strace

strace cheatsheet by Thamizhiniyan C S

Introduction

strace is a command-line Linux tool used to trace system calls and signals.

Use Cases:

  • Debugging programs
  • Troubleshooting programs
  • Intercepting system calls made by a process
  • Recording system calls made by a process
  • Observing signals received by a process
  • Tracing running processes


Installation

# Debian
sudo apt install strace

# Fedora
sudo yum install strace

Syntax

strace [OPTIONS] [EXECUTABLE_FILE]


Important Flags

Flag                              Description
-c, --summary-only                Count time, calls, and errors for each syscall and report a summary.
-C, --summary                     Like -c, but also print the regular output.
-e trace=TRACE                    Trace only the specified syscalls.
-e signal=SET, --signal=SIGNALS   Trace only the specified set of signals; print only the signals from SET.
-e status=SET, --status=STATUS    Print only system calls with the return statuses in SET.
-f                                Follow threads and child processes that are created.
-r                                Print a relative timestamp.
-i                                Print the instruction pointer at the time of each syscall.
-T, --syscall-times[=PRECISION]   Print the time spent in each syscall (precision: default is microseconds).
-t, --absolute-timestamps         Print the absolute timestamp of each system call (wall clock time).
-o FILE, --output=FILE            Send trace output to FILE instead of stderr.
-p PID, --attach=PID              Trace the process with process ID PID; may be repeated.
-u USERNAME, --user=USERNAME      Run the command as USERNAME, handling setuid and/or setgid.
-s [size]                         Print [size] characters per string displayed. This is useful if you are
                                  trying to trace what a program is writing to a file descriptor.

TRACE values

open, close, write, network, signal

STATUS values

successful, failed, unfinished, unavailable, detached

PRECISION values

s, ms, us, ns


Examples

Command                                          Description
strace ls                                        Trace system calls of the `ls` command.
strace -c ls                                     Count the number of system calls.
strace -e trace=write ls                         Trace only the `write` system calls of the `ls` command.
strace -e trace=network nc -v -n 127.0.0.1 801   Trace network-related system calls of the `nc` command.
strace -e trace=signal nc -v -n 127.0.0.1 801    Trace signal-related system calls of the `nc` command.
strace -r ls                                     Print a relative timestamp for each system call.
strace -T ls                                     Print time spent on each system call.
strace -t ls                                     Print wall clock time of each system call.
strace -i ls                                     Print the instruction pointer of each system call.
strace -p [pid]                                  Trace a running process by PID.
strace -fp [pid]                                 Trace a running process and its threads.
strace -s 80 -fp [pid]                           Trace a running process, print first 80 characters of strings.
strace ./program                                 Trace a program.
strace -f ./program                              Trace a program and its threads.
strace -s 80 -f ./program                        Trace a program, print first 80 characters of strings.
strace -Tf ./program 2>&1 | grep -v futex        Trace a program and its threads with per-call timing, excluding futex calls from the output.
strace -Tfe trace=open,read,write ./program      Trace specific system calls (open, read, write) for a program and its threads.
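
The -f, -o FILE and -e trace= flags combine into a log that can be reviewed after the run. The script below is an added example, not part of the original cheatsheet: it lists failed file opens and connect() destinations from such a log. The trace lines are constructed sample data, the function names are hypothetical, and `openat` is matched as well as `open` because current glibc normally issues `openat`.

```shell
#!/usr/bin/env bash
# Added example: triage a saved strace log, e.g. one written with
#   strace -f -e trace=openat,connect -o trace.log ./program

# Constructed sample in the format `strace -f -o FILE` writes (PID first).
sample_trace() {
cat <<'EOF'
1201 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1201 openat(AT_FDCWD, "/etc/app/secret.conf", O_RDONLY) = -1 EACCES (Permission denied)
1201 openat(AT_FDCWD, "/home/user/.apprc", O_RDONLY) = -1 ENOENT (No such file or directory)
1202 connect(4, {sa_family=AF_INET, sin_port=htons(801), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ECONNREFUSED (Connection refused)
1202 connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
1201 write(1, "done\n", 5) = 5
1201 +++ exited with 0 +++
EOF
}

# Print "ERRNO path" for every open/openat call that failed.
failed_opens() {
  awk '/(^| )open(at)?\(/ && / = -1 / {
    split($0, q, "\"")            # q[2] = first quoted argument (the path)
    n = split($0, f, " = -1 ")    # f[n] = text after the return value
    split(f[n], e, " ")           # e[1] = errno name, e.g. ENOENT
    print e[1], q[2]
  }'
}

# Print "ip:port result" for every completed IPv4 connect() call.
# Calls that -f split into <unfinished ...> / resumed halves are skipped.
connect_targets() {
  awk '/(^| )connect\(/ && /inet_addr/ && !/<unfinished/ {
    match($0, /htons\([0-9]+\)/)
    port = substr($0, RSTART + 6, RLENGTH - 7)
    match($0, /inet_addr\("[^"]+"\)/)
    ip = substr($0, RSTART + 11, RLENGTH - 13)
    n = split($0, r, " = "); split(r[n], s, " ")
    print ip ":" port, (s[1] == "0" ? "ok" : s[2])
  }'
}

echo "Failed opens:";    sample_trace | failed_opens
echo "Connect targets:"; sample_trace | connect_targets
```

For a real log, feed the file on standard input, for example `failed_opens < trace.log`.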

