The LSOF command-line tool is highly beneficial for system administrators and developers because it allows them to:
- Determine which processes are currently using a specific file or port, which is particularly important in the event of port conflicts
- Detect files that have been deleted but are still held open by processes, which can lead to unnecessary space consumption; the LSOF command helps to identify and address such instances
- Troubleshoot errors such as “port is already in use” effectively
- Keep track of network activity and open network connections for monitoring purposes
- Investigate file access patterns, contributing to the identification of potential security breaches
In this tutorial, you will learn how to use the LSOF command to monitor ports in real time.
The syntax of the LSOF command is as follows:
Options are the flags that are used with the LSOF command. Names represent the filenames, PIDs (Process IDs), user names, or network files (IPv4, IPv6). Depending on the provided options, the LSOF command displays a list of open files that correspond to these names.
LSOF is included by default in many Linux systems. You have to manually download and install one of the available packages if it is not installed. To check the LSOF installation on your system, use the following command to display the installed version:
Note that some information about processes and network connections may require elevated superuser privileges, so you may need to use “sudo” to run the LSOF command with administrative rights.
When you run the LSOF command with the “-i” option, it displays information about processes that have network connections, such as listening sockets or established connections.
The previous command displays the information about the process name (COMMAND), process ID (PID), user (USER), file descriptor (FD), type of connection (TYPE), local and remote addresses, and the connection state. You should see the following output:
You can filter the output based on specific criteria such as the particular types of connections or ports. For example, you could use “lsof -i tcp” to list only the processes associated with a TCP connection.
The previous command filters the information about processes that have open TCP connections within the specified port range from 1 to 1024. This can be useful for identifying which processes are using the well-known ports associated with common services.
Using LSOF, you can monitor a specific port in real time. For example, suppose you want to monitor the processes related to “HTTP” on port 80, with the output updating every 3 seconds. To do this, run the following command:
To monitor all SSHD connections that run on port 22, run the following command:
This command continuously monitors and displays the real-time information about network connections on port 22 every 3 seconds. This is particularly useful for tracking the changes, such as new SSH connections or disconnections, as they happen in real-time.
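The change tracking described above can be automated by comparing successive cycles of LSOF's repeat-mode output. The following is an added example, not part of the original tutorial; the function names, the constructed sample listing (documentation IP ranges), and the `lsof -nP -iTCP:22 -sTCP:ESTABLISHED -r 3` invocation in `watch_ssh` are assumptions.

```shell
#!/bin/sh
# Added example: report SSH connections that appear or disappear between
# successive cycles of lsof repeat mode (-r). lsof ends each cycle with a
# line of "=" characters, which is used here as the cycle boundary.

# Read lsof listing text on stdin; print NEW/CLOSED lines per cycle.
diff_cycles() {
  awk '
    # Track established TCP sockets as "command pid=N local->remote".
    $NF == "(ESTABLISHED)" { cur[$1 " pid=" $2 " " $(NF-1)] = 1; next }
    /^=+$/ {
      if (baseline) {   # the first cycle only sets the baseline
        for (k in cur)  if (!(k in prev)) print "NEW " k
        for (k in prev) if (!(k in cur))  print "CLOSED " k
      }
      baseline = 1
      split("", prev); for (k in cur) prev[k] = 1
      split("", cur)
    }'
}

# Live use (assumed invocation; may need sudo to see other users' sockets).
watch_ssh() {
  lsof -nP -iTCP:22 -sTCP:ESTABLISHED -r 3 | diff_cycles
}

# Constructed sample: three repeat-mode cycles for port 22.
sample_cycles() {
cat <<'EOF'
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    1450 root    4u  IPv4  30211      0t0  TCP 192.0.2.10:22->198.51.100.7:51544 (ESTABLISHED)
=======
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    1450 root    4u  IPv4  30211      0t0  TCP 192.0.2.10:22->198.51.100.7:51544 (ESTABLISHED)
sshd    2291 root    4u  IPv4  30977      0t0  TCP 192.0.2.10:22->203.0.113.25:40022 (ESTABLISHED)
=======
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd    2291 root    4u  IPv4  30977      0t0  TCP 192.0.2.10:22->203.0.113.25:40022 (ESTABLISHED)
=======
EOF
}

sample_cycles | diff_cycles
```

On the sample, the second cycle reports the connection from 203.0.113.25 as NEW and the third reports the one from 198.51.100.7 as CLOSED.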
To monitor, in real time, the information about processes that have open TCP connections within the specified port range from 1 to 1024, you can use the following command:
You can monitor all network connections in real time using the LSOF command. For example, suppose you want to continuously monitor and display the real-time information about network connections every 5 seconds.
The following output includes the details about processes and their associated network sockets, refreshed every 5 seconds:
Similarly, you can also monitor only the “established” connections with the LSOF command:
In this tutorial, we learned how to monitor ports in real time using the LSOF command. This command can also help system administrators and other Linux users to monitor network connections, including all active or open ports. We hope that this guide helps you to understand how to use the LSOF command with different options and to monitor different ports and processes in real time.