Open a cache of riches with lsof
Treasure Trove

© Lead Image © Scott Rothstein, 123RF.com
In Linux, everything is a file – directories, devices, pipes – so lsof (list open files) reveals what's happening on your system.
Few Linux utilities are as popular as netstat
, a fantastic tool used to display network connections, routes, and bandwidth statistics gleaned from network interfaces. Not only is netstat very effective and full of features, but I can't count the number of Linux books and Linux training courses that cover its stock commands as must-have knowledge for any newcomers to Linux.
Don't get me wrong, netstat certainly has its place within those tutorials for both advanced and novice users, but I like to think I can turn to a more powerful tool sometimes. You could say that I've neatly slotted netstat into a place where I know I can use it if I want, but I can achieve the same results in most cases with one of its counterparts – and usually much more efficiently.
If I were making a package comparison and using DNS clients, I might say that netstat is the nslookup
to my host
command. That said, I will now backtrack a little and state that my alternative to netstat lacks many of its features and, in fact, isn't really a network information tool at all. However, because of this mighty command's formidable capabilities, I rarely turn to netstat at all.
Shopping Lists
My trusty tool is lsof
, which is short for list open files. In this article, I'll run through the power of this little tool. In fact, thanks to its functionality, lsof is one of the first packages that I install when building a new server.
Additionally, for Debian and Ubuntu users, I'll unveil a little trick that I've been using on production servers for many years, which thanks to the functionality that lsof provides, has meant that I've hit the desired levels of uptime again and again.
On Debian-based boxes, you can install lsof as simply as:
# apt-get install lsof
I've also seen it built into other Linux flavors.
Among other methods, lsof works by reading the processes from the operating system held within the process table. Apparently, it also queries other aspects of the system to relate which information in the process table is associated with which files on the filesystem. In other words, it cleverly brings together two otherwise hard-to-query and disparate areas of a system: the processes and the files these processes use. It's not just bog standard files either; the highly sophisticated lsof has the visibility of NFS (Network Files System) connections, too.
How Does It Help?
Lsof can output a mountain-sized amount of information about what a system is currently doing, which unquestionably needs to be filtered down to become immediately useful and to satisfy my fondness for brevity.
This information includes, for example, the PID (process number unique to a process), the command the process is executing, the owner of the process (the user that spawned it), all the files a process is currently using, and which shared libraries the process has called as dependencies. (I'll cover shared libraries later.) Then, you'll see a file's access mode, whether a file is locked, its device numbers, its inode number, and a file's local and remote network addresses, to name just a little of its output.
Network
Without meaning to disparage the powerful netstat in any way, I'll start by looking at similarities with netstat, or at least some of the functionality that both packages share, including a simple lookup of TCP port 22, a common server port for SSH daemons. The time-honored netstat can see what's going on with the command:
# netstat -lp
Netstat tries to list all listening daemons (not outbound connections, too) with the -l
switch and then offer the PID followed by the name of the program responsible. In Listing 1, it has discovered sshd
, the SSH daemon.
Listing 1
Netstat Output
The reminder about why I prefer lsof for such a simple query is compounded by the speed of the generated output from netstat: lsof just works, whereas netstat seems to take forever. I'm nitpicking here but the netstat
command took a staggering 5.111 seconds according to the time
command.
To be fair to netstat, you tend to filter after the command has been run using grep
(to filter the output) or something similar. So, to see just port 22 for SSH you might enter:
# netstat -pl | grep ssh
However, lsof only needs a little nudge, and in 0.125 seconds I have the information relating to port 22 only:
# lsof -i:22
The output dutifully shows an IPv4 and a IPv6 daemon running in Figure 1. (Note that I run the command intentionally as root to open the trove of privileged ports and processes on a system.)
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
News
-
Fedora 39 Beta is Now Available for Testing
For fans and users of Fedora Linux, the first beta of release 39 is now available, which is a minor upgrade but does include GNOME 45.
-
Fedora Linux 40 to Drop X11 for KDE Plasma
When Fedora 40 arrives in 2024, there will be a few big changes coming, especially for the KDE Plasma option.
-
Real-Time Ubuntu Available in AWS Marketplace
Anyone looking for a Linux distribution for real-time processing could do a whole lot worse than Real-Time Ubuntu.
-
KSMBD Finally Reaches a Stable State
For those who've been looking forward to the first release of KSMBD, after two years it's no longer considered experimental.
-
Nitrux 3.0.0 Has Been Released
The latest version of Nitrux brings plenty of innovation and fresh apps to the table.
-
Linux From Scratch 12.0 Now Available
If you're looking to roll your own Linux distribution, the latest version of Linux From Scratch is now available with plenty of updates.
-
Linux Kernel 6.5 Has Been Released
The newest Linux kernel, version 6.5, now includes initial support for two very exciting features.
-
UbuntuDDE 23.04 Now Available
A new version of the UbuntuDDE remix has finally arrived with all the updates from the Deepin desktop and everything that comes with the Ubuntu 23.04 base.
-
Star Labs Reveals a New Surface-Like Linux Tablet
If you've ever wanted a tablet that rivals the MS Surface, you're in luck as Star Labs has created such a device.
-
SUSE Going Private (Again)
The company behind SUSE Linux Enterprise, Rancher, and NeuVector recently announced that Marcel LUX III SARL (Marcel), its majority shareholder, intends to delist it from the Frankfurt Stock Exchange by way of a merger.