Have you ever tried to umount a filesystem, only to find that some process was still using it?
[root@host]# umount /mnt umount: /mnt: device is busy
To quickly hunt down what processes are still using /mnt, try the lsof tool:
[root@host]# lsof /mnt COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME bash 30951 rob cwd DIR 7,0 1024 2 /mnt
Ah, apparently rob is cd'd to /mnt (since his bash process has it set as its cwd). lsof will list all open files, directories, libraries, sockets, and devices associated with a particular process. In the above example, we specified a mount point and had lsof show us the associated processes. To do the reverse (show files associated with a PID), use the -p switch:
[root@host]# lsof -p 30563
If you'd rather specify the process by name, use -c:
[root@host]# lsof -c syslogd
You can also specify special devices on the command line. For example, let's see what the user on pts/0 is up to:
[root@host]# lsof /dev/pts/0
If you need to specify multiple switches, they are ORed with each other by default. To require all switches (that is, to AND them) include the -a flag on each switch you want to AND. For example, to see all of the open files associated with vi processes that rob is running, try this:
[root@host]# lsof -u rob -ac vi
If you'd like to examine open sockets and their associated processes (like a netstat -p), try the -i switch:
[root@host]# lsof -i -n COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME sshd 302 kivanov 3u IPv4 2726435534 0t0 TCP 126.96.36.199:ssh->188.8.131.52:56727 (ESTABLISHED) puppetmas 946 puppet 7u IPv4 2707586260 0t0 TCP *:8140 (LISTEN) snmpd 1118 snmp 8u IPv4 4053 0t0 UDP *:snmp [root@host]# lsof -i TCP:443 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME apache2 4364 root 4u IPv4 1700297415 0t0 TCP *:https (LISTEN) python 8766 www-data 5u IPv4 1991759475 0t0 TCP 184.108.40.206:56247->220.127.116.11:https (ESTABLISHED) apache2 15045 www-data 4u IPv4 1700297415 0t0 TCP *:https (LISTEN) python 16524 www-data 5u IPv4 1865357034 0t0 TCP 18.104.22.168:42225->22.214.171.124:https (CLOSE_WAIT) python 16524 www-data 6u IPv4 1865357436 0t0 TCP 126.96.36.199:47789->188.8.131.52:https (CLOSE_WAIT) python 16524 www-data 7u IPv4 1865357514 0t0 TCP 184.108.40.206:57493->220.127.116.11:https (ESTABLISHED) apache2 22970 www-data 4u IPv4 1700297415 0t0 TCP *:https (LISTEN)
Note that you must be root to run lsof for many functions, including retrieving open socket information. lsof is a complex and very flexible tool, giving you as much (or as little) detail as you need about what files are in use by every running process on your system.