AIX 3.2.4, 3.2.5, 4.1, 4.1.1, and 4.1.2 for the IBM
RISC/System 6000
DC/OSx 1.1 for Pyramid ES, Nile, and S series
DYNIX 3.0.12 (Purdue version) for the Sequent Symmetry
EP/IX 2.1.1 for the CDC 4680
FreeBSD 1.1.5.1, 2.0, and 2.0.5 for Intel-based systems
HP-UX 8.x, 9.x, and 10 for HP systems
IRIX 4.0.5H, 5.2, 5.3, and 6.0 for SGI systems
Linux through 1.2.11 for Intel-based systems
Motorola V/88 for R32V3, R40V4.2, and R40V4.3 M88K systems
NetBSD 1.0 and 1.0A for Intel and SPARC-based systems
NEXTSTEP 2.1 and 3.[0123], all architectures
Novell UnixWare 1.1, 1.1.1, and 1.1.2 for Intel-based
systems
OSF/1 1.3, 2.0, 3.0, and 3.2 for DEC Alpha
PTX 2.1.[156] and 4.0.[23] for Sequent systems
RISC/os 4.52 for MIPS R2000-based systems
SCO OpenDesktop or OpenServer 1.1, 3.0, and 5.0 for
Intel-based systems
Solaris 2.[1234]
SunOS 4.1.[1234]
Ultrix 2.2, 4.2, 4.3, and 4.4 for DEC RISC and VAX
An open file may be a regular file, a directory, a block special file, a character special file, an executing text reference, a library, a stream or a network file (Internet socket, NFS file or Unix domain socket.) A specific file or all the files in a file system may be selected by path.
Instead of a formatted display, lsof will produce output that can be parsed by other programs. See the -F, option description, and the OUTPUT FOR OTHER PROGRAMS section for more information.
In addition to producing a single output list, lsof will run in repeat mode. In repeat mode it will produce output, delay, then repeat the output operation until stopped with an interrupt or quit signal. See the -r [t] option description for more information.
Lsof may work on other Unix dialects - e.g., AIX 3.2.3, EP/IX 1.4.3, FreeBSD 1.0e, HP-UX 7.x, IRIX 5.1.1, NEXTSTEP 2.[01], and SunOS 4.1 - but has not been tested on any of them recently.
If any list request option is specified, other list requests must be specifically requested - e.g., if -n is specified for the listing of Internet and x.25 (HP-UX) network files, NFS files won't be listed unless -N is also specified; or if a user list is specified with the -u option, Internet and x.25 (HP-UX) network files and Unix domain socket files, belonging to users not in the list, won't be listed unless the -n and -U options are also specified.
Normally list options that are specifically stated are ORed - i.e., specifying the -n and -ufoo options produces a listing of all network files OR files belonging to processes owned by user ``foo''. The -a option may be used to AND the selections. For example, specifying -a, -n, and -ufoo produces a listing of only network files that belong to processes owned by user ``foo''.
Caution: the -a option causes all list selection options to be ANDed; it can't be used to cause ANDing of selected pairs of selection options by placing it between them, even though its placement there is acceptable. Wherever -a is placed, it causes the ANDing of all selection options.
Items of the same selection set - command names, file descriptors, network addresses, process identifiers, user identifiers - are joined in a single ORed set and applied before the result participates in ANDing. Thus, for example, specifying -i@aaa.bbb, -i@ccc.ddd, -a, and -ufff,ggg will select the listing of files that belong to either login ``fff'' OR ``ggg'' AND have network connections to either host aaa.bbb OR ccc.ddd.
Values are optional following several options: -F, -g, -r, and -S. When you have no values for these options, be careful that the following character isn't ambiguous. For example, -Fn might represent the -F and -n options, or it might represent the n field identifier character following the -F option. When ambiguity is possible, start a new option with a `-' character - e.g., ``-F -n''. If the next option is a file name, follow the possibly ambiguous option with ``--'' - e.g., ``-F -- name''.
b - build the device cache
i - ignore the device cache
r - read the device cache
u - read and update the device cache
protocol is a protocol name - e.g., TCP.
hostname is an Internet host name.
hostaddr is an Internet host address in dot form.
service is an /etc/services name - e.g., smtp.
port is a port number.
