Advertisement

Monday man page: lsof

Michael Rose
Editor
Updated ·6 min read

Happy hangover Monday everyone! To soothe those post-big-game blues, here's this week's man page -- lsof, the LiSt Open Files tool. If you're trying to figure out why a removable drive won't unmount or track down a stray outbound network connection, this is the tool for you. Note: If you want to stay out of the command line but still accomplish some of the same tasks, a reader suggests you check out Sloth.

Written by Vic Abell of Purdue University (now retired), the power and flexibility of lsof has given it the distinction of reputedly having more command-line flags than any other tool:

lsof [ -?abChlnNOPRstUvVX ] [ -A A ] [ -c c ] [ +c c ] [ +|-d d ] [ +|-D D ] [ +|-f [cfgGn] ] [ -F [f] ] [ -g [s] ] [ -i [i] ] [ -k k ] [ +|-L [l] ] [ +|-m m ] [ +|-M ] [ -o [o] ] [ -p s ] [ +|-r [t] ] [ -S [t] ] [ -T [t] ] [ -u s ] [ +|-w ] [ -x [fl] ] [ -z [z] ] [ -- ] [names]

Yee-ikes. Let's get two quick tips taken care of before we move on to the details. First, you probably don't ever want to run lsof with no options specified, as that will generate a list of every open file on your machine (likely thousands of lines). Second, for a quick review of all those options, try lsof -h.

More after the break...


Here's the lsof -h output:
mikerose$ lsof -h
lsof 4.77
latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
usage: [-?abhlnNoOPRstUvV] [+|-c c] [+|-d s] [+D D] [+|-f[cgG]]
[-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+|-M] [-o [o]]
[-p s] [+|-r [t]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
Defaults in parentheses; comma-separated set (s) items; dash-separated ranges.
-?|-h list help -a AND selections (OR) -b avoid kernel blocks
-c c cmd c, /c/[bix] +c w COMMAND width (9)
+d s dir s files -d s select by FD set +D D dir D tree *SLOW?*
-i select IPv[46] files -l list UID numbers
-n no host names -N select NFS files -o list file offset
-O avoid overhead *RISK -P no port names -R list paRent PID
-s list file size -t terse listing -T disable TCP/TPI info
-U select Unix socket -v list version info -V verbose search
+|-w Warnings (+) -- end option scan
+f|-f +filesystem or -file names +|-f[cgG] Ct flaGs
-F [f] select fields; -F? for help
+|-L [l] list (+) suppress (-) link counts < l (0 = all; default = 0)
+|-M portMap registration (-) -o o o 0t offset digits (8)
-p s exclude(^)|select PIDs -S [t] t second stat timeout (15)
-T fqs TCP/TPI Fl,Q,St (s) info
-g [s] exclude(^)|select and print process group IDs
-i i select by IPv[46] address: [46][proto][@host|addr][:svc_list|port_list]
+|-r [t] repeat every t seconds (15); + until no files, - forever
-u s exclude(^)|select login|UID set s
-x [fl] cross over +d|+D File systems or symbolic Links
names select named files or files on named file systems
Only root can list all files; /dev warnings disabled; kernel ID check disabled.

OK, let's take a deep breath... the most basic use of lsof is to show open files on a volume, or to determine what process or user has a specific file open, especially when you're trying to unmount a removable volume.



The only thing you need to do is provide the path to the volume, device or file and go to town:

mikerose$ lsof /Volumes/Removable
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
Finder 459 mikerose 16r DIR 14,6 68 25 /Volumes/Removable/.Trashes/550
Finder 459 mikerose 17r DIR 14,6 272 2 /Volumes/Removable
Word 4956 mikerose 21u REG 14,6 19456 28 /Volumes/Removable/test.doc

Aha! I have to close that pesky Word file. If I want to turn that around and search for open files by command or process ID, that would be the -c or -p options respectively. The Spotlight indexer process, mdimport, is a good bet for lots of open files:

mikerose$ lsof -c mdimport
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
mdimport 5104 mikerose cwd DIR 14,2 1428 2 /
mdimport 5104 mikerose txt REG 14,2 155676 6866 /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mdimport
mdimport 5104 mikerose txt REG 14,2 81316 3215 /System/Library/CoreServices/CharacterSets/CFUnicodeData-L.mapping
mdimport 5104 mikerose txt REG 14,2 352454 3212 /System/Library/CoreServices/CharacterSets/CFCharacterSetBitmaps.bitmap
mdimport 5104 mikerose txt REG 14,2 17688 3213 /System/Library/CoreServices/CharacterSets/CFUniCharPropertyDatabase.data
mdimport 5104 mikerose txt REG 14,2 48016 11677 /System/Library/Spotlight/RichText.mdimporter/Contents/MacOS/RichText
mdimport 5104 mikerose txt REG 14,2 50980 2275464 /Library/Spotlight/Microsoft Entourage.mdimporter/Contents/MacOS/Microsoft Entourage
...

OK, open files, nice enough -- but remember that almost everything on a UNIX-like system is represented by a file. Network sockets, for example...

mikerose$ lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
GrowlHelp 466 mikerose 6u IPv4 0x4e14394 0t0 TCP *:23052 (LISTEN)
GrowlHelp 466 mikerose 10u IPv4 0x447e2b0 0t0 UDP *:9887
firefox-b 1313 mikerose 34u IPv4 0x7001e08 0t0 TCP 192.168.1.4:51805->ug-in-f93.google.com:http (ESTABLISHED)
firefox-b 1313 mikerose 35u IPv4 0x4c0ea8c 0t0 TCP 192.168.1.4:50816->199.239.137.245:http (ESTABLISHED)
Adium 2994 mikerose 13u IPv4 0x4ea65a4 0t0 TCP *:5298 (LISTEN)
Adium 2994 mikerose 14u IPv4 0x48a5c9c 0t0 TCP 192.168.1.4:50532->64.12.26.62:aol (ESTABLISHED)
Adium 2994 mikerose 15u IPv4 0x4ff2710 0t0 TCP 192.168.1.4:50531->205.188.9.98:aol (ESTABLISHED)
Adium 2994 mikerose 19u IPv4 0x48a5920 0t0 TCP 192.168.1.4:50541->oam-m03b.blue.aol.com:aol (ESTABLISHED)

It's clear that I've got Adium running and it's holding open connections to AOL, which is as it should be. I could run Little Snitch or GlowWorm to monitor my outgoing network activity, but lsof is always there to pitch in.

With the ability to chain open file searches and pipe results to grep, there are literally thousands of combinations for lsof use. Apple thoughtfully hosts the full source and documentation, including the very helpful quickstart file, for the version of lsof that ships with OS X at the opensource.apple.com site. For more great lsof tips and detailed usage info, check out:

http://dmiessler.com/study/nix/commands/lsof/
http://enterprise.linux.com/article.pl?sid=05/10/21/004255&tid=89
http://sial.org/howto/debug/unix/lsof/
http://www.akadia.com/services/lsof_intro.html