How To Find a File In Linux From the Command Line

Find files in Linux

Need to know how to find a file in Linux? Well, surprise, surprise, you’re going to need the find command in Linux to scour your directory or file system. The Linux find command can filter objects recursively using a simple conditional mechanism, and if you use the -exec flag, you’ll also be able to find a file in Linux straightaway and process it without needing to use another command.

Locate Linux Files by Their Name or Extension

Type find into the command line to track down a particular file by its name or extension. If you want to look for *.err files in the /home/username/ directory and all sub-directories, try this:

find /home/username/ -name "*.err"

Typical Linux Find Commands and Syntax

find command expressions look like this:

find command options starting/path expression

The options attribute controls the behavior and optimization method of the find process. The starting/path attribute defines the top-level directory where the find command in Linux begins the filtering process. The expression attribute controls the assessments that scour the directory tree to create output.

Let’s break down a Linux find command where we don’t just want Linux find file by name:

find -O3 -L /var/www/ -name "*.html"

It enables the top-level optimization (-O3) and permits find to follow symbolic links (-L). The find command in Linux searches through the whole directory hierarchy under /var/www/ for files that have .html on the end.

Basic Examples

1. find . -name thisfile.txt

If you need to know how to find a file in Linux called thisfile.txt, it will look for it in current and sub-directories.

2. find /home -name *.jpg

Look for all .jpg files in the /home and directories below it.

3. find . -type f -empty

Look for an empty file inside the current directory.

4. find /home -user randomperson-mtime 6 -iname ".db"

Look for all .db files (ignoring text case) that have been changed in the preceding 6 days by a user called randomperson.

Options and Optimization for Find Command for Linux

find is configured to ignore symbolic links (shortcut files) by default. If you’d like the find command to follow and show symbolic links, just add the -L option to the command, as we did in this example.

find can help Linux find file by name. The Linux find command enhances its approach to filtering so that performance is optimised. The user can find a file in Linux by selecting three stages of optimisation-O1, -O2, and -O3. -O1 is the standard setting and it causes find to filter according to filename before it runs any other tests.

-O2 filters by name and type of file before carrying on with more demanding filters to find a file in Linux. Level -O3 reorders all tests according to their relative expense and how likely they are to succeed.

  • -O1 – (Default) filter based on file name first
  • -O2 – File name first, then file-type
  • -O3 – Allow find to automatically re-order the search based on efficient use of resources and likelihood of success
  • -maxdepth X – Search this directory along with all sub-directories to a level of X
  • -iname – Search while ignoring text case.
  • -not – Only produce results that don’t match the test case
  • -type f – Look for files
  • -type d – Look for directories

Find Files by When They Were Modified

The Linux find command contains the ability to filter a directory hierarchy based on when the file was last modified:

find / -name "*jpg" -mtime 5

find /home/randomuser/ -name "*jpg" -mtime 4

The initial Linux find command pulls up a list of files in the whole system that end with the characters jpg and have been modified in the preceding 5 days. The next one filters randomuser’s home directory for files with names that end with the characters “conf” and have been modified in the preceding 4 days.

Use Grep to Find Files Based on Content

The find command in Linux is great but it can only filter the directory tree according to filename and meta data. To search files based on what they contain you’ll need a tool like grep. Take a look:

find . -type f -exec grep "forinstance" '{}' \; -print

This goes through every object in the current directory tree (.) that’s a file (-type f) and then runs grep ” forinstance ” for every file that matches, then prints them on the screen (-print). The curly braces ({}) are a placeholder for those results matched by the Linux find command. The {} go inside single quotes (‘) so that grep isn’t given a misshapen file name. The -exec command is ended with a semicolon (;), which also needs an escape (\;) so that it doesn’t end up being interpreted by the shell.

Before -exec was implemented, xargs would have been used to create the same kind of output:

find . -type f -print | xargs grep "forinstance"

How to Locate and Process Files Using the Find Command in Linux

The -exec option runs commands against every object that matches the find expression. Let’s see how that looks:

find . -name "rc.conf" -exec chmod o+r '{}' \;

This filters all objects in the current directory tree (.) for files named rc.conf and runs the chmod o+r command to alter file permissions of the results that find returns.

The root directory of the Linux is where the commands that -exec runs are executed. Use -execdir to execute the command you want in the directory where the match is sitting, because this might be more secure and improve performance under certain circumstances.

The -exec or -execdir options will continue to run on their own, but if you’d like to see prompts before they do anything, swap out -exec  -ok or -execdir for -okdir.

Finding and Deleting using the Linux Command Line

*Be very careful about using this option.*

If you put -delete at the end of a match expression it will delete every file that matches, so you need to be absolutely sure that the results you are going to get will definitely be for the files that you want to delete. It goes without saying that you could wreak havoc on the system if you get this wrong!

