, some values, TCP flags and one TCP value may be requested after SO_, so_, SS_, TCP_ and TF_ in the dialect's header files - most often <sys/socket.h>, <sys/socketvar.h> and <netinet/tcp_var.h>. See them for the meaning . SO= precedes socket options and values; SS=, socket states; and TF=, TCP flags and values. Value are preceeded by = and the name -- Example SO=LINGER=5, SO=QLIM=5, TF=MSS=512.

    Common Symbol)
    MSS Maximum Segment Size (TCP_MAXSEG)
    PQLEN Partial listen Queue connections
    QLEN established listen Queue connections
    QLIM established listen Queue limit
    RCVBUF ReCeiVe BUFfer length (SO_RCVBUF)
    SNDBUF SeND Buffer length (SO_SNDBUF)
    socket options and values, states, and TCP flags and values may be displayed in lsof FAQ (The FAQ section gives its location.) Why doesn't lsof report socket options, socket states, and TCP flags and values and Why doesn't lsof report the partial listen queue connection count for my dialect?
    -t terse output (process identifiers only and no header ) the output may be piped to kill(1).
    Implies -w, (warnings).
    -u [^]uname [,userID … ] user abe, or 548,root. no spaces in the list.
    user ids are joined in an single ORed set before participating in AND option selection.

    ^ excludes files of processes owned by userid and is applied before other selections. For example, to exclude files belonging root processes -u^root or -u^0.

    -U UNIX domain socket files.
    -V items requested and failed to find - command names, file names, Internet addresses or

    files, login names, NFS files, PIDs, PGIDs, and UIDs. For example, lsof -V -iTCP@foobar -a -d 999 may not report a failure to locate open files at TCP@foobar and may not list any, if none have a file descriptor number of 999. If HASSECURITY and HASNOSOCKSECURITY are defined at compile time and they prevent the listing of open files.

    ±w warning messages are Enabled (+) or disabled (-) Warning messages may be disabled or enabled by default as indicated in -h
    -A As on systems configured for AFS(Andrew Files System) whose AFS kernel code is implemented via dynamic modules.
    allows specifing an alternate name list file where the kernel addresses of the dynamic modules might be found. See FAQ
    -X dialect-specific option. AIX: report of executed text file and shared library references. By default use of readx() is disabled and lsof may not be able to report information for all text and loader file references, it

    Linux: skip the reporting of information on all open TCP, UDP and UDPLITE IPv4 and IPv6 files. Useful when the system has an extremely large number of open TCP, UDP and UDPLITE files

    -b blockng kernel functions are avoided - lstat(2), readlink(2), and stat(2). See BLOCKS AND TIMEOUTS and AVOIDING KERNEL BLOCKS
    -Z [Z] how SELinux security contexts are to be handled. It and Z field output character support are inhibited when SELinux is disabled in the running Linux kernel. Without a argument security contexts are to be listed in the SECURITY-CON-TEXT output column.
    Followed by a wildcard security context name, Z. lists only open files for processes in that security context.
    Multiple -Z Z are permitted. open file of any process in any of the security contexts will be listed, Note Z can be A:B:C or *:B:C or A:B:* or *:*:C to match against the A:B:C context.
    -- end of options. Useful when the first file name begins with a minus sign or when the last option has no value before the start of the file names.
    -v version


    1. anyone can list all open files
      Restricting the listing of all open files to root, is controlled by compile-time options.
      The non-root user may list only open files of processes with the same user ID
    2. Creates a user-readable and user-writable device cache file is controlled by the compile-time option.
      Temporarily disable this with the -Di
    3. -k and -m name alternate kernel name list or memory files. When lsof user declares alternate kernel name list or memory files lsof checks the user's authority to read them with access(2). This is intended to prevent whatever special power lsof's modes might confer on it from letting it read files not normally accessible via the authority of the real user ID.


    Non-printable characters are output in the C \[bfrnt] form; the control character ^ form (example ^@); or hexadecimal \x

    SIZE columns width varies for each run.

    PPID Parent Process ID, only displayed with -R
    PGID process group ID, only displayed -g
    FD is the File Descriptor number OR:
             cwd  current working directory;
             Lnn  library references (AIX);
             err  FD information error (see NAME column);
             jld  jail directory (FreeBSD);
             ltx  shared library text (code and data);
             Mxx  hex memory-mapped type number xx.
             m86  DOS Merge mapped file;
             mem  memory-mapped file;
             mmap memory-mapped device;
             pd   parent directory;
             rtd  root directory;
             tr   kernel trace file (OpenBSD);
             txt  program text (code and data);
             v86  VP/ix mapped file; 
    mode under which the file is open folllows the FD:
             r for read 
             w for write
             u for read and write 
             - if mode unknown and lock character follows.
             space mode unknown and no lock character follows;
        lock characters 
             N fSolaris NFS lock of unknown type;
             r read lock on part of the file;
             R read lock on the entire file;
             w write lock on part of the file;
             W write lock on the entire file;
             u read and write lock of any length;
             U unknown 
             x SCO OpenServer Xenix lock on part of the file;
             X SCO OpenServer Xenix lock on the entire file;
             space no lock.
    See the LOCKS section for more information on the lock information character.
    TYPE type of the node associated with the file - for example: GDIR, GREG, VDIR, VREG, etc.


