1LSOF(8) System Manager's Manual LSOF(8)
2
3
4
6 lsof - list open files
7
9 lsof [ -?abChlnNOPRtUvVX ] [ -A A ] [ -c c ] [ +c c ] [ +|-d d ] [ +|-D
10 D ] [ +|-e s ] [ +|-f [cfgGn] ] [ -F [f] ] [ -g [s] ] [ -i [i] ] [ -k k
11 ] [ +|-L [l] ] [ +|-m m ] [ +|-M ] [ -o [o] ] [ -p s ] [ +|-r
12 [t[m<fmt>]] ] [ -s [p:s] ] [ -S [t] ] [ -T [t] ] [ -u s ] [ +|-w ] [ -x
13 [fl] ] [ -z [z] ] [ -Z [Z] ] [ -- ] [names]
14
16 Lsof revision 4.82 lists on its standard output file information about
17 files opened by processes for the following UNIX dialects:
18
19 AIX 5.3
20 Apple Darwin 9 (Mac OS X 10.5)
21 FreeBSD 4.9 for x86-based systems
22 FreeBSD 7.[012] and 8.0 for AMD64-based systems
23 Linux 2.1.72 and above for x86-based systems
24 Solaris 9 and 10
25
26 (See the DISTRIBUTION section of this manual page for information on
27 how to obtain the latest lsof revision.)
28
29 An open file may be a regular file, a directory, a block special file,
30 a character special file, an executing text reference, a library, a
31 stream or a network file (Internet socket, NFS file or UNIX domain
32 socket.) A specific file or all the files in a file system may be
33 selected by path.
34
35 Instead of a formatted display, lsof will produce output that can be
36 parsed by other programs. See the -F, option description, and the OUT‐
37 PUT FOR OTHER PROGRAMS section for more information.
38
39 In addition to producing a single output list, lsof will run in repeat
40 mode. In repeat mode it will produce output, delay, then repeat the
41 output operation until stopped with an interrupt or quit signal. See
42 the +|-r [t[m<fmt>]] option description for more information.
43
45 In the absence of any options, lsof lists all open files belonging to
46 all active processes.
47
48 If any list request option is specified, other list requests must be
49 specifically requested - e.g., if -U is specified for the listing of
50 UNIX socket files, NFS files won't be listed unless -N is also speci‐
51 fied; or if a user list is specified with the -u option, UNIX domain
52 socket files, belonging to users not in the list, won't be listed
53 unless the -U option is also specified.
54
55 Normally list options that are specifically stated are ORed - i.e.,
56 specifying the -i option without an address and the -ufoo option pro‐
57 duces a listing of all network files OR files belonging to processes
58 owned by user ``foo''. The exceptions are:
59
60 1) the `^' (negated) login name or user ID (UID), specified with the -u
61 option;
62
63 2) the `^' (negated) process ID (PID), specified with the -p option;
64
65 3) the `^' (negated) process group ID (PGID), specified with the -g
66 option;
67
68 4) the `^' (negated) command, specified with the -c option;
69
70 5) the (`^') negated TCP or UDP protocol state names, specified with
71 the -s [p:s] option.
72
73 Since they represent exclusions, they are applied without ORing or AND‐
74 ing and take effect before any other selection criteria are applied.
75
76 The -a option may be used to AND the selections. For example, specify‐
77 ing -a, -U, and -ufoo produces a listing of only UNIX socket files that
78 belong to processes owned by user ``foo''.
79
80 Caution: the -a option causes all list selection options to be ANDed;
81 it can't be used to cause ANDing of selected pairs of selection options
82 by placing it between them, even though its placement there is accept‐
83 able. Wherever -a is placed, it causes the ANDing of all selection
84 options.
85
86 Items of the same selection set - command names, file descriptors, net‐
87 work addresses, process identifiers, user identifiers, zone names,
88 security contexts - are joined in a single ORed set and applied before
89 the result participates in ANDing. Thus, for example, specifying
90 -i@aaa.bbb, -i@ccc.ddd, -a, and -ufff,ggg will select the listing of
91 files that belong to either login ``fff'' OR ``ggg'' AND have network
92 connections to either host aaa.bbb OR ccc.ddd.
93
94 Options may be grouped together following a single prefix -- e.g., the
95 option set ``-a -b -C'' may be stated as -abC. However, since values
96 are optional following +|-f, -F, -g, -i, +|-L, -o, +|-r, -s, -S, -T, -x
97 and -z. when you have no values for them be careful that the following
98 character isn't ambiguous. For example, -Fn might represent the -F and
99 -n options, or it might represent the n field identifier character fol‐
100 lowing the -F option. When ambiguity is possible, start a new option
101 with a `-' character - e.g., ``-F -n''. If the next option is a file
102 name, follow the possibly ambiguous option with ``--'' - e.g., ``-F --
103 name''.
104
105 Either the `+' or the `-' prefix may be applied to a group of options.
106 Options that don't take on separate meanings for each prefix - e.g., -i
107 - may be grouped under either prefix. Thus, for example, ``+M -i'' may
108 be stated as ``+Mi'' and the group means the same as the separate
109 options. Be careful of prefix grouping when one or more options in the
110 group does take on separate meanings under different prefixes - e.g.,
111 +|-M; ``-iM'' is not the same request as ``-i +M''. When in doubt, use
112 separate options with appropriate prefixes.
113
114 -? -h These two equivalent options select a usage (help) output
115 list. Lsof displays a shortened form of this output when it
116 detects an error in the options supplied to it, after it has
117 displayed messages explaining each error. (Escape the `?'
118 character as your shell requires.)
119
120 -a This option causes list selection options to be ANDed, as
121 described above.
122
123 -A A This option is available on systems configured for AFS whose
124 AFS kernel code is implemented via dynamic modules. It allows
125 the lsof user to specify A as an alternate name list file
126 where the kernel addresses of the dynamic modules might be
127 found. See the lsof FAQ (The FAQ section gives its location.)
128 for more information about dynamic modules, their symbols, and
129 how they affect lsof.
130
131 -b This option causes lsof to avoid kernel functions that might
132 block - lstat(2), readlink(2), and stat(2).
133
134 See the BLOCKS AND TIMEOUTS and AVOIDING KERNEL BLOCKS sec‐
135 tions for information on using this option.
136
137 -c c This option selects the listing of files for processes execut‐
138 ing the command that begins with the characters of c. Multi‐
139 ple commands may be specified, using multiple -c options.
140 They are joined in a single ORed set before participating in
141 AND option selection.
142
143 If c begins with a `^', then the following characters specify
144 a command name whose processes are to be ignored (excluded.)
145
146 If c begins and ends with a slash ('/'), the characters
147 between the slashes are interpreted as a regular expression.
148 Shell meta-characters in the regular expression must be quoted
149 to prevent their interpretation by the shell. The closing
150 slash may be followed by these modifiers:
151
152 b the regular expression is a basic one.
153 i ignore the case of letters.
154 x the regular expression is an extended one
155 (default).
156
157 See the lsof FAQ (The FAQ section gives its location.) for
158 more information on basic and extended regular expressions.
159
160 The simple command specification is tested first. If that
161 test fails, the command regular expression is applied. If the
162 simple command test succeeds, the command regular expression
163 test isn't made. This may result in ``no command found for
164 regex:'' messages when lsof's -V option is specified.
165
166 +c w This option defines the maximum number of initial characters
167 of the name, supplied by the UNIX dialect, of the UNIX command
168 associated with a process to be printed in the COMMAND column.
169 (The lsof default is nine.)
170
171 Note that many UNIX dialects do not supply all command name
172 characters to lsof in the files and structures from which lsof
173 obtains command name. Often dialects limit the number of
174 characters supplied in those sources. For example, Linux
175 2.4.27 and Solaris 9 both limit command name length to 16
176 characters.
177
178 If w is zero ('0'), all command characters supplied to lsof by
179 the UNIX dialect will be printed.
180
181 If w is less than the length of the column title, ``COMMAND'',
182 it will be raised to that length.
183
184 -C This option disables the reporting of any path name components
185 from the kernel's name cache. See the KERNEL NAME CACHE sec‐
186 tion for more information.
187
188 +d s This option causes lsof to search for all open instances of
189 directory s and the files and directories it contains at its
190 top level. This option does NOT descend the directory tree,
191 rooted at s. The +D D option may be used to request a
192 full-descent directory tree search, rooted at directory D.
193
194 Processing of the +d option does not follow symbolic links
195 within s unless the -x or -x l option is also specified. Nor
196 does it search for open files on file system mount points on
197 subdirectories of s unless the -x or -x f option is also
198 specified.
199
200 Note: the authority of the user of this option limits it to
201 searching for files that the user has permission to examine
202 with the system stat(2) function.
203
204 -d s This option specifies a list of file descriptors (FDs) to
205 exclude from or include in the output listing. The file
206 descriptors are specified in the comma-separated set s - e.g.,
207 ``cwd,1,3'', ``^6,^2''. (There should be no spaces in the
208 set.)
209
210 The list is an exclusion list if all entries of the set begin
211 with `^'. It is an inclusion list if no entry begins with
212 `^'. Mixed lists are not permitted.
213
214 A file descriptor number range may be in the set as long as
215 neither member is empty, both members are numbers, and the
216 ending member is larger than the starting one - e.g., ``0-7''
217 or ``3-10''. Ranges may be specified for exclusion if they
218 have the `^' prefix - e.g., ``^0-7'' excludes all file
219 descriptors 0 through 7.
220
221 Multiple file descriptor numbers are joined in a single ORed
222 set before participating in AND option selection.
223
224 When there are exclusion and inclusion members in the set,
225 lsof reports them as errors and exits with a non-zero return
226 code.
227
228 See the description of File Descriptor (FD) output values in
229 the OUTPUT section for more information on file descriptor
230 names.
231
232 +D D This option causes lsof to search for all open instances of
233 directory D and all the files and directories it contains to
234 its complete depth.
235
236 Processing of the +D option does not follow symbolic links
237 within D unless the -x or -x l option is also specified. Nor
238 does it search for open files on file system mount points on
239 subdirectories of D unless the -x or -x f option is also
240 specified.
241
242 Note: the authority of the user of this option limits it to
243 searching for files that the user has permission to examine
244 with the system stat(2) function.
245
246 Further note: lsof may process this option slowly and require
247 a large amount of dynamic memory to do it. This is because it
248 must descend the entire directory tree, rooted at D, calling
249 stat(2) for each file and directory, building a list of all
250 the files it finds, and searching that list for a match with
251 every open file. When directory D is large, these steps can
252 take a long time, so use this option prudently.
253
254 -D D This option directs lsof's use of the device cache file. The
255 use of this option is sometimes restricted. See the DEVICE
256 CACHE FILE section and the sections that follow it for more
257 information on this option.
258
259 -D must be followed by a function letter; the function letter
260 may optionally be followed by a path name. Lsof recognizes
261 these function letters:
262
263 ? - report device cache file paths
264 b - build the device cache file
265 i - ignore the device cache file
266 r - read the device cache file
267 u - read and update the device cache file
268
269 The b, r, and u functions, accompanied by a path name, are
270 sometimes restricted. When these functions are restricted,
271 they will not appear in the description of the -D option that
272 accompanies -h or -? option output. See the DEVICE CACHE
273 FILE section and the sections that follow it for more informa‐
274 tion on these functions and when they're restricted.
275
276 The ? function reports the read-only and write paths that
277 lsof can use for the device cache file, the names of any envi‐
278 ronment variables whose values lsof will examine when forming
279 the device cache file path, and the format for the personal
280 device cache file path. (Escape the `?' character as your
281 shell requires.)
282
283 When available, the b, r, and u functions may be followed by
284 the device cache file's path. The standard default is
285 .lsof_hostname in the home directory of the real user ID that
286 executes lsof, but this could have been changed when lsof was
287 configured and compiled. (The output of the -h and -?
288 options show the current default prefix - e.g., ``.lsof''.)
289 The suffix, hostname, is the first component of the host's
290 name returned by gethostname(2).
291
292 When available, the b function directs lsof to build a new
293 device cache file at the default or specified path.
294
295 The i function directs lsof to ignore the default device cache
296 file and obtain its information about devices via direct calls
297 to the kernel.
298
299 The r function directs lsof to read the device cache at the
300 default or specified path, but prevents it from creating a new
301 device cache file when none exists or the existing one is
302 improperly structured. The r function, when specified without
303 a path name, prevents lsof from updating an incorrect or out‐
304 dated device cache file, or creating a new one in its place.
305 The r function is always available when it is specified with‐
306 out a path name argument; it may be restricted by the permis‐
307 sions of the lsof process.
308
309 When available, the u function directs lsof to read the device
310 cache file at the default or specified path, if possible, and
311 to rebuild it, if necessary. This is the default device cache
312 file function when no -D option has been specified.
313
314 +|-e s exempts the file system whose path name is s from being sub‐
315 jected to kernel function calls that might block. The +e
316 option exempts stat(2), lstat(2) and most readlink(2) kernel
317 function calls. The -e option exempts only stat(2) and
318 lstat(2) kernel function calls. Multiple file systems may be
319 specified with separate +|-e specifications and each may have
320 readlink(2) calls exempted or not.
321
322 This option is currently implemented only for Linux.
323
324 CAUTION: this option can easily be mis-applied to other than
325 the file system of interest, because it uses path name rather
326 than the more reliable device and inode numbers. (Device and
327 inode numbers are acquired via the potentially blocking
328 stat(2) kernel call and are thus not available, but see the
329 +|-m m option as a possible alternative way to supply device
330 numbers.)
331
332 Use this option with great care and fully specify the path
333 name of the file system to be exempted. Consider, for exam‐
334 ple, that specifying ``-e /'' would exempt all file systems,
335 since all their paths begin with a `/'.