TCP:25 - TCP and port 25
@1.2.3.4 - Internet host address 1.2.3.4
UDP:who - UDP who service port
TCP@vic.cc:513 - TCP, port 513 and host name vic.cc
The last line of the help output, presented in response to the -? or -h option, gives the security mode status.
If the lsof user declares alternate kernel name list or memory files with the -c and -k options, lsof will check the user's authority to read them with access(2). This prevents whatever special power lsof's modes might confer on it from letting it read files not normally accessible via the authority of the real user ID.
cwd current working directory;
Lnn library references;
ltx shared library text (code and data);
Mxx hex memory-mapped type number xx.
m86 DOS Merge mapped file;
mem memory-mapped file;
pd parent directory;
rtd root directory;
txt program text (code and data);
v86 VP/ix mapped file;
Each unit of information is output in a field that is identified with a leading character and terminated by a NL (012) (or a NUL (000) if the 0 (zero) field identifier character is specified.) The data of the field follows immediately after the field identification character and extends to the field terminator.
It is possible to think of field output as process and file sets. A process set begins with a field whose identifier is `p' (for process IDentifier (PID)). It extends to the beginning of the next PID field or the beginning of the first file set of the process, whichever comes first. Included in the process set are fields that identify the command, the process group IDentification (PGRP) number, and the user ID (UID) number or login name.
A file set begins with a field whose identifier is `f' (for file descriptor). It is followed by lines that describe the file's access mode, lock state, type, device, size, offset, inode, protocol, name and stream module names. It extends to the beginning of the next file or process set, whichever comes first.
When the NUL (000) field terminator has been selected with the 0 (zero) field identifier character, lsof ends each process and file set with a NL (012) character.
Lsof always produces one field, the PID (`p') field. All other fields may be declared optionally in the field identifier character list that follows the -F option.
It is entirely possible to select a set of fields that cannot easily be parsed - e.g., if the field descriptor field is not selected, it may be difficult to identify file sets. To help you avoid this difficulty, lsof supports the -F option; it selects the output of all fields with NL terminators (the -F0 option pair selects the output of all fields with NUL terminators).
These are the fields that lsof will produce. The single character listed first is the field identifier.
a file access mode
c process command name
d file's device character code
D file's major/minor device number (0x<hexadecimal>)
f file descriptor
i file's inode number
l file's lock status
L process login name
m marker between repeated output
n file name, comment, Internet address
o file's offset (0t<decimal> or 0x<hexadecimal>)
p process ID (always selected)
g process group ID
P protocol name
s file's size
S file's stream identification
t file's type
u process user ID
0 use NUL field terminator character in place of NL
You can get on-line help information on these characters and their descriptions by specifying the -F? option pair. (Escape the `?' character as your shell requires.) Additional information on field content can be found in the OUTPUT section.
As an example, ``-F pcfn'' will select the process ID (`p'), command name (`c'), file descriptor (`f') and file name (`n') fields with an NL field terminator character; ``-F pcfn0'' selects the same output with a NUL (000) field terminator character.
Lsof doesn't produce all fields for every process or file set, only those that are available. Some fields are mutually exclusive: file device characters and file major/minor device numbers; file inode number and protocol name; file name and stream identification; file size and offset. One or the other member of these mutually exclusive sets will appear in field output, but not both.
Normally lsof ends each field with a NL (012) character. The 0 (zero) field identifier character may be specified to change the field terminator character to a NUL (000). A NUL terminator may be easier to process with xargs (1), for example, or with programs whose quoting mechanisms may not easily cope with the range of characters in the field output. When the NUL field terminator is in use, lsof ends each process and file set with a NL (012).
Two aids to producing programs that can process lsof field output are included in the lsof distribution. The first is a C header file, lsof_fields.h, that contains symbols for the field identification characters, indexes for storing them in a table, and explanation strings that may be compiled into programs. Lsof uses this header file.
The second aid is a set of sample scripts that process field output, written in awk, perl 4, and perl 5. They're located in the scripts subdirectory of the lsof distribution.
Lsof attempts to break these blocks with timers and child processes, but the techniques are not wholly reliable. When lsof does manage to break a block, it will report the break with an error message. The messages may be suppressed with the -t and -w options.
The default timeout value may be displayed with the -? or -h option, and it may be changed with the -S [t] option. The minimum for t is two seconds, but you should avoid small values, since slow system responsiveness can cause short timeouts to expire unexpectedly and perhaps stop lsof before it can produce any output.