    PCUR current /proc process

    REG regular file
    SMT shared memory transport file
    STSO stream socket
    IPv4 IPv4 socket
    IPv6 open IPv6 network file
    ax25 Linux AX.25 socket
    inet Internet domain socket
    lla HP-UX link level access
    rte AF_ROUTE socket
    sock socket of unknown domain
    unix UNIX domain socket
    x.25 HP-UX x.25 socket

    BLK block special
    CHR character special
    DEL Linux map file that has been deleted
    DIR directory
    FIFO FIFO special
    KQUEUE BSD style kernel event queue
    LINK symbolic link
    MPB multiplexed block
    MPC multiplexed character
    PIPE for pipes
    PORT SYSV named pipe

    PMAP map
    PFIL executable
    PGD pagedata
    PCWD current working directory
    PAS as
    PAXV auxv
    PCRE cred
    PCTL control
    PDIR directory
    PETY executable type (etype)
    PFD file descriptor
    PFDR file descriptor directory
    PFPR FP register set
    PGID group notifier
    PLC lwpctl
    PLDR lpw directory
    PLDT ldt
    PLPI lpsinfo
    PLST lstatus
    PLU lusage
    PLWG gwindows
    PLWI lwpsinfo
    PLWS lwpstatus
    PLWU lwpusage
    PLWX xregs file
    PMEM memory image
    PNTF process notifier
    POBJ object
    PODR object directory
    POLPlight weight process
    POPGpage data
    PREG proc register
    PRMP rmap
    PRTD root directory
    PSGA sigact
    PSIN psinfo
    PSTA status
    PSXSEM POSIX semaphore
    PSXSHM POSIX shared memory
    PUSG usage
    PW watch
    PXMP xmap
    UNNMunnamed type
    XNAMOpenServer Xenix special file of unknown type
    XSEM" semaphore
    XSD " shared data >
    FILE-ADDR kernel file structure address when f has been specified to +f;
    FCT file reference count when c has been specified to +f;
    FILE-FLAG the contents of the f_flag[s] member of the kernel file structure when g or G has been specified to +f and the kernels per-process open file flags
    G in hexadecimal; g, as short-hand names;

    Two lists may be displayed with entries separated by commas,

    the lists separated by a semicolon (;);

    the first list may contain short-hand names for f_flag:

    AIO       asynchronous I/O (e.g., FAIO)
    AP        append
    ASYN      asynchronous I/O (e.g., FASYNC)
    BAS       block, test, and set in use
    BKIU      block if in use
    BL        use block offsets
    BSK       block seek
    CA        copy avoid
    CIO       concurrent I/O
    CLON      clone
    CLRD      CL read
    CR        create
    DF        defer
    DFI       defer IND
    DFLU      data flush
    DIR       direct
    DLY       delay
    DOCL      do clone
    DSYN      data-only integrity
    DTY       must be a directory
    EVO       event only
    EX        open for exec
    EXCL      exclusive open
    FSYN      synchronous writes
    GCDF      defer during unp_gc() (AIX)
    GCMK      mark during unp_gc() (AIX)
    GTTY      accessed via /dev/tty
    HUP       HUP in progress
    KERN      kernel
    KIOC      kernel-issued ioctl
    LCK       has lock
    LG        large file
    MBLK      stream message block
    MK        mark
    MNT       mount
    MSYN      multiplex synchronization
    NATM      dont update atime
    NB        non-blocking I/O
    NBDR      no BDRM check
    NBIO      SYSV non-blocking I/O
    NBF       n-buffering in effect
    NC        no cache
    ND        no delay
    NDSY      no data synchronization
    NET       network
    NFLK      dont follow links
    NMFS      NM file system
    NOTO      disable background stop
    NSH       no share
    NTTY      no controlling TTY
    OLRM      OLR mirror
    PAIO      POSIX asynchronous I/O
    PP        POSIX pipe
    R         read
    RC        file and record locking cache
    REV       revoked
    RSH       shared read
    RSYN      read synchronization
    RW        read and write access
    SL        shared lock
    SNAP      cooked snapshot
    SOCK      socket
    SQSH      Sequent shared set on open
    SQSV      Sequent SVM set on open
    SQR       Sequent set repair on open
    SQS1      Sequent full shared open
    SQS2      Sequent partial shared open
    STPI      stop I/O
    SWR       synchronous read
    SYN       file integrity while writing
    TCPM      avoid TCP collision
    TR        truncate
    W         write
    WKUP      parallel I/O synchronization
    WTG       parallel I/O synchronization
    VH        vhangup pending
    VTXT      virtual text
    XL        exclusive lock
    from F* in files fcntl.h, linux, sys/fcntl.c, sys/fcntlcom.h, and sys/file.h>; see the lsof.h header file

    The second list (after the semicolon) may contain short-hand names for kernel per-process open file flags :

    ALLC      allocated
    BR        the file has been read
    BHUP      activity stopped by SIGHUP
    BW        the file has been written
    CLSG      closing
    CX        close-on-exec (see fcntl(F_SETFD))
    LCK       lock was applied
    MP        memory-mapped
    OPIP      open pending - in progress
    RSVW      reserved wait
    SHMT      UF_FSHMAT set (AIX)
    USE       in use (multi-threaded)

  • the device numbers, separated by commas, for a character special, block special, regular, directory or NFS file;
  • memory& for a memory file system node under Tru64 UNIX;
  • address of the private data area of a Solaris socket stream;
  • a kernel reference address that identifies the file (The kernel reference address may be used for FIFOs, for example.);
  • the base address or device name of a Linux AX.25 socket device. Usually only the lower thirty two bits of Tru64 UNIX kernel addresses are displayed.
  • SIZE, SIZE/OFF, or OFFSET in bytes. The file size is displayed in decimal.
    The offset is normally displayed in decimal with a leading 0t& if it contains 8 digits or less or in hexadecimal 0x& . (see -o o

    the leading 0t& and 0x& identify an offset when the column may contain both a size and an offset (i.e., its title is SIZE/OFF). If the -o option is specified, lsof always displays the file offset (or nothing if no offset is available) and labels the column OFFSET. The offset always begins with 0t& or 0x& as described above.

    The lsof user can control the switch from 0t& to 0x& with the -o o option. Consult its description for more information.

    If the -s option is specified, lsof always displays the file size (or nothing if no size is available) and labels the col- umn SIZE. The -o and -s options are mutually exclusive; they cant both be specified.

