and
. Consult those header files for the meaning of the flags, options, states and val‐
ues.
``SO='' precedes socket options and values; ``SS='', socket states; and ``TF='', TCP flags and values.
If a flag or option has a value, the value will follow an '=' and the name -- e.g., ``SO=LINGER=5'',
``SO=QLIM=5'', ``TF=MSS=512''. The following seven values may be reported:
Name
Reported Description (Common Symbol)
KEEPALIVE keep alive time (SO_KEEPALIVE)
LINGER linger time (SO_LINGER)
MSS maximum segment size (TCP_MAXSEG)
PQLEN partial listen queue connections
QLEN established listen queue connections
QLIM established listen queue limit
RCVBUF receive buffer length (SO_RCVBUF)
SNDBUF send buffer length (SO_SNDBUF)
Details on what socket options and values, socket states, and TCP flags and values may be displayed for
particular UNIX dialects may be found in the answer to the ``Why doesn't lsof report socket options,
socket states, and TCP flags and values for my dialect?'' and ``Why doesn't lsof report the partial lis‐
ten queue connection count for my dialect?'' questions in the lsof FAQ (The FAQ section gives its loca‐
tion.)
-t This option specifies that lsof should produce terse output with process identifiers only and no header -
e.g., so that the output may be piped to kill(1). This option selects the -w option.
-u s This option selects the listing of files for the user whose login names or user ID numbers are in the
comma-separated set s - e.g., ``abe'', or ``548,root''. (There should be no spaces in the set.)
Multiple login names or user ID numbers are joined in a single ORed set before participating in AND
option selection.
If a login name or user ID is preceded by a `^', it becomes a negation - i.e., files of processes owned
by the login name or user ID will never be listed. A negated login name or user ID selection is neither
ANDed nor ORed with other selections; it is applied before all other selections and absolutely excludes
the listing of the files of the process. For example, to direct lsof to exclude the listing of files
belonging to root processes, specify ``-u^root'' or ``-u^0''.
-U This option selects the listing of UNIX domain socket files.
-v This option selects the listing of lsof version information, including: revision number; when the lsof
binary was constructed; who constructed the binary and where; the name of the compiler used to construct
the lsof binary; the version number of the compiler when readily available; the compiler and loader flags
used to construct the lsof binary; and system information, typically the output of uname's -a option.
-V This option directs lsof to indicate the items it was asked to list and failed to find - command names,
file names, Internet addresses or files, login names, NFS files, PIDs, PGIDs, and UIDs.
When other options are ANDed to search options, or compile-time options restrict the listing of some
files, lsof may not report that it failed to find a search item when an ANDed option or compile-time
option prevents the listing of the open file containing the located search item.
For example, ``lsof -V [email protected] -a -d 999'' may not report a failure to locate open files at
``[email protected]'' and may not list any, if none have a file descriptor number of 999. A similar situation
arises when HASSECURITY and HASNOSOCKSECURITY are defined at compile time and they prevent the listing of
open files.
+|-w Enables (+) or disables (-) the suppression of warning messages.
The lsof builder may choose to have warning messages disabled or enabled by default. The default warning
message state is indicated in the output of the -h or -? option. Disabling warning messages when they
are already disabled or enabling them when already enabled is acceptable.
The -t option selects the -w option.
-x [fl] This option may accompany the +d and +D options to direct their processing to cross over symbolic links
and|or file system mount points encountered when scanning the directory (+d) or directory tree (+D).
If -x is specified by itself without a following parameter, cross-over processing of both symbolic links
and file system mount points is enabled. Note that when -x is specified without a parameter, the next
argument must begin with '-' or '+'.
The optional 'f' parameter enables file system mount point cross-over processing; 'l', symbolic link
cross-over processing.
The -x option may not be supplied without also supplying a +d or +D option.
-X This is a dialect-specific option.
AIX:
This IBM AIX RISC/System 6000 option requests the reporting of executed text file and shared library ref‐
erences.
WARNING: because this option uses the kernel readx() function, its use on a busy AIX system might cause
an application process to hang so completely that it can neither be killed nor stopped. I have never
seen this happen or had a report of its happening, but I think there is a remote possibility it could
happen.
By default use of readx() is disabled. On AIX 5L and above lsof may need setuid-root permission to per‐
form the actions this option requests.
The lsof builder may specify that the -X option be restricted to processes whose real UID is root. If
that has been done, the -X option will not appear in the -h or -? help output unless the real UID of the
lsof process is root. The default lsof distribution allows any UID to specify -X, so by default it will
appear in the help output.
When AIX readx() use is disabled, lsof may not be able to report information for all text and loader file
references, but it may also avoid exacerbating an AIX kernel directory search kernel error, known as the
Stale Segment ID bug.
The readx() function, used by lsof or any other program to access some sections of kernel virtual memory,
can trigger the Stale Segment ID bug. It can cause the kernel's dir_search() function to believe erro‐
neously that part of an in-memory copy of a file system directory has been zeroed. Another application
process, distinct from lsof, asking the kernel to search the directory - e.g., by using open(2) - can
cause dir_search() to loop forever, thus hanging the application process.