When lsof has to break a block during its access of mounted file system information, it normally continues, although with less information available to display about open files.
You can use the -b option to tell lsof to avoid using kernel functions that would block. Some cautions apply.
First, using this option usually requires that your system supply alternate device numbers in place of the device numbers that lsof would normally obtain with the lstat(2) and stat(2) kernel functions. See the ALTERNATE DEVICE NUMBERS section for more information on alternate device numbers.
Second, you can't specify names for lsof to locate unless they're file system names. This is because lsof needs to know the device and inode numbers of files listed with names in the lsof options, and the -b option prevents lsof from obtaining them. Moreover, since lsof only has device numbers for the file systems that have alternates, its ability to locate files on file systems depends completely on the availability and accuracy of the alternates. If no alternates are available, or if they're incorrect, lsof won't be able to locate files on the named file systems.
Third, if the names of your file system directories that lsof obtains from your system's mount table are symbolic links, lsof won't be able to resolve the links. This is because the -b option causes lsof to avoid the kernel readlink(2) function it uses to resolve symbolic links.
Finally, using the -b option causes lsof to issue warning messages when it needs to use the kernel functions that the -b option directs it to avoid. You can suppress these messages by specifying the -w option, but if you do, you won't see the alternate device numbers reported in the warning messages.
On some dialects, when lsof has to break a block because it can't get information about a mounted file system via the lstat(2) and stat(2) kernel functions, or because you specified the -b option, lsof can obtain some of the information it needs - the device number and possibly the file system type - from the system mount table. When that is possible, lsof will report the device number it obtained. (You can suppress the report by specifying the -w option.)
You can assist this process if your mount table is supported with an /etc/mtab or /etc/mnttab file that contains an options field by adding a ``dev=xxxx'' field for mount points that do not have one in their options strings.
The ``xxxx'' portion of the field is the hexadecimal value of the file system's device number. (Consult the st_dev field of the output of the lstat(2) and stat(2) functions for the appropriate values for your file systems.) Here's an example from an SGI IRIX 5.2 /etc/mtab for a file system remotely mounted via NFS:
... nfs rw,grpid,intr,nodevs,retry=6,dev=00100007 ...
There's an advantage to having ``dev=xxxx'' entries in your mount table file, especially for file systems that are mounted from remote NFS servers. When a remote server crashes and you want to identify its users by running lsof on one of its clients, lsof probably won't be able to get output from the lstat(2) and stat(2) functions for the file system. If it can obtain the file system's device number from the mount table, it will be able to display the files open on the crashed NFS server.
Some dialects that do not use an ASCII /etc/mtab or /etc/mnttab file for the mount table may still provide an alternative device number in their internal mount tables. This includes AIX, DEC OSF/1, FreeBSD, NetBSD, and Ultrix. Lsof knows how to obtain the alternative device number for these dialects and uses it when its attempt to lstat(2) or stat(2) the file system is blocked.
If you're not sure your dialect supplies alternate device numbers for file systems from its mount table, use this lsof incantation to see if it reports any alternate device numbers:
Look for standard error file warning messages that begin ``assuming "dev=xxxx" from ...''.
Lsof is able to examine the kernel's name cache on some dialects and extract recently used path name components from it. Lsof reports the ones it finds in the NAME column, starting with the file system name, followed by a space, two `-' characters, another space, and the name components it has located, separated by the `/' character.
Lsof can report path name components for these dialects:
DYNIX 3.0.12 (Purdue version)
EP/IX 2.1.1
FreeBSD 1.1.5.1, 2.0, and 2.0.5
HP-UX 9.x and 10
Motorola V/88 R40V4.2
NetBSD 1.0 and 1.0A
NEXTSTEP 3.[0123]
OSF/1 2.0, 3.0, and 3.2
PTX 2.1.[156] and 4.0.[23]
SGI IRIX 5.3
Solaris 2.[34]
SunOS 4.1.[23]
Ultrix 2.2, 4.2, and 4.3
Lsof can't report path name components for these dialects:
AIX 3.2.4, 3.2.5, 4.1, 4.1.1, and 4.1.2
DC/OSx 1.1
Linux
Motorola V/88 R32V3
Novell UnixWare 1.1, 1.1.1, and 1.1.2
SCO OpenDesktop or OpenServer 1.1 and 3.0
SGI IRIX 4.0.5H, 5.2, and 6.0
Lsof may be able to report path name components for these dialects, but the code hasn't been tested on them:
HP-UX 8.x
NEXTSTEP 2.1
OSF/1 1.3
Solaris 2.[12]
SunOS 4.1.[14]
Ultrix 4.3 and 4.4
If you want to know why lsof can't report path name components for some dialects, consult section 3.1 of the 00FAQ file of the lsof distribution.