    For files that dont have a fixed size - e.g., dont reside on a disk device - lsof will display appropriate information about the current size or position of the file if it is available in the kernel structures that define the file.

    NLINK contains the file link count when +L has been specified;
    NODE is the node number of a local file; or the inode number of an NFS file in the server host;
  • or the Internet protocol type - e. g, TCP&;
  • or STR& for a stream;
  • or CCITT& for an HP-UX x.25 socket;
  • or the IRQ or inode number of a Linux AX.25 socket device.
  • NAME is the name of the mount point and file system on which the file resides;
    • or the name of a file specified in the names option (after any symbolic links have been resolved);
    • or the name of a character special or block special device;
    • or the local and remote Internet addresses of a network file; the local host name or IP number is followed by a :, the port, ->&, and the two-part remote address; IP addresses may be reported as numbers or names, depending on the ±M, -n, and -P options; colon-separated IPv6 numbers are enclosed in square brackets; IPv4 INADDR_ANY and IPv6 IN6_IS_ADDR_UNSPECIFIED addresses, and zero port numbers are represented by an asterisk (*); a UDP destination address may be followed by the amount of time elapsed since the last packet was sent to the destination; TCP, UDP and UDPLITE remote addresses may be followed by TCP/TPI information in parentheses - state (e.g., (ESTABLISHED)&, (Unbound)&), queue sizes, and window sizes (not all dialects) - in a fashion similar to what netstat(1) reports; see the -T option description or the description of the TCP/TPI field in OUTPUT FOR OTHER PROGRAMS for more information on state, queue size, and window size;
    • or the address or name of a UNIX domain socket, possibly including a stream clone device name, a file system objects path name, local and foreign kernel addresses, socket pair information, and a bound vnode address;
    • or the local and remote mount point names of an NFS file;
    • or STR&, followed by the stream name;
    • or a stream character device name, followed by ->& and the stream name or a list of stream module names, separated by ->&;
    • or STR:& followed by the SCO OpenServer stream device and module names, separated by ->&;
    • or system directory name, -- &, and as many components of the path name as lsof can find in the kernels name cache for selected dialects (See the KERNEL NAME CACHE section for more information.);
    • or PIPE->&, followed by a Solaris kernel pipe destination address;
    • or COMMON:&, followed by the vnode device information structures device name, for a Solaris common vnode;
    • or the address family, followed by a slash (/), followed by fourteen comma-separated bytes of a non-Internet raw socket address;
    • or the HP-UX x.25 local address, followed by the virtual connection number (if any), followed by the remote address (if any);
    • or (dead)& for disassociated Tru64 UNIX files - typically terminal files that have been flagged with the TIOCNOTTY ioctl and closed by daemons;
    • or rd=& and wr=& for the values of the read and write offsets of a FIFO;
    • or clone n:/dev/event& for SCO OpenServer file clones of the /dev/event device, where n is the minor device number of the file;
    • or (socketpair: n)& for a Solaris 2.6, 8, 9 or 10 UNIX domain socket, created by the socketpair(3N) network function;
    • or no PCB& for socket files that do not have a protocol block associated with them, optionally followed by , CANTSEND- MORE& if sending on the socket has been disabled, or , CANTRCVMORE& if receiving on the socket has been disabled (e.g., by the shutdown(2) function);
    • or the local and remote addresses of a Linux IPX socket file in the form :[:], followed in parentheses by the transmit and receive queue sizes, and the connection state;
    • or dgram& or stream& for the type UnixWare 7.1.1 and above in-kernel UNIX domain sockets, followed by a : and the local path name when available, followed by ->& and the remote path name or kernel socket address in hexadecimal when available;
    • or the association value, association index, endpoint value, local address, local port, remote address and remote port for Linux SCTP sockets.
    Mac OS bIgSur
    lsof 4.87
     latest revision:
     latest FAQ:
     latest man page:
     usage: [-?abhlnNoOPRtUvV] [+|-c c] [+|-d s] [+D D] [+|-f[cgG]]
     [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+|-M] [-o [o]] [-p s]
    [+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
    Defaults in parentheses; comma-separated set (s) items; dash-separated ranges.
      -?|-h list help          -a AND selections (OR)     -b avoid kernel blocks
      -c c  cmd c ^c /c/[bix]  +c w  COMMAND width (9)    +d s  dir s files
      -d s  select by FD set   +D D  dir D tree *SLOW?*   -i select IPv[46] files
      -l list UID numbers      -n no host names           -N select NFS files
      -o list file offset      -O no overhead *RISKY*     -P no port names
      -R list paRent PID       -s list file size          -t terse listing
      -T disable TCP/TPI info  -U select Unix socket      -v list version info
      -V verbose search        +|-w  Warnings (+)         -- end option scan
      +f|-f  +filesystem or -file names     +|-f[cgG] Ct flaGs 
      -F [f] select fields; -F? for help  
      +|-L [l] list (+) suppress (-) link counts < l (0 = all; default = 0)
      +|-M   portMap registration (-)       -o o   o 0t offset digits (8)
      -p s   exclude(^)|select PIDs         -S [t] t second stat timeout (15)
      -T fqs TCP/TPI Fl,Q,St (s) info
      -g [s] exclude(^)|select and print process group IDs
      -i i   select by IPv[46] address: [46][proto][@host|addr][:svc_list|port_list]
      +|-r [t[m]] repeat every t seconds (15);  + until no files, - forever.
           An optional suffix to t is m; m must separate t from  and
           is an strftime(3) format for the marker line.
      -s p:s  exclude(^)|select protocol (p = TCP|UDP) states by name(s).
      -u s   exclude(^)|select login|UID set s
      -x [fl] cross over +d|+D File systems or symbolic Links
      names  select named files or files on named file systems
    Anyone can list all files; /dev warnings disabled; kernel ID check disabled.
    When an error in an option is encountered:
    Mac OS bIgSur
    lsof 4.87
     latest revision:
     latest FAQ:
     latest man page:
     usage: [-?abhlnNoOPRtUvV] [+|-c c] [+|-d s] [+D D] [+|-f[cgG]]
     [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+|-M] [-o [o]] [-p s]
    [+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
    Use the ``-h'' option to get more help information.
    For dialects that support a namefs& file system, allowing one file to be attached to another with fattach(3C), lsof will add (FA:)& to the NAME column. and are hexadecimal vnode addresses. will be <-& if has been fattached to this vnode whose address is ; and ->& if , the vnode address of this vnode, has been fattached to . may be omitted if it already appears in the DEVICE column.

