2003_10_10.html lsof

(OLDER) <- More Stuff -> (NEWER) (NEWEST)
Printer Friendly Version

2003/10/10 lsof

List Open Files.

This is much more than it sounds like. It is similar to "fuser", but has much more power. I often use it to find processes using specific network ports:

bash-2.05a$ lsof -i:22
COMMAND PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
ssh     397  apl    3u  inet 0x0279421c      0t0  TCP 10.0.0.14:49155->mine:ssh (ESTABLISHED)
ssh     408  apl    3u  inet 0x027944cc      0t0  TCP 10.0.0.14:49202->website:ssh (ESTABLISHED)

When invoked for a specific process, it will show very useful information:

bash-2.05a$ lsof -p 473
COMMAND PID USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
vi      473  apl  cwd   VDIR   14,5    24576   143413 /Users/apl
vi      473  apl    0u  VCHR    4,4    0t844 37283460 /dev/ttyp4
vi      473  apl    1u  VCHR    4,4    0t844 37283460 /dev/ttyp4
vi      473  apl    2u  VCHR    4,4    0t844 37283460 /dev/ttyp4
vi      473  apl    3r  VREG   14,5       27  1401787 /Users/apl/t
vi      473  apl    4u  VREG   14,5        0  1440474 /private/var/tmp/vi.recover/vi.wqnCL1
vi      473  apl    5u  VREG   14,5        0  1440475 / (/dev/disk0s5)

I can tell from the above that I'm editing /Users/apl/t and that it is 27 bytes long. I'm logged in on ttyp4, and am sitting in /Users/apl. I can see the actual file descriptors in use also. When troubleshooting, lsof can be very handy.

"lsof" is also useful when you need to know if some other process is "done" with a file you want to do something else with. For example, some background process scp's or ftp's a file from somewhere else. You can't process it, move it, look at it, whatever until it is complete, so use lsof (or fuser) to see if any process has the file open. Often that would be some loop like this:

cd /somewhere
while :
do
	for i in *
	do
		test -e $i || break
		lsof $i || dosomethingwith $i
	done
	sleep 3
done

But it doesn't stop there: amazingly enough, lsof can (sometimes) help you recover a deleted file. Conditions have to be right - specifically, some process needs to have the departed loved one open and you need an OS (like Linux) that has /proc. If all that is true, then there's a link in /proc that can be copied. How would you know where that link is? Well, lsof will tell you, of course. You'd just "lsof | grep missingfile" and lsof will tell you everything you need to know about any process that has the file open: process id and file descriptor (fd).

So let's say I'd just stupidly removed ~/IMPORTANTs and belatedly realized that, duh, it's IMPORTANT. What can I do? If I immediately do "lsof ~/IMPORTANT", I see I'm in luck:

COMMAND   PID USER   FD   TYPE DEVICE SIZE    NODE NAME
less    10971 root    4r   REG    3,2   29 2785343 /root/IMPORTANT

I now know that there is a symbolic link in /proc/10971/fd/4:

# ls -l /proc/10971/fd/4
lr-x------    1 root     root           64 Nov 30 06:35 /proc/10971/fd/4 -> /root/IMPORTANT

So I can "cp /proc/10971/fd/4 ~/IMPORTANT" and all is well. How often is this going to save your bacon? Not very often, but it's worth a shot. Realistically, in most cases this won't help. Nothing will have your file open and you would need to take more drastic measures.

Click here to add your comments

Don't miss responses! Subscribe to Comments by RSS or by Email

Click here to add your comments

If you want a picture to show with your comment, go get a Gravatar

Why no "Digg this!" etc.?

Macworld Mobile Mac Superguide $9.99

Take Control of Easy Backups in Leopard

Take Control of Fonts in Leopard

Take Control of Screen Sharing in Leopard

Take Control of Permissions in Leopard

Printer Friendly Version

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.

Publishing your articles here

Jump to Comments

Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them. I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. I also may own stock in companies mentioned here. If you have any question, please do feel free to contact me.

Specific links that take you to pages that allow you to purchase the item I reviewed are very likely to pay me a commission. Many of the books I review were given to me by the publishers specifically for the purpose of writing a review. These gifts and referral fees do not affect my opinions; I often give bad reviews anyway.

We use Google third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here.

Printer Friendly Version

More:

- Networking

- Misc.

Unix/Linux Consultants

Skills Tests

Guest Post Here

My Favorites