strace

strace cheatsheet by Thamizhiniyan C S

Introduction

strace is a command-line linux tool used to trace system calls and signals

Use Cases:

• Debugging Programs

• Troubleshooting Programs

• Intercept System calls by a process

• Record system calls by a process

• Signals received by a process

• Trace running processes

---

Installation

# Debian
sudo apt install strace

# Fedora
yum install strace

---

Syntax

strace [OPTIONS] [EXECUTABLE_FILE]

---

Important Flags

Flag	Description
-c, --summary-only	count time, calls, and errors for each syscall and report summary
-C, --summary	like -c, but also print the regular output
-e trace=TRACE	trace only specified syscalls
-e signal=SET, --signal=SIGNALS	trace only the specified set of signals. print only the signals from SET
-e status=SET, --status=STATUS	print only system calls with the return statuses in SET
-f	Follow threads and child processes that are created.
-r	print relative timestamp
-i	print instruction pointer at time of syscall
-T, --syscall-times[=PRECISION]	print time spent in each syscall [precision: default is microseconds]
-t, --fields=LIS	print absolute timestamp of each system call (wall clock time)
-o FILE, --output=FILE	send trace output to FILE instead of stderr
-p PID, --attach=PID	trace process with process id PID, may be repeated
-u USERNAME, --user=USERNAME	run command as USERNAME handling setuid and/or setgid
-s [size]	Print [size] characters per string displayed. This is useful if you are trying to trace what a program is writing to a file descriptor.

TRACE values

open, close, write, network, signal

STATUS values

successful, failed, unfinished, unavailable, detached

PRECISION values

s, ms, us, ns

---

Examples

Command	Description
strace ls	Trace system calls of the `ls` command.
strace -c ls	Count the number of system calls.
strace -e trace=write ls	Trace only the `write` system calls of the `ls` command.
strace -e trace=network nc -v -n 127.0.0.1 801	Trace network-related system calls of the `nc` command.
strace -e trace=signal nc -v -n 127.0.0.1 801	Trace signal-related system calls of the `nc` command.
strace -r ls	Print the timestamp of each system call.
strace -T ls	Print time spent on each system call.
strace -t ls	Print wall clock time of each system call.
strace -i ls	Print the instruction pointer of each system call.
strace pid	Trace a running process by PID.
strace -p [pid]	Trace a running process by PID.
strace -fp [pid]	Trace a running process and its threads.
strace -s 80 -fp [pid]	Trace a running process, print first 80 characters of strings.
strace ./program	Trace a program.
strace -f ./program	Trace a program and its threads.
strace -s 80 -f ./program	Trace a program, print first 80 characters of strings.
strace -Tf ./program 2>&1 | grep -v futex	To exclude futex calls
strace -Tfe trace=open,read,write ./program	Trace specific system calls (open, read, write) for a program and its threads.

---

References

https://www.geeksforgeeks.org/strace-command-in-linux-with-examples/

https://blog.packagecloud.io/strace-cheat-sheet/