🖥️strace

➡️This is a command-line reference manual for commands and command combinations that you don't use often enough to remember. This cheatsheet explains the strace command and its important options and switches, using examples.

# Basic stracing
strace <command>

# save the trace to a file
strace -o strace.out <other switches> <command>

# follow only the open() system call
# (current glibc issues open() as openat(), so include it: -e trace=open,openat)
strace -e trace=open <command>

# follow all the system calls that take a filename as an argument
strace -e trace=file <command>

# follow all the system calls associated with process
# management
strace -e trace=process <command>

# follow child processes as they are created
strace -f <command>

# count time, calls and errors for each system call
strace -c <command>

# trace a running process (multiple PIDs can be specified)
strace -p <pid>

#==============================#
# CMD STRACE
#==============================#
# Wrapper lines: save the wrapped command's stdin (and, in the second form, its stdout) while tracing it and its children
tee "$tmpdir/stdin" | strace -f -o "$tmpdir/strace.out" $origin "$@"
tee "$tmpdir/stdin" | strace -f -o "$tmpdir/strace.out" $origin "$@" | tee "$tmpdir/stdout"

# strace has two new flags for displaying file and network names instead of numbers - this excites me far more than is healthy: http://jvns.ca/blog/2016/06/07/strace-y/

strace -y
# gives filenames in output

strace -yy
# does network lookups too

strace -e open openssl s_client -crlf -quiet -starttls smtp -connect smtp.example.com:25
# Use strace to show the files openssl is opening.

strace ping -c1 localhost 2>&1|grep EPERM
# socket(PF_INET, SOCK_RAW, IPPROTO_ICMP) = -1 EPERM
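
# Added example (not part of the original cheatsheet): instead of grepping for one errno such as EPERM, tally every failed syscall in a trace by name and errno. The sample trace is constructed, and the function names sample_trace and failed_syscalls are illustrative.

```bash
#!/bin/sh
# Constructed sample in `strace -f -o FILE` format (PID column first); not a real capture.
sample_trace() {
cat <<'EOF'
1201 execve("/bin/ping", ["ping", "-c1", "localhost"], 0x7ffc0 /* 20 vars */) = 0
1201 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1201 openat(AT_FDCWD, "/usr/lib/tls/libcap.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
1201 openat(AT_FDCWD, "/usr/lib/libcap.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
1201 socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) = -1 EPERM (Operation not permitted)
1201 connect(5, {sa_family=AF_INET, sin_port=htons(1025), sin_addr=inet_addr("127.0.0.1")}, 16 <unfinished ...>
1202 read(3, "", 4096) = 0
1201 <... connect resumed>) = -1 ECONNREFUSED (Connection refused)
1201 exit_group(2) = ?
1201 +++ exited with 2 +++
EOF
}

# failed_syscalls [FILE...]: print "count syscall errno" for every failed call,
# most frequent first. Reads stdin when no file is given.
failed_syscalls() {
    awk '
    match($0, /= -1 E[A-Z0-9]+/) {
        errno = substr($0, RSTART + 5, RLENGTH - 5)     # text after "= -1 "
        name = $0
        sub(/^(\[pid +[0-9]+\] +|[0-9]+ +)/, "", name)  # PID column added by -f
        sub(/^[0-9:.]+ +/, "", name)                    # -t / -tt timestamp
        if (name ~ /^<\.\.\. /) {                       # "<... connect resumed>"
            sub(/^<\.\.\. /, "", name); sub(/ resumed.*/, "", name)
        } else {
            sub(/\(.*/, "", name)                       # keep the text before "("
        }
        count[name " " errno]++
    }
    END { for (k in count) print count[k], k }
    ' "$@" | sort -k1,1nr -k2
}

sample_trace | failed_syscalls
```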

strace -p 927 -o smtpd -ff -tt 
# strace is a sysadmin godsend. This will follow pid 927 and its children, writing to smtpd.<pid>

strace df -h
# Trace Linux Command System Calls - You can simply run a command with strace like this; here we are tracing all system calls made by the df command.

strace -p 3569
# Trace Linux Process PID - If a process is already running, you can trace it by simply passing its PID as shown above; this will fill your screen with continuous output that shows system calls being made by the process. To end it, press [Ctrl + C].

strace -c -p 3569
# Get Summary of Linux Process - Using the -c flag, you can generate a report of total time, calls, and errors for each system call, as shown above.

strace -i df -h
# Print Instruction Pointer During System Call - The -i option displays the instruction pointer at the time of each system call made by the program.

strace -t df -h
# Show Time of Day For Each Trace Output Line - You can also print the time of day for each line in the trace output, by passing the -t flag.

strace -T df -h
# Print Command Time Spent in System Calls - To show the time difference between the start and the end of each system call made by a program, use the -T option.

strace -e trace=write df -h
# Trace Only Specific System Calls - In the command above, trace=write is known as a qualifying expression, where trace is a qualifier (others include signal, abbrev, verbose, raw, read, or write). Here, write is the value of the qualifier. The command shows the system calls that print df output on standard output.

strace -e trace=open,close df -h
strace -e trace=open,close,read,write df -h
strace -e trace=all df -h
# Here are some additional commands using the trace qualifier.

strace -q -e trace=process df -h
# Trace System Calls Based on a Certain Condition - Let’s look at how to trace system calls relating to a given class of events. This command can be used to trace all system calls involving process management.

strace -q -e trace=file df -h
# To trace all system calls that take a filename as an argument, run this command.

strace -q -e trace=memory df -h
# To trace all system calls involving memory mapping, run this command.

strace -e trace=network df -h
strace -e trace=signal df -h
# You can trace all network-related and signal-related system calls.

strace -o df_debug.txt df -h
# Redirect Trace Output to File - To write the trace messages sent to standard error to a file, use the -o option. This means that only the command output is printed on the screen.

strace -d df -h
# Show Some Debugging Output of Strace - To show debugging information for the strace tool, use the -d flag.

strace -e open -p 4450 -p 5523 
# What the hell are process ids 4450 and 5523 trying to open that's driving up the system load so much? This shows only the open syscalls. For all of them, just leave the -e open part off.

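# Attach strace to every apache process matching "nws" by building a "-p <pid>" list and passing it to strace via xargs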
ps auxw | grep sbin/apache | grep nws | awk '{print"-p " $2}' | xargs strace

# Linux shell processes discovery - more details about some process with PID, for example, 10406
strace -p 10406

# See syscalls of PID 1205. Processes don't have to be a black box, you can use strace (on Linux) to view the system calls made by a process, which may give some clue as to why it's misbehaving, where it is saving a file, etc.
strace -p 1205 

# Find which config file is read
strace geany 2>&1 | grep geany.conf

# Linux system calls of MySQL process
strace -c -p "$(pidof -s mysqld)" -f -e trace=all
