Docu review done: Wed 31 Jul 2024 02:40:03 PM CEST
strace
General
strace traces system calls and signals and is an invaluable tool for gathering context when debugging.
Commands
Commands | Description |
---|---|
-c | Print a histogram of the number of system calls and the time spent at the termination of strace. |
-e trace=[syscalls] | Trace only specified syscalls |
--trace=[syscalls] | Trace only specified syscalls (same as -e trace=) |
-f | Follow threads and child processes that are created. Useful option because many programs will spawn additional processes or threads to do work. |
-p [pid] | Attach to the running process with the given pid. |
-s [size] | Print [size] characters per string displayed. This is useful if you are trying to trace what a program is writing to a file descriptor. |
-t | Print the time of day at the start of each line. |
-T | Print time spent in system call. This can be useful if you are trying to determine if a particular system call is taking a lot of time to return. |
Filter by type of syscall
Used with the parameter -e
Syscall | Description |
---|---|
open | Trace open syscalls on the filesystem. |
close | Trace close syscalls on the filesystem. |
read | Trace read syscalls on the filesystem. |
write | Trace write syscalls on the filesystem. |
%desc | Trace all file descriptor related system calls. |
%file | Trace all system calls which take a file name as an argument. |
%fstat | Trace fstat and fstatat syscall variants. |
%fstatfs | Trace fstatfs, fstatfs64, fstatvfs, osf_fstatfs, and osf_fstatfs64 system calls. |
%ipc | Trace all IPC related system calls, for communication analysis between processes. |
%lstat | Trace lstat syscall variants. |
%memory | Trace all memory mapping related system calls. |
%network | Trace all the network related system calls. |
%process | Trace all system calls which involve process management. |
%pure | Trace syscalls that always succeed and have no arguments. |
%signal | Trace all signal related system calls. |
%stat | Trace stat syscall variants. |
%statfs | Trace statfs, statfs64, statvfs, osf_statfs, and osf_statfs64 system calls. |
%%stat | Trace syscalls used for requesting file status. |
%%statfs | Trace syscalls related to file system statistics. |
Examples
```
$ strace -Tfe trace=open,read,write ./my_script.sh
$ strace -fp 1337 -e trace=open,read,write
$ strace -fp 1337 -e trace=file
```

```
$ strace -c ls > /dev/null
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 89.76    0.008016           4      1912           getdents
  8.71    0.000778           0     11778           lstat
  0.81    0.000072           0      8894           write
  0.60    0.000054           0       943           open
  0.11    0.000010           0       942           close
  0.00    0.000000           0         1           read
  0.00    0.000000           0       944           fstat
  0.00    0.000000           0         8           mmap
  0.00    0.000000           0         4           mprotect
  0.00    0.000000           0         1           munmap
  0.00    0.000000           0         7           brk
  0.00    0.000000           0         3         3 access
  0.00    0.000000           0         1           execve
  0.00    0.000000           0         1           sysinfo
  0.00    0.000000           0         1           arch_prctl
------ ----------- ----------- --------- --------- ----------------
100.00    0.008930                     25440         3 total
```
Network sample
```
$ strace -f -e trace=network curl http://google.at
```

The network trace gives you more information about the network traffic of a service, but you should think of piping it to `grep` or similar commands, as it can be very verbose.

For example, if you are only interested in the IPs which are source/dest, add `2>&1 | grep sin_addr`:

```
$ strace -f -e trace=network curl http://google.at 2>&1 | grep sin_addr
[pid 780784] connect(7, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("142.250.186.99")}, 16 ) = 0
connect(5, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("142.250.186.99")}, 16) = -1 EINPROGRESS (Operation now in progress)
getsockname(5, {sa_family=AF_INET, sin_port=htons(39392), sin_addr=inet_addr("10.0.1.2")}, [128 => 16]) = 0
getsockname(5, {sa_family=AF_INET, sin_port=htons(39392), sin_addr=inet_addr("10.0.1.2")}, [128 => 16]) = 0
getsockname(5, {sa_family=AF_INET, sin_port=htons(39392), sin_addr=inet_addr("10.0.1.2")}, [128 => 16]) = 0
```
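
The `grep sin_addr` filter above mixes local and peer addresses and does not match IPv6 sockets, which strace prints as `inet_pton(AF_INET6, "...", &sin6_addr)`. The following is an added example, not part of the original page, that summarises both address families per syscall; the function names `strace_endpoints` and `sample_trace` are hypothetical and the IPv6 sample line is constructed.

```shell
#!/bin/sh
# Added example, not from the original page.
# Usage: strace -f -e trace=network <cmd> 2>&1 | strace_endpoints

# Print "<count> <role> <syscall> <addr>:<port>" for every socket address seen.
strace_endpoints() {
    sed -nE \
        -e 's/^(\[pid +[0-9]+\] )?([a-z0-9_]+)\(.*sin_port=htons\(([0-9]+)\), sin_addr=inet_addr\("([0-9.]+)"\).*/\2 \4:\3/p' \
        -e 's/^(\[pid +[0-9]+\] )?([a-z0-9_]+)\(.*sin6_port=htons\(([0-9]+)\),.*inet_pton\(AF_INET6, "([0-9a-fA-F:.]+)".*/\2 [\4]:\3/p' |
    awk '{
            # getsockname/bind describe the local side; other calls name the peer.
            role = ($1 == "getsockname" || $1 == "bind") ? "local" : "peer"
            seen[role " " $1 " " $2]++
        }
        END { for (k in seen) print seen[k], k }' |
    sort -k1,1nr -k2
}

# Sample input: the IPv4 lines are the output shown above; the IPv6 line and
# the "resumed" line (which carries no address and is skipped) are constructed.
sample_trace() {
    cat <<'EOF'
[pid 780784] connect(7, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("142.250.186.99")}, 16 ) = 0
connect(5, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("142.250.186.99")}, 16) = -1 EINPROGRESS (Operation now in progress)
getsockname(5, {sa_family=AF_INET, sin_port=htons(39392), sin_addr=inet_addr("10.0.1.2")}, [128 => 16]) = 0
getsockname(5, {sa_family=AF_INET, sin_port=htons(39392), sin_addr=inet_addr("10.0.1.2")}, [128 => 16]) = 0
getsockname(5, {sa_family=AF_INET, sin_port=htons(39392), sin_addr=inet_addr("10.0.1.2")}, [128 => 16]) = 0
connect(6, {sa_family=AF_INET6, sin6_port=htons(443), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001:db8::1", &sin6_addr), sin6_scope_id=0}, 28) = 0
[pid 780784] <... connect resumed>) = 0
EOF
}

sample_trace | strace_endpoints
```

Lines tagged `peer` are the remote endpoints the traced process talked to; `local` lines are its own source address and port.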