[ Team LiB ] Previous Section Next Section

C.7 lsof Program

The name lsof stands for "list open files." Like tcpdump, it is a publicly available tool that is handy for debugging and has been ported to many versions of Unix.

One common use for lsof with networking is to find which process has a socket open on a specified IP address or port. netstat tells us which IP addresses and ports are in use, and the state of the TCP connections, but it does not identify the process. For example, to find out which process provides the daytime server, we execute the following:


freebsd % lsof -i TCP:daytime
COMMAND   PID USER    FD       TYPE             DEVICE SIZE/OFF NODE NAME
inetd     561 root     5u      IPv4 0xfffff8003027a260      0t0  TCP *:daytime (LISTEN)
inetd     561 root     7u      IPv6 0xfffff800302b6720      0t0  TCP *:daytime

This tells us the command (this service is provided by the inetd server), its PID, the owner, descriptor (5 for IPv4 and 7 for IPv6, and the u means it is open for read/write), type of socket, address of the protocol control block, size or offset of the file (not meaningful for a socket), protocol type, and name.

One common use for this program is when we start a server that binds its well-known port and get the error that the address is already in use. We then use lsof to find the process that is using the port.

Since lsof reports on open files, it cannot report on network endpoints that are not associated with an open file: TCP endpoints in the TIME_WAIT state.

ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/ is the location for this program. It was written by Vic Abell.

Some vendors supply their own utility that does similar things. For example, FreeBSD supplies the fstat program. The advantage in lsof is that it works under so many versions of Unix, and using a single tool in a heterogeneous environment, instead of a different tool for each environment, is a big advantage.

    [ Team LiB ] Previous Section Next Section