336
337 When open files on exempted file systems are reported, it is
338 not possible to obtain all their information. Therefore, some
339 information columns will be blank, the characters ``UNKN''
340 preface the values in the TYPE column, and the applicable
341 exemption option is added in parentheses to the end of the
342 NAME column. Some device number information might be made
343 available via the +|-m m option.
344
345 +|-f [cfgGn]
346 f by itself clarifies how path name arguments are to be inter‐
347 preted. When followed by c, f, g, G, or n in any combination
348 it specifies that the listing of kernel file structure infor‐
349 mation is to be enabled (`+') or inhibited (`-').
350
351 Normally a path name argument is taken to be a file system
352 name if it matches a mounted-on directory name reported by
353 mount(8), or if it represents a block device, named in the
354 mount output and associated with a mounted directory name.
355 When +f is specified, all path name arguments will be taken to
356 be file system names, and lsof will complain if any are not.
357 This can be useful, for example, when the file system name
358 (mounted-on device) isn't a block device. This happens for
359 some CD-ROM file systems.
360
361 When -f is specified by itself, all path name arguments will
362 be taken to be simple files. Thus, for example, the ``-f --
363 /'' arguments direct lsof to search for open files with a `/'
364 path name, not all open files in the `/' (root) file system.
365
366 Be careful to make sure +f and -f are properly terminated and
367 aren't followed by a character (e.g., of the file or file sys‐
368 tem name) that might be taken as a parameter. For example,
369 use ``--'' after +f and -f as in these examples.
370
371 $ lsof +f -- /file/system/name
372 $ lsof -f -- /file/name
373
374 The listing of information from kernel file structures,
375 requested with the +f [cfgGn] option form, is normally inhib‐
376 ited, and is not available in whole or part for some dialects
377 - e.g., /proc-based Linux kernels below 2.6.22. When the pre‐
378 fix to f is a plus sign (`+'), these characters request file
379 structure information:
380
381 c file structure use count (not Linux)
382 f file structure address (not Linux)
383 g file flag abbreviations (Linux 2.6.22 and up)
384 G file flags in hexadecimal (Linux 2.6.22 and up)
385 n file structure node address (not Linux)
386
387 When the prefix is minus (`-') the same characters disable the
388 listing of the indicated values.
389
390 File structure addresses, use counts, flags, and node
391 addresses may be used to detect more readily identical files
392 inherited by child processes and identical files in use by
393 different processes. Lsof column output can be sorted by out‐
394 put columns holding the values and listed to identify identi‐
395 cal file use, or lsof field output can be parsed by an AWK or
396 Perl post-filter script, or by a C program.
397
398 -F f This option specifies a character list, f, that selects the
399 fields to be output for processing by another program, and the
400 character that terminates each output field. Each field to be
401 output is specified with a single character in f. The field
402 terminator defaults to NL, but may be changed to NUL (000).
403 See the OUTPUT FOR OTHER PROGRAMS section for a description of
404 the field identification characters and the field output
405 process.
406
407 When the field selection character list is empty, all standard
408 fields are selected (except the raw device field, security
409 context and zone field for compatibility reasons) and the NL
410 field terminator is used.
411
412 When the field selection character list contains only a zero
413 (`0'), all fields are selected (except the raw device field
414 for compatibility reasons) and the NUL terminator character is
415 used.
416
417 Other combinations of fields and their associated field termi‐
418 nator character must be set with explicit entries in f, as
419 described in the OUTPUT FOR OTHER PROGRAMS section.
420
421 When a field selection character identifies an item lsof does
422 not normally list - e.g., PPID, selected with -R - specifica‐
423 tion of the field character - e.g., ``-FR'' - also selects the
424 listing of the item.
425
426 When the field selection character list contains the single
427 character `?', lsof will display a help list of the field
428 identification characters. (Escape the `?' character as your
429 shell requires.)
430
431 -g [s] This option excludes or selects the listing of files for the
432 processes whose optional process group IDentification (PGID)
433 numbers are in the comma-separated set s - e.g., ``123'' or
434 ``123,^456''. (There should be no spaces in the set.)
435
436 PGID numbers that begin with `^' (negation) represent exclu‐
437 sions.
438
439 Multiple PGID numbers are joined in a single ORed set before
440 participating in AND option selection. However, PGID exclu‐
441 sions are applied without ORing or ANDing and take effect
442 before other selection criteria are applied.
443
444 The -g option also enables the output display of PGID numbers.
445 When specified without a PGID set that's all it does.
446
447 -i [i] This option selects the listing of files any of whose Internet
448 address matches the address specified in i. If no address is
449 specified, this option selects the listing of all Internet and
450 x.25 (HP-UX) network files.
451
452 If -i4 or -i6 is specified with no following address, only
453 files of the indicated IP version, IPv4 or IPv6, are dis‐
454 played. (An IPv6 specification may be used only if the
455 dialects supports IPv6, as indicated by ``[46]'' and
456 ``IPv[46]'' in lsof's -h or -? output.) Sequentially speci‐
457 fying -i4, followed by -i6 is the same as specifying -i, and
458 vice-versa. Specifying -i4, or -i6 after -i is the same as
459 specifying -i4 or -i6 by itself.
460
461 Multiple addresses (up to a limit of 100) may be specified
462 with multiple -i options. (A port number or service name
463 range is counted as one address.) They are joined in a single
464 ORed set before participating in AND option selection.
465
466 An Internet address is specified in the form (Items in square
467 brackets are optional.):
468
469 [46][protocol][@hostname|hostaddr][:service|port]
470
471 where:
472 46 specifies the IP version, IPv4 or IPv6
473 that applies to the following address.
474 '6' may be be specified only if the UNIX
475 dialect supports IPv6. If neither '4' nor
476 '6' is specified, the following address
477 applies to all IP versions.
478 protocol is a protocol name - TCP, UDP
479 hostname is an Internet host name. Unless a
480 specific IP version is specified, open
481 network files associated with host names
482 of all versions will be selected.
483 hostaddr is a numeric Internet IPv4 address in
484 dot form; or an IPv6 numeric address in
485 colon form, enclosed in brackets, if the
486 UNIX dialect supports IPv6. When an IP
487 version is selected, only its numeric
488 addresses may be specified.
489 service is an /etc/services name - e.g., smtp -
490 or a list of them.
491 port is a port number, or a list of them.
492
493 IPv6 options may be used only if the UNIX dialect supports
494 IPv6. To see if the dialect supports IPv6, run lsof and spec‐
495 ify the -h or -? (help) option. If the displayed description
496 of the -i option contains ``[46]'' and ``IPv[46]'', IPv6 is
497 supported.
498
499 IPv4 host names and addresses may not be specified if network
500 file selection is limited to IPv6 with -i 6. IPv6 host names
501 and addresses may not be specified if network file selection
502 is limited to IPv4 with -i 4. When an open IPv4 network
503 file's address is mapped in an IPv6 address, the open file's
504 type will be IPv6, not IPv4, and its display will be selected
505 by '6', not '4'.
506
507 At least one address component - 4, 6, protocol, ,IR hostname
508 , hostaddr, or service - must be supplied. The `@' character,
509 leading the host specification, is always required; as is the
510 `:', leading the port specification. Specify either hostname
511 or hostaddr. Specify either service name list or port number
512 list. If a service name list is specified, the protocol may
513 also need to be specified if the TCP, UDP and UDPLITE port
514 numbers for the service name are different. Use any case -
515 lower or upper - for protocol.
516
517 Service names and port numbers may be combined in a list whose
518 entries are separated by commas and whose numeric range
519 entries are separated by minus signs. There may be no embed‐
520 ded spaces, and all service names must belong to the specified
521 protocol. Since service names may contain embedded minus
522 signs, the starting entry of a range can't be a service name;
523 it can be a port number, however.
524
525 Here are some sample addresses:
526
527 -i6 - IPv6 only
528 TCP:25 - TCP and port 25
529 @1.2.3.4 - Internet IPv4 host address 1.2.3.4
530 @[3ffe:1ebc::1]:1234 - Internet IPv6 host address
531 3ffe:1ebc::1, port 1234
532 UDP:who - UDP who service port
533 TCP@lsof.itap:513 - TCP, port 513 and host name lsof.itap
534 tcp@foo:1-10,smtp,99 - TCP, ports 1 through 10,
535 service name smtp, port 99, host name foo
536 tcp@bar:1-smtp - TCP, ports 1 through smtp, host bar
537 :time - either TCP, UDP or UDPLITE time service port
538
539 -k k This option specifies a kernel name list file, k, in place of
540 /vmunix, /mach, etc. This option is not available under AIX
541 on the IBM RISC/System 6000.
542
543 -l This option inhibits the conversion of user ID numbers to
544 login names. It is also useful when login name lookup is
545 working improperly or slowly.
546
547 +|-L [l] This option enables (`+') or disables (`-') the listing of
548 file link counts, where they are available - e.g., they aren't
549 available for sockets, or most FIFOs and pipes.
550
551 When +L is specified without a following number, all link
552 counts will be listed. When -L is specified (the default), no
553 link counts will be listed.
554
555 When +L is followed by a number, only files having a link
556 count less than that number will be listed. (No number may
557 follow -L.) A specification of the form ``+L1'' will select
558 open files that have been unlinked. A specification of the
559 form ``+aL1 <file_system>'' will select unlinked open files on
560 the specified file system.
561
562 For other link count comparisons, use field output (-F) and a
563 post-processing script or program.
564
565 +|-m m This option specifies an alternate kernel memory file or acti‐
566 vates mount table supplement processing.
567
568 The option form -m m specifies a kernel memory file, m, in
569 place of /dev/kmem or /dev/mem - e.g., a crash dump file.
570
571 The option form +m requests that a mount supplement file be
572 written to the standard output file. All other options are
573 silently ignored.
574
575 There will be a line in the mount supplement file for each
576 mounted file system, containing the mounted file system direc‐
577 tory, followed by a single space, followed by the device num‐
578 ber in hexadecimal "0x" format - e.g.,
579
580 / 0x801
581
582 Lsof can use the mount supplement file to get device numbers
583 for file systems when it can't get them via stat(2) or
584 lstat(2).
585
586 The option form +m m identifies m as a mount supplement file.
587
588 Note: the +m and +m m options are not available for all sup‐
589 ported dialects. Check the output of lsof's -h or -? options
590 to see if the +m and +m m options are available.
591
592 +|-M Enables (+) or disables (-) the reporting of portmapper regis‐
593 trations for local TCP, UDP and UDPLITE ports. The default
594 reporting mode is set by the lsof builder with the HASPMAPEN‐
595 ABLED #define in the dialect's machine.h header file; lsof is
596 distributed with the HASPMAPENABLED #define deactivated, so
597 portmapper reporting is disabled by default and must be
598 requested with +M. Specifying lsof's -h or -? option will
599 report the default mode. Disabling portmapper registration
600 when it is already disabled or enabling it when already
601 enabled is acceptable.
602
603 When portmapper registration reporting is enabled, lsof dis‐
604 plays the portmapper registration (if any) for local TCP, UDP
605 or UDPLITE ports in square brackets immediately following the
606 port numbers or service names - e.g., ``:1234[name]'' or
607 ``:name[100083]''. The registration information may be a name
608 or number, depending on what the registering program supplied
609 to the portmapper when it registered the port.
610
611 When portmapper registration reporting is enabled, lsof may
612 run a little more slowly or even become blocked when access to
613 the portmapper becomes congested or stopped. Reverse the
614 reporting mode to determine if portmapper registration report‐
615 ing is slowing or blocking lsof.
616
617 For purposes of portmapper registration reporting lsof consid‐
618 ers a TCP, UDP or UDPLITE port local if: it is found in the
619 local part of its containing kernel structure; or if it is
620 located in the foreign part of its containing kernel structure
621 and the local and foreign Internet addresses are the same; or
622 if it is located in the foreign part of its containing kernel
623 structure and the foreign Internet address is INADDR_LOOPBACK
624 (127.0.0.1). This rule may make lsof ignore some foreign
625 ports on machines with multiple interfaces when the foreign
626 Internet address is on a different interface from the local
627 one.
628
629 See the lsof FAQ (The FAQ section gives its location.) for
630 further discussion of portmapper registration reporting
631 issues.
632
633 -n This option inhibits the conversion of network numbers to host
634 names for network files. Inhibiting conversion may make lsof
635 run faster. It is also useful when host name lookup is not
636 working properly.
637
638 -N This option selects the listing of NFS files.
639
640 -o This option directs lsof to display file offset at all times.
641 It causes the SIZE/OFF output column title to be changed to
642 OFFSET. Note: on some UNIX dialects lsof can't obtain accu‐
643 rate or consistent file offset information from its kernel
644 data sources, sometimes just for particular kinds of files
645 (e.g., socket files.) Consult the lsof FAQ (The FAQ section
646 gives its location.) for more information.
647
648 The -o and -s options are mutually exclusive; they can't both
649 be specified. When neither is specified, lsof displays what‐
650 ever value - size or offset - is appropriate and available for
651 the type of the file.
652
653 -o o This option defines the number of decimal digits (o) to be
654 printed after the ``0t'' for a file offset before the form is
655 switched to ``0x...''. An o value of zero (unlimited) directs
656 lsof to use the ``0t'' form for all offset output.
657
658 This option does NOT direct lsof to display offset at all
659 times; specify -o (without a trailing number) to do that.
660 This option only specifies the number of digits after ``0t''
661 in either mixed size and offset or offset-only output. Thus,
662 for example, to direct lsof to display offset at all times
663 with a decimal digit count of 10, use:
664
665 -o -o 10
666 or
667 -oo10
668
669 The default number of digits allowed after ``0t'' is normally
670 8, but may have been changed by the lsof builder. Consult the
671 description of the -o o option in the output of the -h or -?
672 option to determine the default that is in effect.
673
674 -O This option directs lsof to bypass the strategy it uses to
675 avoid being blocked by some kernel operations - i.e., doing
676 them in forked child processes. See the BLOCKS AND TIMEOUTS
677 and AVOIDING KERNEL BLOCKS sections for more information on
678 kernel operations that may block lsof.
