Tables
Fleet uses osquery tables to query operating system, hardware, and software data. Each table provides specific data for analysis and filtering.
Apple
Linux
Windows
ChromeOS
process_open_sockets
process_open_sockets
Processes which have open network sockets on the system.
| Column | Type | Description |
|---|---|---|
| family | integer | Network protocol (IPv4, IPv6). Learn more |
| fd | bigint | Socket file descriptor number |
| local_address | text | Socket local address |
| local_port | integer | Socket local port |
| net_namespace | text | The inode number of the network namespace Only available on Linux |
| path | text | For UNIX sockets (family=AF_UNIX), the domain path |
| pid | integer | Process (or thread) ID |
| protocol | integer | Transport protocol (TCP/UDP) |
| remote_address | text | Socket remote address |
| remote_port | integer | Socket remote port |
| socket | bigint | Socket handle or inode number |
| state | text | TCP socket state Only available on Windows, Linux, and macOS |
Example
This table allows you to see network activity by process. With this query, list all connections made to or from a process, excluding connections to localhost and RFC1918 IP addresses.
SELECT pos.local_port, pos.remote_port, pos.remote_address, p.pid, p.path FROM process_open_sockets pos JOIN processes p ON pos.pid = p.pid WHERE remote_address NOT LIKE '192.168%' AND remote_address NOT LIKE '10.%' AND remote_address NOT LIKE '172.16.%' AND remote_address NOT LIKE '127.%' AND remote_address!='0.0.0.0' AND remote_address NOT LIKE 'fe80%' AND remote_port!='0';
Edit page
Ask us anything
Questions?
SOC2 Type 2
© 2025 Fleet Inc.
Privacy
