Re: lsof information

prodigal1 <prodig@xxxxxx> wrote:
Can anyone point me to some clearly written explanations of the output of
lsof? Man lsof gives ather densely worded pages that presume more
background knowledge than I have. Just dicking around here with a
Mandriva 2006 install, and doing lsof with no parameters produced a huge
list. I read disturbing things in there like "unknown protocol" and
"heap: unknown file or directory".
any clues happily taken

For the default output, my version of lsof (4.76) on my machine
(amd64) starts out with the following:

sh 5050 klausman cwd DIR 8,5 73728 258048 /home/klausman
sh 5050 klausman rtd DIR 8,1 4096 2 /
sh 5050 klausman txt REG 8,1 767152 200617 /bin/bash
sh 5050 klausman mem REG 0,0 0 [heap] (stat: No such...
sh 5050 klausman mem REG 8,1 115690 899694 /lib64/
sh 5050 klausman mem REG 8,1 378 913703 /usr/lib64/locale/en_...

(I removed some whitespace and cut the last part of too-long

COMMAND is the binary name of the program that has a reference to this file.
PID is the program id of the very same program
USER is the user who the program runs as
FD is a description of the meaning this file has for the program.
For example: cwd=current working dir, rtd=root dir, txt=text
file (binary program), mem=piece of mapped memory (this is
the heap but also shared libraries)
TYPE is the type of file (DIR=directory, REG=regular file, FIFO=
fifo/pipe, unix=unix domain socket)
DEVICE is the major and minor device number of the device the
file is on (if applicable). The numbers correspond with the
major and minor device numbers used for /dev. More info can be
found in /usr/src/linux/Documentation/devices.txt
SIZE is just that, the size of the file.
NODE The I-Node of the file (if applicable). This is what you'd
see if you'd run stat on the file.
NAME The name of the file (if applicable).

Note that on most systems, lsof only reports the files of the
user it runs as if not running as root. Also note that it's much
better (faster) to let lsof filter stuff using its command line
switches than to use convoluted regexen with grep.


You don't need eyes to see, you need vision.

Relevant Pages

  • Re: etch to lenny upgrade - X apps no longer see keystrokes?
    ... lsof $ ... COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME ... Did you run this in single user mode, or did you deliberately kill dbus? ... To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx ...
  • Re: [opensuse] zypper/rpm tricks question
    ... negative hits with the "lsof | grep DEL" command? ... When you issue the command zypper ps, you get a list of processes ... from a system with no deleted libraries in use: ...
  • Re: Unknown ports
    ... > lsof | grep LISTEN ... Wrong command. ... clearly that you are running a NFS server. ... And there is still the problem with port 32768: ...
  • RE: Have I been kitted?
    ... You have 1 process hidden for ps command ... use lsof ... LKM kits are much more difficult to detect (you can mess with argv, ...
  • Re: What command to see which file is opened by a program during execution?
    ... > I forgot this command which could be used to see what files are ... >accessed by a program during it's execution time, the syntax was like ... Lsof by itself will show all ... open files, ...