My laptop's fan ran a bit harder than usual for a few days. It was consistent even when only my browser and text editor were open, and nothing visible seemed to trigger it. Using htop showed normal CPU and memory usage, but I knew something was off.
I needed to see what the task manager wasn't showing, so I used the lsof command. This command produced a live map of all open files and resources on the computer. The results were stunning and changed the way I think of the software I run.
What lsof is
And why "list open files" is the most misleading name in Linux
On Linux, files aren't just documents in folders; they can be inter-process pipes, device nodes, or network sockets. This makes lsof's list of open files a live map of everything the Linux system is touching. The tool is far more powerful than its name suggests.
Most standard Linux installations already include this tool. It may be absent on minimal installations of Ubuntu, Fedora, or Debian, but you can install it with a single command:
- Debian/Ubuntu: sudo apt install lsof
- Fedora/RHEL: sudo dnf install lsof
Running lsof produces intimidating output, but you only need to focus on these four columns to make sense of it:
| Column | What it means |
|---|---|
| COMMAND | The app or process that has something open |
| PID | Its unique ID number (you'll need this if you want to act on it) |
| TYPE | What kind of resource it has open (a regular file, a network socket, a pipe, or a device) |
| NAME | The specific file path, IP address, or port it is touching |
On macOS, running lsof with sudo reveals processes beyond the current user, though some system daemons remain inaccessible due to macOS security.
The commands I ran
In the order I actually ran them, including the one that made me stop
I started by running broad lsof commands and gradually narrowed them down:
First: lsof -i
It shows a current list of processes with active network connections. Running it with sudo shows processes beyond the current user, including background daemons. The results I saw felt like much more than I expected for an idle machine.
Second: lsof -p $(pgrep -d','
With this command, you can see everything a specific app currently has open. pgrep -d','
Make sure the app is running when you run the command; if not, lsof will throw an error since there is no value for pgrep to return.
Third: lsof -i :443
Encrypted HTTPS traffic uses port 443. Running the command above shows processes actively making encrypted outbound calls. It was another point where I saw more entries than I expected when I ran it with only my browser and text editor open.
Fourth: lsof +D /home/afam
This command revealed all the processes actively touching files in my home directory. Adding +D allows it to search recursively through all subdirectories, but this also means that the command may run slower. The lowercase +d gives you just the top-level directory. Most of the results I got were expected, but one surprised me.
What was actually running on my machine
One thing was harmless, one thing I couldn't explain away
The false alarm — sockets in TIME_WAIT
I observed several connections showing as TIME_WAIT, which led me to believe something was hanging, but I was wrong. TIME_WAIT is normal on the endpoint that closed a connection: sockets linger briefly to drain stray packets and avoid port collisions. So even if it looks alarming in the lsof results, it's an expected and temporary occurrence.
The genuine surprise — my text editor phoning home
lsof -i :443 showed my text editor maintained an outbound HTTPS connection even when I thought it was idle. The IP resolved to a cloud infrastructure provider for telemetry and extension update checks. This wasn't malicious, but before this test I had no idea it ran on its own schedule.
The relatable one — the browser that never fully closes
lsof -p showed my browser had open file descriptors, and even after I closed it, at least two network sockets remained. This seems to be common practice with browsers, as it's important for notifications and updates.
While all this data was good to observe, you should understand that lsof has limitations. The most notable is that while it shows you an open connection and where it's going, it doesn't reveal what data is passing through. You would need a different tool to see traffic content.
What you can do with the output
With the level of detail lsof exposes, what should be your next step? Well, you have a few options. The first is to look up an unknown connection. Run whois on an address copied from the NAME column. I have found that many unexpected addresses typically trace back to AWS, Google Cloud, Akamai, or other popular infrastructure providers. However, it is more useful to investigate a process name when it's unfamiliar.
You can also choose to monitor for an extended period, because a single result may not tell the whole story. Running a command like watch -n 2 lsof -i gives a live feed for this purpose. But in some cases, you should safely stop the process with the command kill
Optionally, you may use the strace tool on Linux. strace is complementary to lsof: it traces a program's system calls and runtime behavior rather than listing open resources.
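As an added example (not from the original article), the script below takes the monitoring idea further: it reduces two lsof -i -n -P snapshots to the unique established endpoints per process and prints only those that appeared in between. The snapshot data, process names and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: report outbound endpoints that appeared between two lsof snapshots.
# Real snapshots would come from:  sudo lsof -i -n -P > snapshot.txt
# (-n and -P keep hosts and ports numeric so the NAME column is easy to parse).

# Constructed sample data: hypothetical processes, documentation-range addresses.
snapshot_before() {
cat <<'EOF'
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
firefox 2143 afam   87u  IPv4  45123      0t0  TCP 192.0.2.20:51844->203.0.113.10:443 (ESTABLISHED)
sshd     811 root    3u  IPv4  20111      0t0  TCP *:22 (LISTEN)
EOF
}
snapshot_after() {
cat <<'EOF'
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
firefox 2143 afam   87u  IPv4  45123      0t0  TCP 192.0.2.20:51844->203.0.113.10:443 (ESTABLISHED)
firefox 2143 afam   91u  IPv4  45188      0t0  TCP 192.0.2.20:51850->203.0.113.10:443 (ESTABLISHED)
editor  3310 afam   42u  IPv4  46001      0t0  TCP 192.0.2.20:40022->198.51.100.7:443 (ESTABLISHED)
sshd     811 root    3u  IPv4  20111      0t0  TCP *:22 (LISTEN)
EOF
}

# Reduce lsof -i output on stdin to unique "COMMAND PID REMOTE" lines for
# established TCP connections; the header, LISTEN, TIME_WAIT and UDP rows drop out.
established_endpoints() {
  awk '$NF == "(ESTABLISHED)" {
         split($(NF-1), ends, "->")          # NAME column is local->remote
         if (ends[2] != "") print $1, $2, ends[2]
       }' | LC_ALL=C sort -u
}

# Print endpoints present in snapshot file $2 but not in snapshot file $1.
new_endpoints() {
  ne_old=$(mktemp); ne_new=$(mktemp)
  established_endpoints < "$1" > "$ne_old"
  established_endpoints < "$2" > "$ne_new"
  LC_ALL=C comm -13 "$ne_old" "$ne_new"
  rm -f "$ne_old" "$ne_new"
}

# Run the comparison on the constructed snapshots.
demo() {
  before=$(mktemp); after=$(mktemp)
  snapshot_before > "$before"; snapshot_after > "$after"
  new_endpoints "$before" "$after"
  rm -f "$before" "$after"
}
demo
```

The second firefox connection to the same remote address is not reported, because endpoints are deduplicated per process before the comparison.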