Use lsof to find open files


Introduction: Learn more about your system by looking at its open files. Knowing which files an application has open, or which application has a particular file open, lets you make better decisions as a system administrator. For example, you should not unmount a file system while it has open files. With lsof, you can check for open files and, if necessary, terminate the processes holding them before you unmount. Similarly, if you find an unknown file, you can find out which application has it open.

In a UNIX® environment, files are everywhere, and there is a maxim: "Everything is a file." Files give you access not only to regular data but typically also to network connections and hardware. In some cases, a corresponding entry appears when you request a directory listing with ls. In other cases, such as Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) sockets, there is no directory entry. Behind the scenes, however, a file descriptor is assigned to the application regardless of the nature of the file, and it provides a common interface between the application and the underlying operating system.

Because the list of descriptors an application has open reveals a lot about the application itself, it is helpful to be able to view that list. The utility that does this is called lsof, short for "list open files." It is available for almost every UNIX version but, strangely, most vendors do not include it in the initial installation of the operating system. For more information on lsof, see the Resources section.

Introducing lsof

Simply entering lsof generates a large amount of information, as shown in Listing 1. Because lsof needs to access kernel memory and various files, it must be run as root to be fully effective.

Listing 1. Sample output from lsof

bash-3.00# lsof
COMMAND  PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
sched      0 root cwd  VDIR  136,8     1024    2 /
init       1 root cwd  VDIR  136,8     1024    2 /
init       1 root txt  VREG  136,8    49016 1655 /sbin/init
init       1 root txt  VREG  136,8    51084 3185 /lib/libuutil.so.1
vi      2013 root  3u  VREG  136,8        0 8501 /var/tmp/ExXDaO7d
...

Each line shows one open file and, unless you specify otherwise, all files opened by all processes are displayed. The COMMAND, PID, and USER columns give the name of the process, the process identifier (PID), and the owner's name, respectively. The DEVICE, SIZE/OFF, NODE, and NAME columns describe the file itself: the disk it resides on, the size of the file, the inode (the file's identity on disk), and the actual name of the file. Depending on the UNIX version, the size may instead be reported as the current position (offset) at which the application is reading the file. Listing 1 comes from a Sun Solaris 10 computer, which can report this information; Linux® does not have this feature.

The FD and TYPE columns are the least self-explanatory, and they tell you the most about how the files are being used. The FD column shows the file descriptor, which the application uses to identify the file. The TYPE column describes what kind of file it is. Consider the FD column first, which shows three different kinds of value in Listing 1. The cwd value is the application's current working directory, which is the directory the application was started from unless the application itself has changed it. A txt entry is program code, such as the application binary itself or a shared library, as with the init program in the listing. Finally, a numeric value is the application's file descriptor, the integer returned when the file was opened. In the last line of Listing 1, you can see that a user is editing /var/tmp/ExXDaO7d with vi, using file descriptor 3. The u means the file is open in read/write mode, rather than read-only (r) or write-only (w) mode. It is helpful, though not essential, to know that every application starts with three file descriptors, 0 through 2, for the standard input, output, and error streams, respectively. Because of this, most files an application opens have an FD starting at 3.

The TYPE column is more intuitive than the FD column. Depending on the operating system, regular files and directories appear as REG and DIR (VREG and VDIR on Solaris). Other possible values are CHR and BLK, for character and block devices, and UNIX, FIFO, and IPv4, for UNIX domain sockets, first-in first-out (FIFO) queues, and Internet Protocol (IP) sockets, respectively.
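
The following Python code is an added example, not part of the original article. It parses the column layout of Listing 1, decodes the FD column as described above, and lists the processes holding files open under a given directory, which is the check to make before unmounting a file system. It assumes every column is populated as in Listing 1; the function names are chosen for this example.

```python
import re

# Listing 1 from the article, reused as sample input.
SAMPLE = """\
COMMAND  PID  USER  FD  TYPE    DEVICE SIZE/OFF   NODE NAME
sched     0  root cwd  VDIR     136,8   1024     2 /
init     1  root cwd  VDIR     136,8   1024     2 /
init     1  root txt  VREG     136,8   49016   1655 /sbin/init
init     1  root txt  VREG     136,8  51084    3185 /lib/libuutil.so.1
vi    2013  root  3u VREG     136,8    0    8501 /var/tmp/ExXDaO7d
"""
KEYS = ("command", "pid", "user", "fd", "type", "device", "size_off", "node", "name")
FD_RE = re.compile(r"^(\d+)([rwu-]?)(.?)$")  # number, access mode, optional lock char
MODES = {"r": "read-only", "w": "write-only", "u": "read/write"}
SPECIAL = {"cwd": "current working directory", "txt": "program text"}

def decode_fd(fd):
    """Return (kind, descriptor number or None, access mode or None)."""
    if fd in SPECIAL:
        return SPECIAL[fd], None, None
    m = FD_RE.match(fd)
    if not m:                      # FD values the article does not cover
        return "other", None, None
    return "descriptor", int(m.group(1)), MODES.get(m.group(2), "unknown")

def parse_lsof(text):
    """Parse the nine-column layout of Listing 1 into a list of dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 8)   # NAME is last and may contain spaces
        if len(parts) != 9 or parts[0] == "COMMAND":
            continue                  # header, "..." or a truncated line
        row = dict(zip(KEYS, parts))
        row["pid"] = int(row["pid"])
        row["kind"], row["fd_num"], row["mode"] = decode_fd(row["fd"])
        rows.append(row)
    return rows

def holders(rows, mount_point, writing_only=False):
    """Open files at or below mount_point: what to check before unmounting."""
    prefix = mount_point.rstrip("/") + "/"
    return [(r["command"], r["pid"], r["fd"], r["name"]) for r in rows
            if (r["name"] == mount_point or r["name"].startswith(prefix))
            and (not writing_only or r["mode"] in ("write-only", "read/write"))]

if __name__ == "__main__":
    rows = parse_lsof(SAMPLE)
    for command, pid, fd, name in holders(rows, "/var"):
        print(f"{command} (PID {pid}) holds {name} as {decode_fd(fd)}")
```

To run it against a live system, pass the text captured from lsof to parse_lsof in place of SAMPLE.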