    Lsof may add two parenthetical notes to the NAME column for open Solaris 10 files: (?)& if lsof considers the path name of questionable accuracy; and (deleted)& if the -X option has been specified and lsof detects the open files path name has been deleted.
    Consult the lsof FAQ (The FAQ section gives its location.) for more information on these NAME column additions.


    Lsof cant adequately report the wide variety of UNIX dialect file locks in a single character. What it reports in a single character is a compromise between the information it finds in the kernel and the limitations of the reporting format.

    Moreover, when a process holds several byte level locks on a file, lsof only reports the status of the first lock it encounters. If it is a byte level lock, then the lock character will be reported in lower case - i.e., r, w, or x - rather than the upper case equivalent reported for a full file lock.

    Generally lsof can only report on locks held by local processes on local files. When a local process sets a lock on a remotely mounted (e.g., NFS) file, the remote server host usually records the lock state. One exception is Solaris - at some patch levels of 2.3, and in all versions above 2.4, the Solaris kernel records information on remote locks in local structures.

    Lsof has trouble reporting locks for some UNIX dialects. Consult the BUGS section of this manual page or the lsof FAQ (The FAQ sec- tion gives its location.) for more information.


    Each unit of information is output in a field that is identified with a leading character and terminated by a NL (0A) or a NUL (00)

    Field output is process and file sets.

  • A process set begins with a field whose identifier is p (for process IDentifier (PID)). It extends to the beginning of the next PID field or the beginning of the first file set
    Included in the process set are fields that identify the command, the process group IDentification (PGID) number, the task (thread), ID (TID), and the user ID (UID) number or login name.

  • A file set begins with a field whose identifier is f (for file descriptor). followed by lines that describe the file's access mode, lock state, type, device, size, offset, inode, protocol, name and stream module names.

    With the NUL field terminator , process and file set with a NL (0A).

    Lsof always produces one field, the PID (p) field. All other fields may be declared optionally in the field identifier character list that follows the -F option. When a field selection character identifies an item lsof does not normally list - e.g., PPID, selected with -R - specification of the field character - e.g., -FR& - also selects the listing of the item.

    It is entirely possible to select a set of fields that cannot easily be parsed - e.g., if the field descriptor field is not selected, it may be difficult to identify file sets. To help you avoid this difficulty, lsof supports the -F option; it selects the output of all fields with NL terminators (the -F0 option pair selects the output of all fields with NUL terminators). For compatibility reasons neither -F nor -F0 select the raw device field.


       a    access mode
       c    process command name (all characters from proc or user structure)
       C    structure share count
       d    device character code
       D    major/minor device number (0x)
       f    descriptor
       F    structure address (0x)
       G    flaGs (0x; names if +fg follows)
       g    process group ID
       i    inode number
       K    tasK ID
       k    link count
       l    lock status
       L    process login name
       m    marker between repeated output
       n    name, comment, Internet address
       N    node identifier (ox
       o    file's offset (decimal)
       p    process ID (always selected)
       P    protocol name
       r    raw device number (0x)
       R    parent process ID
       s    size (decimal)
       S    stream identification
       t    type
       T    TCP/TPI information, identified by prefixes (the
       = is part of the prefix):
           QR=queue for Read size
           QS=queue for Sendsize
           SO=socket options and values
           SS=socket states
           ST=connection state
           TF=TCP flags and values
           WR=window read size
           WW=window write size>
       u    process user ID
       z    Solaris 10 and higher zone name
       Z    SELinux security context (inhibited when SELinux is disabled)
       0    use NUL field terminator character in place of NL
       1-9  dialect-specific field identifiers (The output of -F? identifies the information to be found in dialect-specific fields.)

    help by specifying the -F\? Additional information on field content can be found in the OUTPUT section.

    Example: Select the process ID (p), command name (c), file descriptor (f) and file name (n) fields with an NL field terminator ;

    -F pcfn&
    Selects the same output with a NUL (000) field terminator
    -F pcfn0&

    Lsof does not produce all fields for every process or file set, only those that are available.
    Some fields are mutually exclusive: file device characters and file major/minor device numbers; file inode number and protocol name; file name and stream identification; file size and offset. One or the other member of these mutually exclusive sets will appear in field output, but not both.

    A NUL terminator may be easier to process with xargs (1), for example, or with programs whose quoting mechanisms may not easily cope with the range of characters in the field output. When the NUL field terminator is in use, lsof ends each process and file set with a NL (012).

    Utility Files included

    Blocks and Timeouts

    Lsof can be blocked espically when NFS become inaccessible.
    When it breaks a block, it will report the break with an error message, which can be suppressed with -t and -w.

    The default timeout, displayed with -h The minimum for t is two seconds, but you should avoid small values, since slow system responsiveness can cause short timeouts to expire unexpectedly and perhaps stop lsof before it can produce any output.

    When lsof has to break a block during its access of mounted file system information, it normally continues, although with less infor- mation available to display about open files.

    Lsof can also be directed to avoid the protection of timers and child processes when using the kernel functions that might block by specifying the -O option. While this will allow lsof to start up with less overhead, it exposes lsof completely to the kernel situa- tions that might block it. Use this option cautiously.