679
680 While use of this option will reduce lsof startup overhead, it
681 may also cause lsof to hang when the kernel doesn't respond to
682 a function. Use this option cautiously.
683
684 -p s This option excludes or selects the listing of files for the
685 processes whose optional process IDentification (PID) numbers
686 are in the comma-separated set s - e.g., ``123'' or
687 ``123,^456''. (There should be no spaces in the set.)
688
689 PID numbers that begin with `^' (negation) represent exclu‐
690 sions.
691
692 Multiple process ID numbers are joined in a single ORed set
693 before participating in AND option selection. However, PID
694 exclusions are applied without ORing or ANDing and take effect
695 before other selection criteria are applied.
696
697 -P This option inhibits the conversion of port numbers to port
698 names for network files. Inhibiting the conversion may make
699 lsof run a little faster. It is also useful when port name
700 lookup is not working properly.
701
702 +|-r [t[m<fmt>]]
703 This option puts lsof in repeat mode. There lsof lists open
704 files as selected by other options, delays t seconds (default
705 fifteen), then repeats the listing, delaying and listing
706 repetitively until stopped by a condition defined by the pre‐
707 fix to the option.
708
709 If the prefix is a `-', repeat mode is endless. Lsof must be
710 terminated with an interrupt or quit signal.
711
712 If the prefix is `+', repeat mode will end the first cycle no
713 open files are listed - and of course when lsof is stopped
714 with an interrupt or quit signal. When repeat mode ends
715 because no files are listed, the process exit code will be
716 zero if any open files were ever listed; one, if none were
717 ever listed.
718
719 Lsof marks the end of each listing: if field output is in
720 progress (the -F, option has been specified), the default
721 marker is `m'; otherwise the default marker is ``========''.
722 The marker is followed by a NL character.
723
724 The optional "m<fmt>" argument specifies a format for the
725 marker line. The <fmt> characters following `m' are inter‐
726 preted as a format specification to the strftime(3) function,
727 when both it and the localtime(3) function are available in
728 the dialect's C library. Consult the strftime(3) documenta‐
729 tion for what may appear in its format specification. Note
730 that when field output is requested with the -F option, <fmt>
731 cannot contain the NL format, ``%n''. Note also that when
732 <fmt> contains spaces or other characters that affect the
733 shell's interpretation of arguments, <fmt> must be quoted
734 appropriately.
735
736 Repeat mode reduces lsof startup overhead, so it is more effi‐
737 cient to use this mode than to call lsof repetitively from a
738 shell script, for example.
739
740 To use repeat mode most efficiently, accompany +|-r with spec‐
741 ification of other lsof selection options, so the amount of
742 kernel memory access lsof does will be kept to a minimum.
743 Options that filter at the process level - e.g., -c, -g, -p,
744 -u - are the most efficient selectors.
745
746 Repeat mode is useful when coupled with field output (see the
747 -F, option description) and a supervising awk or Perl script,
748 or a C program.
749
750 -R This option directs lsof to list the Parent Process IDentifi‐
751 cation number in the PPID column.
752
753 -s [p:s] s alone directs lsof to display file size at all times. It
754 causes the SIZE/OFF output column title to be changed to SIZE.
755 If the file does not have a size, nothing is displayed.
756
757 When followed by a protocol name (p), either TCP or UDP, a
758 colon (`:') and a comma-separated protocol state name list,
759 the option causes open TCP and UDP files to be excluded if
760 their state name(s) are in the list (s) preceded by a `^'; or
761 included if their name(s) are not preceded by a `^'.
762
763 When an inclusion list is defined, only network files with
764 state names in the list will be present in the lsof output.
765 Thus, specifying one state name means that only network files
766 with that lone state name will be listed.
767
768 Case is unimportant in the protocol or state names, but there
769 may be no spaces and the colon (`:') separating the protocol
770 name (p) and the state name list (s) is required.
771
772 If only TCP and UDP files are to be listed, as controlled by
773 the specified exclusions and inclusions, the -i option must be
774 specified, too. If only a single protocol's files are to be
775 listed, add its name as an argument to the -i option.
776
777 For example, to list only network files with TCP state LISTEN,
778 use:
779
780 -iTCP -sTCP:LISTEN
781
782 Or, for example, to list network files with all UDP states
783 except Idle, use:
784
785 -iUDP -sUDP:Idle
786
787 State names vary with UNIX dialects, so it's not possible to
788 provide a complete list. Some common TCP state names are:
789 CLOSED, IDLE, BOUND, LISTEN, ESTABLISHED, SYN_SENT, SYN_RCDV,
790 ESTABLISHED, CLOSE_WAIT, FIN_WAIT1, CLOSING, LAST_ACK,
791 FIN_WAIT_2, and TIME_WAIT. Two common UDP state names are
792 Unbound and Idle.
793
794 See the lsof FAQ (The FAQ section gives its location.) for
795 more information on how to use protocol state exclusion and
796 inclusion, including examples.
797
798 The -o (without a following decimal digit count) and -s option
799 (without a following protocol and state name list) are mutu‐
800 ally exclusive; they can't both be specified. When neither is
801 specified, lsof displays whatever value - size or offset - is
802 appropriate and available for the type of file.
803
804 Since some types of files don't have true sizes - sockets,
805 FIFOs, pipes, etc. - lsof displays for their sizes the content
806 amounts in their associated kernel buffers, if possible.
807
808 -S [t] This option specifies an optional time-out seconds value for
809 kernel functions - lstat(2), readlink(2), and stat(2) - that
810 might otherwise deadlock. The minimum for t is two; the
811 default, fifteen; when no value is specified, the default is
812 used.
813
814 See the BLOCKS AND TIMEOUTS section for more information.
815
816 -T [t] This option controls the reporting of some TCP/TPI informa‐
817 tion, also reported by netstat(1), following the network
818 addresses. In normal output the information appears in paren‐
819 theses, each item except TCP or TPI state name identified by a
820 keyword, followed by `=', separated from others by a single
821 space:
822
823 <TCP or TPI state name>
824 QR=<read queue length>
825 QS=<send queue length>
826 SO=<socket options and values>
827 SS=<socket states>
828 TF=<TCP flags and values>
829 WR=<window read length>
830 WW=<window write length>
831
832 Not all values are reported for all UNIX dialects. Items val‐
833 ues (when available) are reported after the item name and '='.
834
835 When the field output mode is in effect (See OUTPUT FOR OTHER
836 PROGRAMS.) each item appears as a field with a `T' leading
837 character.
838
839 -T with no following key characters disables TCP/TPI informa‐
840 tion reporting.
841
842 -T with following characters selects the reporting of specific
843 TCP/TPI information:
844
845 f selects reporting of socket options,
846 states and values, and TCP flags and
847 values.
848 q selects queue length reporting.
849 s selects connection state reporting.
850 w selects window size reporting.
851
852 Not all selections are enabled for some UNIX dialects. State
853 may be selected for all dialects and is reported by default.
854 The -h or -? help output for the -T option will show what
855 selections may be used with the UNIX dialect.
856
857 When -T is used to select information - i.e., it is followed
858 by one or more selection characters - the displaying of state
859 is disabled by default, and it must be explicitly selected
860 again in the characters following -T. (In effect, then, the
861 default is equivalent to -Ts.) For example, if queue lengths
862 and state are desired, use -Tqs.
863
864 Socket options, socket states, some socket values, TCP flags
865 and one TCP value may be reported (when available in the UNIX
866 dialect) in the form of the names that commonly appear after
867 SO_, so_, SS_, TCP_ and TF_ in the dialect's header files -
868 most often <sys/socket.h>, <sys/socketvar.h> and
869 <netinet/tcp_var.h>. Consult those header files for the mean‐
870 ing of the flags, options, states and values.
871
872 ``SO='' precedes socket options and values; ``SS='', socket
873 states; and ``TF='', TCP flags and values.
874
875 If a flag or option has a value, the value will follow an '='
876 and the name -- e.g., ``SO=LINGER=5'', ``SO=QLIM=5'',
877 ``TF=MSS=512''. The following seven values may be reported:
878
879 Name
880 Reported Description (Common Symbol)
881
882 KEEPALIVE keep alive time (SO_KEEPALIVE)
883 LINGER linger time (SO_LINGER)
884 MSS maximum segment size (TCP_MAXSEG)
885 PQLEN partial listen queue connections
886 QLEN established listen queue connections
887 QLIM established listen queue limit
888 RCVBUF receive buffer length (SO_RCVBUF)
889 SNDBUF send buffer length (SO_SNDBUF)
890
891 Details on what socket options and values, socket states, and
892 TCP flags and values may be displayed for particular UNIX
893 dialects may be found in the answer to the ``Why doesn't lsof
894 report socket options, socket states, and TCP flags and values
895 for my dialect?'' and ``Why doesn't lsof report the partial
896 listen queue connection count for my dialect?'' questions in
897 the lsof FAQ (The FAQ section gives its location.)
898
899 -t This option specifies that lsof should produce terse output
900 with process identifiers only and no header - e.g., so that
901 the output may be piped to kill(1). This option selects the
902 -w option.
903
904 -u s This option selects the listing of files for the user whose
905 login names or user ID numbers are in the comma-separated set
906 s - e.g., ``abe'', or ``548,root''. (There should be no spa‐
907 ces in the set.)
908
909 Multiple login names or user ID numbers are joined in a single
910 ORed set before participating in AND option selection.
911
912 If a login name or user ID is preceded by a `^', it becomes a
913 negation - i.e., files of processes owned by the login name or
914 user ID will never be listed. A negated login name or user ID
915 selection is neither ANDed nor ORed with other selections; it
916 is applied before all other selections and absolutely excludes
917 the listing of the files of the process. For example, to
918 direct lsof to exclude the listing of files belonging to root
919 processes, specify ``-u^root'' or ``-u^0''.
920
921 -U This option selects the listing of UNIX domain socket files.
922
923 -v This option selects the listing of lsof version information,
924 including: revision number; when the lsof binary was con‐
925 structed; who constructed the binary and where; the name of
926 the compiler used to construct the lsof binary; the version
927 number of the compiler when readily available; the compiler
928 and loader flags used to construct the lsof binary; and system
929 information, typically the output of uname's -a option.
930
931 -V This option directs lsof to indicate the items it was asked to
932 list and failed to find - command names, file names, Internet
933 addresses or files, login names, NFS files, PIDs, PGIDs, and
934 UIDs.
935
936 When other options are ANDed to search options, or com‐
937 pile-time options restrict the listing of some files, lsof may
938 not report that it failed to find a search item when an ANDed
939 option or compile-time option prevents the listing of the open
940 file containing the located search item.
941
942 For example, ``lsof -V -iTCP@foobar -a -d 999'' may not report
943 a failure to locate open files at ``TCP@foobar'' and may not
944 list any, if none have a file descriptor number of 999. A
945 similar situation arises when HASSECURITY and HASNOSOCKSECU‐
946 RITY are defined at compile time and they prevent the listing
947 of open files.
948
949 +|-w Enables (+) or disables (-) the suppression of warning mes‐
950 sages.
951
952 The lsof builder may choose to have warning messages disabled
953 or enabled by default. The default warning message state is
954 indicated in the output of the -h or -? option. Disabling
955 warning messages when they are already disabled or enabling
956 them when already enabled is acceptable.
957
958 The -t option selects the -w option.
959
960 -x [fl] This option may accompany the +d and +D options to direct
961 their processing to cross over symbolic links and|or file sys‐
962 tem mount points encountered when scanning the directory (+d)
963 or directory tree (+D).
964
965 If -x is specified by itself without a following parameter,
966 cross-over processing of both symbolic links and file system
967 mount points is enabled. Note that when -x is specified with‐
968 out a parameter, the next argument must begin with '-' or '+'.
969
970 The optional 'f' parameter enables file system mount point
971 cross-over processing; 'l', symbolic link cross-over process‐
972 ing.
973
974 The -x option may not be supplied without also supplying a +d
975 or +D option.
976
977 -X This is a dialect-specific option.
978
979 AIX:
980 This IBM AIX RISC/System 6000 option requests the reporting of
981 executed text file and shared library references.
982
983 WARNING: because this option uses the kernel readx() function,
984 its use on a busy AIX system might cause an application
985 process to hang so completely that it can neither be killed
986 nor stopped. I have never seen this happen or had a report of
987 its happening, but I think there is a remote possibility it
988 could happen.
989
990 By default use of readx() is disabled. On AIX 5L and above
991 lsof may need setuid-root permission to perform the actions
992 this option requests.
993
994 The lsof builder may specify that the -X option be restricted
995 to processes whose real UID is root. If that has been done,
996 the -X option will not appear in the -h or -? help output
997 unless the real UID of the lsof process is root. The default
998 lsof distribution allows any UID to specify -X, so by default
999 it will appear in the help output.
1000
1001 When AIX readx() use is disabled, lsof may not be able to
1002 report information for all text and loader file references,
1003 but it may also avoid exacerbating an AIX kernel directory
1004 search kernel error, known as the Stale Segment ID bug.
1005
1006 The readx() function, used by lsof or any other program to
1007 access some sections of kernel virtual memory, can trigger the
1008 Stale Segment ID bug. It can cause the kernel's dir_search()
1009 function to believe erroneously that part of an in-memory copy
1010 of a file system directory has been zeroed. Another applica‐
1011 tion process, distinct from lsof, asking the kernel to search
1012 the directory - e.g., by using open(2) - can cause
1013 dir_search() to loop forever, thus hanging the application
1014 process.
1015
1016 Consult the lsof FAQ (The FAQ section gives its location.)
1017 and the 00README file of the lsof distribution for a more com‐
1018 plete description of the Stale Segment ID bug, its APAR, and
1019 methods for defining readx() use when compiling lsof.
