strace
strace cheatsheet by Thamizhiniyan C S
Introduction
strace is a command-line Linux tool used to trace the system calls a process makes and the signals it receives.
Use Cases:
Debugging Programs
Troubleshooting Programs
Intercept system calls made by a process
Record system calls made by a process
Inspect signals received by a process
Trace running processes
Installation
# Debian
sudo apt install strace
# Fedora
sudo yum install strace
Syntax
strace [OPTIONS] [EXECUTABLE_FILE]
Important Flags
-c, --summary-only
count time, calls, and errors for each syscall and report summary
-C, --summary
like -c, but also print the regular output
-e trace=TRACE
trace only specified syscalls
-e signal=SET, --signal=SIGNALS
trace only the specified set of signals; only signals in SET are printed
-e status=SET, --status=STATUS
print only system calls with the return statuses in SET
-f
Follow threads and child processes that are created.
-r
print relative timestamp
-i
print instruction pointer at time of syscall
-T, --syscall-times[=PRECISION]
print time spent in each syscall [precision: default is microseconds]
-t, --absolute-timestamps
print absolute timestamp of each system call (wall clock time)
-o FILE, --output=FILE
send trace output to FILE instead of stderr
-p PID, --attach=PID
trace process with process id PID, may be repeated
-u USERNAME, --user=USERNAME
run command as USERNAME handling setuid and/or setgid
-s [size]
Print [size] characters per string displayed. This is useful if you are trying to trace what a program is writing to a file descriptor.
TRACE values
open, close, write, network, signal
STATUS values
successful, failed, unfinished, unavailable, detached
PRECISION values
s, ms, us, ns
Examples
strace ls
Trace system calls of the `ls` command.
strace -c ls
Count time, calls, and errors for each system call and print only the summary.
strace -e trace=write ls
Trace only the `write` system calls of the `ls` command.
strace -e trace=network nc -v -n 127.0.0.1 801
Trace network-related system calls of the `nc` command.
strace -e trace=signal nc -v -n 127.0.0.1 801
Trace signal-related system calls of the `nc` command.
strace -r ls
Print a relative timestamp for each system call.
strace -T ls
Print time spent on each system call.
strace -t ls
Print wall clock time of each system call.
strace -i ls
Print the instruction pointer of each system call.
strace -p [pid]
Trace a running process by PID.
strace -fp [pid]
Trace a running process and its threads.
strace -s 80 -fp [pid]
Trace a running process, print first 80 characters of strings.
strace ./program
Trace a program.
strace -f ./program
Trace a program and its threads.
strace -s 80 -f ./program
Trace a program, print first 80 characters of strings.
strace -Tf ./program 2>&1 | grep -v futex
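Trace a program and its threads with per-call timing, filtering `futex` calls out of the output (strace writes to stderr, hence `2>&1`).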
strace -Tfe trace=open,read,write ./program
Trace specific system calls (open, read, write) for a program and its threads.
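An added example, not part of the original cheatsheet: a Python summary of a trace saved with `strace -f -T -o FILE`, reporting calls, errors and time per system call (as `-c` does) plus each failed call, and handling the `<unfinished ...>` / `resumed` pairs that `-f` produces. The sample trace lines, PIDs and paths are constructed, and the `summarize` helper is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format `strace -f -T -o FILE ./program` writes.
SAMPLE = """\
4101 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 <0.000021>
4101 openat(AT_FDCWD, "/etc/app/secret.conf", O_RDONLY) = -1 EACCES (Permission denied) <0.000015>
4102 read(3,  <unfinished ...>
4101 write(1, "status = 1\\n", 11) = 11 <0.000010>
4102 <... read resumed>"data", 4096) = 4 <0.000300>
4101 connect(4, {sa_family=AF_INET, sin_port=htons(801), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ECONNREFUSED (Connection refused) <0.000050>
4102 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4103} ---
4101 +++ exited with 1 +++
"""

LINE = re.compile(
    r"(?:\[pid\s+)?(?P<pid>\d+)?\]?\s*"                        # "4101 " or "[pid 4101] "
    r"(?:<\.\.\. (?P<resumed>\w+) resumed>|(?P<name>\w+)\()"  # syscall name
    r".*\s=\s(?:0x[0-9a-f]+|-?\d+|\?)"                         # last " = RESULT" on the line
    r"(?:\s(?P<errno>E[A-Z0-9]+)\b)?.*?"                       # errno name when the call failed
    r"(?:<(?P<secs>\d+\.\d+)>)?\s*$"                           # duration added by -T
)

def summarize(lines):
    """Return (per-syscall stats, failed calls as (pid, syscall, errno))."""
    stats = defaultdict(lambda: {"calls": 0, "errors": 0, "seconds": 0.0})
    failures = []
    for line in lines:
        if line.rstrip().endswith("<unfinished ...>"):
            continue  # the result arrives on the matching "resumed" line
        m = LINE.match(line)
        if not m:
            continue  # signal (---) and exit (+++) records, blank lines
        name = m["name"] or m["resumed"]
        entry = stats[name]
        entry["calls"] += 1
        entry["seconds"] += float(m["secs"] or 0)
        if m["errno"]:
            entry["errors"] += 1
            failures.append((m["pid"], name, m["errno"]))
    return dict(stats), failures

if __name__ == "__main__":
    stats, failures = summarize(SAMPLE.splitlines())
    for name, s in sorted(stats.items()):
        print(f"{name:10} calls={s['calls']} errors={s['errors']} time={s['seconds']:.6f}")
    for pid, name, errno in failures:
        print(f"pid {pid}: {name} failed with {errno}")
```

Failed `openat` and `connect` calls are usually the first thing to look at when a program cannot read a file or reach a service.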