Consult the lsof FAQ (The FAQ section gives its location.) and the 00README file of the lsof distribu‐
tion for a more complete description of the Stale Segment ID bug, its APAR, and methods for defining
readx() use when compiling lsof.
Linux:
This Linux option requests that lsof skip the reporting of information on all open TCP, UDP and UDPLITE
IPv4 and IPv6 files.
This Linux option is most useful when the system has an extremely large number of open TCP, UDP and
UDPLITE files, the processing of whose information in the /proc/net/tcp* and /proc/net/udp* files would
take lsof a long time, and whose reporting is not of interest.
Use this option with care and only when you are sure that the information you want lsof to display isn't
associated with open TCP, UDP or UDPLITE socket files.
Solaris 10 and above:
This Solaris 10 and above option requests the reporting of cached paths for files that have been deleted
- i.e., removed with rm(1) or unlink(2).
The cached path is followed by the string `` (deleted)'' to indicate that the path by which the file was
opened has been deleted.
Because intervening changes made to the path - i.e., renames with mv(1) or rename(2) - are not recorded
in the cached path, what lsof reports is only the path by which the file was opened, not its possibly
different final path.
-z [z] specifies how Solaris 10 and higher zone information is to be handled.
Without a following argument - e.g., NO z - the option specifies that zone names are to be listed in the
ZONE output column.
The -z option may be followed by a zone name, z. That causes lsof to list only open files for processes
in that zone. Multiple -z z option and argument pairs may be specified to form a list of named zones.
Any open file of any process in any of the zones will be listed, subject to other conditions specified by
other options and arguments.
-Z [Z] specifies how SELinux security contexts are to be handled. This option and 'Z' field output character
support are inhibited when SELinux is disabled in the running Linux kernel. See OUTPUT FOR OTHER PRO??‐
GRAMS for more information on the 'Z' field output character.
Without a following argument - e.g., NO Z - the option specifies that security contexts are to be listed
in the SECURITY-CONTEXT output column.
The -Z option may be followed by a wildcard security context name, Z. That causes lsof to list only open
files for processes in that security context. Multiple -Z Z option and argument pairs may be specified
to form a list of security contexts. Any open file of any process in any of the security contexts will
be listed, subject to other conditions specified by other options and arguments. Note that Z can be
A:B:C or *:B:C or A:B:* or *:*:C to match against the A:B:C context.
-- The double minus sign option is a marker that signals the end of the keyed options. It may be used, for
example, when the first file name begins with a minus sign. It may also be used when the absence of a
value for the last keyed option must be signified by the presence of a minus sign in the following option
and before the start of the file names.
names These are path names of specific files to list. Symbolic links are resolved before use. The first name
may be separated from the preceding options with the ``--'' option.
If a name is the mounted-on directory of a file system or the device of the file system, lsof will list
all the files open on the file system. To be considered a file system, the name must match a mounted-on
directory name in mount(8) output, or match the name of a block device associated with a mounted-on
directory name. The +|-f option may be used to force lsof to consider a name a file system identifier
(+f) or a simple file (-f).
If name is a path to a directory that is not the mounted-on directory name of a file system, it is
treated just as a regular file is treated - i.e., its listing is restricted to processes that have it
open as a file or as a process-specific directory, such as the root or current working directory. To
request that lsof look for open files inside a directory name, use the +d s and +D D options.
If a name is the base name of a family of multiplexed files - e. g, AIX's /dev/pt[cs] - lsof will list
all the associated multiplexed files on the device that are open - e.g., /dev/pt[cs]/1, /dev/pt[cs]/2,
etc.
If a name is a UNIX domain socket name, lsof will usually search for it by the characters of the name
alone - exactly as it is specified and is recorded in the kernel socket structure. (See the next para‐
graph for an exception to that rule for Linux.) Specifying a relative path - e.g., ./file - in place of
the file's absolute path - e.g., /tmp/file - won't work because lsof must match the characters you spec‐
ify with what it finds in the kernel UNIX domain socket structures.
If a name is a Linux UNIX domain socket name, in one case lsof is able to search for it by its device and
inode number, allowing name to be a relative path. The case requires that the absolute path -- i.e., one
beginning with a slash ('/') be used by the process that created the socket, and hence be stored in the
/proc/net/unix file; and it requires that lsof be able to obtain the device and node numbers of both the
absolute path in /proc/net/unix and name via successful stat(2) system calls. When those conditions are
met, lsof will be able to search for the UNIX domain socket when some path to it is is specified in name.
Thus, for example, if the path is /dev/log, and an lsof search is initiated when the working directory is
/dev, then name could be ./log.
If a name is none of the above, lsof will list any open files whose device and inode match that of the
specified path name.
If you have also specified the -b option, the only names you may safely specify are file systems for
which your mount table supplies alternate device numbers. See the AVOIDING KERNEL BLOCKS and ALTERNATE
DEVICE NUMBERS sections for more information.
Multiple file names are joined in a single ORed set before participating in AND option selection.