lsof -c <process name> -r

Monitoring file handles used by a particular process

-r : repeat mode

By: frank514
2010-10-13 20:16:51

These Might Interest You

  • whowatch is a interactive, ncurses-based, process and users monitoring tool, which updates information in real time. This is a perfect tool for local and remote servers. It displays information about the users currently logged on to the machine, in real-time. Besides standard information (login name, tty, host, user's process), the type of the connection (ie. telnet or ssh) is shown. Display of users command line can be switch to tty idle time. Certain user can be selected and his processes tree may be viewed as well as tree of all system processes. Tree may be displayed with additional column that shows owner of each process. In the process tree mode SIGINT and SIGKILL signals can be sent to the selected process. Killing processes is just as simple and fun as deleting lines on the screen.

    cryptema · 2011-06-30 22:45:39 1
  • This command uses the debugger to attach to a running process, and reassign a filehandle to a file. The two commands executed in gdb are p close(1) which closes STDOUT and p creat("/tmp/filename",0600) which creates a file and opens it for output. Since file handles are assigned sequentially, this command opens the file in place of STDOUT and once the process continues, new output to STDOUT will instead be written to our capture file. Show Sample Output

    yes 'Y'|gdb -ex 'p close(1)' -ex 'p creat("/tmp/output.txt",0600)' -ex 'q' -p pid
    adminzim · 2009-02-20 17:36:57 4
  • Monitoring a log file with 'tail -f' is handy, but for emacs users monitoring the file with emacs is even better, because you can use all your familiar key bindings for copying regions, etc.

    function emon { emacs "$1" --eval '(auto-revert-tail-mode)' --eval '(setq buffer-read-only t)' --eval '(goto-char (point-max))' }
    wytten12 · 2012-11-21 17:24:27 0
  • dsniff is general purpose password sniffer, it handles *lots* of different protocols, but it also handles tcp-style expressions for limiting analyzed traffic - so I can limit it to work on pop3 only. Show Sample Output

    dsniff -i any 'tcp port pop3'
    depesz · 2010-11-18 09:43:40 0

  • 0
    watch "ls -al myfile"
    tonk · 2013-05-08 12:40:40 0
  • I have come across a situation in the past where someone has unlinked a file by running an 'rm' command against it while it was still being written to by a running process. The problem manifested itself when a 'df' command showed a filesystem at 100%, but this did not match the total value of a 'du -sk *'. When this happens, the process continues to write to the file but you can no longer see the file on the filesystem. Stopping and starting the process will, more often than not, get rid of the unlinked file, however this is not always possible on a live server. When you are in this situation you can use the 'lsof' command above to get the PID of the process that owns the file (in the sample output this is 23521). Run the following command to see a sym-link to the file (marked as deleted): cd /proc/23521/fd && ls -l Truncate the sym-link to regain your disk space: > /proc/23521/fd/3 I should point out that this is pretty brutal and *could* potentially destabilise your system depending on what process the file belongs to that you are truncating. Show Sample Output

    lsof +L1
    dopeman · 2010-07-14 17:21:01 2

What Others Think

All this shows me is a row of ======= ======= continuously.
Habitual · 396 weeks and 6 days ago
Habitual, I reckon the -c argument is not picking up the command name you are passing to it. Try: $ lsof -t -c commandname It should return a PID, if not then recheck your command name. Note case sensitivity is import.
zlemini · 396 weeks and 5 days ago
Well, stupid me, as usual didn't READ the post. lsof -c 21029 -r vs lsof -c skype -r Thanks for the assist! :)
Habitual · 396 weeks and 5 days ago

What do you think?

Any thoughts on this command? Does it work on your machine? Can you do the same thing with only 14 characters?

You must be signed in to comment.

What's this? is the place to record those command-line gems that you return to again and again. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.

Share Your Commands

Stay in the loop…

Follow the Tweets.

Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.


Subscribe to the feeds.

Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):

Subscribe to the feed for: