System insights with command line tools: lsof and lsblk

Photo by Hunter Harritt on Unsplash cropped

In our ongoing series on Linux system insights, we have a look into essential command-line utilities that provide information about the system’s hardware and status. Following our previous discussions on lscpu, lsusb, dmidecode and lspci, we now turn our attention to lsof and lsblk. These tools are particularly useful for investigating open files, active network connections, and mounted block devices on your Fedora Linux system.

Exploring open files with lsof

lsof (list open files) is a powerful command-line tool. Since almost everything in Linux is treated as a file, lsof provides detailed insight into many parts of your system by listing what files are being used, which processes are accessing them, and even which network ports are open (see e.g. Wikipedia on Network socket for more information).

Basic usage

To start with, execute the basic lsof command to get an overview of the system’s open files:

$ sudo lsof

sudo was used for extended privileges. This is needed to get information about files not opened by processes started by your user. The command outputs a lot of information which can be overwhelming. We are going to narrow down the output to specific information about some common use cases in the following examples.

Example 1: Finding open files by user or process

To identify which files a specific user or process has open, lsof can be very helpful.

To list all files opened by a specific user:

$ sudo lsof -u <username>

This will return a list of open files owned by the given user. For example:

$ sudo lsof -u johndoe

You’ll see details such as the process ID (PID), the file descriptor, the type of file, and the file’s path.

To filter by process, use the -p flag:

$ lsof -p <PID>

This is particularly useful for troubleshooting issues related to specific processes or when you need to check which files a service is holding open. Use sudo if the process is not owned by your user.

Example output:

$ lsof -p 873648
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 873648 user cwd DIR 0,39 8666 257 /home/user
bash 873648 user rtd DIR 0,35 158 256 /
bash 873648 user txt REG 0,35 1443376 12841259 /usr/bin/bash
bash 873648 user mem REG 0,33 12841259 /usr/bin/bash (path dev=0,35)
bash 873648 user mem REG 0,33 14055145 /usr/lib/locale/locale-archive (path dev=0,35)
bash 873648 user mem REG 0,33 14055914 /usr/lib64/libc.so.6 (path dev=0,35)
bash 873648 user mem REG 0,33 13309071 /usr/lib64/libtinfo.so.6.4 (path dev=0,35)
bash 873648 user mem REG 0,33 14059926 /usr/lib64/gconv/gconv-modules.cache (path dev=0,35)
bash 873648 user mem REG 0,33 14055911 /usr/lib64/ld-linux-x86-64.so.2 (path dev=0,35)
bash 873648 user 0u CHR 136,3 0t0 6 /dev/pts/3
bash 873648 user 1u CHR 136,3 0t0 6 /dev/pts/3
bash 873648 user 2u CHR 136,3 0t0 6 /dev/pts/3
bash 873648 user 255u CHR 136,3 0t0 6 /dev/pts/3

Example 2: identifying open network connections via sockets

With its ability to list network connections, lsof also becomes a handy tool for diagnosing network-related issues as it is usually even available on hardened, minimal systems.

To display all open network connections (TCP/UDP sockets), run:

$ sudo lsof -i

This will list active Internet connections along with the associated protocol, port, and process details.

You can filter for specific protocols (like TCP or UDP), include or exclude IPv4 and v6 and combine several values (the example section of man lsof provides a lot of useful information, including negation):

$ sudo lsof -i tcp
$ sudo lsof -i udp
$ sudo lsof -i 4tcp
$ sudo lsof -i 6tcp
$ sudo lsof -i 4tcp@example.com

For connections associated with a particular port:

$ sudo lsof -i :<port_number>

For example, to list connections to port 22 (SSH):

$ sudo lsof -i :22
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 904379 root 3u IPv4 5622530 0t0 TCP *:ssh (LISTEN)
sshd 904379 root 4u IPv6 5622532 0t0 TCP *:ssh (LISTEN)

This information can be critical for identifying unauthorized connections or simply monitoring network activity on a system for debugging.

Investigating block devices with lsblk

Another useful tool is lsblk, which displays information about all available block devices on your system. Block devices include hard drives, SSDs, and USB storage. This command provides a tree-like view, helping you understand the relationships between partitions, devices, and their mount points.

Basic usage

Running lsblk without any options provides a clean hierarchical structure of the block devices:

$ lsblk

This shows all block devices in a tree structure, including their size, type (disk, partition), and mount point (if applicable).

Examples

For a deeper look into the file systems on your block devices, use the -f flag:

$ lsblk -f

This will display not just the block devices, but also details about the file systems on each partition, including the type (e.g., ext4, vfat, swap), the UUID, and the current mount points.

If you want less information about the devices themselves (without showing partitions or mount points), the -d option is useful:

$ lsblk -d

There is also a -J or –json option. If used, the command outputs the information in JSON format. This provides a structured view that is particularly useful for scripting and automation.