In this example, find turns up every file in the directory tree, beginning with the present one, and deletes all files that end with the characters .bak:

find . -name "*.bak" -delete

Easy Steps to List All Open Linux Ports

Open Linux Ports

If you wanted to know what you need to do to list all of the open ports in a Linux instance you’ve come to the right place. But, what is a port and why would you want to have a list of all the open ports?

In short, a port is an access point that an operating system makes available so that it can facilitate network traffic with other devices or servers, while also differentiating the traffic in order to understand what service or app the traffic is being sent to.

There are two common protocols when it comes to ports: TCP, or the transmission control protocol; and of course, UDP – the user datagram protocol. Each of these protocols have a range of port numbers which is commonly classified into three groups:

Linux System Ports

Also known as “well-known” ports. These are port numbers from 0 to 1023 which are considered important for typical system use, commonly these ports are considered quite critical for ensuring ongoing communications services.

Linux User Ports

Also know as “registered ports” which range from 1024 to 49151. It is possible to send a request to the Internet Assigned Numbers Authority (IANA) to request retention of one of these ports for your application.

Linux Private Ports

Also known as “dynamic ports” range from 49152 to 65535. These ports are open for whatever use case you deem privately necessary and so are dynamic in nature – they are not fixed to specific applications.

Now, even though many ports have specific uses, it is important to keep an eye on ports which are “open” without the need for that port to be open. This is because ports that are unnecessarily left open can be a security risk – and also a sign that an intrusion is actively occurring.

Understanding which ports are open and “listening” for communications is therefore absolutely crucial to ensuring that you block efforts to break into your systems. Of course, some common ports need to be left open in order to facilitate ordinary internet communications. For example:

  • FTP (the file transfer protocol) uses port 20 for data transfers
  • Likewise, FTP uses port 21 to issue commands and to control the FTP session
  • Port 22 is dedicated to SSH, or secure shell login
  • Telnet uses port 23 to facilitate remote logins but this port entails unencrypted messaging which is not secure so it’s not really recommended for use
  • E-mail routing via SMTP (the simple mail transfer protocol) is achieved on port 25
  • Port 43 is dedicated to the WHOIS system which can check who owns a domain
  • The domain name service (DNS) makes use of port 53
  • DHCP uses port 67 as the server port, and port 68 as the client port
  • HTTP, the hypertext transfer protocol, uses port 80 to deliver web pages
  • POP3, the e-mail centric “post office protocol” uses port 110
  • Port 119 is used by the news transfer protocol, NNTP
  • The network time protocol, NTP, uses port 123
  • IMAP, another email protocol, makes use of port 143 to retrieve email messages
  • SNP or the simple network management protocol uses port 161
  • Port 194 is dedicated to IRC, the internet relay chat app
  • Port 443 is dedicated to HTTPS, the secure version of HTTP delivered over TLS/SSL
  • SMTP, the simple mail transfer protocol, uses port 587 to submit emails

It is often possible to configure a specific service to use a port which is not the standard port, but this configuration needs to be made on both the sender and recipient side – in other words, on both client and server. Otherwise if only one side uses a non-standard port configuration communication won’t be possible.

How do you get a simple list of common ports that are open? Use this command:

$ cat /etc/services

Alternatively, you can modify the size of the list you get by adding “less” to your command

$ cat /etc/services | less

However, you can use a range of other commands on a Linux machine which will give you all the TCP and the UDP ports which are open and ready to receive communication from other machines. We will cover three in the following section – Isof, netstat and nmap.

The netstat or network statistics command

Most Linux distributions will include netstat by default, in their installations. It’s a really capable tool which can display all the TCP/IDP network connections that are active – both for incoming connections, and outgoing connections. It also displays routing tables plus the number of the network interface alongside comprehensive statistics for network protocols.

So, you can use netstat to troubleshoot and to measure the performance of your network. While basic, it is a useful and essential too for finding faults in network services. It clearly tells you which ports are open, and where a program or service is listening on a specific port. We will now give you some examples on how to make use of netstat.

Retrieving a list of all TCP and UDP ports which are currently listening

It’s simple really, just use the -a flag alongside a pipe that specifies less, this will give you TCP and UDP ports which are currently listening

$ netstat -a | less

To list all the connections that are listening

Make use of the -l flag in the netstat command to get a list of every port connection which is actively listening

$ netstat -l

Display ports that are open, alongside current TCP connections

Here, we combine a couple of flags in order to show a list of ports which are open and the established (TCP) connections.

$ netstat -vatn

A list of open UDP ports

You might only want to see the UDP ports which are open, excluding the open TCP ports. The command you need is this:

$ netstat -vaun

Get a list of your Linux services which are listening on TCP and UDP, a list of the open ports on your machine which are free, alongside the name and the PID of the service or program

This command gives you all the services and apps which listen on either TCP or UDP. It also gives you the open ports on your Linux instance which are free, plus the program name and process ID that is associated with every open socket.

