linux strace

ghdrako edited this page Nov 30, 2023 · 9 revisions

strace is a diagnostic, debugging and instructional userspace utility for Linux. The strace command allows us to trace the system calls made by a program. By default, strace writes its output to stderr, but we can change this using the -o filename option.

strace date 2>&1 | grep open
strace -e trace=open,close date # select the events to be traced.
                                # In this example we trace the open() and close() system calls
                                # (current glibc issues openat() for file opens, so add openat to see them)

Options:

  • The -p pid option is used to trace an existing process, by specifying its process ID.
  • The -c option causes strace to print a summary of all system calls made by the program. For each system call, the summary information includes the total number of calls, the number of calls that failed, and the total time spent executing the calls.
  • The -f option causes children of this process also to be traced. If we are sending trace output to a file (-o filename), then the alternative -ff option causes each process to write its trace output to a file named filename.PID.
  strace -e trace=open,read /bin/ls # trace only the open and read system calls made by the ls command
  strace -e read=3 /bin/ls  # dump all of the data read from file descriptor 3
  strace -e write=fd        # dump the data written to file descriptor fd
  ltrace  # library trace
  ftrace  # function trace https://github.com/elfmaster/ftrace

Track with child processes

# 1)
strace -f -p $(pidof glusterfsd)

# 2)
strace -f $(pidof php-fpm | sed 's/\([0-9]*\)/\-p \1/g')

Track process with 30 seconds limit

timeout 30 strace -p $(< /var/run/zabbix/zabbix_agentd.pid)

Track processes and redirect output to a file

ps auxw | grep '[a]pache' | awk '{print " -p " $2}' | \
xargs strace -o /tmp/strace-apache-proc.out

Track with the time spent in each syscall printed (-T) and the maximum length of printed strings set (-s)

ps auxw | grep '[i]init_policy' | awk '{print " -p " $2}' | \
xargs strace -f -e trace=network -T -s 10000

Track a request to open a network port

strace -f -e trace=bind nc -l 80

Track a request to open a network port (show TCP/UDP)

strace -f -e trace=network nc -lu 80
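
The bind traces above get noisy once -f follows several children, so here is an added example (not from the original page) that condenses captured strace output into one line per bind() call: PID, address family, port and result. The helper names bind_summary and sample_trace are hypothetical, and the trace lines are constructed samples in strace's usual output format.

```sh
#!/bin/sh
# Added example. Read strace output on stdin and print
# "<pid> <family> <port> <result>" for every bind() call found.
bind_summary() {
  awk '
    /(^| )bind\(/ {
      # -f on stderr prefixes "[pid N]"; -f with -o FILE prefixes a bare "N ".
      pid = "-"
      if (match($0, /^\[pid +[0-9]+\]/)) {
        pid = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", pid)
      } else if (match($0, /^[0-9]+ /)) {
        pid = substr($0, RSTART, RLENGTH - 1)
      }
      fam = "?"
      if (match($0, /sa_family=[A-Z0-9_]+/))
        fam = substr($0, RSTART + 10, RLENGTH - 10)
      # sin_port (IPv4) and sin6_port (IPv6) both end in "_port=htons(N)".
      port = "-"
      if (match($0, /_port=htons\([0-9]+\)/)) {
        port = substr($0, RSTART, RLENGTH); gsub(/[^0-9]/, "", port)
      }
      # "= 0" is success; "= -1 ERRNO (text)" is failure; "?" if unfinished.
      res = "?"
      if (match($0, /\) = -1 [A-Z0-9]+/))
        res = substr($0, RSTART + 7, RLENGTH - 7)
      else if (match($0, /\) = 0/))
        res = "ok"
      print pid, fam, port, res
    }
  '
}

# Constructed sample lines; a real run would be: strace -f -e trace=bind CMD 2>&1
sample_trace() {
  cat <<'EOF'
[pid 4242] bind(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
[pid 4243] bind(4, {sa_family=AF_INET6, sin6_port=htons(8080), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::", &sin6_addr), sin6_scope_id=0}, 28) = 0
4244 bind(5, {sa_family=AF_UNIX, sun_path="/tmp/constructed.sock"}, 24) = 0
bind(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 EADDRINUSE (Address already in use)
EOF
}

sample_trace | bind_summary
```

An EACCES result on a port below 1024 is what an unprivileged process sees when it tries to bind a privileged port, which is the usual outcome of running the nc -l 80 example without root.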