Examining all members of the /dev node tree with stat(2) functions can be time consuming. What's more, the information that lsof needs - device number, inode number, and path - rarely changes.
Consequently, at revision 3.19 lsof has begun maintaining an ASCII text file of cached /dev information. The standard path for the device cache file is /tmp/.lsof_dev_cache, but the local system administrator may change the path when lsof is compiled, or the default path for some systems my be slightly shorter. (Consult the output of the -? or -h option for the current default path.)
The -D option provides some control over the cache. It allows you to request that the cache file be built in a specific location (b[path]); ignored (i); read but not rebuilt (r[path]); or read and rebuilt (u[path]).
The u function is the default when no -D option has been specified, using the default device cache file path /tmp/.lsof_dev_cache. This function tells lsof to attempt to read and use the device cache file. If it can't read the file, it will read information from the kernel with stat(2) function calls, then write an updated version of the file.
The device cache file is stored by default in /tmp with read and write permission for owner, group, and user, so any lsof call can access or rebuild it. (You can change the device cache file path with the optional path suffix of the b, r, and u functions.)
Lsof can detect that the file has been accidentally or maliciously modified by several sanity checks, including a sixteen bit Cyclic Redundancy Check (CRC) sum of the file's contents. When lsof senses something wrong with the file, it will attempt to remove the current one and create a new copy.
On those rare occasions when a new device is added to the system, the device cache file may need to be recreated. Since lsof compares the mtime of the device cache file with the mtime and ctime of the device directory (usually /dev) it often can detect that a new device has been added; in that case lsof issues a warning message and rebuilds the device cache file, depending on the function specified in the -D option.
If lsof doesn't update the cache file when you believe it should, use the b function of -D to make it recreate the file.
Lsof returns a one (1) if any error was detected, including the failure to locate any names. It returns a zero (0) if no errors were detected and if it was able to list information about all the specified names.
When lsof cannot open access to /dev (or /device) or one of its subdirectories, it issues a warning message and continues. The warning message may be suppressed with the -w option. It may also have been suppressed by the system administrator when lsof was compiled by the setting of the WARNDEVACCESS definition. In the latter case, the output from lsof's -? or -h option will contain the message:
Warnings are disabled for inaccessible device directories.
To list all open Internet, x.25 (HP-UX), and Unix domain files, use:
To list all files using any protocol on port 513 of host wonderland.cc.purdue.edu, use:
To list all files using any protocol on any port of mace.cc.purdue.edu (cc.purdue.edu is the default domain), use:
To list all open files for login name ``abe'', or user ID 1234, or process 456, or process 123, or process 789, use:
To list all open files on device /dev/hd4, use:
To find the process that has /u/abe/foo open, use:
To send a SIGHUP to the processes that have /u/abe/bar open, use:
To find any open file, including an open Unix domain socket file, with the name /dev/log, use:
To find processes with open files on the NFS file system named /nfs/mount/point whose server is inaccessible, and presuming your mount table supplies the device number for /nfs/mount/point, use:
To do the preceding search with warning messages suppressed, use:
To ignore the device cache file, use:
To read the device cache file named Xyz in the current directory and update it, if necessary, use:
To obtain PID and command name field output for each process, file descriptor, file device number, and file inode number for each file of each process, use:
To list the files at descriptors 1 and 3 of every process running the lsof command for login ID ``abe'' every 10 seconds, use:
The lock status character (following the file descriptor) is derived under AIX from a test of the first filock structure of the gnode (see <sys/flock.h> and <sys/gnode.h>).
Lsof can't search for files with restrictive access permissions by name unless it is installed with root set-UID permission. Otherwise it is limited to searching for files to which its user or its set-GID group (if any) has access permission.
Lsof startup time is long on dialects where scanning the /dev (or /devices) directory and the mount table are slow operations. Where possible - e.g., when the listing of only network files is requested - the scans are avoided or deferred. When the device cache file is in use, scanning /dev is avoided once the cache file has been written.
