System insights with command line tools: lsof and lsblk

Posted by on September 11, 2024

Photo by Hunter Harritt on Unsplash cropped

in this series

1. System insights with command-line tools: lscpu and lsusb

2. System insights with command-line tools: dmidecode and lspci

3. System insights with command line tools: lsof and lsblk

In our ongoing series on Linux system insights, we have a look into essential command-line utilities that provide information about the system’s hardware and status. Following our previous discussions on lscpu, lsusb, dmidecode and lspci, we now turn our attention to lsof and lsblk. These tools are particularly useful for investigating open files, active network connections, and mounted block devices on your Fedora Linux system.

Exploring open files with lsof

lsof (list open files) is a powerful command-line tool. Since almost everything in Linux is treated as a file, lsof provides detailed insight into many parts of your system by listing what files are being used, which processes are accessing them, and even which network ports are open (see e.g. Wikipedia on Network socket for more information).

Basic usage

To start with, execute the basic lsof command to get an overview of the system’s open files:

$ sudo lsof

sudo was used for extended privileges. This is needed to get information about files not opened by processes started by your user. The command outputs a lot of information which can be overwhelming. We are going to narrow down the output to specific information about some common use cases in the following examples.

Example 1: Finding open files by user or process

To identify which files a specific user or process has open, lsof can be very helpful.

To list all files opened by a specific user:

$ sudo lsof -u <username>

This will return a list of open files owned by the given user. For example:

$ sudo lsof -u johndoe

You’ll see details such as the process ID (PID), the file descriptor, the type of file, and the file’s path.

To filter by process, use the -p flag:

$ lsof -p <PID>

This is particularly useful for troubleshooting issues related to specific processes or when you need to check which files a service is holding open. Use sudo if the process is not owned by your user.

Example output:

$ lsof -p 873648
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
bash    873648 user  cwd    DIR   0,39     8666      257 /home/user
bash    873648 user  rtd    DIR   0,35      158      256 /
bash    873648 user  txt    REG   0,35  1443376 12841259 /usr/bin/bash
bash    873648 user  mem    REG   0,33          12841259 /usr/bin/bash (path dev=0,35)
bash    873648 user  mem    REG   0,33          14055145 /usr/lib/locale/locale-archive (path dev=0,35)
bash    873648 user  mem    REG   0,33          14055914 /usr/lib64/libc.so.6 (path dev=0,35)
bash    873648 user  mem    REG   0,33          13309071 /usr/lib64/libtinfo.so.6.4 (path dev=0,35)
bash    873648 user  mem    REG   0,33          14059926 /usr/lib64/gconv/gconv-modules.cache (path dev=0,35)
bash    873648 user  mem    REG   0,33          14055911 /usr/lib64/ld-linux-x86-64.so.2 (path dev=0,35)
bash    873648 user    0u   CHR  136,3      0t0        6 /dev/pts/3
bash    873648 user    1u   CHR  136,3      0t0        6 /dev/pts/3
bash    873648 user    2u   CHR  136,3      0t0        6 /dev/pts/3
bash    873648 user  255u   CHR  136,3      0t0        6 /dev/pts/3

Example 2: identifying open network connections via sockets

With its ability to list network connections, lsof also becomes a handy tool for diagnosing network-related issues as it is usually even available on hardened, minimal systems.

To display all open network connections (TCP/UDP sockets), run:

$ sudo lsof -i

This will list active Internet connections along with the associated protocol, port, and process details.

You can filter for specific protocols (like TCP or UDP), include or exclude IPv4 and v6 and combine several values (the example section of man lsof provides a lot of useful information, including negation):

$ sudo lsof -i tcp
$ sudo lsof -i udp
$ sudo lsof -i 4tcp
$ sudo lsof -i 6tcp
$ sudo lsof -i 4tcp@example.com

For connections associated with a particular port:

$ sudo lsof -i :<port_number>

For example, to list connections to port 22 (SSH):

$ sudo lsof -i :22
COMMAND    PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
sshd    904379 root    3u  IPv4 5622530      0t0  TCP *:ssh (LISTEN)
sshd    904379 root    4u  IPv6 5622532      0t0  TCP *:ssh (LISTEN)

This information can be critical for identifying unauthorized connections or simply monitoring network activity on a system for debugging.

Investigating block devices with lsblk

Another useful tool is lsblk, which displays information about all available block devices on your system. Block devices include hard drives, SSDs, and USB storage. This command provides a tree-like view, helping you understand the relationships between partitions, devices, and their mount points.

Basic usage

Running lsblk without any options provides a clean hierarchical structure of the block devices:

$ lsblk

This shows all block devices in a tree structure, including their size, type (disk, partition), and mount point (if applicable).

Examples

For a deeper look into the file systems on your block devices, use the -f flag:

$ lsblk -f

This will display not just the block devices, but also details about the file systems on each partition, including the type (e.g., ext4, vfat, swap), the UUID, and the current mount points.

If you want less information about the devices themselves (without showing partitions or mount points), the -d option is useful:

$ lsblk -d

There is also a -J or –json option. If used, the command outputs the information in JSON format. This provides a structured view that is particularly useful for scripting and automation.

