Use LSOF to Monitor Ports in Real-Time

LSOF (List Open Files) is a command-line monitoring tool for Linux and Unix-like operating systems. The LSOF command reports open files and the processes that are currently accessing them.

The LSOF command-line tool is highly beneficial for system administrators and developers by allowing them to:

  • Determine the processes that are currently utilizing a specific file or port, particularly important in the event of port conflicts

  • Detect files that have been deleted but are still held open by processes, which can consume disk space unnecessarily

  • Troubleshoot errors such as “port is already in use”

  • Keep track of network activity and open network connections for monitoring purposes

  • Investigate file access patterns, contributing to the identification of potential security breaches

Basic Syntax of the LSOF Command

The syntax of the LSOF command is as follows:

$ lsof [options] [names]

Options are the flags that are used with the LSOF command. Names represent the filenames, PIDs (Process IDs), user names, or network files (IPv4, IPv6). Depending on the provided options, the LSOF command displays a list of open files corresponding to these names.

Monitor Ports in Real-Time Using the LSOF Command

LSOF is included by default in many Linux systems. You have to manually download and install one of the available packages if it is not installed. To check the LSOF installation on your system, use the following command to display the installed version:

$ lsof -v

Note that some information about processes and network connections is only visible with superuser privileges, so you may need to run the command with “sudo” to get administrative rights.

List the Network Files

When you run the LSOF command with the “-i” option, it displays the information about processes that have network connections such as listening sockets or established connections.

$ lsof -i

The previous command displays the process name (COMMAND), process ID (PID), user (USER), file descriptor (FD), type of connection (TYPE), local and remote addresses, and the connection state.

List the TCP Connections

You can filter the output based on specific criteria such as the type of connection or the port. For example, you could use “lsof -i tcp” to list only the processes associated with a TCP connection. Adding a port range narrows the list further:

$ lsof -i tcp:1-1024

The previous command filters the information about processes that have open TCP connections within the specified port range from 1 to 1024. This can be useful for identifying which processes are using the well-known ports associated with common services.

Monitor a Specific Port in Real-Time

Using LSOF, you can monitor a specific port in real time. For example, to monitor the processes related to “HTTP” on port 80 with an update every 3 seconds, run the following command:

$ lsof -i :80 -r3

Monitor the SSHD Port 22 in Real-Time

To monitor all SSHD connections that run on port 22, run the following command:

$ sudo lsof -i :22 -r3

This command continuously monitors and displays the real-time information about network connections on port 22 every 3 seconds. This is particularly useful for tracking the changes, such as new SSH connections or disconnections, as they happen in real-time.

Monitor the Port Range in Real-Time

To monitor, in real time, the processes that have open TCP connections within the port range from 1 to 1024, you can use the following command:

$ lsof -i tcp:1-1024 -r3

Monitor All Ports in Real-Time

You can monitor all network connections in real time using the LSOF command. For example, to continuously monitor and display the information about network connections every 5 seconds, run the following command:

$ lsof -i -r5

The output includes the details about processes and their associated network sockets, refreshed every 5 seconds.

Similarly, you can also monitor only the “established” TCP connections by adding a TCP state filter to the LSOF command:

$ lsof -iTCP -sTCP:ESTABLISHED -r10
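Repeat mode reprints the full listing on every cycle, so a new listener or session is easy to miss in the scroll. The following added example (not part of the original article) reports only the sockets that appear or disappear between cycles; the function names watch_changes and sample_cycles, the sample listing, and the -n and -P flags (numeric hosts and ports) are assumptions introduced here.

```shell
#!/bin/sh
# Added example: diff consecutive cycles of lsof repeat mode (-r).

# watch_changes reads lsof repeat-mode text on stdin. Each cycle ends with a
# marker line made only of "=" characters; the first cycle is the baseline.
watch_changes() {
  awk '
    /^=+$/ {
      if (seen) {
        for (k in cur)  if (!(k in prev)) print "NEW  " k
        for (k in prev) if (!(k in cur))  print "GONE " k
      }
      split("", prev)                  # portable way to empty an array
      for (k in cur) prev[k] = 1
      split("", cur)
      seen = 1
      fflush()                         # emit changes when a cycle ends
      next
    }
    $1 == "COMMAND" || NF < 9 { next } # skip header and short lines
    {
      # Fields: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
      key = $1 " pid=" $2 " user=" $3 " " $8 " " $9
      if ($10 != "") key = key " " $10
      cur[key] = 1
    }
  '
}

# Constructed sample: three cycles in the layout of "lsof -nP -i -r5".
sample_cycles() {
  cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 812 root 3u IPv4 21045 0t0 TCP *:22 (LISTEN)
nginx 990 root 6u IPv4 23110 0t0 TCP *:80 (LISTEN)
=======
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 812 root 3u IPv4 21045 0t0 TCP *:22 (LISTEN)
nginx 990 root 6u IPv4 23110 0t0 TCP *:80 (LISTEN)
sshd 1904 root 4u IPv4 30211 0t0 TCP 192.0.2.10:22->198.51.100.7:50212 (ESTABLISHED)
=======
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 812 root 3u IPv4 21045 0t0 TCP *:22 (LISTEN)
nginx 990 root 6u IPv4 23110 0t0 TCP *:80 (LISTEN)
python3 2211 alice 3u IPv4 31877 0t0 TCP *:8080 (LISTEN)
=======
EOF
}

sample_cycles | watch_changes
# Live use: sudo lsof -nP -i -r5 | watch_changes
```

Polling only sees sockets that exist at the moment of each cycle, so connections that open and close between two cycles are not reported.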

I hope that this guide will help you understand how to use the LSOF command with different options and monitor the different ports and processes in real-time.