The display of the destination address of a raw socket (e.g., for ping) depends on the Unix operating system. Some dialects store the destination address in the raw socket's protocol control block, some do not.
Lsof can't always represent Solaris and SunOS device numbers in the same way that ls(1) does. For example, the major and minor device numbers that the lstat(2) and stat(2) functions report for the directory on which CD-ROM files are mounted (typically /cdrom) are not the same as the ones that it reports for the device on which CD-ROM files are mounted (typically /dev/sr0). (Lsof reports the directory numbers.)
The system to which the Ultrix 2.2 port was directed is a local one that has been extensively updated with network features from the 4.3BSD Tahoe and Reno releases, so it may not match a standard Ultrix 2.2 system, if there is any such system still in use.
The support for /proc file systems is available only for BSD and OSF dialects, Linux, and dialects derived from SYSV R4 - e.g., FreeBSD, IRIX 5.[23], NetBSD, Solaris, V/88 R40V4.[23], UnixWare. One SYSV R4 exception is EP/IX 2.1.1, where I have been unable to overcome conflicts between its svr3 and svr4 environments to build an lsof with /proc file system support. Some /proc file items - device number, inode number, and file size - are unavailable in some dialects.
No text (txt) file descriptors are displayed for Linux processes. All entries for files other than the current working directory, the root directory, and numerical file descriptors are labeled mem descriptors.
Vic acknowledges his debt to the work of Dan Bernstein, Michael ``Ford'' Ditto, Tom Dunigan, Alexander Dupuy, Vik Lall, Ray Moody, C. Spencer, Michael Spitzer and those who wrote Berkeley's fstat program, all contributors to lsof's predecessors. Vic thanks Doug McKenzie for his HP-UX proctor program and Rich Kulawiec for pointing it out.
Finally, Vic is grateful to David Addison, Richard Allen, Marc Auslander, Ade Barkah, Anthony Baxter, John Beacom, Bruce Beare, Dave Bianchi, Achim Bohnet, Mark Bonsack, Bill Bormann, Michael Bryan, Bernt Christandl, Hans Petter Christiansen, Axel Clauberg, John Colgrave, Jim Cooper, Dave Curry, Ian Darwin, Hugh Dickins, Casper Dik, Greg Earle, Robert Ehrlich, Doug Eldred, Scott Ellentuch, Tom Endo, Mike Feldman, Bob Foertsch, Mike Fraser, Terry Friedrichsen, David DiGiacomo, Garner Halloran, Adam Hammer, Charles Hannum, Steinar Haug, Paul Hite, J. Nelson Howell, Gerrit Huizenga, John Jackson, Kurt Jaeger, Carl Johnson, Dion Johnson, Peter Jordan, Pasi Kaara, Frank Kaefer, Claus Kalle, Shane Kenney, Steve Kirsch, Przemek Klosowski, Paul Kranenburg, Alex Kreis, Markus Lautenbacher, Steve Lacey, Marty Leisner, Stuart Levy, Wendy Lin, Friedel Loinger, Michael Long, Pete Lord, Bela Lubkin, Horst Luehrsen, Andreas Luik, Michael Mackenzie, Lawrence MacIntyre, Benson Margulies, Claude Marinier, Fletcher Mattox, Dale McCluskey, Sean McDermott, Dwight McKay, William McVey, Jeffrey Mogul, Dave Morrison, Pat Myrto, Allan Nathanson, Chance Neale, Joseph J. Nuspl Jr., Craig B. Olofson, Dave Olson, Mark Peek, Ezra Peisach, Nathan Peterson, Dominique Petitpierre, Francois Pinard, Alex Podlecki, Philippe-Andre Prindeville, David Putz, Tim Ramsey, Stephan Rossi, Kevin Ruderman, Chris Schanzle, Hendrik G. Seliger, Michael Shields, Anthony Shortland, John Silva, Gerry Singleton, Leonard Sitongia, Kevin Smallwood, Douglas R. Smith, Dave Stevens, Jeff Stewart, Andreas Stolcke, Dale Talcott, Andy Thomas, Chris Timmons, Zdenko Tomasic, Linus Torvalds, Lenny Turetsky, Jules van Weerden, Robert Vernon, Jos Vos, Joel White, Patrick Wolfe, James Woodward, and Ron Young for their help in developing and improving lsof.