    You can use the -b option to tell lsof to avoid using kernel functions that would block. Some cautions apply.

    First, using this option usually requires that your system supply alternate device numbers in place of the device numbers that lsof would normally obtain with the lstat(2) and stat(2) kernel functions. See the ALTERNATE DEVICE NUMBERS section for more information on alternate device numbers.

    Second, you cant specify names for lsof to locate unless theyre file system names. This is because lsof needs to know the device and inode numbers of files listed with names in the lsof options, and the -b option prevents lsof from obtaining them. Moreover, since lsof only has device numbers for the file systems that have alternates, its ability to locate files on file systems depends com- pletely on the availability and accuracy of the alternates. If no alternates are available, or if theyre incorrect, lsof wont be able to locate files on the named file systems.

    Third, if the names of your file system directories that lsof obtains from your system's mount table are symbolic links, lsof wont be able to resolve the links. This is because the -b option causes lsof to avoid the kernel readlink(2) function it uses to resolve sym- bolic links.

    Finally, using the -b option causes lsof to issue warning messages when it needs to use the kernel functions that the -b option directs it to avoid. You can suppress these messages by specifying the -w option, but if you do, you wont see the alternate device numbers reported in the warning messages.


    On some dialects, when lsof has to break a block because it cant get information about a mounted file system via the lstat(2) and stat(2) kernel functions, or because you specified the -b option, lsof can obtain some of the information it needs - the device number and possibly the file system type - from the system mount table. When that is possible, lsof will report the device number it obtained. (You can suppress the report by specifying the -w option.)

    You can assist this process if your mount table is supported with an /etc/mtab or /etc/mnttab file that contains an options field by adding a dev=xxxx& field for mount points that do not have one in their options strings. Note: you must be able to edit the file - i.e., some mount tables like recent Solaris /etc/mnttab or Linux /proc/mounts are read-only and cant be modified.

    You may also be able to supply device numbers using the +m and +m m options, provided they are supported by your dialect. Check the output of lsof's -h or -? options to see if the +m and +m m options are available.

    The xxxx& portion of the field is the hexadecimal value of the file system's device number. (Consult the st_dev field of the output of the lstat(2) and stat(2) functions for the appropriate values for your file systems.) Heres an example from a Sun Solaris 2.6 /etc/mnttab for a file system remotely mounted via NFS:
    nfs ignore,noquota,dev=2a40001

    There's an advantage to having dev=xxxx& entries in your mount table file, especially for file systems that are mounted from remote NFS servers. When a remote server crashes and you want to identify its users by running lsof on one of its clients, lsof probably wont be able to get output from the lstat(2) and stat(2) functions for the file system. If it can obtain the file system's device number from the mount table, it will be able to display the files open on the crashed NFS server.

    Some dialects that do not use an ASCII /etc/mtab or /etc/mnttab file for the mount table may still provide an alternative device num- ber in their internal mount tables. This includes AIX, Apple Darwin, FreeBSD, NetBSD, OpenBSD, and Tru64 UNIX. Lsof knows how to obtain the alternative device number for these dialects and uses it when its attempt to lstat(2) or stat(2) the file system is blocked. If youre not sure your dialect supplies alternate device numbers for file systems from its mount table, use this lsof incantation to see if it reports any alternate device numbers: lsof -b Look for standard error file warning messages that begin assuming "dev=xxxx" from ...&.


    Lsof reports the complete paths it finds in the NAME column. If lsof cant report all components in a path, it reports in the NAME column the file system name, followed by a space, two - characters, another space, and the name components it has located, separated by the / character.

    When lsof is run in repeat mode - i.e., with the -r option specified - the extent to which it can report path name components for the same file may vary from cycle to cycle. That's because other running processes can cause the kernel to remove entries from its name cache and replace them with others.

    Lsof's use of the kernel name cache to identify the paths of files can lead it to report incorrect components under some circum- stances. This can happen when the kernel name cache uses device and node number as a key (e.g., SCO OpenServer) and a key on a rapidly changing file system is reused. If the UNIX dialect's kernel doesnt purge the name cache entry for a file when it is unlinked, lsof may find a reference to the wrong entry in the cache. The lsof FAQ (The FAQ section gives its location.) has more information on this situation.


    lsof maintains a cache of /dev information
    Compilation options control the cache file path which defaults to: Personal path (default); -D option; environment variable; System-wide path; Personal path, modified by an environment variable.

    -h, -D? displays device cache support. default read-mode device cache file path that is in effect for the current invocation of lsof.
    The -D? output lists the read-only and write device cache file paths, the names of any applicable environment variables, and the personal device cache path .