1020
1021 Linux:
1022 This Linux option requests that lsof skip the reporting of
1023 information on all open TCP, UDP and UDPLITE IPv4 and IPv6
1024 files.
1025
1026 This Linux option is most useful when the system has an
1027 extremely large number of open TCP, UDP and UDPLITE files, the
1028 processing of whose information in the /proc/net/tcp* and
1029 /proc/net/udp* files would take lsof a long time, and whose
1030 reporting is not of interest.
1031
1032 Use this option with care and only when you are sure that the
1033 information you want lsof to display isn't associated with
1034 open TCP, UDP or UDPLITE socket files.
1035
1036 Solaris 10 and above:
1037 This Solaris 10 and above option requests the reporting of
1038 cached paths for files that have been deleted - i.e., removed
1039 with rm(1) or unlink(2).
1040
1041 The cached path is followed by the string `` (deleted)'' to
1042 indicate that the path by which the file was opened has been
1043 deleted.
1044
1045 Because intervening changes made to the path - i.e., renames
1046 with mv(1) or rename(2) - are not recorded in the cached path,
1047 what lsof reports is only the path by which the file was
1048 opened, not its possibly different final path.
1049
1050 -z [z] specifies how Solaris 10 and higher zone information is to be
1051 handled.
1052
1053 Without a following argument - e.g., NO z - the option speci‐
1054 fies that zone names are to be listed in the ZONE output col‐
1055 umn.
1056
1057 The -z option may be followed by a zone name, z. That causes
1058 lsof to list only open files for processes in that zone. Mul‐
1059 tiple -z z option and argument pairs may be specified to form
1060 a list of named zones. Any open file of any process in any of
1061 the zones will be listed, subject to other conditions speci‐
1062 fied by other options and arguments.
1063
1064 -Z [Z] specifies how SELinux security contexts are to be handled.
1065 This option and 'Z' field output character support are inhib‐
1066 ited when SELinux is disabled in the running Linux kernel.
1067 See OUTPUT FOR OTHER PROGRAMS for more information on the 'Z'
1068 field output character.
1069
1070 Without a following argument - e.g., NO Z - the option speci‐
1071 fies that security contexts are to be listed in the SECU‐
1072 RITY-CONTEXT output column.
1073
1074 The -Z option may be followed by a wildcard security context
1075 name, Z. That causes lsof to list only open files for pro‐
1076 cesses in that security context. Multiple -Z Z option and
1077 argument pairs may be specified to form a list of security
1078 contexts. Any open file of any process in any of the security
1079 contexts will be listed, subject to other conditions specified
1080 by other options and arguments. Note that Z can be A:B:C or
1081 *:B:C or A:B:* or *:*:C to match against the A:B:C context.
1082
1083 -- The double minus sign option is a marker that signals the end
1084 of the keyed options. It may be used, for example, when the
1085 first file name begins with a minus sign. It may also be used
1086 when the absence of a value for the last keyed option must be
1087 signified by the presence of a minus sign in the following
1088 option and before the start of the file names.
1089
1090 names These are path names of specific files to list. Symbolic
1091 links are resolved before use. The first name may be sepa‐
1092 rated from the preceding options with the ``--'' option.
1093
1094 If a name is the mounted-on directory of a file system or the
1095 device of the file system, lsof will list all the files open
1096 on the file system. To be considered a file system, the name
1097 must match a mounted-on directory name in mount(8) output, or
1098 match the name of a block device associated with a mounted-on
1099 directory name. The +|-f option may be used to force lsof to
1100 consider a name a file system identifier (+f) or a simple file
1101 (-f).
1102
1103 If name is a path to a directory that is not the mounted-on
1104 directory name of a file system, it is treated just as a regu‐
1105 lar file is treated - i.e., its listing is restricted to pro‐
1106 cesses that have it open as a file or as a process-specific
1107 directory, such as the root or current working directory. To
1108 request that lsof look for open files inside a directory name,
1109 use the +d s and +D D options.
1110
1111 If a name is the base name of a family of multiplexed files -
1112 e. g, AIX's /dev/pt[cs] - lsof will list all the associated
1113 multiplexed files on the device that are open - e.g.,
1114 /dev/pt[cs]/1, /dev/pt[cs]/2, etc.
1115
1116 If a name is a UNIX domain socket name, lsof will usually
1117 search for it by the characters of the name alone - exactly as
1118 it is specified and is recorded in the kernel socket struc‐
1119 ture. (See the next paragraph for an exception to that rule
1120 for Linux.) Specifying a relative path - e.g., ./file - in
1121 place of the file's absolute path - e.g., /tmp/file - won't
1122 work because lsof must match the characters you specify with
1123 what it finds in the kernel UNIX domain socket structures.
1124
1125 If a name is a Linux UNIX domain socket name, in one case lsof
1126 is able to search for it by its device and inode number,
1127 allowing name to be a relative path. The case requires that
1128 the absolute path -- i.e., one beginning with a slash ('/') be
1129 used by the process that created the socket, and hence be
1130 stored in the /proc/net/unix file; and it requires that lsof
1131 be able to obtain the device and node numbers of both the
1132 absolute path in /proc/net/unix and name via successful
1133 stat(2) system calls. When those conditions are met, lsof
1134 will be able to search for the UNIX domain socket when some
1135 path to it is is specified in name. Thus, for example, if the
1136 path is /dev/log, and an lsof search is initiated when the
1137 working directory is /dev, then name could be ./log.
1138
1139 If a name is none of the above, lsof will list any open files
1140 whose device and inode match that of the specified path name.
1141
1142 If you have also specified the -b option, the only names you
1143 may safely specify are file systems for which your mount table
1144 supplies alternate device numbers. See the AVOIDING KERNEL
1145 BLOCKS and ALTERNATE DEVICE NUMBERS sections for more informa‐
1146 tion.
1147
1148 Multiple file names are joined in a single ORed set before
1149 participating in AND option selection.
1150
1152 Lsof supports the recognition of AFS files for these dialects (and AFS
1153 versions):
1154
1155 AIX 4.1.4 (AFS 3.4a)
1156 HP-UX 9.0.5 (AFS 3.4a)
1157 Linux 1.2.13 (AFS 3.3)
1158 Solaris 2.[56] (AFS 3.4a)
1159
1160 It may recognize AFS files on other versions of these dialects, but has
1161 not been tested there. Depending on how AFS is implemented, lsof may
1162 recognize AFS files in other dialects, or may have difficulties recog‐
1163 nizing AFS files in the supported dialects.
1164
1165 Lsof may have trouble identifying all aspects of AFS files in supported
1166 dialects when AFS kernel support is implemented via dynamic modules
1167 whose addresses do not appear in the kernel's variable name list. In
1168 that case, lsof may have to guess at the identity of AFS files, and
1169 might not be able to obtain volume information from the kernel that is
1170 needed for calculating AFS volume node numbers. When lsof can't com‐
1171 pute volume node numbers, it reports blank in the NODE column.
1172
1173 The -A A option is available in some dialect implementations of lsof
1174 for specifying the name list file where dynamic module kernel addresses
1175 may be found. When this option is available, it will be listed in the
1176 lsof help output, presented in response to the -h or -?
1177
1178 See the lsof FAQ (The FAQ section gives its location.) for more infor‐
1179 mation about dynamic modules, their symbols, and how they affect lsof
1180 options.
1181
1182 Because AFS path lookups don't seem to participate in the kernel's name
1183 cache operations, lsof can't identify path name components for AFS
1184 files.
1185
1187 Lsof has three features that may cause security concerns. First, its
1188 default compilation mode allows anyone to list all open files with it.
1189 Second, by default it creates a user-readable and user-writable device
1190 cache file in the home directory of the real user ID that executes
1191 lsof. (The list-all-open-files and device cache features may be dis‐
1192 abled when lsof is compiled.) Third, its -k and -m options name alter‐
1193 nate kernel name list or memory files.
1194
1195 Restricting the listing of all open files is controlled by the com‐
1196 pile-time HASSECURITY and HASNOSOCKSECURITY options. When HASSECURITY
1197 is defined, lsof will allow only the root user to list all open files.
1198 The non-root user may list only open files of processes with the same
1199 user IDentification number as the real user ID number of the lsof
1200 process (the one that its user logged on with).
1201
1202 However, if HASSECURITY and HASNOSOCKSECURITY are both defined, anyone
1203 may list open socket files, provided they are selected with the -i
1204 option.
1205
1206 When HASSECURITY is not defined, anyone may list all open files.
1207
1208 Help output, presented in response to the -h or -? option, gives the
1209 status of the HASSECURITY and HASNOSOCKSECURITY definitions.
1210
1211 See the Security section of the 00README file of the lsof distribution
1212 for information on building lsof with the HASSECURITY and HASNOSOCKSE‐
1213 CURITY options enabled.
1214
1215 Creation and use of a user-readable and user-writable device cache file
1216 is controlled by the compile-time HASDCACHE option. See the DEVICE
1217 CACHE FILE section and the sections that follow it for details on how
1218 its path is formed. For security considerations it is important to
1219 note that in the default lsof distribution, if the real user ID under
1220 which lsof is executed is root, the device cache file will be written
1221 in root's home directory - e.g., / or /root. When HASDCACHE is not
1222 defined, lsof does not write or attempt to read a device cache file.
1223
1224 When HASDCACHE is defined, the lsof help output, presented in response
1225 to the -h, -D?, or -? options, will provide device cache file handling
1226 information. When HASDCACHE is not defined, the -h or -? output will
1227 have no -D option description.
1228
1229 Before you decide to disable the device cache file feature - enabling
1230 it improves the performance of lsof by reducing the startup overhead of
1231 examining all the nodes in /dev (or /devices) - read the discussion of
1232 it in the 00DCACHE file of the lsof distribution and the lsof FAQ (The
1233 FAQ section gives its location.)
1234
1235 WHEN IN DOUBT, YOU CAN TEMPORARILY DISABLE THE USE OF THE DEVICE CACHE
1236 FILE WITH THE -Di OPTION.
1237
1238 When lsof user declares alternate kernel name list or memory files with
1239 the -k and -m options, lsof checks the user's authority to read them
1240 with access(2). This is intended to prevent whatever special power
1241 lsof's modes might confer on it from letting it read files not normally
1242 accessible via the authority of the real user ID.
1243
1245 This section describes the information lsof lists for each open file.
1246 See the OUTPUT FOR OTHER PROGRAMS section for additional information on
1247 output that can be processed by another program.
1248
1249 Lsof only outputs printable (declared so by isprint(3)) 8 bit charac‐
1250 ters. Non-printable characters are printed in one of three forms: the
1251 C ``\[bfrnt]'' form; the control character `^' form (e.g., ``^@''); or
1252 hexadecimal leading ``\x'' form (e.g., ``\xab''). Space is non-print‐
1253 able in the COMMAND column (``\x20'') and printable elsewhere.
1254
1255 For some dialects - if HASSETLOCALE is defined in the dialect's
1256 machine.h header file - lsof will print the extended 8 bit characters
1257 of a language locale. The lsof process must be supplied a language
1258 locale environment variable (e.g., LANG) whose value represents a known
1259 language locale in which the extended characters are considered print‐
1260 able by isprint(3). Otherwise lsof considers the extended characters
1261 non-printable and prints them according to its rules for non-printable
1262 characters, stated above. Consult your dialect's setlocale(3) man page
1263 for the names of other environment variables that may be used in place
1264 of LANG - e.g., LC_ALL, LC_CTYPE, etc.
1265
1266 Lsof's language locale support for a dialect also covers wide charac‐
1267 ters - e.g., UTF-8 - when HASSETLOCALE and HASWIDECHAR are defined in
1268 the dialect's machine.h header file, and when a suitable language
1269 locale has been defined in the appropriate environment variable for the
1270 lsof process. Wide characters are printable under those conditions if
1271 iswprint(3) reports them to be. If HASSETLOCALE, HASWIDECHAR and a
1272 suitable language locale aren't defined, or if iswprint(3) reports wide
1273 characters that aren't printable, lsof considers the wide characters
1274 non-printable and prints each of their 8 bits according to its rules
1275 for non-printable characters, stated above.
1276
1277 Consult the answers to the "Language locale support" questions in the
1278 lsof FAQ (The FAQ section gives its location.) for more information.
1279
1280 Lsof dynamically sizes the output columns each time it runs, guarantee‐
1281 ing that each column is a minimum size. It also guarantees that each
1282 column is separated from its predecessor by at least one space.
1283
1284 COMMAND contains the first nine characters of the name of the UNIX
1285 command associated with the process. If a non-zero w value
1286 is specified to the +c w option, the column contains the
1287 first w characters of the name of the UNIX command associ‐
1288 ated with the process up to the limit of characters supplied
1289 to lsof by the UNIX dialect. (See the description of the +c
1290 w command or the lsof FAQ for more information. The FAQ
1291 section gives its location.)
1292
1293 If w is less than the length of the column title, ``COM‐
1294 MAND'', it will be raised to that length.
1295
1296 If a zero w value is specified to the +c w option, the col‐
1297 umn contains all the characters of the name of the UNIX com‐
1298 mand associated with the process.
1299
1300 All command name characters maintained by the kernel in its
1301 structures are displayed in field output when the command
1302 name descriptor (`c') is specified. See the OUTPUT FOR
1303 OTHER COMMANDS section for information on selecting field
1304 output and the associated command name descriptor.
1305
1306 PID is the Process IDentification number of the process.
1307
1308 ZONE is the Solaris 10 and higher zone name. This column must be
1309 selected with the -z option.
1310
1311 SECURITY-CONTEXT
1312 is the SELinux security context. This column must be
1313 selected with the -Z option. Note that the -Z option is
1314 inhibited when SELinux is disabled in the running Linux ker‐
1315 nel.
1316
1317 PPID is the Parent Process IDentification number of the process.
1318 It is only displayed when the -R option has been specified.
1319
1320 PGID is the process group IDentification number associated with
1321 the process. It is only displayed when the -g option has
1322 been specified.
