Learn more about Israeli war crimes in Gaza, funded by the USA, Germany, the UK and others.

What is lsof?

In UNIX, “everything is a file”. Apparently. So one of the most fundamental UNIX tools is lsof, which “lists open files”. It can replace other more specific tools like netstat and ps. Here’s the most basic usage:

$ lsof | less
COMMAND    PID USER   FD      TYPE             DEVICE   SIZE/OFF     NODE NAME
loginwind  113  jim  cwd       DIR                1,4       1190        2 /
loginwind  113  jim    0r      CHR                3,2        0t0      304 /dev/null
loginwind  113  jim    1u      CHR                3,2        0t0      304 /dev/null
loginwind  113  jim    2u      CHR                3,2     0t4837      304 /dev/null
loginwind  113  jim    9u     IPv4 0x78b5c77b9446ebf7        0t0      UDP *:*
Google     273  jim   14u     IPv4 0x78b5c77ba0da62a7        0t0      TCP 192.168.1.2:58427->23.101.169.175:https (ESTABLISHED)
Google     273  jim   15u   KQUEUE                                        count=0, state=0xa
Google     273  jim   18   NPOLICY
iTerm2     276  jim  txt       REG                1,4     169024 17266852 /Library/Fonts/Mshtakan.ttc
iTerm2     276  jim   31r   PSXSHM                          4096          FNetwork.defaultStorageSession
Slack      277  jim   28      PIPE 0x78b5c77b9bb1f657      16384          ->0x78b5c77b9bb1fad7
sharingd   280  jim    5u    systm 0x78b5c77b951dcbe7        0t0          [1:6:1]
Spotify    281  jim   38u     IPv4 0x78b5c77b99e6c687        0t0      TCP localhost:4381 (LISTEN)
Spotify    281  jim   91r   PSXSHM                          4096          FNetwork.defaultStorageSession
identitys  295  jim   17     NEXUS
Google     411  jim  txt       REG                1,4   25918784 22978297 /usr/share/icu/icudt57l.dat
mysqld     561  jim  cwd       DIR                1,4        952   773691 /usr/local/var/mysql
WhatsApp  2428  jim    7u     unix 0x78b5c77badc6edc7        0t0          ->0x78b5c77badc6c77f

lsof      4010  jim  cwd       DIR                1,4       6494   617912 /Users/jim
lsof      4010  jim  txt       REG                1,4     113648 17590382 /usr/sbin/lsof
lsof      4010  jim  txt       REG                1,4     694528 22976956 /usr/lib/dyld
lsof      4010  jim  txt       REG                1,4  656064512 23196345 /private/var/db/dyld/dyld_shared_cache_x86_64h
lsof      4010  jim    0u      CHR               16,2     0t1555     1681 /dev/ttys002
lsof      4010  jim    1      PIPE 0x78b5c77ba6ef1d97      16384          ->0x78b5c77ba6ef1cd7
lsof      4010  jim    2u      CHR               16,2     0t1555     1681 /dev/ttys002
lsof      4010  jim    4      PIPE 0x78b5c77ba6ef0657      16384          ->0x78b5c77ba6eef697
lsof      4010  jim    5      PIPE 0x78b5c77ba6ef0357      16384          ->0x78b5c77ba6eef817
less      4011  jim  cwd       DIR                1,4       6494   617912 /Users/jim
less      4011  jim  txt       REG                1,4     129536 22440296 /usr/bin/less
less      4011  jim  txt       REG                1,4     694528 22976956 /usr/lib/dyld
less      4011  jim  txt       REG                1,4  656064512 23196345 /private/var/db/dyld/dyld_shared_cache_x86_64h
less      4011  jim    0      PIPE 0x78b5c77ba6ef1cd7      16384          ->0x78b5c77ba6ef1d97
less      4011  jim    1u      CHR               16,2     0t1555     1681 /dev/ttys002
less      4011  jim    2u      CHR               16,2     0t1555     1681 /dev/ttys002
less      4011  jim    3r      CHR                2,0        0t0      303 /dev/tty

Hey presto, a list of open files! (I’ve cut down the list to some interesting examples. There are around 7,000 open files on my machine.)

What is a file? As I’ve written before, it’s a misnomer, which should be read more vaguely as “resource”. lsof provides a concrete list of the types of things that are represented as “files”: the things in the “TYPE” column.

Type Description
Files
REG a regular file
DIR a directory
LINK a symbolic link file
BLK a block special file
CHR a character special file
FIFO a FIFO special file
MPB a multiplexed block file
MPC a multiplexed character file
Pipes
PIPE pipes
PORT a SYSV named pipe
Sockets
unix a UNIX domain socket
STSO a stream socket
IPv4 an IPv4 socket
IPv6 an open IPv6 network file - even if its address is IPv4, mapped in an IPv6 address
inet an Internet domain socket
rte an AF_ROUTE socket
sock a socket of unknown domain
Other
KQUEUE a BSD style kernel event queue file
UNNM an unnamed type file
XXXX the four type number octets if the corresponding name isn’t known
Tagged #lsof, #posix, #c, #programming, #file-descriptors, #system-calls, #networking.