    The path from which a lsof process may attempt to read a device cache file may not be the same as the path to which it can legiti- mately write. Thus when lsof senses that it needs to update the device cache file, it may choose a different path for writing it from the path from which it read an incorrect or outdated version. If available, the -Dr option will inhibit the writing of a new device cache file. (It's always available when specified without a path name argument.) When a new device is added to the system, the device cache file may need to be recreated. Since lsof compares the mtime of the device cache file with the mtime and ctime of the /dev (or /devices) directory, it usually detects that a new device has been added; in that case lsof issues a warning message and attempts to rebuild the device cache file. Whenever lsof writes a device cache file, it sets its ownership to the real UID of the executing process, and its permission modes to 0600, this restricting its reading and writing to the file's owner. LSOF PERMISSIONS THAT AFFECT DEVICE CACHE FILE ACCESS Two permissions of the lsof executable affect its ability to access device cache files. The permissions are set by the local system administrator when lsof is installed. The first and rarer permission is setuid-root. It comes into effect when lsof is executed; its effective UID is then root, while its real (i.e., that of the logged-on user) UID is not. The lsof distribution recommends that versions for these dialects run setuid-root. HP-UX 11.11 and 11.23 Linux The second and more common permission is setgid. It comes into effect when the effective group IDentification number (GID) of the lsof process is set to one that can access kernel memory devices - e.g., kmem&, sys&, or system&. An lsof process that has setgid permission usually surrenders the permission after it has accessed the kernel memory devices. When it does that, lsof can allow more liberal device cache path formations. The lsof distribution recommends that versions for these dialects run setgid and be allowed to surrender setgid permission. AIX 5.[12] and 5.3-ML1 Apple Darwin 7.x Power Macintosh systems FreeBSD 4.x, 4.1x, 5.x and [6789].x for x86-based systems FreeBSD 5.x and [6789].x for Alpha, AMD64 and Sparc64-based systems HP-UX 11.00 NetBSD 1.[456], 2.x and 3.x for Alpha, x86, and SPARC-based systems NEXTSTEP 3.[13] for NEXTSTEP architectures OpenBSD 2.[89] and 3.[0-9] for x86-based systems OPENSTEP 4.x SCO OpenServer Release 5.0.6 for x86-based systems SCO|Caldera UnixWare 7.1.4 for x86-based systems Solaris 2.6, 8, 9 and 10 Tru64 UNIX 5.1 (Note: lsof for AIX 5L and above needs setuid-root permission if its -X option is used.) Lsof for these dialects does not support a device cache, so the permissions given to the executable dont apply to the device cache file. Linux DEVICE CACHE FILE PATH FROM THE -D OPTION The -D option provides limited means for specifying the device cache file path. Its ? function will report the read-only and write device cache file paths that lsof will use. When the -D b, r, and u functions are available, you can use them to request that the cache file be built in a specific location (b[path]); read but not rebuilt (r[path]); or read and rebuilt (u[path]). The b, r, and u functions are restricted under some condi- tions. They are restricted when the lsof process is setuid-root. The path specified with the r function is always read-only, even when it is available. The b, r, and u functions are also restricted when the lsof process runs setgid and lsof doesnt surrender the setgid permission. (See the LSOF PERMISSIONS THAT AFFECT DEVICE CACHE FILE ACCESS section for a list of implementations that normally dont surrender their setgid permission.) A further -D function, i (for ignore), is always available. When available, the b function tells lsof to read device information from the kernel with the stat(2) function and build a device cache file at the indicated path. When available, the r function tells lsof to read the device cache file, but not update it. When a path argument accompanies -Dr, it names the device cache file path. The r function is always available when it is specified without a path name argument. If lsof is not running setuid-root and surrenders its setgid permission, a path name argument may accompany the r function. When available, the u function tells lsof to attempt to read and use the device cache file. If it cant read the file, or if it finds the contents of the file incorrect or outdated, it will read information from the kernel, and attempt to write an updated version of the device cache file, but only to a path it considers legitimate for the lsof process effective and real UIDs. DEVICE CACHE PATH FROM AN ENVIRONMENT VARIABLE Lsof's second choice for the device cache file is the contents of the LSOFDEVCACHE environment variable. It avoids this choice if the lsof process is setuid-root, or the real UID of the process is root. A further restriction applies to a device cache file path taken from the LSOFDEVCACHE environment variable: lsof will not write a device cache file to the path if the lsof process doesnt surrender its setgid permission. (See the LSOF PERMISSIONS THAT AFFECT DEVICE CACHE FILE ACCESS section for information on implementations that dont surrender their setgid permission.) The local system administrator can disable the use of the LSOFDEVCACHE environment variable or change its name when building lsof. Consult the output of -D? for the environment variable's name. SYSTEM-WIDE DEVICE CACHE PATH The local system administrator may choose to have a system-wide device cache file when building lsof. That file will generally be constructed by a special system administration procedure when the system is booted or when the contents of /dev or /devices) changes. If defined, it is lsof's third device cache file path choice. You can tell that a system-wide device cache file is in effect for your local installation by examining the lsof help option output - i.e., the output from the -h or -? option. Lsof will never write to the system-wide device cache file path by default. It must be explicitly named with a -D function in a root-owned procedure. Once the file has been written, the procedure must change its permission modes to 0644 (owner-read and owner-write, group-read, and other-read). PERSONAL DEVICE CACHE PATH (DEFAULT) The default device cache file path of the lsof distribution is one recorded in the home directory of the real UID that executes lsof. Added to the home directory is a second path component of the form .lsof_hostname. This is lsof's fourth device cache file path choice, and is usually the default. If a system-wide device cache file path was defined when lsof was built, this fourth choice will be applied when lsof cant find the system-wide device cache file. This is the only time lsof uses two paths when reading the device cache file. The hostname part of the second component is the base name of the executing host, as returned by gethostname(2). The base name is defined to be the characters preceding the first . in the gethostname(2) output, or all the gethostname(2) output if it contains no .. The device cache file belongs to the user ID and is readable and writable by the user ID alone - i.e., its modes are 0600. Each dis- tinct real user ID on a given host that executes lsof has a distinct device cache file. The hostname part of the path distinguishes device cache files in an NFS-mounted home directory into which device cache files are written from several different hosts. The personal device cache file path formed by this method represents a device cache file that lsof will attempt to read, and will attempt to write should it not exist or should its contents be incorrect or outdated. The -Dr option without a path name argument will inhibit the writing of a new device cache file. The -D? option will list the format specification for constructing the personal device cache file. The conversions used in the for- mat specification are described in the 00DCACHE file of the lsof distribution. MODIFIED PERSONAL DEVICE CACHE PATH If this option is defined by the local system administrator when lsof is built, the LSOFPERSDCPATH environment variable contents may be used to add a component of the personal device cache file path. The LSOFPERSDCPATH variable contents are inserted in the path at the place marked by the local system administrator with the %p& conversion in the HASPERSDC format specification of the dialect's machine.h header file. (Its placed right after the home directory in the default lsof distribution.) Thus, for example, if LSOFPERSDCPATH contains LSOF&, the home directory is /Homes/abe&, the host name is lsof.itap.pur-, and the HASPERSDC format is the default (%h/%p.lsof_%L&), the modified personal device cache file path is: /Homes/abe/LSOF/.lsof_vic The LSOFPERSDCPATH environment variable is ignored when the lsof process is setuid-root or when the real UID of the process is root. Lsof will not write to a modified personal device cache file path if the lsof process doesnt surrender setgid permission. (See the LSOF PERMISSIONS THAT AFFECT DEVICE CACHE FILE ACCESS section for a list of implementations that normally dont surrender their setgid permission.) If, for example, you want to create a sub-directory of personal device cache file paths by using the LSOFPERSDCPATH environment vari- able to name it, and lsof doesnt surrender its setgid permission, you will have to allow lsof to create device cache files at the standard personal path and move them to your subdirectory with shell commands. The local system administrator may: disable this option when lsof is built; change the name of the environment variable from LSOFPERS- DCPATH to something else; change the HASPERSDC format to include the personal path component in another place; or exclude the personal path component entirely. Consult the output of the -D? option for the environment variable's name and the HASPERSDC format specifi- cation. DIAGNOSTICS Errors are identified with messages on the standard error file. Lsof returns a one (1) if any error was detected, including the failure to locate command names, file names, Internet addresses or files, login names, NFS files, PIDs, PGIDs, or UIDs it was asked to list. If the -V option is specified, lsof will indicate the search items it failed to list. It returns a zero (0) if no errors were detected and if it was able to list some information about all the specified search arguments. When lsof cannot open access to /dev (or /devices) or one of its subdirectories, or get information on a file in them with stat(2), it issues a warning message and continues. That lsof will issue warning messages about inaccessible files in /dev (or /devices) is indi- cated in its help output - requested with the -h or >B -? options - with the message: Inaccessible /dev warnings are enabled. The warning message may be suppressed with the -w option. It may also have been suppressed by the system administrator when lsof was compiled by the setting of the WARNDEVACCESS definition. In this case, the output from the help options will include the message: Inaccessible /dev warnings are disabled. Inaccessible device warning messages usually disappear after lsof has created a working device cache file.