$ netstat -tnlup

So you can see how the different commands you can use with netstat makes it very versatile, allowing you to see what the status quo is on your Linux machine. But what exactly does these individual flags mean? It’s simple really:

  • -a will show all sockets that are listening and all non-listening sockets too
  • -l only shows ports which are actively listening
  • -v means “verbose” and tells netstat to include additional information about any address families that are not currently configured
  • -t restricts the listing to TCP connections only
  • -u restricts the listing to UDP connections only
  • -n tells netstat to display the numerical addresses too
  • -p adds the process ID (PID) as well as the name of the program

Keep in mind that the seven flags we’ve shown above are just a couple of the many flags you can specify for netstat. Check out the help file by triggering

$ man netstat

You’ll get a full listing of all the options and features you can make use of with netstat.

nmap – the Network Mapper command

An open source tool, nmap is great for exploring your network, scanning it for security vulnerabilities and to audit your network. That said, new users might find nmap challenging to use because it is so feature-rich: nmap comes with so many options that you might find it difficult to figure out, even if it does mean it is a very robust tool.

It’s worth remembering that nmap will deliver very extensive information about the network that it is scanning. So, do not use nmap on a network unless you have permission to examine it – permission to scan it, basically. You need to have a reason to use nmap, in other words, and the permission of the network owner.

We will now give you a basic overview of nmap including typical usage of the map command. To start off with, here is the instructions you need to install nmap if you have Ubuntu or Debian server:

$ sudo apt-get install nmap

The command is slightly different if you’re using RHEL or CentOS:

$ sudo yum install nmap

There’s a file you can view for a wider picture of ports and services. Use this command:

$ less /usr/share/nmap/nmap-services

It’s an example of exactly how extensive the details are when you use nmap as a tool. If you want to experiment with nmap you could try to check out your own virtual private server, but you could also give nmap a go on the official nmap test server – located at

In order to try out some basic nmap commands we will make use of sudo privileges to ensure that the queries give complete results – not partial results. Remember, some nmap commands will take a little bit longer to execute.

Throughout these examples we will make use of as the example domain; replace your actual domain in place of when you run this command.

Scanning for open ports on a domain

$ sudo nmap -vv

Here you can see we have used the -vv flag, which has a specific function. When you use -vv it means “verbose”, in other words it will show you extensive output, including the process as nmap scans for open ports. Leave out the -vv flag and you will quickly see the difference.

List of ports that are listening for connections via TCP

$ sudo nmap -sT

You’ll note the -sT flag, this is usually what you’d specify to scan for TCP connections when a SYN scan cannot be performed.

List of ports that are listening for connections via UDP

$ sudo nmap -sU

So, -sU is what you use to get a UDP scan. However you can scan for both UDP and TCP connections by using another flag, -sS. You’ll get a list covering both UDP and TCP.

Look at a specific port (instead of all ports)

$ sudo nmap -p port_number

In this case, -p means that you only look at the port number specified in place of “port_number”.

Scan every open port on both TCP and UDP

$ sudo nmap -n -Pn -sT -sU -p-

We use two flags here: first -n which specified to nmap that it must not make a reverse domain resolution for an active IP address, where it finds one. -Pn disables pinging, treating all of the hosts as if they are online.

It’s just a few examples but nmap is a really fantastic tool than can help you a lot. Remember, typing $ man nmap will give you a full list of all the tools at your disposal; many of these are very useful for exploring the security of your network and to find potentially vulnerable points.

The lsof (List Open Files) command

It’s easy to remember what lsof means – the list open files command – just take ls as “list” and of as “open files” and you’ll clearly see why lsof means “list open files”.

Listing all active network connections

Use the -i flag with lsof in order to get a full list of every network connection which is both listening and established.

$ sudo lsof -i

Find a process that is using a specified port

As an example, for all processes which are currently operating on port 22, you’ll run this command:

$ sudo lsof -i TCP:22

Get a list of all the UDP and TCP connections

To list every single UDP and TCP connection just use this command:

$ sudo lsof -i tcp; sudo lsof -i udp;

Just like with nmap, you can check the manual for lsof in order to get a full view of all the options you have when you are using lsof.

So, to wrap up, Linux fans must understand at least a little bit about ports – particularly if they plan on managing Linux servers. We’ve given three examples of great tools – nmap, lsof and netstat – which will help you on the way to understanding which ports are open on your machine, and which services are active on your server.

We suggest that you take a look at the man pages for each of these commands so that you can get a better idea of what they do. While these tools are great for checking the exposure on your own network, never abuse any of these tools by scanning networks that do not belong to you.