1323
1324 USER is the user ID number or login name of the user to whom the
1325 process belongs, usually the same as reported by ps(1).
1326 However, on Linux USER is the user ID number or login that
1327 owns the directory in /proc where lsof finds information
1328 about the process. Usually that is the same value reported
1329 by ps(1), but may differ when the process has changed its
1330 effective user ID. (See the -l option description for
1331 information on when a user ID number or login name is dis‐
1332 played.)
1333
1334 FD is the File Descriptor number of the file or:
1335
1336 cwd current working directory;
1337 Lnn library references (AIX);
1338 err FD information error (see NAME column);
1339 jld jail directory (FreeBSD);
1340 ltx shared library text (code and data);
1341 Mxx hex memory-mapped type number xx.
1342 m86 DOS Merge mapped file;
1343 mem memory-mapped file;
1344 mmap memory-mapped device;
1345 pd parent directory;
1346 rtd root directory;
1347 tr kernel trace file (OpenBSD);
1348 txt program text (code and data);
1349 v86 VP/ix mapped file;
1350
1351 FD is followed by one of these characters, describing the
1352 mode under which the file is open:
1353
1354 r for read access;
1355 w for write access;
1356 u for read and write access;
1357 space if mode unknown and no lock
1358 character follows;
1359 `-' if mode unknown and lock
1360 character follows.
1361
1362 The mode character is followed by one of these lock charac‐
1363 ters, describing the type of lock applied to the file:
1364
1365 N for a Solaris NFS lock of unknown type;
1366 r for read lock on part of the file;
1367 R for a read lock on the entire file;
1368 w for a write lock on part of the file;
1369 W for a write lock on the entire file;
1370 u for a read and write lock of any length;
1371 U for a lock of unknown type;
1372 x for an SCO OpenServer Xenix lock on part of the
1373 file;
1374 X for an SCO OpenServer Xenix lock on the entire
1375 file;
1376 space if there is no lock.
1377
1378 See the LOCKS section for more information on the lock
1379 information character.
1380
1381 The FD column contents constitutes a single field for pars‐
1382 ing in post-processing scripts.
1383
1384 TYPE is the type of the node associated with the file - e.g.,
1385 GDIR, GREG, VDIR, VREG, etc.
1386
1387 or ``IPv4'' for an IPv4 socket;
1388
1389 or ``IPv6'' for an open IPv6 network file - even if its
1390 address is IPv4, mapped in an IPv6 address;
1391
1392 or ``ax25'' for a Linux AX.25 socket;
1393
1394 or ``inet'' for an Internet domain socket;
1395
1396 or ``lla'' for a HP-UX link level access file;
1397
1398 or ``rte'' for an AF_ROUTE socket;
1399
1400 or ``sock'' for a socket of unknown domain;
1401
1402 or ``unix'' for a UNIX domain socket;
1403
1404 or ``x.25'' for an HP-UX x.25 socket;
1405
1406 or ``BLK'' for a block special file;
1407
1408 or ``CHR'' for a character special file;
1409
1410 or ``DEL'' for a Linux map file that has been deleted;
1411
1412 or ``DIR'' for a directory;
1413
1414 or ``DOOR'' for a VDOOR file;
1415
1416 or ``FIFO'' for a FIFO special file;
1417
1418 or ``KQUEUE'' for a BSD style kernel event queue file;
1419
1420 or ``LINK'' for a symbolic link file;
1421
1422 or ``MPB'' for a multiplexed block file;
1423
1424 or ``MPC'' for a multiplexed character file;
1425
1426 or ``NOFD'' for a Linux /proc/<PID>/fd directory that can't
1427 be opened -- the directory path appears in the NAME column,
1428 followed by an error message;
1429
1430 or ``PAS'' for a /proc/as file;
1431
1432 or ``PAXV'' for a /proc/auxv file;
1433
1434 or ``PCRE'' for a /proc/cred file;
1435
1436 or ``PCTL'' for a /proc control file;
1437
1438 or ``PCUR'' for the current /proc process;
1439
1440 or ``PCWD'' for a /proc current working directory;
1441
1442 or ``PDIR'' for a /proc directory;
1443
1444 or ``PETY'' for a /proc executable type (etype);
1445
1446 or ``PFD'' for a /proc file descriptor;
1447
1448 or ``PFDR'' for a /proc file descriptor directory;
1449
1450 or ``PFIL'' for an executable /proc file;
1451
1452 or ``PFPR'' for a /proc FP register set;
1453
1454 or ``PGD'' for a /proc/pagedata file;
1455
1456 or ``PGID'' for a /proc group notifier file;
1457
1458 or ``PIPE'' for pipes;
1459
1460 or ``PLC'' for a /proc/lwpctl file;
1461
1462 or ``PLDR'' for a /proc/lpw directory;
1463
1464 or ``PLDT'' for a /proc/ldt file;
1465
1466 or ``PLPI'' for a /proc/lpsinfo file;
1467
1468 or ``PLST'' for a /proc/lstatus file;
1469
1470 or ``PLU'' for a /proc/lusage file;
1471
1472 or ``PLWG'' for a /proc/gwindows file;
1473
1474 or ``PLWI'' for a /proc/lwpsinfo file;
1475
1476 or ``PLWS'' for a /proc/lwpstatus file;
1477
1478 or ``PLWU'' for a /proc/lwpusage file;
1479
1480 or ``PLWX'' for a /proc/xregs file'
1481
1482 or ``PMAP'' for a /proc map file (map);
1483
1484 or ``PMEM'' for a /proc memory image file;
1485
1486 or ``PNTF'' for a /proc process notifier file;
1487
1488 or ``POBJ'' for a /proc/object file;
1489
1490 or ``PODR'' for a /proc/object directory;
1491
1492 or ``POLP'' for an old format /proc light weight process
1493 file;
1494
1495 or ``POPF'' for an old format /proc PID file;
1496
1497 or ``POPG'' for an old format /proc page data file;
1498
1499 or ``PORT'' for a SYSV named pipe;
1500
1501 or ``PREG'' for a /proc register file;
1502
1503 or ``PRMP'' for a /proc/rmap file;
1504
1505 or ``PRTD'' for a /proc root directory;
1506
1507 or ``PSGA'' for a /proc/sigact file;
1508
1509 or ``PSIN'' for a /proc/psinfo file;
1510
1511 or ``PSTA'' for a /proc status file;
1512
1513 or ``PSXSEM'' for a POSIX semaphore file;
1514
1515 or ``PSXSHM'' for a POSIX shared memory file;
1516
1517 or ``PUSG'' for a /proc/usage file;
1518
1519 or ``PW'' for a /proc/watch file;
1520
1521 or ``PXMP'' for a /proc/xmap file;
1522
1523 or ``REG'' for a regular file;
1524
1525 or ``SMT'' for a shared memory transport file;
1526
1527 or ``STSO'' for a stream socket;
1528
1529 or ``UNNM'' for an unnamed type file;
1530
1531 or ``XNAM'' for an OpenServer Xenix special file of unknown
1532 type;
1533
1534 or ``XSEM'' for an OpenServer Xenix semaphore file;
1535
1536 or ``XSD'' for an OpenServer Xenix shared data file;
1537
1538 or the four type number octets if the corresponding name
1539 isn't known.
1540
1541 FILE-ADDR contains the kernel file structure address when f has been
1542 specified to +f;
1543
1544 FCT contains the file reference count from the kernel file
1545 structure when c has been specified to +f;
1546
1547 FILE-FLAG when g or G has been specified to +f, this field contains
1548 the contents of the f_flag[s] member of the kernel file
1549 structure and the kernel's per-process open file flags (if
1550 available); `G' causes them to be displayed in hexadecimal;
1551 `g', as short-hand names; two lists may be displayed with
1552 entries separated by commas, the lists separated by a semi‐
1553 colon (`;'); the first list may contain short-hand names for
1554 f_flag[s] values from the following table:
1555
1556 AIO asynchronous I/O (e.g., FAIO)
1557 AP append
1558 ASYN asynchronous I/O (e.g., FASYNC)
1559 BAS block, test, and set in use
1560 BKIU block if in use
1561 BL use block offsets
1562 BSK block seek
1563 CA copy avoid
1564 CIO concurrent I/O
1565 CLON clone
1566 CLRD CL read
1567 CR create
1568 DF defer
1569 DFI defer IND
1570 DFLU data flush
1571 DIR direct
1572 DLY delay
1573 DOCL do clone
1574 DSYN data-only integrity
1575 DTY must be a directory
1576 EVO event only
1577 EX open for exec
1578 EXCL exclusive open
1579 FSYN synchronous writes
1580 GCDF defer during unp_gc() (AIX)
1581 GCMK mark during unp_gc() (AIX)
1582 GTTY accessed via /dev/tty
1583 HUP HUP in progress
1584 KERN kernel
1585 KIOC kernel-issued ioctl
1586 LCK has lock
1587 LG large file
1588 MBLK stream message block
1589 MK mark
1590 MNT mount
1591 MSYN multiplex synchronization
1592 NATM don't update atime
1593 NB non-blocking I/O
1594 NBDR no BDRM check
1595 NBIO SYSV non-blocking I/O
1596 NBF n-buffering in effect
1597 NC no cache
1598 ND no delay
1599 NDSY no data synchronization
1600 NET network
1601 NFLK don't follow links
1602 NMFS NM file system
1603 NOTO disable background stop
1604 NSH no share
1605 NTTY no controlling TTY
1606 OLRM OLR mirror
1607 PAIO POSIX asynchronous I/O
1608 PP POSIX pipe
1609 R read
1610 RC file and record locking cache
1611 REV revoked
1612 RSH shared read
1613 RSYN read synchronization
1614 RW read and write access
1615 SL shared lock
1616 SNAP cooked snapshot
1617 SOCK socket
1618 SQSH Sequent shared set on open
1619 SQSV Sequent SVM set on open
1620 SQR Sequent set repair on open
1621 SQS1 Sequent full shared open
1622 SQS2 Sequent partial shared open
1623 STPI stop I/O
1624 SWR synchronous read
1625 SYN file integrity while writing
1626 TCPM avoid TCP collision
1627 TR truncate
1628 W write
1629 WKUP parallel I/O synchronization
1630 WTG parallel I/O synchronization
1631 VH vhangup pending
1632 VTXT virtual text
1633 XL exclusive lock
1634
1635 this list of names was derived from F* #define's in dialect
1636 header files <fcntl.h>, <linux</fs.h>, <sys/fcntl.c>,
1637 <sys/fcntlcom.h>, and <sys/file.h>; see the lsof.h header
1638 file for a list showing the correspondence between the above
1639 short-hand names and the header file definitions;
1640
1641 the second list (after the semicolon) may contain short-hand
1642 names for kernel per-process open file flags from this ta‐
1643 ble:
1644
1645 ALLC allocated
1646 BR the file has been read
1647 BHUP activity stopped by SIGHUP
1648 BW the file has been written
1649 CLSG closing
1650 CX close-on-exec (see fcntl(F_SETFD))
1651 LCK lock was applied
1652 MP memory-mapped
1653 OPIP open pending - in progress
1654 RSVW reserved wait
1655 SHMT UF_FSHMAT set (AIX)
1656 USE in use (multi-threaded)
1657
1658 NODE-ID (or INODE-ADDR for some dialects) contains a unique identi‐
1659 fier for the file node (usually the kernel vnode or inode
1660 address, but also occasionally a concatenation of device and
1661 node number) when n has been specified to +f;
1662
1663 DEVICE contains the device numbers, separated by commas, for a
1664 character special, block special, regular, directory or NFS
1665 file;
1666
1667 or ``memory'' for a memory file system node under Tru64
1668 UNIX;
1669
1670 or the address of the private data area of a Solaris socket
1671 stream;
1672
1673 or a kernel reference address that identifies the file (The
1674 kernel reference address may be used for FIFO's, for exam‐
1675 ple.);
1676
1677 or the base address or device name of a Linux AX.25 socket
1678 device.
1679
1680 Usually only the lower thirty two bits of Tru64 UNIX kernel
1681 addresses are displayed.
1682
1683 SIZE, SIZE/OFF, or OFFSET
1684 is the size of the file or the file offset in bytes. A
1685 value is displayed in this column only if it is available.
1686 Lsof displays whatever value - size or offset - is appropri‐
1687 ate for the type of the file and the version of lsof.
1688
1689 On some UNIX dialects lsof can't obtain accurate or consis‐
1690 tent file offset information from its kernel data sources,
1691 sometimes just for particular kinds of files (e.g., socket
1692 files.) In other cases, files don't have true sizes - e.g.,
1693 sockets, FIFOs, pipes - so lsof displays for their sizes the
1694 content amounts it finds in their kernel buffer descriptors
1695 (e.g., socket buffer size counts or TCP/IP window sizes.)
1696 Consult the lsof FAQ (The FAQ section gives its location.)
1697 for more information.
1698
1699 The file size is displayed in decimal; the offset is nor‐
1700 mally displayed in decimal with a leading ``0t'' if it con‐
1701 tains 8 digits or less; in hexadecimal with a leading ``0x''
1702 if it is longer than 8 digits. (Consult the -o o option
1703 description for information on when 8 might default to some
1704 other value.)
1705
1706 Thus the leading ``0t'' and ``0x'' identify an offset when
1707 the column may contain both a size and an offset (i.e., its
1708 title is SIZE/OFF).
1709
1710 If the -o option is specified, lsof always displays the file
1711 offset (or nothing if no offset is available) and labels the
1712 column OFFSET. The offset always begins with ``0t'' or
1713 ``0x'' as described above.
1714
1715 The lsof user can control the switch from ``0t'' to ``0x''
1716 with the -o o option. Consult its description for more
1717 information.
1718
1719 If the -s option is specified, lsof always displays the file
1720 size (or nothing if no size is available) and labels the
1721 column SIZE. The -o and -s options are mutually exclusive;
1722 they can't both be specified.