    For a more extensive set of examples, documented more fully, see the 00QUICKSTART file of the lsof distribution.

    all open files: lsof

    Internet, x.25 (HP-UX), and UNIX domain files: lsof -i -U

    IPv4 network files in use by the process whose PID is 1234: lsof -i 4 -a -p 1234

    IPv6 network files: lsof -i 6

    files using any protocol on ports 513, 514, or 515 of host, use: lsof -i

    any protocol on any port of this host : lsof -i hostname

     > lsof -i @hostname
    ssh     1401 dgerman    3u  IPv4 0x976a838ec8af3acf      0t0  TCP smackerpro.germans:50978-> (ESTABLISHED)

    to Another host
    ftp> !lsof -i
    ssh     1621 dgerman    3u  IPv4 0x976a838edb41aeaf      0t0  TCP smackerpro.germans:51186-> (ESTABLISHED)
    ftp     1650 dgerman    3u  IPv4 0x976a838ec8af55b7      0t0  TCP smackerpro.germans:51194-> (ESTABLISHED)

    For login name abe , user ID 1234, process 456, process 123, or process 789: lsof -p 456,123,789 -u 1234,abe

    On device /dev/hd4 lsof /dev/hd4

    The process that has /u/abe/foo open: lsof /u/abe/foo

    Send SIGHUP to the processes that have /u/abe/bar open: kill -HUP lsof -t /u/abe/bar

    A open UNIX domain socket file, with the name /dev/log: lsof /dev/log

    Processes with open files on the NFS file system named /nfs/mount/point whose server is inaccessible, and presuming your mount table supplies the device number for /nfs/mount/point: lsof -b /nfs/mount/point

         suppress warning messages : lsof -bw /nfs/mount/point

    Ignore the device cache file: lsof -Di

    Obtain PID and command name field output for each process, file descriptor, file device number, and file inode number for each file of each process: lsof -FpcfDi

    List the files at descriptors 1 and 3 of every process running the lsof command for login ID abe every 10 seconds: lsof -c lsof -a -d 1 -d 3 -u abe -r10

    list the current working directory of processes running a command that is exactly four characters long and has an o or O in character three, use this regular expression form of the -c: lsof -c /^..o.$/i -a -d cwd

    an IP version 4 socket file by its associated numeric dot-form address: lsof -i@

    find an IP version 6 socket file (when the UNIX dialect supports IPv6) by its associated numeric colon-form address: lsof -i@[0:1:2:3:4:5:6:7]

    IP version 6 socket file (when the UNIX dialect supports IPv6) by an associated numeric colon-form address that has a run of zeroes in it - e.g., the loop-back address: lsof -i@[::1]

    obtain a repeat mode marker line that contains the current time: lsof -rm====%T====

    add spaces to the previous marker line: lsof -r "m==== %T ===="


    BUGS lsof reads kernel memory in its search for open files, rapid changes in kernel memory may produce unpredictable results.

    When a file has multiple record locks, the lock status character (following the file descriptor) is derived from a test of the first lock structure, not from any combination of the individual record locks that might be described by multiple lock structures.

    Lsof cant search for files with restrictive access permissions by name unless it is installed with root set-UID permission. Otherwise it is limited to searching for files to which its user or its set-GID group (if any) has access permission.

    The display of the destination address of a raw socket (e.g., for ping) depends on the UNIX operating system. Some dialects store the destination address in the raw socket's protocol control block, some do not.

    Lsof cant always represent Solaris device numbers in the same way that ls(1) does. For example, the major and minor device numbers that the lstat(2) and stat(2) functions report for the directory on which CD-ROM files are mounted (typically /cdrom) are not the same as the ones that it reports for the device on which CD-ROM files are mounted (typically /dev/sr0). (Lsof reports the directory numbers.)

