|-f||Restrict examination to files open in the same file systems as the named file arguments, or to the file system containing the current directory if there are no additional filename arguments. For example, to find all files open in the file system where the directory /usr/src resides, type "fstat -f /usr/src".|
|-M||Extract values associated with the name list from the specified core instead of the default /dev/kmem.|
|-N||Extract the name list from the specified system instead of the default, which is the kernel image the system has booted from.|
|-m||Include memory-mapped files in the listing; normally these are excluded due to the extra processing required.|
|-n||Numerical format. Print the device number (maj,min) of the file system the file resides in rather than the mount point name; for special files, print the device number that the special device refers to rather than the filename in /dev; and print the mode of the file in octal instead of symbolic form.|
|-p||Report all files open by the specified process.|
|-u||Report all files open by the specified user.|
|-v||Verbose mode. Print error messages upon failures to locate particular system data structures rather than silently ignoring them. Most of these data structures are dynamically created or deleted and it is possible for them to disappear while fstat is running. This is normal and unavoidable since the rest of the system is running while fstat itself is running.|
|Restrict reports to the specified files.|
The following fields are printed:
|USER||The username of the owner of the process (effective uid).|
|CMD||The command name of the process.|
|PID||The process id.|
The file number in the per-process open file table or one of the following
jail - jail root directory mmap - memory-mapped file root - root inode text - executable text inode tr - kernel trace file wd - current working directory
If the file number is followed by an asterisk (*), the file is not an inode, but rather a socket, FIFO, or there is an error. In this case the remainder of the line does not correspond to the remaining headers -- the format of the line is described later under SOCKETS.
|MOUNT||If the -n flag was not specified, this header is present and is the pathname that the file system the file resides in is mounted on.|
|DEV||If the -n flag is specified, this header is present and is the number of the device that this file resides in.|
|INUM||The inode number of the file.|
|MODE||The mode of the file. If the -n flag is not specified, the mode is printed using a symbolic format (see strmode(3)); otherwise, the mode is printed as an octal number.|
|SZ|DV||If the file is a semaphore, prints the current value of the semaphore. If the file is not a character or block special, prints the size of the file in bytes. Otherwise, if the -n flag is not specified, prints the name of the special file as located in /dev. If that cannot be located, or the -n flag is specified, prints the major/minor device number that the special device refers to.|
|R/W||This column describes the access mode that the file allows. The letter r indicates open for reading; the letter w indicates open for writing. This field is useful when trying to find the processes that are preventing a file system from being down graded to read-only.|
|NAME||If filename arguments are specified and the -f flag is not, then this field is present and is the name associated with the given file. Normally the name cannot be determined since there is no mapping from an open file back to the directory entry that was used to open that file. Also, since different directory entries may reference the same file (via ln(1)), the name printed may not be the actual name that the process originally used to open that file.|
The formatting of open sockets depends on the protocol domain. In all cases the first field is the domain name, the second field is the socket type (stream, dgram, etc), and the third is the socket flags field (in hex). The remaining fields are protocol dependent. For tcp, it is the address of the tcpcb, and for udp, the inpcb (socket pcb). For unix domain sockets, its the address of the socket pcb and the address of the connected pcb (if connected). Otherwise the protocol number and address of the socket itself are printed. The attempt is to make enough information available to permit further analysis without duplicating netstat(1).
For example, the addresses mentioned above are the addresses which the "netstat -A" command would print for tcp, udp, and unixdomain. Note that since pipes are implemented using sockets, a pipe appears as a connected unix domain stream socket. A unidirectional unix domain socket indicates the direction of flow with an arrow (<- or ->), and a full duplex socket shows a double arrow (<->).
netstat(1), nfsstat(1), procstat(1), ps(1), sockstat(1), systat(1), tcp(4), unix(4), iostat(8), pstat(8), vmstat(8)
The fstat command appeared in BSD 4.3 tahoe .
Since fstat takes a snapshot of the system, it is only correct for a very short period of time.