lsof (List Open Files) is one of the most indispensible tools in the sysadmins toolkit. With it, you can look for processes that have opened a specific file or directory, find processes that have unlinked (removed from directory) files still open, find all the files opened by a specific process, or match network connections to processes.

What’s wrong with fuser? Unfortunately, it has not been updated for years and fails to find open files and directories about 50% of the time. lsof has not been part of a standard HP-UX installation so you may need to get a copy. It is very specific to the OS version. You can download a copy for 10.20 through 11.31 from:

    FTP://FTP.SOURCEDIRECT.COM/PUB/TOOLS/LSOF/

These are copied from either the lsof website, the Porting and Archive Centre for HP-UX

(http://hpux.connect.org.uk/hppd/hpux/Sysadmin/lsof-4.84/)

or from HP’s Internet Express bundle.
These are standard self contained depots (except the 10.20 PA1.1 version which is just the program with no man page) so install like this:

swinstall -s /tmp/lsof_whatever.depot *

(don’t forget the * at the end). No reboot is needed and there will be a man page for lsof.

Now for the good stuff. Here are examples of common usage for lsof:

File open: lsof /path_to/file

# lsof /etc/rc.log
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
PowerMoni 1012 root 1u REG 64,0×3 43729 1533 /etc/rc.log
PowerMoni 1012 root 2u REG 64,0×3 43729 1533 /etc/rc.log
xfs 1175 root 1u REG 64,0×3 43729 1533 /etc/rc.log
xfs 1175 root 2u REG 64,0×3 43729 1533 /etc/rc.log
ttd 1315 root 1u REG 64,0×3 43729 1533 /etc/rc.log
perfalarm 1342 root 7u REG 64,0×3 43729 1533 /etc/rc.log
perfalarm 1342 root 8u REG 64,0×3 43729 1533 /etc/rc.log
vxsvc 1637 root 1u REG 64,0×3 43729 1533 /etc/rc.log
vxsvc 1637 root 2u REG 64,0×3 43729 1533 /etc/rc.log
dtrc 1894 root 1u REG 64,0×3 43729 1533 /etc/rc.log
dtrc 1894 root 2u REG 64,0×3 43729 1533 /etc/rc.log

Directory open: lsof /path_to/directory

# lsof /tmp
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
PowerMoni 1012 root 5u unix 64,0×4 0t0 155 /tmp/s.ls3 (0x509d0c80)
postmaste 1068 sfmdb 5u unix 64,0×4 0t0 143 /tmp/.s.PGSQL.10864 (0x50c3b900)

Find unlinked file owner:
lsof -a +L1 /directory

# cd /tmp
# touch TObeREMOVED

# sleep 999 < TObeREMOVED &

# lsof TObeREMOVED

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sleep 5451 root 0u REG 64,0×4 0 209 TObeREMOVED

# rm TObeREMOVED

TObeREMOVED: ? (y/n) y
# ll TObeREMOVED

TObeREMOVED not found

# lsof -a +L1 /tmp
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NLINK NODE NAME
sleep 5451 root 0u REG 64,0×4 0 0 209 /tmp (/dev/vg00/lvol4)

In the above example, the file TObeREMOVED is created, then sleep 999 is run with TObeREMOVED attached to the sleep process. While sleep is running in the background, TObeREMOVED is removed. However, the removal is a removal only from the directory listing (ie, unlinked). But the file still exists because sleep has the file open. Until sleep terminates (or is killed), the unnamed file still occupies space. lsof -a +L1 applied to the directory will find the open file. By stopping the program, the space can be released.

Network connections

Find all processes associated with a port 23 (telnet) connection: lsof -i tcp:23

# lsof -i tcp:23
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
inetd 1005 root 6u IPv6 0x42f443c0 0t0 TCP *:telnet (LISTEN)

Since the telnet port is managed by inetd (which spawns telnetd to perform the protocol), inetd is shown as the process using port 23. Use pstree to see the parent/child list for inetd:

# pstree 1005
-+- 01005 root /usr/sbin/inetd

|— 02328 root bootpd
|— 02295 root /etc/opt/resmon/lbin/registrar
-+- 06158 root telnetd -b /etc/issue
— 06159 blh -sh

NOTE: pstree is also available from: ftp://ftp.sourcedirect.com/pub/tools/pstree

Find port 22 (default Secure Shell) processes: lsof -i tcp:22

# lsof -i tcp:22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 937 root 3u IPv6 0x509d0740 0t0 TCP *:22 (LISTEN)
sshd 937 root 4u IPv4 0x42f44040 0t0 TCP *:22 (LISTEN)
sshd 5088 root 3u IPv4 0x52054ac0 0t904536 TCP atl1:22->atldhcp30:3233 (ESTABLISHED)
sshd 6114 root 3u IPv4 0x52191c80 0t27882 TCP atl1:22->atldhcp30:3844 (ESTABLISHED)