    The support for /proc file systems is available only for BSD and Tru64 UNIX dialects, Linux, and dialects derived from SYSV R4 - e.g., FreeBSD, NetBSD, OpenBSD, Solaris, UnixWare.

    Some /proc file items - device number, inode number, and file size - are unavailable in some dialects. Searching for files in a /proc file system may require that the full path name be specified.

    No text (txt) file descriptors are displayed for Linux processes. All entries for files other than the current working directory, the root directory, and numerical file descriptors are labeled mem descriptors.

    Lsof can't search for Tru64 UNIX named pipes by name, because their kernel implementation of lstat(2) returns an improper device number for a named pipe.

    Lsof can't report fully or correctly on HP-UX 9.01, 10.20, and 11.00 locks because of insufficient access to kernel data or errors in the kernel data. See the lsof FAQ (The FAQ section gives its location.) for details.

    The ±f[cfgGn] is not supported under /proc-based Linux lsof, because it doesn't read kernel structures from kernel memory.


    $LANG defines a language locale. See setlocale e.g., LC_ALL, LC_TYPE, etc.
    $LSOFDEVCACHE the path to a device cache file. See the DEVICE CACHE PATH FROM AN ENVIRONMENT VARIABLE section for more information. $LSOFPERSDCPATH the middle component of a modified personal device cache file path. See the MODIFIED PERSONAL DEVICE CACHE PATH section for more information.


    Frequently-asked questions and their answers are available in the 00FAQ file of the lsof distribution. available via anonymous ftp from


    /dev/kmem kernel virtual memory device
    /dev/mem physical memory device
    /dev/swap system paging device
    lsof_hostname lsof's device cache file (The suffix, hostname, is the first component of the host's name returned by gethostname(2).) See access(2), awk(1), crash(1), fattach(3C), ff(1), fstat(8), fuser(1), gethostname(2), isprint(3), kill(1), localtime(3), lstat(2), modload(8), mount(8), netstat(1), ofiles(8L), perl(1), ps(1), readlink(2), setlocale(3), stat(2), strftime(3), time(2), uname(1).



    smackerpro 8/4/14
    lsof -i
    UserEvent   204 dgerman    7u  IPv4 0x5c086aaa24351191      0t0  UDP *:*
    SystemUIS   213 dgerman    7u  IPv4 0x5c086aaa24350439      0t0  UDP *:*
    sharingd    231 dgerman   12u  IPv4 0x5c086aaa24350809      0t0  UDP *:*
    ssh        5246 dgerman    3u  IPv4 0x5c086aaa256a0e69      0t0  TCP> (CLOSED)
    ssh       19420 dgerman    3u  IPv4 0x5c086aaa39cb4e69      0t0  TCP slammerfox.germans:61435-> (CLOSED)
    ssh       37304 dgerman    3u  IPv4 0x5c086aaa2b76ce69      0t0  TCP smackerpro.germans:63625-> (ESTABLISHED)
    ssh       40559 dgerman    3u  IPv4 0x5c086aaa2b701651      0t0  TCP> (CLOSED) 45247 dgerman   12u  IPv4 0x5c086aaa2a94be69      0t0  TCP smackerpro.germans:49670-> (ESTABLISHED) 45247 dgerman   13u  IPv4 0x5c086aaa2a959651      0t0  TCP smackerpro.germans:49671-> (ESTABLISHED) 45247 dgerman   17u  IPv4 0x5c086aaa2a94be69      0t0  TCP smackerpro.germans:49670-> (ESTABLISHED) 45247 dgerman   18u  IPv4 0x5c086aaa2a959651      0t0  TCP smackerpro.germans:49671-> (ESTABLISHED) 45247 dgerman   20u  IPv4 0x5c086aaa2a958e69      0t0  TCP smackerpro.germans:49672-> (ESTABLISHED) 45247 dgerman   21u  IPv4 0x5c086aaa2a958e69      0t0  TCP smackerpro.germans:49672-> (ESTABLISHED)
    ssh       45269 dgerman    3u  IPv4 0x5c086aaa2a288e69      0t0  TCP> (CLOSED)
    ssh       52305 dgerman    3u  IPv4 0x5c086aaa26ca2e69      0t0  TCP> (CLOSED)
    thunderbi 55630 dgerman   59u  IPv4 0x5c086aaa2b979e69      0t0  TCP smackerpro.germans:63616-> (ESTABLISHED)
    thunderbi 55630 dgerman   60u  IPv4 0x5c086aaa24794e69      0t0  TCP smackerpro.germans:63617-> (ESTABLISHED)
    ssh       60693 dgerman    3u  IPv4 0x5c086aaa2ba8d651      0t0  TCP smackerpro.germans:51281-> (CLOSED)
    ssh       65768 dgerman    3u  IPv4 0x5c086aaa257d8651      0t0  TCP kitchen.germans:58667-> (CLOSED)
    ssh       68409 dgerman    3u  IPv4 0x5c086aaa2b353651      0t0  TCP smackerpro.germans:58718-> (CLOSED)
    CIJScanne 77133 dgerman    4u  IPv4 0x5c086aaa2a5469f1      0t0  UDP *:58348
    CIJScanne 77133 dgerman    5u  IPv4 0x5c086aaa2ba9f379      0t0  UDP *:59373
    ssh       82907 dgerman    3u  IPv4 0x5c086aaa257d7e69      0t0  TCP smackerpro.germans:55109-> (CLOSED)
    ssh       94640 dgerman    3u  IPv4 0x5c086aaa2ba8ce69      0t0  TCP smackerpro.germans:53255-> (CLOSED)
    WakeOnLan 99904 dgerman   19u  IPv4 0x5c086aaa29f97621      0t0  UDP *:63967
    WakeOnLan 99904 dgerman   30u  IPv4 0x5c086aaa2b60a191      0t0  UDP *:56540