strace

The strace command is one of the most frequently used commands in Linux/Unix-like operating systems. strace traces system calls and signals.

Quick Reference

Command Name: strace

Category: debugging

Platform: Linux

Basic Usage: strace [options] [arguments]

Common Use Cases

    Syntax

    strace [options] [command [args]]

    Options

    | Option | Description |
    |---|---|
    | -c | Count time, calls, and errors for each system call and report a summary |
    | -d | Show debug output of strace itself |
    | -f | Trace child processes as they are created by currently traced processes |
    | -ff | With -o, write each process trace to filename.pid |
    | -h | Print help summary |
    | -i | Print instruction pointer at time of system call |
    | -k | Print stack trace for each system call (experimental) |
    | -o filename | Write the trace output to filename instead of stderr |
    | -p pid | Attach to the process with the process ID pid and begin tracing |
    | -s strsize | Specify the maximum string size to print (default 32) |
    | -t | Prefix each line of the trace with the time of day |
    | -tt | Prefix each line of the trace with the time of day including microseconds |
    | -ttt | Prefix each line with seconds since epoch |
    | -T | Show the time spent in system calls |
    | -v | Print unabbreviated versions of environment, stat, termios, etc. |
    | -V | Print the version of strace |
    | -x | Print all non-ASCII strings in hexadecimal |
    | -xx | Print all strings in hexadecimal |
    | -y | Print paths associated with file descriptor arguments |
    | -e expr | A qualifying expression which modifies which events to trace |

    | Expression (-e) Option | Description |
    |---|---|
    | -e trace=set | Trace only the specified set of system calls |
    | -e trace=file | Trace all system calls which take a file name as an argument |
    | -e trace=process | Trace all system calls related to process management |
    | -e trace=network | Trace all network-related system calls |
    | -e trace=signal | Trace all signal-related system calls |
    | -e trace=ipc | Trace all IPC-related system calls |
    | -e trace=desc | Trace all file descriptor-related system calls |
    | -e trace=memory | Trace all memory mapping related system calls |
    | -e signal=set | Trace only the specified signals |
    | -e read=set | Show only read operations on specified file descriptors |
    | -e write=set | Show only write operations on specified file descriptors |

    Examples

    How to Use These Examples

    The examples below show common ways to use the strace command. Try them in your terminal to see the results.

    # Basic Examples

    # Trace all system calls made by the 'ls -l' command
    strace ls -l

    # Attach to process ID 1234 and trace its system calls
    strace -p 1234

    # Save trace output to a file instead of stderr
    strace -o output.txt command

    # Advanced Examples

    # Trace only specific system calls
    strace -e open,read,write ls -l

    # Count time, calls, and errors for each system call
    strace -c ls -l

    # Show timestamps for each system call
    strace -t ls -l

    # Show timestamps with microsecond precision
    strace -tt ls -l

    # Show timestamps as seconds since the epoch, with microseconds
    strace -ttt ls -l

    # Track child processes too
    strace -f ls -l

    # Track specific file operations
    strace -e trace=file ls -l

    # Track only network-related calls
    strace -e trace=network wget example.com

    # Print strings up to 256 characters
    strace -s 256 ls -l

    # Show the time spent in each system call
    strace -T ls -l

    # Print instruction pointer at time of syscall
    strace -i ls -l

    # Trace process-management calls of firefox and its child processes
    strace -f -e trace=process firefox

    # Save output to a file in a more detailed format
    strace -v -o detailed_trace.txt ls -l

    # Attach to the running nginx processes and log their network calls to a file
    # (the quotes let strace accept several PIDs returned by pidof)
    strace -p "$(pidof nginx)" -e trace=network -o nginx_network.log

    # Print only a summary of syscall counts/times/errors
    strace -c -p "$(pidof httpd)"

    # Show file descriptor path names
    strace -y ls -l


    Notes

    The `strace` command is a powerful diagnostic, instructional, and debugging tool for Linux and other Unix-like operating systems. It allows users to monitor the interaction between processes and the Linux kernel by tracing system calls and signals. System calls are the interface through which user-space applications request services from the kernel, such as file operations, network communications, and process management.

    By intercepting and recording these system calls and their results, `strace` provides valuable insights into what a program is doing at the operating system level. This makes it an invaluable tool for debugging, performance analysis, learning about system internals, and understanding application behavior.

    Key features and uses of the `strace` command include:

    1. Troubleshooting: When applications fail or behave unexpectedly, `strace` can reveal what system calls are failing and why, often pointing directly to the source of problems like missing files, permission issues, or configuration errors.
    2. Performance Analysis: The timing options (`-c`, `-T`) allow identification of slow system calls, helping to pinpoint performance bottlenecks in applications.
    3. Learning Tool: For those studying operating systems or wanting to understand how applications interact with the system, `strace` provides a real-time view of these interactions.
    4. Security Analysis: By monitoring what files, network connections, and other resources a program accesses, `strace` can help identify potential security issues or unexpected behavior.
    5. Reverse Engineering: When source code is unavailable, `strace` can help understand how a program works by revealing its interaction with the system.
    6. Filtering Capabilities: The extensive filtering options allow focusing on specific types of system calls (file operations, network activity, etc.), making it easier to isolate relevant information in complex applications.

    While extremely useful, `strace` does have some limitations to be aware of:

    - Performance Impact: Tracing adds significant overhead to the traced process, potentially slowing it down considerably.
    - Privilege Requirements: Tracing other users' processes typically requires root privileges.
    - Output Volume: Without appropriate filtering, the output can be overwhelming, especially for complex applications.
    - Limited to System Calls: `strace` only shows system calls, not internal application logic or library calls (for which tools like `ltrace` would be more appropriate).

    Despite these limitations, `strace` remains one of the most valuable tools in a Linux administrator's or developer's toolkit, often providing insights that would be difficult or impossible to obtain through other means.
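The security-analysis and troubleshooting uses described above, as an added example that is not part of the original page: shell functions that pull executed programs, IPv4 connection targets, written files and permission-denied opens out of a saved trace. The sample log (PIDs, paths, TEST-NET-1 address) is constructed and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: triage a log captured with
#   strace -f -e trace=file,network,process -o trace.log <command>
# With -f and -o every line starts with the PID; the prefix is optional in the
# patterns so per-process files written with -ff parse as well.

# Constructed sample log (made-up PIDs and paths, TEST-NET-1 address).
sample_log() {
cat <<'EOF'
4242 execve("/usr/local/bin/fetcher", ["fetcher", "--sync"], 0x7ffc1a2b3c40 /* 23 vars */) = 0
4242 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4242 openat(AT_FDCWD, "/etc/fetcher.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
4242 openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
4242 connect(4, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
4242 connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
4242 openat(AT_FDCWD, "/tmp/fetcher.out", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 6
4243 execve("/bin/sh", ["sh", "-c", "id"], 0x7ffc1a2b3c40 /* 23 vars */) = 0
EOF
}

# File opens the kernel refused: prints "ERRNO path".
denied_paths() {
  sed -nE 's/^([0-9]+ +)?(open|openat)\((AT_FDCWD, )?"([^"]+)".*= -1 (EACCES|EPERM) .*/\5 \4/p'
}

# Paths successfully opened with write access.
written_paths() {
  sed -nE 's/^([0-9]+ +)?(open|openat)\((AT_FDCWD, )?"([^"]+)", [^)]*(O_WRONLY|O_RDWR)[^)]*\) = [0-9]+$/\4/p'
}

# IPv4 connect() destinations as ip:port; AF_UNIX sockets are skipped.
connect_targets() {
  sed -nE 's/^([0-9]+ +)?connect\(.*sin_port=htons\(([0-9]+)\), sin_addr=inet_addr\("([^"]+)"\).*/\3:\2/p'
}

# Programs started with a successful execve().
exec_programs() {
  sed -nE 's/^([0-9]+ +)?execve\("([^"]+)".*\) = 0$/\2/p'
}

# Print all four views of one log read from stdin.
triage() {
  log=$(cat)
  for view in exec_programs connect_targets written_paths denied_paths; do
    printf '== %s ==\n' "$view"
    printf '%s\n' "$log" | "$view"
  done
}

sample_log | triage
```

For a real capture, run `triage < trace.log`. Calls that strace splits into `<unfinished ...>` and `resumed` lines under `-f` are not re-joined here; writing per-process files with `-ff` avoids that interleaving.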