Example outputs from my laptop (some long information like UUIDs stripped for readability):

$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 1 0B 0 disk
sdb 8:16 1 0B 0 disk
sdc 8:32 1 0B 0 disk
zram0 252:0 0 8G 0 disk [SWAP]
nvme0n1 259:0 0 931,5G 0 disk
├─nvme0n1p1 259:1 0 600M 0 part /boot/efi
├─nvme0n1p2 259:2 0 1G 0 part /boot
└─nvme0n1p3 259:3 0 929,9G 0 part
└─luks-84257c20[...] 253:0 0 929,9G 0 crypt /home


$ lsblk -d
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 1 0B 0 disk
sdb 8:16 1 0B 0 disk
sdc 8:32 1 0B 0 disk
zram0 252:0 0 8G 0 disk [SWAP]
nvme0n1 259:0 0 931,5G 0 disk

$ lsblk -f
NAME FSTYPE [...]LABEL UUID FSAVAIL FSUSE% MOUNTPOINTS
sda
sdb
sdc
zram0 [SWAP]
nvme0n1
├─nvme0n1p1 vfat 4C5B-4355 579,7M 3% /boot/efi
├─nvme0n1p2 ext4 30eff827[...] 605M 31% /boot
└─nvme0n1p3 crypto_LUKS 84257c20[...]
└─luks-84257[...] btrfs fe[...] 666f9d6f[...] 303,1G 67% /home
/

$ lsblk -f -J
{
"blockdevices": [
[...],{
"name": "nvme0n1",
"fstype": null,
"fsver": null,
"label": null,
"uuid": null,
"fsavail": null,
"fsuse%": null,
"mountpoints": [
null
],
"children": [
{
"name": "nvme0n1p1",
"fstype": "vfat",
"fsver": "FAT32",
"label": null,
"uuid": "4C5B-4355",
"fsavail": "579,7M",
"fsuse%": "3%",
"mountpoints": [
"/boot/efi"
]
},{
"name": "nvme0n1p2",
"fstype": "ext4",
"fsver": "1.0",
"label": null,
"uuid": "30eff827-[...]",
"fsavail": "605M",
"fsuse%": "31%",
"mountpoints": [
"/boot"
]
},{
"name": "nvme0n1p3",
"fstype": "crypto_LUKS",
"fsver": "2",
"label": null,
"uuid": "84257c20-[...]",
"fsavail": null,
"fsuse%": null,
"mountpoints": [
null
],
"children": [
{
"name": "luks-[...]",
"fstype": "btrfs",
"fsver": null,
"label": "fedora_localhost-live",
"uuid": "666f9d6f-[...]",
"fsavail": "303,1G",
"fsuse%": "67%",
"mountpoints": [
"/home", "/"
]
}
]
}
]
}
]
}

Conclusion

The lsof and lsblk commands are providing insights into file usage, network activity, and block device structures. Whether you’re tracking down open file handles, diagnosing network connections, or reviewing storage devices; whether you’re troubleshooting, optimizing, or simply curious; these tools provide valuable data that can help you better understand and manage your Fedora Linux environment. See you next time when we will have a look at more useful listing and information command line tools and how to use them.

Fedora Project community

3 Comments

  1. Hello to you, author. Regarding the ZRAM device, on a system built with the systemd component included, like Fedora is, the lsblk command, when compiled with udev support, among other things, reads the udev database to gather information. However, upstream, in systemd v. 256.6 – the latest –, as demonstrated by the output resulting from

    udevadm info --export /dev/zram0

    , in which there are no ‘ID_FS_’ variables present, udevd does not collect file system-related information from ZRAM devices. that is therefore reflected by the lsblk tool; illustration:

    $ lsblk -o fstype,fsver,mountpoint,pttype /dev/zram0
    FSTYPE FSVER MOUNTPOINT PTTYPE
                 [SWAP]

    This is about to change, however. On github.com/systemd/systemd, a code brought by the maintainer of the component util-linux, allowing persistent storage rules for ZRAM devices, was merged. However, as usual, you will need to be patient to see this change made to Fedora, which at this time only offers v. 255.12 at best.

    By then, the

    --properties-by

    option, currently only available via the master branch of the git tree, might be introduced in the util-linux v. 2.41 release. It forces

    lsblk

    to read data directly from the device by using libblkid. As a result, all properties are retrieved; command illustration:

    sudo ./lsblk --properties-by blkid -o fstype,fsver,pttype /dev/zram0

    . Regards.

  2. null_pointer_00

    Why not “lsgpu”?

  3. null_pointer_00

    GPU is plugged to a PCI slot, sorry!

Leave a Reply


The interval between posting a comment and its appearance will be irregular so please DO NOT resend the same post repeatedly. All comments are moderated but this site is not monitored continuously so comments will not appear as soon as posted.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions