The lsof tool lists the filehandles that are open by one or more processes. Let’s see some examples of lsof to figure out how to use it.

To list the filehandles open by PIDs 454 and 467:

root:~> lsof ­-p 454,467

To list the filehandles open by processes executing the command dolphin:

root:~> lsof ­-c dolphin
COMMAND   PID USER  FD TYPE DEVICE SIZE/OFF      NODE NAME
dolphin 28534 marc cwd  DIR 253,17 4096 195      /home/marc
dolphin 28534 marc rtd  DIR 253,0  4096 192      /
dolphin 28534 marc txt  REG 253,0  7152 13768246 /usr/bin/dolphin
dolphin 28534 marc mem  REG 253,0 75416 20902853 /usr/lib64/kde4/kuriikwsfilter.so
dolphin 28534 marc mem  REG 253,0 24440 20902826 /usr/lib64/kde4/fixhosturifilter.so
[…]

To list filehandles open by processes executing commands starting with “dolph” & “knotify”:

root:~> lsof -­c dolphin ­-c knotify

To list filehandles open by processes executing commands matching a regex:

root:~> lsof ­-c /systemd.*udevd/

To list the filehandles currently open in /etc:

root:~> lsof +d /etc

To list filehandles currently open in /etc and subdirectories (but not in mount-points & symlinks):

root:~> lsof +D /etc

To list filehandles currently open in /etc and subdirectories including mount-points & symlinks:

root:~> lsof +D /etc -x

To list filehandles for network sockets:

root:~> lsof ­-i6                      →  IPv6 filehandles
root:~> lsof ­-i4                      →  IPv4 filehandles
root:~> lsof ­-itcp                    →  tcp filehandles
root:~> lsof ­-iudp                    →  udp filehandles
root:~> lsof ­-iserver4                →  filehandles connected to server4
root:~> lsof ­-i192.168.0.14           →  filehandles connected to this IP
root:~> lsof ­-itcp:sunrpc             →  tcp filehandles connected to the RPC port
root:~> lsof ­-iudp:53                 →  udp filehandles connected to port 53
root:~> lsof ­-itcp:1­-112              →  tcp filehandles connected to ports 1 up to 112
root:~> lsof ­-itcp@server3:20-­23,53   →  tcp filehandles connected to given server & ports
root:~> lsof ­-iudp:53 ­-n              →  udp filehandles connected to port 53 without DNS resolution
root:~> lsof ­-iudp:53 ­-n -­P           →  same as above but without port resolution

To list filehandles of all processes owned by marc:

root:~> lsof ­-u marc

We can combine conditions:

root:~> lsof ­-a -­u marc /tmp         → filehandles owned by marc in /tmp (“­a” ANDs everything)
root:~> lsof ­-a ­-u marc ­-i4tcp -­w    → filehandles owned by marc & TCP & IPv4 with warning suppression
.
root:~> lsof ­-u marc ­-c chrome       → without the “­a” for AND, everything is OR

<< nice, ionice & renice                pgrep >>