linux-open-files
Queries the list of open files per process on a Linux system from the /proc filesystem. You can view all resources held open by processes, including file descriptors, memory-mapped files, and sockets.
Command properties
| Property | Value |
|---|---|
| Command type | Driver query |
| Required permission | Administrator |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Output fields
| Field | Type | Description |
|---|---|---|
pid | integer | Process ID |
cmd_line | string | Process command line |
user | string | User account that opened the file |
fd | integer | File descriptor number. Returns null for memory-mapped files or the current working directory. |
type | string | File type. REG: regular file, DIR: directory, CHR: character device, BLK: block device, FIFO: pipe, unix: Unix socket, IPv4: IPv4 socket, IPv6: IPv6 socket, netlink: netlink socket, a_inode: anonymous inode, unknown: unknown |
file_size | long | File size (bytes) |
target | string | File path or socket information |
Error codes
Parsing errors
| Error code | Message | Description |
|---|---|---|
95040 | no-read-permission | A user without administrator privileges executed the command |
Runtime errors
N/A
Description
The linux-open-files command traverses the /proc filesystem to collect the list of files open by each process.
For each process, it queries three types of resources:
/proc/PID/cwd: The current working directory of the process.typeis returned asDIR./proc/PID/map_files: Files memory-mapped to the process.typeis returned asREG./proc/PID/fd: File descriptors open by the process. Classified as regular file, socket, pipe, etc., based on the type of the symbolic link target.
If a file descriptor points to a socket, it is cross-referenced with network status information from /proc/net/tcp, /proc/net/udp, etc., to determine the socket type. TCP or UDP sockets are classified as IPv4 or IPv6 based on the IP address version; netlink sockets are classified as netlink.
Examples
-
Query all open files
linux-open-filesQueries the open file list for all processes.
-
Query open files for a specific process
linux-open-files | search pid == 1Queries the open file list for the process with PID 1 (init/systemd).
-
Query processes with deleted files still open
linux-open-files | search type == "REG" and target == "*(deleted)*"Queries processes that still have deleted regular files open.
-
Query processes using network sockets
linux-open-files | search type == "IPv4" or type == "IPv6" | stats dc(target) as socket_count by pid, cmd_lineAggregates the number of sockets per process using network sockets.