lsof Command in Linux: Find Open Files, Ports, and Processes

If you have ever tried to unmount a filesystem and hit the dreaded “device is busy” error, or needed to find what is holding a port open, lsof is the tool that answers it immediately.

Every file descriptor, every open socket, every process holding a file handle. lsof sees all of it. The name stands for List Open Files. On Linux, that means almost everything: regular files, directories, block files, character files, libraries, streams, and network sockets. The saying “everything is a file” is exactly why lsof is so powerful.

This guide focuses on practical usage. The commands here are ones I actually run on servers when debugging.

Installing lsof

Many distros ship it by default. If not, install it with your package manager. The source is also available on GitHub if you need the latest version.

# Debian / Ubuntu
sudo apt install lsof

# Fedora / RHEL / CentOS
sudo dnf install lsof

# Arch Linux
sudo pacman -S lsof

Verify it is available:

lsof --version

Understanding lsof Output

Run lsof without arguments and you will see a flood of output. Every open file on the system. Useful to pipe and filter, not so useful raw. Here is what the columns mean:

COMMAND   PID   USER   FD   TYPE   DEVICE   SIZE/OFF   NODE   NAME

• COMMAND: Name of the process.
• PID: Process ID.
• USER: User running the process.
• FD: File descriptor. Common values: cwd (current working directory), txt (program text), mem (memory-mapped file), 0u/1u/2u (stdin/stdout/stderr), or a number for regular file descriptors.
• TYPE: Type of file. REG (regular), DIR (directory), IPv4/IPv6, unix (Unix socket), CHR (character device), etc.
• DEVICE: Device numbers.
• SIZE/OFF: File size or offset.
• NODE: Inode number for files, or protocol information for network entries.
• NAME: The file or socket name.

The Most Useful lsof Commands

List All Open Files by a Specific Process

Pass the PID with -p:

lsof -p 1234

Or use the process name with -c:

lsof -c nginx

This lists every file descriptor nginx has open. Useful when you suspect a process is holding more open files than expected. Pair it with wc -l for a quick count:

lsof -c nginx | wc -l

Note: If you are hitting open file limit errors on a busy server, also check why your Linux server looks idle but feels slow. Open file descriptor exhaustion is a common hidden culprit.

Find Which Process Is Using a File

This is the classic use case. Something holds a log file open, or a config file cannot be replaced because a process has it locked:

lsof /var/log/syslog

Or check an entire directory:

lsof +D /var/log

Note: +D walks the entire directory tree and can be extremely slow on large filesystems. Avoid running it on high-traffic production paths without narrowing scope first.

Find What Process Is Using a Port

This is probably the second most common reason I reach for lsof. Something is already bound to port 8080 and you need to know what:

lsof -i :8080

Check a range of ports:

lsof -i :8000-9000

Filter by TCP or UDP:

lsof -i TCP:443
lsof -i UDP:53

List all listening ports (the equivalent of ss -tlnp but via lsof):

lsof -i -sTCP:LISTEN

Find Network Activity for a Specific Process

Sometimes you want to see both the open files and active network connections for a single PID in one shot. The -Pan combination handles that:

lsof -Pan -p 1234 -i

-P shows port numbers instead of service names, -a ANDs the filters together, and -n skips DNS resolution for faster output. This is useful when debugging a specific process that you suspect is making unexpected outbound connections or binding to an unintended port.

List All Network Connections

Show every open network file (connections and listeners):

lsof -i

Add -n to skip DNS resolution (faster output) and -P to show port numbers instead of service names:

lsof -i -n -P

This is handy when you want a quick picture of what the system is connected to without waiting for reverse DNS lookups.

List Open Files for a Specific User

lsof -u www-data

To exclude a user, prefix with a caret:

lsof -u ^root

This shows everything except root’s open files. Not always useful on its own, but helpful when filtering in scripts.

Find the Process Using a Specific Library or Binary

After a security update, you sometimes want to know which running processes are still using the old version of a shared library before you restart services:

lsof /usr/lib/libssl.so.3

Or check for any deleted files still held open (common after library updates on Debian/Ubuntu):

lsof | grep deleted

That grep deleted trick is genuinely useful after a package upgrade. If a process has an old version of a library open and the file has been deleted from disk, it shows up here. Those processes need a restart to pick up the new library.

The “Device Is Busy” Fix

You try to unmount a filesystem and Linux refuses:

umount /mnt/data
umount: /mnt/data: target is busy.

