Temporary files listed by lsof don't exist
Solution 1:
On some unix variants, lsof shows files that have been deleted but are still open. More precisely, these files have a “link count” of 0, meaning that there is no directory entry (no link, i.e. no name) that leads to them, but the file data still exists. The file data will be deleted when the file is closed.
The ability of lsof to display files with a link count of 0 depends on the platform, and I can't find anything in the documentation regarding the situation on OS X. Try running lsof +L to see the files' link count, or lsof +L1 to list only files with a link count of 0.
I wouldn't be surprised if the flash plugin created the file and immediately deleted in, it's a simple technique for making the data harder to obtain from outside the application. In other words, it's what the plugin author would do precisely to make it hard to do what you're trying to do. If that's what going on, you could counter it with something like libtrash for OSX.
Solution 2:
lsof without sudo may not list all open files
Rule of thumb:
- to ensure comprehensive results from
lsof, usesudo
Example
Run the two commands below. Observe the differences in output. With privileges, expect to find many more lines.
Without superuser privileges
lsof / | grep root
Result:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
Spotlight 325 user_name_here txt REG 1,5 257996 8609539837 /System/Library/PrivateFrameworks/NLP.framework/Versions/A/Resources/root.cache
With privileges
sudo lsof / | grep root
Result:
Password:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
launchd 1 root cwd DIR 1,5 928 2 /
launchd 1 root txt REG 1,5 345584 8624629318 /sbin/launchd
launchd 1 root txt REG 1,5 973824 8624630575 /usr/lib/dyld
launchd 1 root 44r REG 1,5 358 8609644469 /private/etc/security/audit_control
launchd 1 root 46r REG 1,5 652 8609644467 /private/etc/security/audit_class
UserEvent 60 root cwd DIR 1,5 928 2 /
UserEvent 60 root txt REG 1,5 35184 8624631345 /usr/libexec/UserEventAgent
... ...