NAME
fstat —
display status of open
files
SYNOPSIS
fstat |
[-Afnv]
[-M core]
[-N
system]
[-p pid]
[-u user]
[file ...] |
DESCRIPTION
fstat identifies open files. A file is considered open by a
process if it was explicitly opened, is the working directory, root directory,
active pure text, or kernel trace file for that process. If no options are
specified,
fstat reports on all open files in the system.
Options:
-
-
- -A
- Add an output column with the address of the kernel object
(vnode or file), that can be matched with
pstat(8) output.
-
-
- -f
- Restrict examination to files open in the same file systems
as the named file arguments, or to the file system containing the current
directory if there are no additional filename arguments. For example, to
find all files open in the file system where the directory
/var/log resides, type “
fstat -f
/var/log
”. Please see the BUGS
section for issues with this option.
-
-
- -M
- Extract values associated with the name list from the
specified core instead of the default /dev/kmem.
-
-
- -N
- Extract the name list from the specified system instead of
the default /netbsd.
-
-
- -n
- Numerical format. Print the device number (maj,min) of the
file system the file resides in rather than the mount point name; for
special files, print the device number that the special device refers to
rather than the filename in /dev; and print the mode of
the file in octal instead of symbolic form.
-
-
- -p
- Report all files open by the specified process.
-
-
- -u
- Report all files open by the specified user.
-
-
- -v
- Verbose mode. Print error messages upon failures to locate
particular system data structures rather than silently ignoring them. Most
of these data structures are dynamically created or deleted and it is
possible for them to disappear while fstat is running.
This is normal and unavoidable since the rest of the system is running
while fstat itself is running.
-
-
- file
...
- Restrict reports to the specified files.
The following fields are printed:
-
-
USER
- The username of the owner of the process (effective
UID).
-
-
CMD
- The command name of the process.
-
-
PID
- The process ID.
-
-
FD
- The file number in the per-process open file table or one
of the following special names:
text
- pure text inode
wd
- current working directory
root
- root inode
tr
- kernel trace file
If the file number is followed by an asterisk (“*”), the file is
not an inode, but rather a socket, FIFO, or there is an error. In this
case the remainder of the line doesn't correspond to the remaining headers
-- the format of the line is described later under
SOCKETS.
-
-
MOUNT
- If the -n flag wasn't specified, this
header is present and is the pathname that the file system the file
resides in is mounted on.
-
-
DEV
- If the -n flag is specified, this header
is present and is the major/minor number of the device that this file
resides in.
-
-
INUM
- The inode number of the file.
-
-
MODE
- The mode of the file. If the -n flag
isn't specified, the mode is printed using a symbolic format (see
strmode(3)); otherwise, the
mode is printed as an octal number.
-
-
SZ|DV
- If the file is not a character or block special file,
prints the size of the file in bytes. Otherwise, if the
-n flag is not specified, prints the name of the special
file as located in /dev. If that cannot be located, or
the -n flag is specified, prints the major/minor device
number that the special device refers to.
-
-
R/W
- This column describes the access mode that the file allows.
The letter “r” indicates open for reading; the letter
“w” indicates open for writing. This field is useful when
trying to find the processes that are preventing a file system from being
downgraded to read-only.
-
-
NAME
- If filename arguments are specified and the
-f flag is not, then this field is present and is the
name associated with the given file. Normally the name cannot be
determined since there is no mapping from an open file back to the
directory entry that was used to open that file. Also, since different
directory entries may reference the same file (via
ln(1)), the name printed may not
be the actual name that the process originally used to open that
file.
SOCKETS
The formatting of open sockets depends on the protocol domain. In all cases the
first field is the domain name and the second field is the socket type
(stream, dgram, etc.). The remaining fields are protocol dependent. For TCP,
it is the address of the tcpcb, and for UDP, the inpcb (socket pcb). For
UNIX domain sockets, its the address of the socket pcb
and the name of the file if available. Otherwise the address of the connected
pcb is printed (if connected). For other domains, the protocol number and
address of the socket itself are printed. The attempt is to make enough
information available to permit further analysis without duplicating
netstat(1).
For example, the addresses mentioned above are the addresses which the
“
netstat -A
” command would print for TCP,
UDP, and
UNIX domain. For kernels compiled with
PIPE_SOCKETPAIR
pipes appear as connected
UNIX domain stream sockets. A unidirectional
UNIX domain socket indicates the direction of flow
with an arrow (“<-” or “->”), and a full duplex
socket shows a double arrow (“<->”).
For internet sockets
fstat also attempts to print the internet
address and port for the local end of a connection. If the socket is
connected, it also prints the remote internet address and port. An asterisk
(“*”) is used to indicate an INADDR_ANY binding.
SEE ALSO
netstat(1),
nfsstat(1),
ps(1),
sockstat(1),
systat(1),
vmstat(1),
fstat(2),
iostat(8),
pstat(8)
HISTORY
The
fstat command appeared in
4.3BSD-Tahoe.
BUGS
Since
fstat takes a snapshot of the system, it is only correct
for a very short period of time.
Moreover, because DNS resolution and YP lookups cause many file descriptor
changes,
fstat does not attempt to translate the internet
address and port numbers into symbolic names.
Note that the
-f option will not list
UNIX domain sockets open in the file system, because
the pathnames in the sockets may not be absolute and are not deterministic. To
find all the
UNIX domain sockets, use
fstat to list all the sockets, and look for the ones that
maybe belong in the file system.