1723
1724 For files that don't have a fixed size - e.g., don't reside
1725 on a disk device - lsof will display appropriate information
1726 about the current size or position of the file if it is
1727 available in the kernel structures that define the file.
1728
1729 NLINK contains the file link count when +L has been specified;
1730
1731 NODE is the node number of a local file;
1732
1733 or the inode number of an NFS file in the server host;
1734
1735 or the Internet protocol type - e. g, ``TCP'';
1736
1737 or ``STR'' for a stream;
1738
1739 or ``CCITT'' for an HP-UX x.25 socket;
1740
1741 or the IRQ or inode number of a Linux AX.25 socket device.
1742
1743 NAME is the name of the mount point and file system on which the
1744 file resides;
1745
1746 or the name of a file specified in the names option (after
1747 any symbolic links have been resolved);
1748
1749 or the name of a character special or block special device;
1750
1751 or the local and remote Internet addresses of a network
1752 file; the local host name or IP number is followed by a
1753 colon (':'), the port, ``->'', and the two-part remote
1754 address; IP addresses may be reported as numbers or names,
1755 depending on the +|-M, -n, and -P options; colon-separated
1756 IPv6 numbers are enclosed in square brackets; IPv4
1757 INADDR_ANY and IPv6 IN6_IS_ADDR_UNSPECIFIED addresses, and
1758 zero port numbers are represented by an asterisk ('*'); a
1759 UDP destination address may be followed by the amount of
1760 time elapsed since the last packet was sent to the destina‐
1761 tion; TCP, UDP and UDPLITE remote addresses may be followed
1762 by TCP/TPI information in parentheses - state (e.g.,
1763 ``(ESTABLISHED)'', ``(Unbound)''), queue sizes, and window
1764 sizes (not all dialects) - in a fashion similar to what net‐
1765 stat(1) reports; see the -T option description or the
1766 description of the TCP/TPI field in OUTPUT FOR OTHER PRO‐
1767 GRAMS for more information on state, queue size, and window
1768 size;
1769
1770 or the address or name of a UNIX domain socket, possibly
1771 including a stream clone device name, a file system object's
1772 path name, local and foreign kernel addresses, socket pair
1773 information, and a bound vnode address;
1774
1775 or the local and remote mount point names of an NFS file;
1776
1777 or ``STR'', followed by the stream name;
1778
1779 or a stream character device name, followed by ``->'' and
1780 the stream name or a list of stream module names, separated
1781 by ``->'';
1782
1783 or ``STR:'' followed by the SCO OpenServer stream device and
1784 module names, separated by ``->'';
1785
1786 or system directory name, `` -- '', and as many components
1787 of the path name as lsof can find in the kernel's name cache
1788 for selected dialects (See the KERNEL NAME CACHE section for
1789 more information.);
1790
1791 or ``PIPE->'', followed by a Solaris kernel pipe destination
1792 address;
1793
1794 or ``COMMON:'', followed by the vnode device information
1795 structure's device name, for a Solaris common vnode;
1796
1797 or the address family, followed by a slash (`/'), followed
1798 by fourteen comma-separated bytes of a non-Internet raw
1799 socket address;
1800
1801 or the HP-UX x.25 local address, followed by the virtual
1802 connection number (if any), followed by the remote address
1803 (if any);
1804
1805 or ``(dead)'' for disassociated Tru64 UNIX files - typically
1806 terminal files that have been flagged with the TIOCNOTTY
1807 ioctl and closed by daemons;
1808
1809 or ``rd=<offset>'' and ``wr=<offset>'' for the values of the
1810 read and write offsets of a FIFO;
1811
1812 or ``clone n:/dev/event'' for SCO OpenServer file clones of
1813 the /dev/event device, where n is the minor device number of
1814 the file;
1815
1816 or ``(socketpair: n)'' for a Solaris 2.6, 8, 9 or 10 UNIX
1817 domain socket, created by the socketpair(3N) network func‐
1818 tion;
1819
1820 or ``no PCB'' for socket files that do not have a protocol
1821 block associated with them, optionally followed by ``,
1822 CANTSENDMORE'' if sending on the socket has been disabled,
1823 or ``, CANTRCVMORE'' if receiving on the socket has been
1824 disabled (e.g., by the shutdown(2) function);
1825
1826 or the local and remote addresses of a Linux IPX socket file
1827 in the form <net>:[<node>:]<port>, followed in parentheses
1828 by the transmit and receive queue sizes, and the connection
1829 state;
1830
1831 or ``dgram'' or ``stream'' for the type UnixWare 7.1.1 and
1832 above in-kernel UNIX domain sockets, followed by a colon
1833 (':') and the local path name when available, followed by
1834 ``->'' and the remote path name or kernel socket address in
1835 hexadecimal when available;
1836
1837 or the association value, association index, endpoint value,
1838 local address, local port, remote address and remote port
1839 for Linux SCTP sockets.
1840
1841 For dialects that support a ``namefs'' file system, allowing one file
1842 to be attached to another with fattach(3C), lsof will add
1843 ``(FA:<address1><direction><address2>)'' to the NAME column.
1844 <address1> and <address2> are hexadecimal vnode addresses. <direction>
1845 will be ``<-'' if <address2> has been fattach'ed to this vnode whose
1846 address is <address1>; and ``->'' if <address1>, the vnode address of
1847 this vnode, has been fattach'ed to <address2>. <address1> may be omit‐
1848 ted if it already appears in the DEVICE column.
1849
1850 Lsof may add two parenthetical notes to the NAME column for open
1851 Solaris 10 files: ``(?)'' if lsof considers the path name of question‐
1852 able accuracy; and ``(deleted)'' if the -X option has been specified
1853 and lsof detects the open file's path name has been deleted. Consult
1854 the lsof FAQ (The FAQ section gives its location.) for more informa‐
1855 tion on these NAME column additions.
1856
1858 Lsof can't adequately report the wide variety of UNIX dialect file
1859 locks in a single character. What it reports in a single character is
1860 a compromise between the information it finds in the kernel and the
1861 limitations of the reporting format.
1862
1863 Moreover, when a process holds several byte level locks on a file, lsof
1864 only reports the status of the first lock it encounters. If it is a
1865 byte level lock, then the lock character will be reported in lower case
1866 - i.e., `r', `w', or `x' - rather than the upper case equivalent
1867 reported for a full file lock.
1868
1869 Generally lsof can only report on locks held by local processes on
1870 local files. When a local process sets a lock on a remotely mounted
1871 (e.g., NFS) file, the remote server host usually records the lock
1872 state. One exception is Solaris - at some patch levels of 2.3, and in
1873 all versions above 2.4, the Solaris kernel records information on
1874 remote locks in local structures.
1875
1876 Lsof has trouble reporting locks for some UNIX dialects. Consult the
1877 BUGS section of this manual page or the lsof FAQ (The FAQ section gives
1878 its location.) for more information.
1879
1881 When the -F option is specified, lsof produces output that is suitable
1882 for processing by another program - e.g, an awk or Perl script, or a C
1883 program.
1884
1885 Each unit of information is output in a field that is identified with a
1886 leading character and terminated by a NL (012) (or a NUL (000) if the 0
1887 (zero) field identifier character is specified.) The data of the field
1888 follows immediately after the field identification character and
1889 extends to the field terminator.
1890
1891 It is possible to think of field output as process and file sets. A
1892 process set begins with a field whose identifier is `p' (for process
1893 IDentifier (PID)). It extends to the beginning of the next PID field
1894 or the beginning of the first file set of the process, whichever comes
1895 first. Included in the process set are fields that identify the com‐
1896 mand, the process group IDentification (PGID) number, and the user ID
1897 (UID) number or login name.
1898
1899 A file set begins with a field whose identifier is `f' (for file
1900 descriptor). It is followed by lines that describe the file's access
1901 mode, lock state, type, device, size, offset, inode, protocol, name and
1902 stream module names. It extends to the beginning of the next file or
1903 process set, whichever comes first.
1904
1905 When the NUL (000) field terminator has been selected with the 0 (zero)
1906 field identifier character, lsof ends each process and file set with a
1907 NL (012) character.
1908
1909 Lsof always produces one field, the PID (`p') field. All other fields
1910 may be declared optionally in the field identifier character list that
1911 follows the -F option. When a field selection character identifies an
1912 item lsof does not normally list - e.g., PPID, selected with -R - spec‐
1913 ification of the field character - e.g., ``-FR'' - also selects the
1914 listing of the item.
1915
1916 It is entirely possible to select a set of fields that cannot easily be
1917 parsed - e.g., if the field descriptor field is not selected, it may be
1918 difficult to identify file sets. To help you avoid this difficulty,
1919 lsof supports the -F option; it selects the output of all fields with
1920 NL terminators (the -F0 option pair selects the output of all fields
1921 with NUL terminators). For compatibility reasons neither -F nor -F0
1922 select the raw device field.
1923
1924 These are the fields that lsof will produce. The single character
1925 listed first is the field identifier.
1926
1927 a file access mode
1928 c process command name (all characters from proc or
1929 user structure)
1930 C file structure share count
1931 d file's device character code
1932 D file's major/minor device number (0x<hexadecimal>)
1933 f file descriptor
1934 F file structure address (0x<hexadecimal>)
1935 G file flaGs (0x<hexadecimal>; names if +fg follows)
1936 i file's inode number
1937 k link count
1938 l file's lock status
1939 L process login name
1940 m marker between repeated output
1941 n file name, comment, Internet address
1942 N node identifier (ox<hexadecimal>
1943 o file's offset (decimal)
1944 p process ID (always selected)
1945 g process group ID
1946 P protocol name
1947 r raw device number (0x<hexadecimal>)
1948 R parent process ID
1949 s file's size (decimal)
1950 S file's stream identification
1951 t file's type
1952 T TCP/TPI information, identified by prefixes (the
1953 `=' is part of the prefix):
1954 QR=<read queue size>
1955 QS=<send queue size>
1956 SO=<socket options and values> (not all dialects)
1957 SS=<socket states> (not all dialects)
1958 ST=<connection state>
1959 TF=<TCP flags and values> (not all dialects)
1960 WR=<window read size> (not all dialects)
1961 WW=<window write size> (not all dialects)
1962 (TCP/TPI information isn't reported for all supported
1963 UNIX dialects. The -h or -? help output for the
1964 -T option will show what TCP/TPI reporting can be
1965 requested.)
1966 u process user ID
1967 z Solaris 10 and higher zone name
1968 Z SELinux security context (inhibited when SELinux is disabled)
1969 0 use NUL field terminator character in place of NL
1970 1-9 dialect-specific field identifiers (The output
1971 of -F? identifies the information to be found
1972 in dialect-specific fields.)
1973
1974 You can get on-line help information on these characters and their
1975 descriptions by specifying the -F? option pair. (Escape the `?' char‐
1976 acter as your shell requires.) Additional information on field content
1977 can be found in the OUTPUT section.
1978
1979 As an example, ``-F pcfn'' will select the process ID (`p'), command
1980 name (`c'), file descriptor (`f') and file name (`n') fields with an NL
1981 field terminator character; ``-F pcfn0'' selects the same output with a
1982 NUL (000) field terminator character.
1983
1984 Lsof doesn't produce all fields for every process or file set, only
1985 those that are available. Some fields are mutually exclusive: file
1986 device characters and file major/minor device numbers; file inode num‐
1987 ber and protocol name; file name and stream identification; file size
1988 and offset. One or the other member of these mutually exclusive sets
1989 will appear in field output, but not both.
1990
1991 Normally lsof ends each field with a NL (012) character. The 0 (zero)
1992 field identifier character may be specified to change the field termi‐
1993 nator character to a NUL (000). A NUL terminator may be easier to
1994 process with xargs [4m(1), for example, or with programs whose quoting
1995 mechanisms may not easily cope with the range of characters in the
1996 field output. When the NUL field terminator is in use, lsof ends each
1997 process and file set with a NL (012).
1998
1999 Three aids to producing programs that can process lsof field output are
2000 included in the lsof distribution. The first is a C header file,
2001 lsof_fields.h, that contains symbols for the field identification char‐
2002 acters, indexes for storing them in a table, and explanation strings
2003 that may be compiled into programs. Lsof uses this header file.
2004
2005 The second aid is a set of sample scripts that process field output,
2006 written in awk, Perl 4, and Perl 5. They're located in the scripts
2007 subdirectory of the lsof distribution.
2008
2009 The third aid is the C library used for the lsof test suite. The test
2010 suite is written in C and uses field output to validate the correct
2011 operation of lsof. The library can be found in the tests/LTlib.c file
2012 of the lsof distribution. The library uses the first aid, the
2013 lsof_fields.h header file.
2014
2016 Lsof can be blocked by some kernel functions that it uses - lstat(2),
2017 readlink(2), and stat(2). These functions are stalled in the kernel,
2018 for example, when the hosts where mounted NFS file systems reside
2019 become inaccessible.
2020
2021 Lsof attempts to break these blocks with timers and child processes,
2022 but the techniques are not wholly reliable. When lsof does manage to
2023 break a block, it will report the break with an error message. The
2024 messages may be suppressed with the -t and -w options.
2025
2026 The default timeout value may be displayed with the -h or -? option,
2027 and it may be changed with the -S [t] option. The minimum for t is two
2028 seconds, but you should avoid small values, since slow system respon‐
2029 siveness can cause short timeouts to expire unexpectedly and perhaps
2030 stop lsof before it can produce any output.
2031
2032 When lsof has to break a block during its access of mounted file system
2033 information, it normally continues, although with less information
2034 available to display about open files.
2035
2036 Lsof can also be directed to avoid the protection of timers and child
2037 processes when using the kernel functions that might block by specify‐
2038 ing the -O option. While this will allow lsof to start up with less
2039 overhead, it exposes lsof completely to the kernel situations that
2040 might block it. Use this option cautiously.