Find the culprit immediately:

lsof +D /mnt/data

This shows every process with open files on that mount point. Kill or stop those processes, then unmount cleanly. Much faster than rebooting or guessing.

List Open Files for a Specific Process Name and User Combined

By default, lsof treats multiple filter options as OR. Use -a to AND them together:

lsof -u postgres -a -c postgres

This shows only files opened by processes named postgres running as the postgres user. Without -a you would get all processes by that user plus all processes with that name regardless of user.

Monitor lsof Output in Real Time

lsof does not refresh automatically like top. But you can use watch to simulate it:

watch -n 2 'lsof -i -n -P -sTCP:LISTEN'

This refreshes every 2 seconds and shows listening ports. Useful when you are starting or stopping services and want to confirm ports open and close as expected.

Count Open File Descriptors Per Process

This is useful for identifying processes that are leaking file descriptors:

lsof | awk '{print $1}' | sort | uniq -c | sort -rn | head -20

You will see the top 20 processes by open file count. If one process is hogging thousands of file descriptors, this surfaces it immediately. Cross-reference with vmstat and free if you suspect resource pressure across the board. Also see the guide on increasing max open files if you are hitting system-wide descriptor limits.

Practical Troubleshooting Scenarios

Scenario 1: Web Server Won’t Start

You restart nginx or Apache and get a port conflict error. Find what is sitting on port 80:

lsof -i :80 -n -P

Output example:

COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
apache2   3412    root   4u  IPv6  24891      0t0  TCP *:80 (LISTEN)

There it is. An old Apache process still running. Stop it, then start nginx cleanly.

Scenario 2: Disk Usage Is High but du Shows Nothing

A process wrote a large log file, you deleted it, but df still shows the space as used. The file is deleted on disk but still held open by a process. The space is not reclaimed until the file descriptor is closed. This can silently consume tens of gigabytes on a busy server, especially after log rotation.

lsof | grep deleted | awk '{print $1, $2, $7, $9}'

The fourth column shows the size. Find the large entries, identify the PID, and restart that service. Space reclaimed.

This is one of the most misunderstood disk space issues on Linux servers. Always check for deleted-but-open files before assuming something is wrong with your filesystem.

Scenario 3: Investigating a Suspicious Process

You spot an unfamiliar PID consuming network connections. Pull its full file descriptor list:

lsof -p 5678 -n -P

This shows every file and socket it has open. Combine with pstree to see where it sits in the process hierarchy:

pstree -p 5678

Between the two, you get a clear picture of what the process is doing and where it came from.

Useful lsof Options Quick Reference

• -i: List network files (all, or filtered by protocol/port).
• -i :PORT: Find what process is using a specific port.
• -a: AND filter conditions together (default is OR).
• -n: No DNS resolution (faster output).
• -P: Show port numbers, not service names.
• +D dir: Recursively list open files in a directory. Slow on large trees.
• -t: Output PIDs only. Composable: kill $(lsof -t -i :8080).
• -s TCP:LISTEN: Filter by socket state.
• -r N: Repeat every N seconds (built-in repeat mode).

The -t flag deserves a special mention. It returns just the PID, which makes it composable:

kill $(lsof -t -i :3000)

That one-liner kills whatever is on port 3000. Use kill -9 only if the process does not respond to a normal kill. Know what you are killing first.

lsof vs ss vs netstat

For network-specific work, ss is faster and more feature-complete than lsof -i. If you are coming from older tooling, the netstat guide covers the transition well. Use lsof when you need to cross-reference network activity with file system access, or when you need to tie a connection back to a specific file or library. They are complementary, not competing. I use ss for a quick network snapshot and lsof when I need to dig deeper.

Also see Boost Your Linux Command Line Productivity for more tools and habits that speed up day-to-day sysadmin work.

Permissions and sudo

Running lsof as a regular user only shows that user’s open files. To see the full system picture, run it with sudo:

sudo lsof -i -n -P

Without sudo, you will see partial results and a lot of “Permission denied” warnings. On production servers, most lsof commands for debugging are going to need root privileges anyway.

Conclusion

lsof is not something you run constantly. But when something is stuck, leaking, or refusing to release resources, it is usually the fastest way to see why.

The commands to keep in muscle memory: lsof -i -n -P for a network connection overview, lsof -i :PORT for port conflicts, lsof | grep deleted for phantom disk usage, and lsof +D /path when a mount refuses to budge.

Learn those four and you will reach for lsof regularly. The rest of the options are there when you need to go deeper.

Tags: commands, sysadmins