Similar posts

How do I duplicate a file descriptor in C?
Use the dup system call to duplicate a file descriptor in C, allowing two references to the same underlying pipe. 2017-02-15
How do I close a file descriptor in C?
To close a file descriptor in C, use the close system call. Multiple descriptors can reference the same underlying file or pipe. The pipe is only closed when all references are closed. 2017-02-16
What syscalls does a TCP server need?
A minimal TCP server in C uses the socket, bind, listen, accept, recv, send, and close syscalls to manage connections. 2016-12-14
What syscalls does a UDP server need?
The syscalls needed for a simple UDP echo server are socket, bind, recvfrom, sendto, and close. 2016-12-19
How do I call a program from C?
To call a program from C, use `fork` then `execve`. There is no more direct way! 2017-02-07
How do I use fork in C?
fork duplicates the current process. It returns 0 in the child process. In the parent process, it returns the child’s new process id. 2017-02-06

More by Jim

What does the dot do in JavaScript?
foo.bar, foo.bar(), or foo.bar = baz - what do they mean? A deep dive into prototypical inheritance and getters/setters. 2020-11-01
Smear phishing: a new Android vulnerability
Trick Android to display an SMS as coming from any contact. Convincing phishing vuln, but still unpatched. 2020-08-06
A probabilistic pub quiz for nerds
A “true or false” quiz where you respond with your confidence level, and the optimal strategy is to report your true belief. 2020-04-26
Time is running out to catch COVID-19
Simulation shows it’s rational to deliberately infect yourself with COVID-19 early on to get treatment, but after healthcare capacity is exceeded, it’s better to avoid infection. Includes interactive parameters and visualizations. 2020-03-14
The inception bar: a new phishing method
A new phishing technique that displays a fake URL bar in Chrome for mobile. A key innovation is the “scroll jail” that traps the user in a fake browser. 2019-04-27
The hacker hype cycle
I got started with simple web development, but because enamored with increasingly esoteric programming concepts, leading to a “trough of hipster technologies” before returning to more productive work. 2019-03-23
Project C-43: the lost origins of asymmetric crypto
Bob invents asymmetric cryptography by playing loud white noise to obscure Alice’s message, which he can cancel out but an eavesdropper cannot. This idea, published in 1944 by Walter Koenig Jr., is the forgotten origin of asymmetric crypto. 2019-02-16
How Hacker News stays interesting
Hacker News buried my post on conspiracy theories in my family due to overheated discussion, not censorship. Moderation keeps the site focused on interesting technical content. 2019-01-26
My parents are Flat-Earthers
For decades, my parents have been working up to Flat-Earther beliefs. From Egyptology to Jehovah’s Witnesses to theories that human built the Moon billions of years in the future. Surprisingly, it doesn’t affect their successful lives very much. For me, it’s a fun family pastime. 2019-01-20
The dots do matter: how to scam a Gmail user
Gmail’s “dots don’t matter” feature lets scammers create an account on, say, Netflix, with your email address but different dots. Results in convincing phishing emails. 2018-04-07
The sorry state of OpenSSL usability
OpenSSL’s inadequate documentation, confusing key formats, and deprecated interfaces make it difficult to use, despite its importance. 2017-12-02
I hate telephones
I hate telephones. Some rational reasons: lack of authentication, no spam filtering, forced synchronous communication. But also just a visceral fear. 2017-11-08
The Three Ts of Time, Thought and Typing: measuring cost on the web
Businesses often tout “free” services, but the real costs come in terms of time, thought, and typing required from users. Reducing these “Three Ts” is key to improving sign-up flows and increasing conversions. 2017-10-26
Granddad died today
Granddad died. The unspoken practice of death-by-dehydration in the NHS. The Liverpool Care Pathway. Assisted dying in the UK. The importance of planning in end-of-life care. 2017-05-19
How do I call a program in C, setting up standard pipes?
A C function to create a new process, set up its standard input/output/error pipes, and return a struct containing the process ID and pipe file descriptors. 2017-02-17
Your syntax highlighter is wrong
Syntax highlighters make value judgments about code. Most highlighters judge that comments are cruft, and try to hide them. Most diff viewers judge that code deletions are bad. 2014-05-11
Want to build a fantastic product using LLMs? I work at Granola where we're building the future IDE for knowledge work. Come and work with us! Read more or get in touch!

This page copyright James Fisher 2017. Content is not associated with my employer. Found an error? Edit this page.

Jim Fisher
CV
Speaking
Blogroll
RSS
TigYog
Kickabout