identify active files
utility identifies open files. A
file is considered open by a process if it was explicitly opened, is the
working directory, root directory, jail root directory, active executable
text, or kernel trace file for that process. If no options are specified,
reports on all open files in the
The following options are available:
- Restrict examination to files open in the same file systems as the named
file arguments, or to the file system containing the current directory if
there are no additional filename arguments. For example, to find all files
open in the file system where the directory
/usr/src resides, type
fstat -f /usr/src”.
- Extract values associated with the name list from the specified core
instead of the default /dev/kmem.
- Extract the name list from the specified system instead of the default,
which is the kernel image the system has booted from.
- Include memory-mapped files in the listing; normally these are excluded
due to the extra processing required.
- Numerical format. Print the device number (maj,min) of the file system the
file resides in rather than the mount point name; for special files, print
the device number that the special device refers to rather than the
filename in /dev; and print the mode of
the file in octal instead of symbolic form.
- Report all files open by the specified process.
- Report all files open by the specified user.
- Verbose mode. Print error messages upon failures to locate particular
system data structures rather than silently ignoring them. Most of these
data structures are dynamically created or deleted and it is possible for
them to disappear while
running. This is normal and unavoidable since the rest of the system is
fstat itself is
- file ...
- Restrict reports to the specified files.
The following fields are printed:
- The username of the owner of the process (effective uid).
- The command name of the process.
- The process id.
- The file number in the per-process open file table or one of the following
If the file number is followed by an asterisk (``*''), the file is not an
inode, but rather a socket, FIFO, or there is an error. In this case the
remainder of the line does not correspond to the remaining headers -- the
format of the line is described later under
jail - jail root directory
mmap - memory-mapped file
root - root inode
text - executable text inode
tr - kernel trace file
wd - current working directory
- If the
-n flag was not specified, this
header is present and is the pathname that the file system the file
resides in is mounted on.
- If the
-n flag is specified, this
header is present and is the number of the device that this file resides
- The inode number of the file.
- The mode of the file. If the
-n flag is
not specified, the mode is printed using a symbolic format (see
otherwise, the mode is printed as an octal number.
- If the file is a semaphore, prints the current value of the semaphore. If
the file is not a character or block special, prints the size of the file
in bytes. Otherwise, if the
-n flag is
not specified, prints the name of the special file as located in
/dev. If that cannot be located, or the
-n flag is specified, prints the
major/minor device number that the special device refers to.
- This column describes the access mode that the file allows. The letter
``r'' indicates open for reading; the letter ``w'' indicates open for
writing. This field is useful when trying to find the processes that are
preventing a file system from being down graded to read-only.
- If filename arguments are specified and the
-f flag is not, then this field is
present and is the name associated with the given file. Normally the name
cannot be determined since there is no mapping from an open file back to
the directory entry that was used to open that file. Also, since different
directory entries may reference the same file (via
the name printed may not be the actual name that the process originally
used to open that file.
The formatting of open sockets depends on the protocol domain. In all cases the
first field is the domain name, the second field is the socket type (stream,
dgram, etc), and the third is the socket flags field (in hex). The remaining
fields are protocol dependent. For tcp, it is the address of the tcpcb, and
for udp, the inpcb (socket pcb). For unix domain sockets, its the address of
the socket pcb and the address of the connected pcb (if connected). Otherwise
the protocol number and address of the socket itself are printed. The attempt
is to make enough information available to permit further analysis without
For example, the addresses mentioned above are the addresses which the
” command would print for
tcp, udp, and unixdomain. Note that since pipes are implemented using sockets,
a pipe appears as a connected unix domain stream socket. A unidirectional unix
domain socket indicates the direction of flow with an arrow (``<-'' or
``->''), and a full duplex socket shows a double arrow (``<->'').
command appeared in
takes a snapshot of the system,
it is only correct for a very short period of time.