Open a cache of riches with lsof
Treasure Trove
In Linux, everything is a file – directories, devices, pipes – so lsof (list open files) reveals what's happening on your system.
Few Linux utilities are as popular as netstat
, a fantastic tool used to display network connections, routes, and bandwidth statistics gleaned from network interfaces. Not only is netstat very effective and full of features, but I can't count the number of Linux books and Linux training courses that cover its stock commands as must-have knowledge for any newcomers to Linux.
Don't get me wrong, netstat certainly has its place within those tutorials for both advanced and novice users, but I like to think I can turn to a more powerful tool sometimes. You could say that I've neatly slotted netstat into a place where I know I can use it if I want, but I can achieve the same results in most cases with one of its counterparts – and usually much more efficiently.
If I were making a package comparison and using DNS clients, I might say that netstat is the nslookup
to my host
command. That said, I will now backtrack a little and state that my alternative to netstat lacks many of its features and, in fact, isn't really a network information tool at all. However, because of this mighty command's formidable capabilities, I rarely turn to netstat at all.
Shopping Lists
My trusty tool is lsof
, which is short for list open files. In this article, I'll run through the power of this little tool. In fact, thanks to its functionality, lsof is one of the first packages that I install when building a new server.
Additionally, for Debian and Ubuntu users, I'll unveil a little trick that I've been using on production servers for many years, which thanks to the functionality that lsof provides, has meant that I've hit the desired levels of uptime again and again.
On Debian-based boxes, you can install lsof as simply as:
# apt-get install lsof
I've also seen it built into other Linux flavors.
Among other methods, lsof works by reading the processes from the operating system held within the process table. Apparently, it also queries other aspects of the system to relate which information in the process table is associated with which files on the filesystem. In other words, it cleverly brings together two otherwise hard-to-query and disparate areas of a system: the processes and the files these processes use. It's not just bog standard files either; the highly sophisticated lsof has the visibility of NFS (Network Files System) connections, too.
How Does It Help?
Lsof can output a mountain-sized amount of information about what a system is currently doing, which unquestionably needs to be filtered down to become immediately useful and to satisfy my fondness for brevity.
This information includes, for example, the PID (process number unique to a process), the command the process is executing, the owner of the process (the user that spawned it), all the files a process is currently using, and which shared libraries the process has called as dependencies. (I'll cover shared libraries later.) Then, you'll see a file's access mode, whether a file is locked, its device numbers, its inode number, and a file's local and remote network addresses, to name just a little of its output.
Network
Without meaning to disparage the powerful netstat in any way, I'll start by looking at similarities with netstat, or at least some of the functionality that both packages share, including a simple lookup of TCP port 22, a common server port for SSH daemons. The time-honored netstat can see what's going on with the command:
# netstat -lp
Netstat tries to list all listening daemons (not outbound connections, too) with the -l
switch and then offer the PID followed by the name of the program responsible. In Listing 1, it has discovered sshd
, the SSH daemon.
Listing 1
Netstat Output
The reminder about why I prefer lsof for such a simple query is compounded by the speed of the generated output from netstat: lsof just works, whereas netstat seems to take forever. I'm nitpicking here but the netstat
command took a staggering 5.111 seconds according to the time
command.
To be fair to netstat, you tend to filter after the command has been run using grep
(to filter the output) or something similar. So, to see just port 22 for SSH you might enter:
# netstat -pl | grep ssh
However, lsof only needs a little nudge, and in 0.125 seconds I have the information relating to port 22 only:
# lsof -i:22
The output dutifully shows an IPv4 and a IPv6 daemon running in Figure 1. (Note that I run the command intentionally as root to open the trove of privileged ports and processes on a system.)
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Gnome OS Transitioning Toward a General-Purpose Distro
If you're looking for the perfectly vanilla take on the Gnome desktop, Gnome OS might be for you.
-
Fedora 41 Released with New Features
If you're a Fedora fan or just looking for a Linux distribution to help you migrate from Windows, Fedora 41 might be just the ticket.
-
AlmaLinux OS Kitten 10 Gives Power Users a Sneak Preview
If you're looking to kick the tires of AlmaLinux's upstream version, the developers have a purrfect solution.
-
Gnome 47.1 Released with a Few Fixes
The latest release of the Gnome desktop is all about fixing a few nagging issues and not about bringing new features into the mix.
-
System76 Unveils an Ampere-Powered Thelio Desktop
If you're looking for a new desktop system for developing autonomous driving and software-defined vehicle solutions. System76 has you covered.
-
VirtualBox 7.1.4 Includes Initial Support for Linux kernel 6.12
The latest version of VirtualBox has arrived and it not only adds initial support for kernel 6.12 but another feature that will make using the virtual machine tool much easier.
-
New Slimbook EVO with Raw AMD Ryzen Power
If you're looking for serious power in a 14" ultrabook that is powered by Linux, Slimbook has just the thing for you.
-
The Gnome Foundation Struggling to Stay Afloat
The foundation behind the Gnome desktop environment is having to go through some serious belt-tightening due to continued financial problems.
-
Thousands of Linux Servers Infected with Stealth Malware Since 2021
Perfctl is capable of remaining undetected, which makes it dangerous and hard to mitigate.
-
Halcyon Creates Anti-Ransomware Protection for Linux
As more Linux systems are targeted by ransomware, Halcyon is stepping up its protection.