strace

Trace system calls and signals

Syntax

strace [options] command [args]

or

strace [options] -p PID

Basic Usage

Trace a command

strace ls -l

Traces the ls command and shows all system calls.

Attach to running process

strace -p 1234

Attaches to process with PID 1234.

Trace with output to file

strace -o trace.log command

Trace only specific system calls

strace -e trace=open,openat,read,write command

Common Options

  • -c, --summary-only: Count time, calls, and errors for each syscall and print only the summary
  • -f, --follow-forks: Follow child processes
  • -F: Deprecated synonym for -f, kept for backward compatibility
  • -e trace=SET, --trace=SET: Trace only specified system calls
  • -o, --output: Write trace output to file
  • -p, --attach: Attach to process with PID
  • -s, --string-limit: Limit string length in output
  • -t, --absolute-timestamps: Prefix each line with timestamp
  • -tt, --absolute-timestamps=precision:us: Prefix each line with timestamp with microseconds
  • -T, --syscall-times: Show time spent in each syscall
  • -v, --no-abbrev: Unabbreviated arguments
  • -x, --strings-in-hex=non-ascii: Print non-ASCII strings in hex
  • -xx, --strings-in-hex=all: Print all strings in hex
  • -y, --decode-fds: Print paths associated with file descriptors
  • -q, --quiet: Suppress messages about attaching/detaching
  • -r, --relative-timestamps: Show relative timestamps
  • -w, --summary-wall-clock: With -c, summarize wall clock time between the start and end of each syscall

System Call Categories

Trace Categories (used as -e trace=%NAME; the form without % is deprecated)

  • %network: Network-related system calls
  • %file: File operation system calls
  • %process: Process management system calls
  • %memory: Memory management system calls
  • %signal: Signal handling system calls
  • %ipc: Inter-process communication calls
  • %desc: File descriptor operations

Practical Examples

Basic tracing

strace ls -la

Trace with summary

strace -c ls -la

Trace only file operations

strace -e trace=%file ls -la

Trace only network calls

strace -e trace=%network curl example.com

Trace with timestamps

strace -t ls -la

Trace with microsecond timestamps

strace -tt ls -la

Trace with syscall timing

strace -T ls -la

Trace with output to file

strace -o trace.log ls -la

Trace with string length limit

strace -s 100 ls -la

Trace with hex output

strace -x ls -la

Trace with file descriptor paths

strace -y ls -la

Trace child processes

strace -f command

Trace specific system calls

strace -e trace=open,openat,read,write,close command

Trace with relative timestamps

strace -r command

Understanding Output

Output Format

  • System Call Name: Name of the system call
  • Arguments: Parameters passed to the system call
  • Return Value: Result of the system call
  • Error Information: Error details if call fails
  • Timing: Time spent in system call (with -T)
  • File Descriptors: Associated file paths (with -y)
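
The fields listed above can be pulled out of a saved trace for auditing. The following is an added example, not part of the original page: it parses lines in the layout assumed for `strace -f -tt -T -y -o trace.log CMD`, joins "unfinished"/"resumed" pairs, and lists calls the kernel denied. The names SAMPLE, parse and failures are hypothetical, and the sample lines are constructed.

```python
import re

# Constructed sample in the layout of `strace -f -tt -T -y -o trace.log CMD`
# (PIDs, paths, addresses and times are made up, not from a real run).
SAMPLE = r'''
4021 10:15:02.100001 execve("/usr/bin/app", ["app"], 0x7ffd1c2a3b40 /* 12 vars */) = 0 <0.000412>
4021 10:15:02.100950 openat(AT_FDCWD, "/etc/app.conf", O_RDONLY) = 3</etc/app.conf> <0.000031>
4021 10:15:02.101400 openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied) <0.000022>
4021 10:15:02.101900 connect(4<socket:[5512]>, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 ECONNREFUSED (Connection refused) <0.000350>
4022 10:15:02.102300 read(5<pipe:[5513]>, <unfinished ...>
4021 10:15:02.102500 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4023} ---
4022 10:15:02.102700 <... read resumed>"x", 1) = 1 <0.000400>
4021 10:15:02.103000 +++ exited with 1 +++
'''.strip().splitlines()

CALL = re.compile(
    r'^(?:(?P<pid>\d+)\s+)?'                       # PID column (-f with -o)
    r'(?:(?P<ts>\d\d:\d\d:\d\d(?:\.\d+)?)\s+)?'    # -t / -tt timestamp
    r'(?P<name>\w+)\((?P<args>.*)\)\s+=\s+'        # syscall name and arguments
    r'(?P<ret>0x[0-9a-f]+|-?\d+|\?)'               # return value
    r'(?:<(?P<fdpath>[^>]*)>)?'                    # -y path of a returned fd
    r'(?:\s+(?P<errno>E[A-Z0-9]+)\s+\((?P<errmsg>[^)]*)\))?'  # error, if any
    r'(?:\s+<(?P<secs>\d+\.\d+)>)?\s*$')           # -T time in the call
UNFINISHED = re.compile(r'^(?P<pid>\d+)\s+(?P<head>.*?)\s*<unfinished \.\.\.>$')
RESUMED = re.compile(r'^(?P<pid>\d+)\s+(?:\S+\s+)?<\.\.\. \w+ resumed>\s?(?P<tail>.*)$')

def parse(lines):
    """Return one dict per completed syscall; signal and exit lines are skipped."""
    pending, calls = {}, []
    for line in lines:
        if (m := UNFINISHED.match(line)):
            pending[m['pid']] = m['head']          # wait for the matching "resumed"
            continue
        if (m := RESUMED.match(line)) and m['pid'] in pending:
            line = f"{m['pid']} {pending.pop(m['pid'])} {m['tail']}"
        if (m := CALL.match(line)):
            calls.append(m.groupdict())
    return calls

def failures(calls, errnos=("EACCES", "EPERM")):
    """Calls denied by the kernel: what the program tried to touch but could not."""
    return [(c['name'], c['args'], c['errno']) for c in calls if c['errno'] in errnos]

if __name__ == "__main__":
    for c in parse(SAMPLE):
        print(c['pid'], c['name'], c['ret'], c['errno'] or '-', c['secs'])
```

Trace logs record arguments, environment data and buffer contents passed through system calls, so handle trace.log as sensitive data.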

Common System Calls

Frequently Traced Calls

  • open/openat: Open files and directories
  • read/write: Read from or write to files
  • close: Close file descriptors
  • execve: Execute programs
  • fork/clone: Create new processes
  • socket: Create network sockets
  • connect/accept: Network connections
  • mmap: Memory mapping
  • brk: Change data segment size
  • stat: Get file status

Best Practices

When to Use

  • Debugging program behavior
  • Performance analysis
  • Security auditing
  • Understanding program flow
  • Troubleshooting system issues
  • Reverse engineering

Important Notes

  • strace can significantly slow down traced programs
  • Use -c option for performance analysis
  • Be careful with -f option on complex programs
  • Output can be very verbose
  • Some system calls may not be traced
  • Consider using ltrace for library calls
  • strace requires appropriate permissions (ptrace access to the target process, for example when attaching with -p)

See Also

  • ltrace - Library call tracer
  • gdb - GNU debugger
  • ps - Process status
  • lsof - List open files