Linux lsof Command Deep Dive: Unlocking the Secrets of Open Files#

Published: May 11, 2026 06:56

In Linux, everything is a file. You’ve heard this before, but truly understanding it starts with mastering the lsof command. lsof (List Open Files) doesn’t just list open files—it helps you troubleshoot port conflicts, recover deleted files, and track down resource leaks. It’s the Swiss Army knife for sysadmins and developers.

Why lsof is So Powerful#

The core power of lsof lies in revealing the mapping between processes and files. In Unix philosophy, files aren’t just data on disk—they include network sockets, pipes, devices, and memory-mapped regions. lsof tells you:

  • Which process has a file open
  • Which process is using a specific port
  • What file descriptors a process has open
  • Deleted files still in use (the culprit behind disk space not being released)

Core Usage Deep Dive#

1. Check Port Usage#

This is the most common scenario for developers. When your service fails to start because a port is in use, lsof pinpoints the issue:

# Find process using port 8080
lsof -i :8080

# Output example
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx    1234 www-data   6u  IPv4  12345      0t0  TCP *:8080 (LISTEN)
node     5678 ubuntu    22u  IPv6  67890      0t0  TCP *:8080 (LISTEN)

Field breakdown:

  • COMMAND: Process name
  • PID: Process ID
  • USER: Running user
  • FD: File descriptor (u means read/write mode)
  • TYPE: File type (IPv4/IPv6 indicates network sockets)
  • NAME: Connection info

To see all TCP connections:

lsof -i TCP
# Or only LISTEN state ports
lsof -i TCP -s TCP:LISTEN

2. Recover Deleted Files#

This is lsof’s most “lifesaving” feature. When a file is deleted but a process still holds its file descriptor, the data isn’t truly gone.

# Step 1: Find processes holding deleted files
lsof | grep deleted

# Output example
mysql    1234 mysql   10u   REG  253,0  1073741824  12345 /var/lib/mysql/ibdata1 (deleted)

# Step 2: Recover via /proc
cp /proc/1234/fd/10 /recovered/ibdata1

The principle: Linux kernel only releases file data when the process closes the file descriptor or terminates. As long as the process is alive, the file remains accessible in /proc/<pid>/fd/.

3. Diagnose Disk Space Not Being Released#

Often you delete large files but df shows no space freed. The reason: processes still hold file descriptors.

# Find deleted files still open
lsof +L1

# Or with grep
lsof | grep deleted

+L1 means files with link count less than 1 (deleted files). Restart the relevant process to release the space.

4. View Files Opened by Process# 

# All files opened by PID 1234
lsof -p 1234

# Multiple processes
lsof -p 1234,5678

# Files opened by user
lsof -u www-data

5. View Open Files in a Directory# 

# Files opened under /var/log
lsof +D /var/log

# Limit recursion depth
lsof +d /var/log  # Non-recursive

Advanced Techniques#

Combined Filtering#

lsof supports multiple conditions (OR by default, add -a for AND):

# Port 80 opened by www-data user
lsof -a -i :80 -u www-data

# Network connections by PID 1234
lsof -a -i -p 1234

Output Formatting# 

# Output only PIDs (for scripts)
lsof -t -i :8080

# Combine with kill
kill -9 $(lsof -t -i :8080)

# Parse with awk
lsof -F pcn | awk '/^p/{pid=$0} /^c/{cmd=$0} /^n/{print pid,cmd,$0}'

Monitor Mode# 

# Continuous monitoring, refresh every 2 seconds
lsof -r 2 -i :8080

# Monitor until no process uses the port
lsof -r 1 -i :8080 -t

Performance Considerations#

lsof scans the /proc filesystem, which can be slow on servers with many processes. Optimization tips:

  1. Narrow the scope with conditions: lsof -i :80 is faster than lsof | grep :80
  2. Avoid parameterless execution: Running lsof without arguments lists all open files—huge output
  3. Use -n to skip DNS resolution: lsof -n -i :80 is faster
  4. Use -P to skip port name resolution: lsof -P -i :80

Real-World Case: Service Won’t Start#

A production service fails with “Address already in use”:

# 1. Confirm port usage
lsof -i :3000

# 2. Discover zombie process
COMMAND  PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
node    9999 app     22u  IPv6 1234567      0t0  TCP *:3000 (LISTEN)

# 3. Check process state
cat /proc/9999/status | grep State
# State: Z (zombie)

# 4. Find parent process
ps -o ppid= -p 9999

# 5. Restart parent service
systemctl restart myapp

Tool Comparison#

Tool Advantage Limitation
lsof Comprehensive, supports file/port/process queries Slower, needs root for full info
ss Extremely fast for network queries Only network, no file info
fuser Lightweight, script-friendly Sparse output, limited features
netstat Established, good compatibility Deprecated, poor performance

Conclusion#

lsof is an essential tool for Linux system administration. Mastering its key use cases—port conflict resolution, file recovery, resource leak detection—prepares you to handle production issues confidently. Remember: everything is a file, and lsof lets you see it all.