lsof is a command that shows information about files opened by processes on Unix systems. Because many things are treated as files in Unix, it can list very useful information:

List all processes accessing a specific file:

lsof <file>

(specify the full path to the file, for example: lsof /var/log/messages)

List all files accessed by a given process:

lsof -p <pid>

List all files accessed by a given user:

lsof -u <user>

List all files accessed below a specific directory:

lsof +D <dir>

List all files opened by processes executing commands that begin with a given string:

lsof -c <string>

(example: lsof -c firefox)

List all network connections:

lsof -i

List the traffic on a specific port:

lsof -i :<port>

List the traffic to a specific IP address:

lsof -i@<ip_address>

List traffic using TCP protocol:

lsof -iTCP

List traffic using UDP protocol:

lsof -iUDP

List all IPv6 traffic:

lsof -i6

NOTES:

– Internet options (-i) can be combined; the general syntax is:

lsof -i[46][protocol][@hostname|hostaddr][:service|port]

Examples:

  • lsof -i@192.168.0.1:25
  • lsof -iUDP@192.168.0.10:ssh

– More than one option can be specified on the command line at the same time. In that case the output lists the open files that meet ANY of the selection criteria (logical OR). To list only the files that meet ALL the selection criteria (logical AND), use the ‘-a’ option.

For example, to list only the traffic on port 22 of the user ‘admin’, use the following:

  • lsof -a -i:22 -u admin
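
The AND query above can be fed into a script for review or alerting. The following is an added example, not part of the original page: it runs the same selection with lsof's field output (-F) and numeric addresses (-n -P), and turns it into one tab-separated line per socket. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: make the output of "lsof -a -i:<port> -u <user>" script-friendly.

# Convert `lsof -F pcLn` field output into tab-separated rows:
#   pid <TAB> command <TAB> login name <TAB> socket name
# In field output every line starts with a one-letter field id. A "p" line
# opens a process set; "c" and "L" describe that process; each "n" line is
# the name of one open file (here: a socket) of that process.
parse_lsof_fields() {
    awk '
        /^p/ { pid = substr($0, 2); cmd = ""; user = "" }
        /^c/ { cmd = substr($0, 2) }
        /^L/ { user = substr($0, 2) }
        /^n/ { print pid "\t" cmd "\t" user "\t" substr($0, 2) }
    '
}

# Logical AND of the two criteria, as in the last example on the page.
# -n and -P disable host and port name lookups, so addresses stay numeric.
# usage: sockets_for_user_on_port admin 22
sockets_for_user_on_port() {
    lsof -a -nP -i:"$2" -u "$1" -F pcLn | parse_lsof_fields
}

# Constructed sample of field output (not captured from a real host), so the
# parser can be tried on a machine without lsof installed.
sample_fields() {
    cat <<'EOF'
p812
csshd
Lroot
f3
n*:22
p4410
csshd
Ladmin
f4
n192.168.0.10:22->192.168.0.1:51514
EOF
}

sample_fields | parse_lsof_fields
```

On a live system, call sockets_for_user_on_port with a user name and a port; root privileges are usually needed to see other users' sockets.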