2041
2043 You can use the -b option to tell lsof to avoid using kernel functions
2044 that would block. Some cautions apply.
2045
2046 First, using this option usually requires that your system supply
2047 alternate device numbers in place of the device numbers that lsof would
2048 normally obtain with the lstat(2) and stat(2) kernel functions. See
2049 the ALTERNATE DEVICE NUMBERS section for more information on alternate
2050 device numbers.
2051
2052 Second, you can't specify names for lsof to locate unless they're file
2053 system names. This is because lsof needs to know the device and inode
2054 numbers of files listed with names in the lsof options, and the -b
2055 option prevents lsof from obtaining them. Moreover, since lsof only
2056 has device numbers for the file systems that have alternates, its abil‐
2057 ity to locate files on file systems depends completely on the avail‐
2058 ability and accuracy of the alternates. If no alternates are avail‐
2059 able, or if they're incorrect, lsof won't be able to locate files on
2060 the named file systems.
2061
2062 Third, if the names of your file system directories that lsof obtains
2063 from your system's mount table are symbolic links, lsof won't be able
2064 to resolve the links. This is because the -b option causes lsof to
2065 avoid the kernel readlink(2) function it uses to resolve symbolic
2066 links.
2067
2068 Finally, using the -b option causes lsof to issue warning messages when
2069 it needs to use the kernel functions that the -b option directs it to
2070 avoid. You can suppress these messages by specifying the -w option,
2071 but if you do, you won't see the alternate device numbers reported in
2072 the warning messages.
2073
2075 On some dialects, when lsof has to break a block because it can't get
2076 information about a mounted file system via the lstat(2) and stat(2)
2077 kernel functions, or because you specified the -b option, lsof can
2078 obtain some of the information it needs - the device number and possi‐
2079 bly the file system type - from the system mount table. When that is
2080 possible, lsof will report the device number it obtained. (You can
2081 suppress the report by specifying the -w option.)
2082
2083 You can assist this process if your mount table is supported with an
2084 /etc/mtab or /etc/mnttab file that contains an options field by adding
2085 a ``dev=xxxx'' field for mount points that do not have one in their
2086 options strings. Note: you must be able to edit the file - i.e., some
2087 mount tables like recent Solaris /etc/mnttab or Linux /proc/mounts are
2088 read-only and can't be modified.
2089
2090 You may also be able to supply device numbers using the +m and +m m
2091 options, provided they are supported by your dialect. Check the output
2092 of lsof's -h or -? options to see if the +m and +m m options are
2093 available.
2094
2095 The ``xxxx'' portion of the field is the hexadecimal value of the file
2096 system's device number. (Consult the st_dev field of the output of the
2097 lstat(2) and stat(2) functions for the appropriate values for your file
2098 systems.) Here's an example from a Sun Solaris 2.6 /etc/mnttab for a
2099 file system remotely mounted via NFS:
2100
2101 nfs ignore,noquota,dev=2a40001
2102
2103 There's an advantage to having ``dev=xxxx'' entries in your mount table
2104 file, especially for file systems that are mounted from remote NFS
2105 servers. When a remote server crashes and you want to identify its
2106 users by running lsof on one of its clients, lsof probably won't be
2107 able to get output from the lstat(2) and stat(2) functions for the file
2108 system. If it can obtain the file system's device number from the
2109 mount table, it will be able to display the files open on the crashed
2110 NFS server.
2111
2112 Some dialects that do not use an ASCII /etc/mtab or /etc/mnttab file
2113 for the mount table may still provide an alternative device number in
2114 their internal mount tables. This includes AIX, Apple Darwin, FreeBSD,
2115 NetBSD, OpenBSD, and Tru64 UNIX. Lsof knows how to obtain the alterna‐
2116 tive device number for these dialects and uses it when its attempt to
2117 lstat(2) or stat(2) the file system is blocked.
2118
2119 If you're not sure your dialect supplies alternate device numbers for
2120 file systems from its mount table, use this lsof incantation to see if
2121 it reports any alternate device numbers:
2122
2123 lsof -b
2124
2125 Look for standard error file warning messages that begin ``assuming
2126 "dev=xxxx" from ...''.
2127
2129 Lsof is able to examine the kernel's name cache or use other kernel
2130 facilities (e.g., the ADVFS 4.x tag_to_path() function under Tru64
2131 UNIX) on some dialects for most file system types, excluding AFS, and
2132 extract recently used path name components from it. (AFS file system
2133 path lookups don't use the kernel's name cache; some Solaris VxFS file
2134 system operations apparently don't use it, either.)
2135
2136 Lsof reports the complete paths it finds in the NAME column. If lsof
2137 can't report all components in a path, it reports in the NAME column
2138 the file system name, followed by a space, two `-' characters, another
2139 space, and the name components it has located, separated by the `/'
2140 character.
2141
2142 When lsof is run in repeat mode - i.e., with the -r option specified -
2143 the extent to which it can report path name components for the same
2144 file may vary from cycle to cycle. That's because other running pro‐
2145 cesses can cause the kernel to remove entries from its name cache and
2146 replace them with others.
2147
2148 Lsof's use of the kernel name cache to identify the paths of files can
2149 lead it to report incorrect components under some circumstances. This
2150 can happen when the kernel name cache uses device and node number as a
2151 key (e.g., SCO OpenServer) and a key on a rapidly changing file system
2152 is reused. If the UNIX dialect's kernel doesn't purge the name cache
2153 entry for a file when it is unlinked, lsof may find a reference to the
2154 wrong entry in the cache. The lsof FAQ (The FAQ section gives its
2155 location.) has more information on this situation.
2156
2157 Lsof can report path name components for these dialects:
2158
2159 FreeBSD
2160 HP-UX
2161 Linux
2162 NetBSD
2163 NEXTSTEP
2164 OpenBSD
2165 OPENSTEP
2166 SCO OpenServer
2167 SCO|Caldera UnixWare
2168 Solaris
2169 Tru64 UNIX
2170
2171 Lsof can't report path name components for these dialects:
2172
2173 AIX
2174
2175 If you want to know why lsof can't report path name components for some
2176 dialects, see the lsof FAQ (The FAQ section gives its location.)
2177
2179 Examining all members of the /dev (or /devices) node tree with stat(2)
2180 functions can be time consuming. What's more, the information that
2181 lsof needs - device number, inode number, and path - rarely changes.
2182
2183 Consequently, lsof normally maintains an ASCII text file of cached /dev
2184 (or /devices) information (exception: the /proc-based Linux lsof where
2185 it's not needed.) The local system administrator who builds lsof can
2186 control the way the device cache file path is formed, selecting from
2187 these options:
2188
2189 Path from the -D option;
2190 Path from an environment variable;
2191 System-wide path;
2192 Personal path (the default);
2193 Personal path, modified by an environment variable.
2194
2195 Consult the output of the -h, -D? , or -? help options for the current
2196 state of device cache support. The help output lists the default
2197 read-mode device cache file path that is in effect for the current
2198 invocation of lsof. The -D? option output lists the read-only and
2199 write device cache file paths, the names of any applicable environment
2200 variables, and the personal device cache path format.
2201
2202 Lsof can detect that the current device cache file has been acciden‐
2203 tally or maliciously modified by integrity checks, including the compu‐
2204 tation and verification of a sixteen bit Cyclic Redundancy Check (CRC)
2205 sum on the file's contents. When lsof senses something wrong with the
2206 file, it issues a warning and attempts to remove the current cache file
2207 and create a new copy, but only to a path that the process can legiti‐
2208 mately write.
2209
2210 The path from which a lsof process may attempt to read a device cache
2211 file may not be the same as the path to which it can legitimately
2212 write. Thus when lsof senses that it needs to update the device cache
2213 file, it may choose a different path for writing it from the path from
2214 which it read an incorrect or outdated version.
2215
2216 If available, the -Dr option will inhibit the writing of a new device
2217 cache file. (It's always available when specified without a path name
2218 argument.)
2219
2220 When a new device is added to the system, the device cache file may
2221 need to be recreated. Since lsof compares the mtime of the device
2222 cache file with the mtime and ctime of the /dev (or /devices) direc‐
2223 tory, it usually detects that a new device has been added; in that case
2224 lsof issues a warning message and attempts to rebuild the device cache
2225 file.
2226
2227 Whenever lsof writes a device cache file, it sets its ownership to the
2228 real UID of the executing process, and its permission modes to 0600,
2229 this restricting its reading and writing to the file's owner.
2230
2232 Two permissions of the lsof executable affect its ability to access
2233 device cache files. The permissions are set by the local system admin‐
2234 istrator when lsof is installed.
2235
2236 The first and rarer permission is setuid-root. It comes into effect
2237 when lsof is executed; its effective UID is then root, while its real
2238 (i.e., that of the logged-on user) UID is not. The lsof distribution
2239 recommends that versions for these dialects run setuid-root.
2240
2241 HP-UX 11.11 and 11.23
2242 Linux
2243
2244 The second and more common permission is setgid. It comes into effect
2245 when the effective group IDentification number (GID) of the lsof
2246 process is set to one that can access kernel memory devices - e.g.,
2247 ``kmem'', ``sys'', or ``system''.
2248
2249 An lsof process that has setgid permission usually surrenders the per‐
2250 mission after it has accessed the kernel memory devices. When it does
2251 that, lsof can allow more liberal device cache path formations. The
2252 lsof distribution recommends that versions for these dialects run set‐
2253 gid and be allowed to surrender setgid permission.
2254
2255 AIX 5.[12] and 5.3-ML1
2256 Apple Darwin 7.x Power Macintosh systems
2257 FreeBSD 4.x, 4.1x, 5.x and [67].x for x86-based systems
2258 FreeBSD 5.x and [67].x for Alpha, AMD64 and Sparc64-based
2259 systems
2260 HP-UX 11.00
2261 NetBSD 1.[456], 2.x and 3.x for Alpha, x86, and SPARC-based
2262 systems
2263 NEXTSTEP 3.[13] for NEXTSTEP architectures
2264 OpenBSD 2.[89] and 3.[0-9] for x86-based systems
2265 OPENSTEP 4.x
2266 SCO OpenServer Release 5.0.6 for x86-based systems
2267 SCO|Caldera UnixWare 7.1.4 for x86-based systems
2268 Solaris 2.6, 8, 9 and 10
2269 Tru64 UNIX 5.1
2270
2271 (Note: lsof for AIX 5L and above needs setuid-root permission if its -X
2272 option is used.)
2273
2274 Lsof for these dialects does not support a device cache, so the permis‐
2275 sions given to the executable don't apply to the device cache file.
2276
2277 Linux
2278
2280 The -D option provides limited means for specifying the device cache
2281 file path. Its ? function will report the read-only and write device
2282 cache file paths that lsof will use.
2283
2284 When the -D b, r, and u functions are available, you can use them to
2285 request that the cache file be built in a specific location (b[path]);
2286 read but not rebuilt (r[path]); or read and rebuilt (u[path]). The b,
2287 r, and u functions are restricted under some conditions. They are
2288 restricted when the lsof process is setuid-root. The path specified
2289 with the r function is always read-only, even when it is available.
2290
2291 The b, r, and u functions are also restricted when the lsof process
2292 runs setgid and lsof doesn't surrender the setgid permission. (See the
2293 LSOF PERMISSIONS THAT AFFECT DEVICE CACHE FILE ACCESS section for a
2294 list of implementations that normally don't surrender their setgid per‐
2295 mission.)
2296
2297 A further -D function, i (for ignore), is always available.
2298
2299 When available, the b function tells lsof to read device information
2300 from the kernel with the stat(2) function and build a device cache file
2301 at the indicated path.
2302
2303 When available, the r function tells lsof to read the device cache
2304 file, but not update it. When a path argument accompanies -Dr, it
2305 names the device cache file path. The r function is always available
2306 when it is specified without a path name argument. If lsof is not run‐
2307 ning setuid-root and surrenders its setgid permission, a path name
2308 argument may accompany the r function.
2309
2310 When available, the u function tells lsof to attempt to read and use
2311 the device cache file. If it can't read the file, or if it finds the
2312 contents of the file incorrect or outdated, it will read information
2313 from the kernel, and attempt to write an updated version of the device
2314 cache file, but only to a path it considers legitimate for the lsof
2315 process effective and real UIDs.
2316
2318 Lsof's second choice for the device cache file is the contents of the
2319 LSOFDEVCACHE environment variable. It avoids this choice if the lsof
2320 process is setuid-root, or the real UID of the process is root.
2321
2322 A further restriction applies to a device cache file path taken from
2323 the LSOFDEVCACHE environment variable: lsof will not write a device
2324 cache file to the path if the lsof process doesn't surrender its setgid
2325 permission. (See the LSOF PERMISSIONS THAT AFFECT DEVICE CACHE FILE
2326 ACCESS section for information on implementations that don't surrender
2327 their setgid permission.)
2328
2329 The local system administrator can disable the use of the LSOFDEVCACHE
2330 environment variable or change its name when building lsof. Consult
2331 the output of -D? for the environment variable's name.
2332
2334 The local system administrator may choose to have a system-wide device
2335 cache file when building lsof. That file will generally be constructed
2336 by a special system administration procedure when the system is booted
2337 or when the contents of /dev or /devices) changes. If defined, it is
2338 lsof's third device cache file path choice.
2339
2340 You can tell that a system-wide device cache file is in effect for your
2341 local installation by examining the lsof help option output - i.e., the
2342 output from the -h or -? option.
2343
2344 Lsof will never write to the system-wide device cache file path by
2345 default. It must be explicitly named with a -D function in a
2346 root-owned procedure. Once the file has been written, the procedure
2347 must change its permission modes to 0644 (owner-read and owner-write,
2348 group-read, and other-read).
2349
2351 The default device cache file path of the lsof distribution is one
2352 recorded in the home directory of the real UID that executes lsof.
2353 Added to the home directory is a second path component of the form
2354 .lsof_hostname.
