What does lsof do?

lsof is a command meaning “list open files”, which is used in many Unix-like systems to report a list of all open files and the processes that opened them.

 

Introduction to lsof

Simply typing lsof will provide a list of all open files belonging to all active processes.

# lsof

COMMAND  PID       USER   FD      TYPE     DEVICE  SIZE/OFF       NODE NAME
init       1       root  cwd       DIR        8,1      4096          2 /
init       1       root  txt       REG        8,1    124704     917562 /sbin/init
init       1       root    0u      CHR        1,3       0t0       4369 /dev/null
init       1       root    1u      CHR        1,3       0t0       4369 /dev/null
init       1       root    2u      CHR        1,3       0t0       4369 /dev/null
init       1       root    3r     FIFO        0,8       0t0       6323 pipe
...

By default One file per line is displayed. Most of the columns are self explanatory. We will explain the details about couple of cryptic columns (FD and TYPE).

FD – Represents the file descriptor. Some of the values of FDs are,

  • cwd – Current Working Directory
  • txt – Text file
  • mem – Memory mapped file
  • mmap – Memory mapped device
  • NUMBER – Represent the actual file descriptor. The character after the number i.e ’1u’, represents the mode in which the file is opened. r for read, w for write, u for read and write.

 

  • TYPE – Specifies the type of the file. Some of the values of TYPEs are,
  • REG – Regular File
  • DIR – Directory
  • FIFO – First In First Out
  • CHR – Character special file

List processes which opened a specific file

You can list only the processes which opened a specific file, by providing the filename as arguments.

# lsof /var/log/syslog

COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
rsyslogd 488 syslog    1w   REG    8,1     1151 268940 /var/log/syslog

source: thegeekstuff.com/2012/08/lsof-command-examples/