strace Linux Command

strace is a Linux command that traces system calls and signals made by a process. It can track a process’s execution based on PID, show which system calls it makes, and perform statistical analysis on their execution. It’s commonly used to troubleshoot program faults, debug issues, or identify reasons for slow performance.

Basic Usage

Trace a command:

strace ls /tmp

This runs ls /tmp and shows all system calls made during execution.

Advanced Example

Trace a running process with options:

strace -o /tmp/output -f -r -s 4096 -p 16742
  • -o /tmp/output: Output to file instead of stdout.
  • -f: Follow child processes (forks).
  • -r: Print relative timestamps between system calls.
  • -s 4096: Print up to 4096 characters of each string argument (the default is 32).
  • -p 16742: Attach to process with PID 16742.

Common Options

  • -c: Count system calls and provide a summary.
  • -e trace=network: Trace only network-related calls.
  • -t: Print absolute timestamps.
  • -T: Show time spent in each call.
  • -v: Verbose output; print unabbreviated versions of structures such as environment, stat and termios.

Use Cases

  • Debugging: Identify where a program fails by seeing the last system call.
  • Performance: Analyze slow operations by timing system calls.
  • Security: Monitor what files or network connections a process accesses.
  • Learning: Understand how programs interact with the kernel.
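
For the Security use case, a log written with -f and -o can be reduced to a per-PID list of files opened and connection attempts. The script below is an added example, not part of the original page; the function names and the sample log lines are constructed for illustration, and it assumes the log came from strace -f -o LOG -e trace=openat,connect.

```shell
#!/bin/sh
# Added example. Summarise which files and IPv4 endpoints each traced PID touched.
# Assumes a log written with -f and -o, so every line starts with the PID;
# -r or -t timestamps after the PID are tolerated.
summarise_strace() {
    awk '
    # -f splits a call interrupted by another task: keep the first half per PID.
    / <unfinished \.\.\.>/ { sub(/ *<unfinished \.\.\.>.*/, ""); pending[$1] = $0; next }
    # Rejoin it with the result carried on the matching "resumed" line.
    /<\.\.\. [a-z0-9_]+ resumed>/ {
        pid = $1; sub(/^.*resumed>/, ""); $0 = pending[pid] $0; delete pending[pid]
    }
    / openat\(/ && match($0, /"[^"]*"/) {
        path = substr($0, RSTART + 1, RLENGTH - 2)   # first quoted argument
        st = ($0 ~ /\) = -1 /) ? "OPEN_FAIL" : "OPEN_OK"
        print st, $1, path
    }
    # Connection attempts are reported whatever the result (EINPROGRESS is normal).
    / connect\(/ && /sa_family=AF_INET,/ {
        match($0, /htons\([0-9]+\)/)
        port = substr($0, RSTART + 6, RLENGTH - 7)
        match($0, /inet_addr\("[^"]*"\)/)
        addr = substr($0, RSTART + 11, RLENGTH - 13)
        print "CONNECT", $1, addr ":" port
    }
    ' "$@" | LC_ALL=C sort -u
}

# Constructed sample log (not captured from a real process).
sample_log() {
    cat <<'EOF'
16742      0.000000 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
16742      0.000210 openat(AT_FDCWD, "/etc/app/secret.key", O_RDONLY) = -1 EACCES (Permission denied)
16743      0.000054 connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 EINPROGRESS (Operation now in progress)
16743      0.000100 openat(AT_FDCWD, "/tmp/out.log", O_WRONLY|O_CREAT|O_APPEND, 0644 <unfinished ...>
16742      0.000031 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
16743      0.000020 <... openat resumed>) = 5
EOF
}

# Prints one line per unique event: KIND PID TARGET
sample_log | summarise_strace
```

Failed opens (OPEN_FAIL) are often the most useful lines in a review, since they show what a process tried to read but was denied.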

Important Notes

  • Requires appropriate permissions; use sudo for system processes.
  • Attaching to a running process with -p can affect performance.
  • For library calls, use ltrace instead.
  • Output can be verbose; redirect to file with -o.