2355
2356 This is lsof's fourth device cache file path choice, and is usually the
2357 default. If a system-wide device cache file path was defined when lsof
2358 was built, this fourth choice will be applied when lsof can't find the
2359 system-wide device cache file. This is the only time lsof uses two
2360 paths when reading the device cache file.
2361
2362 The hostname part of the second component is the base name of the exe‐
2363 cuting host, as returned by gethostname(2). The base name is defined
2364 to be the characters preceding the first `.' in the gethostname(2)
2365 output, or all the gethostname(2) output if it contains no `.'.
2366
2367 The device cache file belongs to the user ID and is readable and
2368 writable by the user ID alone - i.e., its modes are 0600. Each dis‐
2369 tinct real user ID on a given host that executes lsof has a distinct
2370 device cache file. The hostname part of the path distinguishes device
2371 cache files in an NFS-mounted home directory into which device cache
2372 files are written from several different hosts.
2373
2374 The personal device cache file path formed by this method represents a
2375 device cache file that lsof will attempt to read, and will attempt to
2376 write should it not exist or should its contents be incorrect or out‐
2377 dated.
2378
2379 The -Dr option without a path name argument will inhibit the writing of
2380 a new device cache file.
2381
2382 The -D? option will list the format specification for constructing the
2383 personal device cache file. The conversions used in the format speci‐
2384 fication are described in the 00DCACHE file of the lsof distribution.
2385
2387 If this option is defined by the local system administrator when lsof
2388 is built, the LSOFPERSDCPATH environment variable contents may be used
2389 to add a component of the personal device cache file path.
2390
2391 The LSOFPERSDCPATH variable contents are inserted in the path at the
2392 place marked by the local system administrator with the ``%p'' conver‐
2393 sion in the HASPERSDC format specification of the dialect's machine.h
2394 header file. (It's placed right after the home directory in the
2395 default lsof distribution.)
2396
2397 Thus, for example, if LSOFPERSDCPATH contains ``LSOF'', the home direc‐
2398 tory is ``/Homes/abe'', the host name is ``lsof.itap.purdue.edu'', and
2399 the HASPERSDC format is the default (``%h/%p.lsof_%L''), the modified
2400 personal device cache file path is:
2401
2402 /Homes/abe/LSOF/.lsof_vic
2403
2404 The LSOFPERSDCPATH environment variable is ignored when the lsof
2405 process is setuid-root or when the real UID of the process is root.
2406
2407 Lsof will not write to a modified personal device cache file path if
2408 the lsof process doesn't surrender setgid permission. (See the LSOF
2409 PERMISSIONS THAT AFFECT DEVICE CACHE FILE ACCESS section for a list of
2410 implementations that normally don't surrender their setgid permission.)
2411
2412 If, for example, you want to create a sub-directory of personal device
2413 cache file paths by using the LSOFPERSDCPATH environment variable to
2414 name it, and lsof doesn't surrender its setgid permission, you will
2415 have to allow lsof to create device cache files at the standard per‐
2416 sonal path and move them to your subdirectory with shell commands.
2417
2418 The local system administrator may: disable this option when lsof is
2419 built; change the name of the environment variable from LSOFPERSDCPATH
2420 to something else; change the HASPERSDC format to include the personal
2421 path component in another place; or exclude the personal path component
2422 entirely. Consult the output of the -D? option for the environment
2423 variable's name and the HASPERSDC format specification.
2424
2426 Errors are identified with messages on the standard error file.
2427
2428 Lsof returns a one (1) if any error was detected, including the failure
2429 to locate command names, file names, Internet addresses or files, login
2430 names, NFS files, PIDs, PGIDs, or UIDs it was asked to list. If the -V
2431 option is specified, lsof will indicate the search items it failed to
2432 list.
2433
2434 It returns a zero (0) if no errors were detected and if it was able to
2435 list some information about all the specified search arguments.
2436
2437 When lsof cannot open access to /dev (or /devices) or one of its subdi‐
2438 rectories, or get information on a file in them with stat(2), it issues
2439 a warning message and continues. That lsof will issue warning messages
2440 about inaccessible files in /dev (or /devices) is indicated in its help
2441 output - requested with the -h or >B -? options - with the message:
2442
2443 Inaccessible /dev warnings are enabled.
2444
2445 The warning message may be suppressed with the -w option. It may also
2446 have been suppressed by the system administrator when lsof was compiled
2447 by the setting of the WARNDEVACCESS definition. In this case, the out‐
2448 put from the help options will include the message:
2449
2450 Inaccessible /dev warnings are disabled.
2451
2452 Inaccessible device warning messages usually disappear after lsof has
2453 created a working device cache file.
2454
2456 For a more extensive set of examples, documented more fully, see the
2457 00QUICKSTART file of the lsof distribution.
2458
2459 To list all open files, use:
2460
2461 lsof
2462
2463 To list all open Internet, x.25 (HP-UX), and UNIX domain files, use:
2464
2465 lsof -i -U
2466
2467 To list all open IPv4 network files in use by the process whose PID is
2468 1234, use:
2469
2470 lsof -i 4 -a -p 1234
2471
2472 Presuming the UNIX dialect supports IPv6, to list only open IPv6 net‐
2473 work files, use:
2474
2475 lsof -i 6
2476
2477 To list all files using any protocol on ports 513, 514, or 515 of host
2478 wonderland.cc.purdue.edu, use:
2479
2480 lsof -i @wonderland.cc.purdue.edu:513-515
2481
2482 To list all files using any protocol on any port of mace.cc.purdue.edu
2483 (cc.purdue.edu is the default domain), use:
2484
2485 lsof -i @mace
2486
2487 To list all open files for login name ``abe'', or user ID 1234, or
2488 process 456, or process 123, or process 789, use:
2489
2490 lsof -p 456,123,789 -u 1234,abe
2491
2492 To list all open files on device /dev/hd4, use:
2493
2494 lsof /dev/hd4
2495
2496 To find the process that has /u/abe/foo open, use:
2497
2498 lsof /u/abe/foo
2499
2500 To send a SIGHUP to the processes that have /u/abe/bar open, use:
2501
2502 kill -HUP `lsof -t /u/abe/bar`
2503
2504 To find any open file, including an open UNIX domain socket file, with
2505 the name /dev/log, use:
2506
2507 lsof /dev/log
2508
2509 To find processes with open files on the NFS file system named
2510 /nfs/mount/point whose server is inaccessible, and presuming your mount
2511 table supplies the device number for /nfs/mount/point, use:
2512
2513 lsof -b /nfs/mount/point
2514
2515 To do the preceding search with warning messages suppressed, use:
2516
2517 lsof -bw /nfs/mount/point
2518
2519 To ignore the device cache file, use:
2520
2521 lsof -Di
2522
2523 To obtain PID and command name field output for each process, file
2524 descriptor, file device number, and file inode number for each file of
2525 each process, use:
2526
2527 lsof -FpcfDi
2528
2529 To list the files at descriptors 1 and 3 of every process running the
2530 lsof command for login ID ``abe'' every 10 seconds, use:
2531
2532 lsof -c lsof -a -d 1 -d 3 -u abe -r10
2533
2534 To list the current working directory of processes running a command
2535 that is exactly four characters long and has an 'o' or 'O' in character
2536 three, use this regular expression form of the -c c option:
2537
2538 lsof -c /^..o.$/i -a -d cwd
2539
2540 To find an IP version 4 socket file by its associated numeric dot-form
2541 address, use:
2542
2543 lsof -i@128.210.15.17
2544
2545 To find an IP version 6 socket file (when the UNIX dialect supports
2546 IPv6) by its associated numeric colon-form address, use:
2547
2548 lsof -i@[0:1:2:3:4:5:6:7]
2549
2550 To find an IP version 6 socket file (when the UNIX dialect supports
2551 IPv6) by an associated numeric colon-form address that has a run of
2552 zeroes in it - e.g., the loop-back address - use:
2553
2554 lsof -i@[::1]
2555
2556 To obtain a repeat mode marker line that contains the current time,
2557 use:
2558
2559 lsof -rm====%T====
2560
2561 To add spaces to the previous marker line, use:
2562
2563 lsof -r "m==== %T ===="
2564
2566 Since lsof reads kernel memory in its search for open files, rapid
2567 changes in kernel memory may produce unpredictable results.
2568
2569 When a file has multiple record locks, the lock status character (fol‐
2570 lowing the file descriptor) is derived from a test of the first lock
2571 structure, not from any combination of the individual record locks that
2572 might be described by multiple lock structures.
2573
2574 Lsof can't search for files with restrictive access permissions by name
2575 unless it is installed with root set-UID permission. Otherwise it is
2576 limited to searching for files to which its user or its set-GID group
2577 (if any) has access permission.
2578
2579 The display of the destination address of a raw socket (e.g., for ping)
2580 depends on the UNIX operating system. Some dialects store the destina‐
2581 tion address in the raw socket's protocol control block, some do not.
2582
2583 Lsof can't always represent Solaris device numbers in the same way that
2584 ls(1) does. For example, the major and minor device numbers that the
2585 lstat(2) and stat(2) functions report for the directory on which CD-ROM
2586 files are mounted (typically /cdrom) are not the same as the ones that
2587 it reports for the device on which CD-ROM files are mounted (typically
2588 /dev/sr0). (Lsof reports the directory numbers.)
2589
2590 The support for /proc file systems is available only for BSD and Tru64
2591 UNIX dialects, Linux, and dialects derived from SYSV R4 - e.g., Free‐
2592 BSD, NetBSD, OpenBSD, Solaris, UnixWare.
2593
2594 Some /proc file items - device number, inode number, and file size -
2595 are unavailable in some dialects. Searching for files in a /proc file
2596 system may require that the full path name be specified.
2597
2598 No text (txt) file descriptors are displayed for Linux processes. All
2599 entries for files other than the current working directory, the root
2600 directory, and numerical file descriptors are labeled mem descriptors.
2601
2602 Lsof can't search for Tru64 UNIX named pipes by name, because their
2603 kernel implementation of lstat(2) returns an improper device number for
2604 a named pipe.
2605
2606 Lsof can't report fully or correctly on HP-UX 9.01, 10.20, and 11.00
2607 locks because of insufficient access to kernel data or errors in the
2608 kernel data. See the lsof FAQ (The FAQ section gives its location.)
2609 for details.
2610
2611 The AIX SMT file type is a fabrication. It's made up for file struc‐
2612 tures whose type (15) isn't defined in the AIX /usr/include/sys/file.h
2613 header file. One way to create such file structures is to run X
2614 clients with the DISPLAY variable set to ``:0.0''.
2615
2616 The +|-f[cfgGn] option is not supported under /proc-based Linux lsof,
2617 because it doesn't read kernel structures from kernel memory.
2618
2620 Lsof may access these environment variables.
2621
2622 LANG defines a language locale. See setlocale(3) for the
2623 names of other variables that can be used in place of
2624 LANG - e.g., LC_ALL, LC_TYPE, etc.
2625
2626 LSOFDEVCACHE defines the path to a device cache file. See the
2627 DEVICE CACHE PATH FROM AN ENVIRONMENT VARIABLE sec‐
2628 tion for more information.
2629
2630 LSOFPERSDCPATH defines the middle component of a modified personal
2631 device cache file path. See the MODIFIED PERSONAL
2632 DEVICE CACHE PATH section for more information.
2633
2635 Frequently-asked questions and their answers (an FAQ) are available in
2636 the 00FAQ file of the lsof distribution.
2637
2638 That file is also available via anonymous ftp from lsof.itap.purdue.edu
2639 at pub/tools/unix/lsofFAQ. The URL is:
2640
2641 ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
2642
2644 /dev/kmem kernel virtual memory device
2645
2646 /dev/mem physical memory device
2647
2648 /dev/swap system paging device
2649
2650 .lsof_hostname lsof's device cache file (The suffix, hostname, is
2651 the first component of the host's name returned by
2652 gethostname(2).)
2653
2655 Lsof was written by Victor A. Abell <abe@purdue.edu> of Purdue Univer‐
2656 sity. Many others have contributed to lsof. They're listed in the
2657 00CREDITS file of the lsof distribution.
2658
2660 The latest distribution of lsof is available via anonymous ftp from the
2661 host lsof.itap.purdue.edu. You'll find the lsof distribution in the
2662 pub/tools/unix/lsof directory.
2663
2664 You can also use this URL:
2665
2666 ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof
2667
2668 Lsof is also mirrored elsewhere. When you access lsof.itap.purdue.edu
2669 and change to its pub/tools/unix/lsof directory, you'll be given a list
2670 of some mirror sites. The pub/tools/unix/lsof directory also contains
2671 a more complete list in its mirrors file. Use mirrors with caution -
2672 not all mirrors always have the latest lsof revision.
2673
2674 Some pre-compiled Lsof executables are available on lsof.itap.pur‐
2675 due.edu, but their use is discouraged - it's better that you build your
2676 own from the sources. If you feel you must use a pre-compiled exe‐
2677 cutable, please read the cautions that appear in the README files of
2678 the pub/tools/unix/lsof/binaries subdirectories and in the 00* files of
2679 the distribution.
2680
2681 More information on the lsof distribution can be found in its
2682 README.lsof_<version> file. If you intend to get the lsof distribution
2683 and build it, please read README.lsof_<version> and the other 00* files
2684 of the distribution before sending questions to the author.
2685
2687 Not all the following manual pages may exist in every UNIX dialect to
2688 which lsof has been ported.
2689
2690 access(2), awk(1), crash(1), fattach(3C), ff(1), fstat(8), fuser(1),
2691 gethostname(2), isprint(3), kill(1), localtime(3), lstat(2), mod‐
2692 load(8), mount(8), netstat(1), ofiles(8L), perl(1), ps(1), readlink(2),
2693 setlocale(3), stat(2), strftime(3), time(2), uname(1).
2694
2695
2696
2697 Revision-4.82 LSOF(8)