Tales From The Command Line: What’s Going On? (lsof)

As mentioned in the previous installment, there is a very useful command buried deep within the confines of your OS X terminal. This command – lsof (LiSt Open Files) – is like the Swiss Army knife of utilities, providing information on files, directories, volumes and even what is happening on the network. Unlike iftop, lsof does not require any downloads. Simply open up a Terminal.app session and enter: lsof.

Give that command a minute to run and prepare to be overwhelmed with information in a cryptic, textual, tabular format. The command, used in that way, is actually pretty useless (from an interactive standpoint). Its true power is unleashed when it is run with the proper command-line options and execution privileges and grouped with some other command-line-fu. After the small primer in this post, you should be well equipped to figure out what applications are talking on the network, what files your applications have open and what is keeping your volumes from being ejected.

Before we begin, it may be a bit confusing when a utility that claims to list open files can provide information on network traffic. You have to remember that in OS X (UNIX-like systems in general) an open file may be a regular file, a directory, a block special (enables communication with device drivers) file, a character special (facilitates communication with a device one character at a time) file, a library, a stream or a network file (i.e. a network connection).

The examples in this post also make heavy use of CLIX (Command Line Interface for OS *X*). As you’ll see, lsof output can be a bit much for those just getting started with Terminal.app and CLIX provides a nice wrapper around the OS X command line utilities and allows you to keep similar commands organized with a much friendlier output window than the Terminal. It comes with an amazing set of pre-built command libraries that are well worth the time to go through. You will come away with a great education on the innards of OS X.

Files A-Plenty

While we do ultimately want to use lsof to find out what is happening on the network, seeing just what is “open” at any given moment on your Mac can be quite eye-opening. If you installed CLIX, navigate to the “CLIX Command Files” folder and double-click list.clix.

Sort the list that comes up by “Title”, locate “Open Files” and double-click it (command-line purists can just run lsof -l +L -R -V).

You should see a fairly substantial output list. These are all the open files you can see with your user privileges. CLIX has an option to enter your administrative password (Edit->Sudo…) that will let the lsof command use admin privileges (which will make the list even more substantial) if you prefix it with sudo (and a space). It can be very useful to add a series of CLIX entries with “sudo” prefixes to commands like lsof if you find yourself using them quite a bit.

A small modification (which you can add as an item to “list.clix” or just enter in the terminal) gives you a way to see what process (application) has a file open on a mounted volume (which is problematic if you want to eject that volume). Just enter:

lsof -l +L -R -V | grep "/Volumes"

and look through the first and last columns to tie the application name to the resource it has open. You can see from my example that Preview has one graphic open on another volume. You may need to execute this as sudo lsof -l +L -R -V | grep "/Volumes" if your user privileges are not sufficient to see what is open (this should not be the case, but it can help find those stubborn open files that are keeping your disk from dismounting).

A further small modification is to see what a particular application (process) has open. Simply change the command to be: lsof -l +L -R -V -c Safari (change “Safari” to the app you are interested in) and the output will be filtered to only include what is open by the process you specify.

What Goes Where?

Back in CLIX, navigate to “Open Network Files” and run that command line (lsof -l -i +L -R -V) [again, prefix this with sudo to see more entries].

In this example, you can see that:

  • the Finder is connected to the local machine
  • Radioshift is listening for connections
  • Dropbox is super busy
  • SystemUIServer (a background process that controls several aspects of the Mac OS X user interface) is chillin’
  • and Safari & Adium are engaged in some sort of external communication (both of which seem valid)

What you should be looking out for are network connections to or from destinations that you do not recognize or unfamiliar application (process) names that are engaged in network communication. Generally speaking, if you do not recognize the name (when running without sudo) then you may have some not-so-cool things going on.
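
The check described above can be scripted. The following is an added example, not part of the original post: it reads lsof's machine-readable field output (-F pcn) and marks every network file whose process name is missing from an allowlist. The allowlist contents, the function names and the sample records (including the "updaterd" process and the documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Constructed allowlist: comma-separated process names you expect on the network.
KNOWN="Finder,Radioshift,Dropbox,SystemUIServer,Safari,Adium"

# Reads `lsof -F pcn` field output on stdin. Each line starts with a field id:
#   p = PID, c = command name, f = file descriptor, n = file name (endpoint).
# Prints: STATUS <tab> COMMAND <tab> PID <tab> KIND <tab> ENDPOINT
audit_lsof() {
    awk -v known="$KNOWN" '
        BEGIN { n = split(known, k, ","); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^p/ { pid = substr($0, 2); cmd = "?"; next }   # new process record
        /^c/ { cmd = substr($0, 2); next }
        /^n/ {
            name   = substr($0, 2)
            status = (cmd in ok) ? "known" : "REVIEW"
            # "local->remote" means a peer exists; otherwise the socket is listening/unconnected
            kind   = (index(name, "->") > 0) ? "connected" : "listening"
            printf "%s\t%s\t%s\t%s\t%s\n", status, cmd, pid, kind, name
        }'
}

# Constructed sample in the shape lsof prints for: lsof -nP -i -F pcn
sample_lsof_output() {
    cat <<'EOF'
p312
cFinder
f10
n127.0.0.1:49152->127.0.0.1:631
p455
cRadioshift
f7
n*:8123
p501
cSafari
f22
n192.0.2.10:50211->198.51.100.7:443
p777
cupdaterd
f5
n192.0.2.10:50300->203.0.113.66:8443
f6
n*:4444
EOF
}

# Demo on the sample. On a live system, feed it real data instead:
#   sudo lsof -nP -i +c 0 -F pcn | audit_lsof
# (-n/-P skip name lookups, +c 0 asks for untruncated command names)
sample_lsof_output | audit_lsof
```

A REVIEW line only means the name is not on your list; confirm what the process is before treating it as hostile, since a process name by itself proves nothing.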

A More Mac-like Experience

It’s A Very Good Thing to know how things work under the hood, but you may be the type of user who – like most drivers – wants someone else to “change the oil”. As has been indicated previously, Little Snitch is a great program to both help you detect what is going on and give you control over it. The app is not free – it costs $29.95 – but if it helps prevent even one bad connection from getting through, then it may be a very justifiable expense.

If you have any questions or suggestions on this topic or come up with a cool CLIX command library you want to share, definitely drop a note in the comments.