As before, you can use pstree to see the process tree for a given PID (process ID):

# pstree 6114
-+- 06114 root sshd: root@pts/0
-+- 06117 root -sh
-+- 06287 root pstree 6114
-+- 06288 root sh -c ps -ef
— 06289 root ps -ef

Monitor (repeat) port 21 (ftp): lsof -i tcp:21 -r

# lsof -i tcp:21 -r
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
inetd 1005 root 5u IPv6 0x42f44200 0t0 TCP *:ftp (LISTEN)
=======
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
inetd 1005 root 5u IPv6 0x42f44200 0t0 TCP *:ftp (LISTEN)
ftpd 6354 root 0u IPv6 0x5227c900 0t241 TCP atl1:ftp->atl6:52021 (ESTABLISHED)
ftpd 6354 root 1u IPv6 0x5227c900 0t241 TCP atl1:ftp->atl6:52021 (ESTABLISHED)
=======
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
inetd 1005 root 5u IPv6 0x42f44200 0t0 TCP *:ftp (LISTEN)

Miscellaneous file listings:

Show open files for a given process: lsof -p 1234

# sleep 999 < /etc/issue &
[1] 6376

# lsof -p 6376
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sleep 6376 root cwd DIR 64,0×3 8192 2401 /root
sleep 6376 root txt REG 64,0×7 24576 732 /usr/bin/sleep
sleep 6376 root mem REG 64,0×7 1966080 33586 /usr/lib/libc.2
sleep 6376 root mem REG 64,0×7 24576 33983 /usr/lib/libdld.2
sleep 6376 root mem REG 64,0×7 393216 33982 /usr/lib/dld.sl
sleep 6376 root 0u REG 64,0×3 551 1872 /etc/issue
sleep 6376 root 1u STR 157,0 0t8563 1758 /dev/pts/0->ldterm->ptem->pts
sleep 6376 root 2u STR 157,0 0t8563 1758 /dev/pts/0->ldterm->ptem->pts

Show open files for all processes with a given name: lsof -c lvmkd

# lsof -c lvmkd
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
lvmkd 19 root cwd DIR 64,0×3 8192 2 /
lvmkd 20 root cwd DIR 64,0×3 8192 2 /

Show open files for a specific user: lsof -u blh

$ lsof -u blh
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sh 25268 blh cwd DIR 64,0×5 8192 16 /home/blh
sh 25268 blh txt REG 64,0×3 1469936 2646 /sbin/sh
sh 25268 blh 0u STR 157,0 0t763245 983 /dev/pts/0->ldterm->ptem->pts
sh 25268 blh 1u STR 157,0 0t763245 983 /dev/pts/0->ldterm->ptem->pts
sh 25268 blh 2u STR 157,0 0t763245 983 /dev/pts/0->ldterm->ptem->pts
sh 25268 blh 27u REG 64,0×8 0 228 /var (/dev/vg00/lvol8)
sh 25268 blh 29uw REG 64,0×5 1240 24 /home/blh/.sh_history
lsof 25310 blh cwd DIR 64,0×5 8192 16 /home/blh
lsof 25310 blh txt REG 64,0×6 293112 43445 /opt/iexpress/lsof/bin/lsof
lsof 25310 blh mem REG 64,0×7 292876 15127 /usr/lib/hpux32/libxti.so.1
lsof 25310 blh mem REG 64,0×7 5021192 30401 /usr/lib/hpux32/libc.so.1
lsof 25310 blh mem REG 64,0×7 169484 8758 /usr/lib/hpux32/libnss_files.so.1
lsof 25310 blh mem REG 64,0×7 1407744 30829 /usr/lib/hpux32/libnsl.so.1
lsof 25310 blh mem REG 64,0×7 76240 8776 /usr/lib/hpux32/libdl.so.1
lsof 25310 blh mem REG 64,0×7 1148332 8775 /usr/lib/hpux32/dld.so
lsof 25310 blh mem REG 64,0×7 181240 8778 /usr/lib/hpux32/uld.so
lsof 25310 blh 0u STR 157,0 0t763245 983 /dev/pts/0->ldterm->ptem->pts
lsof 25310 blh 1u STR 157,0 0t763245 983 /dev/pts/0->ldterm->ptem->pts
lsof 25310 blh 2u STR 157,0 0t763245 983 /dev/pts/0->ldterm->ptem->pts
lsof 25310 blh 5w FIFO 0xe000000174053808 0t0 372575
lsof 25310 blh 6r FIFO 0xe000000174053088 0t0 372576

Show open files from an NFS import: lsof -N

# lsof -N
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sh 25150 root cwd DIR 4,0×3 1024 2 /mnt3
lsof 25231 root cwd DIR 4,0×3 1024 2 /mnt3

lsof -N is run from the client side to report on files that have been opened on this system from a remote NFS server.

– See more at: http://serviceitdirect.com/blog/using-lsof#sthash.loNHKKMt.dpuf