Linux command of the day, 2 of 31 - lsof

By Gavin Davies on 1 August 2020


I’m looking briefly at a Linux command every day for a month. Today: lsof. This isn’t intended to be a tutorial, just some brief notes for fun.

lsof stands for LiSt Open Files. That’s a lot of data on my Mac - it returns 7071 commands at the time of writing!

One interesting feature is that you can list ‘files’ that are internet connections. Here I query IPv6 files:

$ lsof -i 6
COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
rapportd   2035 gavin    4u  IPv6 0xbd982c33be41c1d1      0t0  TCP *:53048 (LISTEN)
Dropbox   21828 gavin  118u  IPv6 0xbd982c33be41b651      0t0  TCP *:17500 (LISTEN)
BetterTou 69537 gavin   18u  IPv6 0xbd982c33be41de91      0t0  TCP *:50635 (LISTEN)
BetterTou 69537 gavin   23u  IPv6 0xbd982c33bd8b6001      0t0  UDP *:50635

I can see from this that Dropbox and BetterTouchTool both have internet connections. Dropbox I’m not surprised by, but BTT I guess is phoning home to check for updates? Hopefully nothing nefarious!
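In the NAME column, (LISTEN) marks a TCP socket waiting for inbound connections, and a local address of * means it is bound to every interface. The following is an added example, not part of the original post: it filters lsof -i column output down to those wildcard-bound sockets. The input is the output shown above plus two constructed rows (localsvc, client), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list sockets bound to the wildcard address from `lsof -i` output.

# Sample input: the first four data rows are the `lsof -i 6` output shown above;
# the last two rows (localsvc, client) are constructed to exercise the filters.
sample_lsof() {
cat <<'EOF'
COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
rapportd   2035 gavin    4u  IPv6 0xbd982c33be41c1d1      0t0  TCP *:53048 (LISTEN)
Dropbox   21828 gavin  118u  IPv6 0xbd982c33be41b651      0t0  TCP *:17500 (LISTEN)
BetterTou 69537 gavin   18u  IPv6 0xbd982c33be41de91      0t0  TCP *:50635 (LISTEN)
BetterTou 69537 gavin   23u  IPv6 0xbd982c33bd8b6001      0t0  UDP *:50635
localsvc   4100 gavin    7u  IPv6 0x0000000000000001      0t0  TCP [::1]:8631 (LISTEN)
client     4200 gavin    5u  IPv6 0x0000000000000002      0t0  TCP [::1]:50122->[::1]:8631 (ESTABLISHED)
EOF
}

# Reads `lsof -i` column output on stdin.
# Prints "COMMAND PID PROTO PORT" once per wildcard-bound TCP listener or UDP socket.
wildcard_listeners() {
  awk '
    $1 == "COMMAND" { next }              # header row
    {
      proto = $8                          # NODE column: TCP or UDP for sockets
      addr  = $9                          # NAME column: local[->remote]
      state = (NF >= 10) ? $10 : ""       # "(LISTEN)" etc., present for TCP only
      if (proto != "TCP" && proto != "UDP") next
      if (addr ~ /->/) next               # has a remote end: a connection, not a listener
      if (proto == "TCP" && state != "(LISTEN)") next
      if (addr !~ /^\*:/) next            # bound to one address (e.g. loopback): skip
      port = addr
      sub(/^\*:/, "", port)
      key = $1 " " $2 " " proto " " port
      # Without the "6", lsof -i can list the same port for IPv4 and IPv6: print once
      if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

sample_lsof | wildcard_listeners
```

On a live system, pipe in lsof -nP -i 6 instead of the sample; -n and -P stop lsof translating addresses and ports into names, so the port column stays numeric.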

I can check what files it’s got by looking up its process ID:

$ lsof -p 69548
COMMAND     PID  USER   FD   TYPE DEVICE   SIZE/OFF       NODE NAME
BTTRelaun 69548 gavin  cwd    DIR    1,4       1024          2 /
BTTRelaun 69548 gavin  txt    REG    1,4      88576   38621184 /Applications/BetterTouchTool.app/Contents/Resources/BTTRelaunch.app/Contents/MacOS/BTTRelaunch
BTTRelaun 69548 gavin  txt    REG    1,4   26771408 8590595237 /usr/share/icu/icudt59l.dat
BTTRelaun 69548 gavin  txt    REG    1,4     240192 8609954822 /private/var/db/timezone/tz/2020a.1.0/icutz/icutz44l.dat
BTTRelaun 69548 gavin  txt    REG    1,4    4411240 8590235035 /System/Library/CoreServices/SystemAppearance.bundle/Contents/Resources/SystemAppearance.car
BTTRelaun 69548 gavin  txt    REG    1,4     889636 8590379840 /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Resources/AppleKeyboardLayouts-L.dat
BTTRelaun 69548 gavin  txt    REG    1,4     107968 8609448427 /System/Library/Caches/com.apple.IntlDataCache.le.kbdx
BTTRelaun 69548 gavin  txt    REG    1,4     841504 8609443264 /usr/lib/dyld
BTTRelaun 69548 gavin  txt    REG    1,4 1172283392 8610102707 /private/var/db/dyld/dyld_shared_cache_x86_64h
BTTRelaun 69548 gavin    0r   CHR    3,2        0t0        311 /dev/null
BTTRelaun 69548 gavin    1u   CHR    3,2        0t0        311 /dev/null
BTTRelaun 69548 gavin    2u   CHR    3,2        0t0        311 /dev/null

The file TYPE that’s listed can be one of dozens of things - PIPE for pipes, REG for regular files, CHR for character special files … So many options it’s bewildering and intimidating, but isn’t that always the case with computers?

FD is auto-generated and is referred to as a “File Descriptor”.

The NODE column tells us all sorts, like the protocol or inode the file is ‘using’, for want of a better word. An inode is a facet of Unixish file systems:

“The inode (index node) is a data structure in a Unix-style file system that describes a file-system object such as a file or a directory. Each inode stores the attributes and disk block locations of the object’s data.”

So it’s sort of an address of a piece of data, plus some metadata. You can see inode numbers with ls -i.

So I can find what files a process has open:

$ ps aux | fgrep -i readme
gavin            71619   0.0  0.0  4297628   3688 s000  S+    7:23am   0:00.06 vim readme.md
gavin            72481   0.0  0.0  4267752    740 s001  R+    7:40am   0:00.00 fgrep -i readme

$ lsof -p 71619
COMMAND   PID  USER   FD   TYPE DEVICE   SIZE/OFF       NODE NAME
vim     71619 gavin  cwd    DIR    1,4        544 8599720008 /private/var/www/gavd
vim     71619 gavin  txt    REG    1,4    1867952 8609443214 /usr/bin/vim
vim     71619 gavin  txt    REG    1,4     841504 8609443264 /usr/lib/dyld
vim     71619 gavin  txt    REG    1,4 1172283392 8610102707 /private/var/db/dyld/dyld_shared_cache_x86_64h
vim     71619 gavin    0u   CHR   16,0  0t2166038        851 /dev/ttys000
vim     71619 gavin    1u   CHR   16,0  0t2166038        851 /dev/ttys000
vim     71619 gavin    2u   CHR   16,0  0t2166038        851 /dev/ttys000
vim     71619 gavin    4u   REG    1,4      12288 8610551924 /private/var/www/gavd/.readme.md.swp

So I can see that Vim doesn’t have readme.md open; instead, it uses a swapfile for its persistent connection and flushes on write. Vim also has a bunch of other files open, including its own binary, and something called dyld, which seems to be part of OS X.

Handy command that if I live to be 5000 years old I may master 10% of the switches for!

Sometimes programs go nuts with opening files and never closing them, so lsof is a handy tool in diagnosing issues like that.