Drill: Find Open Files with lsof

Goal

Use lsof to find open files, detect deleted files still holding disk space, and identify network connections by process.

Setup

  • Linux system with lsof installed (apt install lsof or yum install lsof)
  • Root access for viewing all processes

Commands

List all files open by a specific process:

lsof -p <PID>

Find which process has a specific file open:

lsof /var/log/syslog

Find deleted files still holding disk space:

lsof +L1

List all network connections for a process:

lsof -i -a -p <PID>

Find what is listening on a specific port:

lsof -i :8080

List all files opened by a specific user:

lsof -u www-data

Find processes using files in a specific directory:

lsof +D /var/log

Show established TCP connections:

lsof -i TCP -s TCP:ESTABLISHED

What to Look For

  • (deleted) marker on files means the file is removed from the filesystem but the process still holds a file descriptor
  • FD column shows file descriptor number and access mode (r, w, u for read/write/both)
  • TYPE column distinguishes regular files (REG), directories (DIR), sockets (IPv4/IPv6)
  • To reclaim space held by a deleted file, restart the process or truncate the file through its descriptor under /proc/PID/fd
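
To see how much space each process is holding through deleted files, the following added example (not part of the original drill) totals the sizes from lsof's -F field output. The function names and the sample input are constructed for illustration; a file open in two processes is counted once in each.

```sh
#!/bin/sh
# Added example: total bytes held by deleted-but-open files, per process.
# Real use (as root): lsof +L1 -F pcfsikn | deleted_space_by_pid
# -F prints one field per line, prefixed by a letter:
#   p=PID c=command f=FD s=size k=link count i=inode n=name

deleted_space_by_pid() {
    awk '
        # Close out the current file record and add it to the PID total.
        function commit() {
            # Skip records with no size (sockets, pipes) or a nonzero link
            # count, and count each inode once per PID even if several FDs
            # point at it (simplification: device number is ignored).
            if (fd != "" && size != "" && nlink != "" && nlink + 0 == 0 &&
                !((pid, inode) in seen)) {
                seen[pid, inode] = 1
                total[pid] += size
            }
            fd = ""; size = ""; nlink = ""; inode = ""
        }
        /^p/ { commit(); pid = substr($0, 2) }
        /^c/ { cmd[pid] = substr($0, 2) }
        /^f/ { commit(); fd = substr($0, 2) }
        /^s/ { size = substr($0, 2) }
        /^k/ { nlink = substr($0, 2) }
        /^i/ { inode = substr($0, 2) }
        END {
            commit()
            for (p in total) printf "%.0f %s %s\n", total[p], p, cmd[p]
        }
    ' | sort -k1,1nr -k2,2n
}

# Constructed sample input (not captured from a real host).
sample_lsof_output() {
    printf '%s\n' \
        p1234 cnginx \
        f5 s1048576 k0 i131 'n/var/log/nginx/access.log (deleted)' \
        f7 s1048576 k0 i131 'n/var/log/nginx/access.log (deleted)' \
        f9 s2048 k0 i140 'n/var/log/nginx/error.log (deleted)' \
        p4321 cjava \
        f12 s5368709120 k0 i977 'n/tmp/heap.dump (deleted)' \
        f3 k0 i12 'nsocket (deleted)'
}

sample_lsof_output | deleted_space_by_pid   # columns: BYTES PID COMMAND
```

The output is sorted largest first, so the process to restart or truncate is on the first line.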

Common Mistakes

  • Using +D on large directories (it recurses and can be slow); use +d for non-recursive
  • Forgetting to use -a (AND) when combining flags; without it lsof uses OR logic
  • Not running as root and missing other users' processes
  • Confusing file descriptor numbers with PIDs

Cleanup

No cleanup needed. lsof is read-only.