How to use strace

strace is a tool that shows you the system calls made by a program and the signals it receives. It is very useful, especially for checking which files and libraries a program opens, reads or writes.

  • Installing strace is easy:
$ sudo apt install strace
  • To view the system calls made by the execution of a program named foobar:
$ strace ./foobar

You will see that strace prints out every system call made by the program, with its arguments and its return value. However, since this verbose listing is printed to the console, you will find it difficult to view the actual output of the program or to interact with it.

  • Usually, strace is asked to write its output to a log file:
$ strace -o strace.log ./foobar
  • Anything but the simplest program will usually fork child processes. By default, strace traces only the parent process launched initially. To make it trace all child processes as well, use the -f option:
$ strace -f -o strace.log ./foobar
  • To trace only a few specific system calls, say open and close:
$ strace -e trace=open -o strace.log ./foobar
$ strace -e trace=open,close -o strace.log ./foobar
  • To trace only system calls from a specific category, say those calls that take a filename as an argument:
$ strace -e trace=file -o strace.log ./foobar

The other categories include process, network, signal, ipc, desc and memory. See the strace manpage for more details on these categories.

  • To trace only specific signals:
$ strace -e signal=sigkill,sigint -o strace.log ./foobar

The full list of signals can be seen in man 7 signal.

  • A very useful option is to trace calls that access a particular path. This can be done using the -P option:
$ strace -P /home/joe/somefile -o strace.log ./foobar

Note that strace is clever enough to also show all calls on the file descriptors opened from that path.

  • By default, the input argument structures to the calls are abbreviated. To view the full structures, use the verbose option:
$ strace -v -o strace.log ./foobar
  • By default, all strings that are read or written are displayed, but only the first 32 characters. To view more of each string, pass the number of characters you want to see to the -s option:
$ strace -s 100 -o strace.log ./foobar
  • Another formatting option that I find useful is to align the output values of all calls to a particular column, say 100:
$ strace -a 100 -o strace.log ./foobar
  • Looking at file descriptors in strace output can be confusing. To ask strace to show the path associated with each file descriptor whenever it prints a file descriptor, use the -y option:
$ strace -y -o strace.log ./foobar
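
As an added example (not part of the original post), this Python script summarises a log written by `strace -f -e trace=open,openat -o strace.log ./foobar`: which paths each process opened for reading or writing, and which opens failed. The log lines, PIDs and paths are constructed; openat is included because newer C libraries issue it where older ones call open.

```python
import re
from collections import defaultdict

# Constructed sample in the format written by
#   strace -f -e trace=open,openat -o strace.log ./foobar
SAMPLE_LOG = """\
4242  open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4242  open("/home/joe/.foobarrc", O_RDONLY) = -1 ENOENT (No such file or directory)
4243  openat(AT_FDCWD, "/home/joe/somefile", O_WRONLY|O_CREAT|O_TRUNC, 0644 <unfinished ...>
4242  open("/etc/foobar.conf", O_RDONLY) = 3
4243  <... openat resumed> ) = 4
4243  +++ exited with 0 +++
"""
UNFINISHED = "<unfinished ...>"
# Optional dirfd, quoted path, flags, return value (3</path> with -y), optional errno.
CALL = re.compile(r'open(?:at)?\((?:[^"]*, )?"([^"]*)", ([^,)]+).*\) = (-?\d+)'
                  r'(?:<[^>]*>)?(?: (E\w+))?')

def stitch(lines):
    """Yield (pid, call), rejoining calls that -f split into unfinished/resumed."""
    pending = {}  # pid -> first half of an interrupted call
    for line in lines:
        m = re.match(r"(\d+)\s+(.*)", line)
        if not m:
            continue
        pid, rest = m.groups()
        if rest.endswith(UNFINISHED):
            pending[pid] = rest[:-len(UNFINISHED)]
        elif rest.startswith("<... "):
            tail = re.sub(r"^<\.\.\. \w+ resumed>\s*", "", rest)
            yield pid, pending.pop(pid, "") + tail
        else:
            yield pid, rest

def summarize(log_text):
    """Group opened paths per PID into read, write and failed (with errno)."""
    report = defaultdict(lambda: {"read": [], "write": [], "failed": []})
    for pid, call in stitch(log_text.splitlines()):
        m = CALL.match(call)
        if not m:
            continue  # exit markers, signals, other system calls
        path, flags, ret, err = m.groups()
        if int(ret) < 0:
            report[pid]["failed"].append((path, err))
        elif "O_WRONLY" in flags or "O_RDWR" in flags:
            report[pid]["write"].append(path)
        else:
            report[pid]["read"].append(path)
    return dict(report)
```

Calling `summarize(open("strace.log").read())` on a real log returns one entry per traced PID; the failed list is a quick way to spot configuration files or libraries the program looked for and did not find.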

Tried with: strace 4.11 and Ubuntu 16.04