Example outputs from my laptop (some long information like UUIDs stripped for readability):

$ lsblk
NAME                     MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda                        8:0    1     0B  0 disk  
sdb                        8:16   1     0B  0 disk  
sdc                        8:32   1     0B  0 disk  
zram0                    252:0    0     8G  0 disk  [SWAP]
nvme0n1                  259:0    0 931,5G  0 disk  
├─nvme0n1p1              259:1    0   600M  0 part  /boot/efi
├─nvme0n1p2              259:2    0     1G  0 part  /boot
└─nvme0n1p3              259:3    0 929,9G  0 part  
  └─luks-84257c20[...]   253:0    0 929,9G  0 crypt /home


$ lsblk -d
NAME    MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
sda       8:0    1     0B  0 disk 
sdb       8:16   1     0B  0 disk 
sdc       8:32   1     0B  0 disk 
zram0   252:0    0     8G  0 disk [SWAP]
nvme0n1 259:0    0 931,5G  0 disk

$ lsblk -f
NAME                FSTYPE [...]LABEL    UUID           FSAVAIL FSUSE% MOUNTPOINTS
sda
sdb
sdc
zram0                                                                  [SWAP]
nvme0n1             
├─nvme0n1p1         vfat                 4C5B-4355      579,7M  3%     /boot/efi
├─nvme0n1p2         ext4                 30eff827[...]  605M    31%    /boot
└─nvme0n1p3         crypto_LUKS          84257c20[...]              
  └─luks-84257[...] btrfs       fe[...]  666f9d6f[...]  303,1G  67%    /home
                                                                       /

$ lsblk -f -J
{
   "blockdevices": [
   [...],{
         "name": "nvme0n1",
         "fstype": null,
         "fsver": null,
         "label": null,
         "uuid": null,
         "fsavail": null,
         "fsuse%": null,
         "mountpoints": [
             null
         ],
         "children": [
            {
               "name": "nvme0n1p1",
               "fstype": "vfat",
               "fsver": "FAT32",
               "label": null,
               "uuid": "4C5B-4355",
               "fsavail": "579,7M",
               "fsuse%": "3%",
               "mountpoints": [
                   "/boot/efi"
               ]
            },{
               "name": "nvme0n1p2",
               "fstype": "ext4",
               "fsver": "1.0",
               "label": null,
               "uuid": "30eff827-[...]",
               "fsavail": "605M",
               "fsuse%": "31%",
               "mountpoints": [
                   "/boot"
               ]
            },{
               "name": "nvme0n1p3",
               "fstype": "crypto_LUKS",
               "fsver": "2",
               "label": null,
               "uuid": "84257c20-[...]",
               "fsavail": null,
               "fsuse%": null,
               "mountpoints": [
                   null
               ],
               "children": [
                  {
                     "name": "luks-[...]",
                     "fstype": "btrfs",
                     "fsver": null,
                     "label": "fedora_localhost-live",
                     "uuid": "666f9d6f-[...]",
                     "fsavail": "303,1G",
                     "fsuse%": "67%",
                     "mountpoints": [
                         "/home", "/"
                     ]
                  }
               ]
            }
         ]
      }
   ]
}

Conclusion

The lsof and lsblk commands are providing insights into file usage, network activity, and block device structures. Whether you’re tracking down open file handles, diagnosing network connections, or reviewing storage devices; whether you’re troubleshooting, optimizing, or simply curious; these tools provide valuable data that can help you better understand and manage your Fedora Linux environment. See you next time when we will have a look at more useful listing and information command line tools and how to use them.

Fedora Project community

Andreas Haerter

3 Comments

  1. Ricky Tigg

    Hello to you, author. Regarding the ZRAM device, on a system built with the systemd component included, like Fedora is, the lsblk command, when compiled with udev support, among other things, reads the udev database to gather information. However, upstream, in systemd v. 256.6 – the latest –, as demonstrated by the output resulting from

    udevadm info --export /dev/zram0

    , in which there are no ‘ID_FS_’ variables present, udevd does not collect file system-related information from ZRAM devices. that is therefore reflected by the lsblk tool; illustration:

    $ lsblk -o fstype,fsver,mountpoint,pttype /dev/zram0
    FSTYPE FSVER MOUNTPOINT PTTYPE
                 [SWAP]

    This is about to change, however. On github.com/systemd/systemd, a code brought by the maintainer of the component util-linux, allowing persistent storage rules for ZRAM devices, was merged. However, as usual, you will need to be patient to see this change made to Fedora, which at this time only offers v. 255.12 at best.

    By then, the

    --properties-by

    option, currently only available via the master branch of the git tree, might be introduced in the util-linux v. 2.41 release. It forces

    lsblk

    to read data directly from the device by using libblkid. As a result, all properties are retrieved; command illustration:

    sudo ./lsblk --properties-by blkid -o fstype,fsver,pttype /dev/zram0

    . Regards.

    September 13, 2024

  2. null_pointer_00

    Why not “lsgpu”?

    September 16, 2024

  3. null_pointer_00

    GPU is plugged to a PCI slot, sorry!

    September 16, 2024

Comments are Closed

Fedora Linux 41 is available now. Read the release announcement for all the details.

Subscribe to Fedora Magazine via Email

Join 10K other subscribers

Contribute to the Magazine

Fedora Magazine is looking for contributors!

The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions