strace command in Linux with examples

The strace command is a powerful debugging and diagnostic tool in Linux. It records every system call made by a particular process and the response each call receives. It is similar to the truss tool in other Unix-like operating systems. With it, you can debug a program without needing to read its code. It is also a great tool for learning about system calls.

A system call is the interface through which a program requests a service from the kernel.

System Calls

An operating system has a lot of system calls, but covering them is beyond the scope of this article.

How to install strace on Linux?

If you don’t have strace already on your system, use your system’s default package manager to install it.

For Ubuntu/Debian based systems, execute the following apt command with sudo:

sudo apt install strace

For CentOS/RedHat based systems, execute the following yum command:

sudo yum install strace

Syntax

The syntax for the strace command is given below:

strace [-ACdffhikqqrtttTvVwxxyyzZ] [-I n] [-b execve] [-e expr]... [-O overhead] [-S sortby] [-U columns] [-a column] [-o file] [-s strsize] [-X format] [-P path]... [-p pid]... [--seccomp-bpf] { -p pid | [-DDD][-E var[=val]]... [-u username] command [args] }
strace -c [-dfwzZ] [-I n] [-b execve] [-e expr]... [-O overhead] [-S sortby] [-U columns] [-P path]... [-p pid]... [--seccomp-bpf] { -p pid | [-DDD] [-E var[=val]]...[-u username] command [args] }

Executing a simple strace

Using strace without any options prints every system call the program makes, in the order the calls were made during execution.

To try it out, run strace on the curl command:

strace curl google.com

strace on curl command

In the above image, you can see that the strace command gave us a lot of output. These are all the system calls made to print the final result, given below.

curl google.com output

Writing output of strace to a file

Executing the strace command with the -o option writes the output to a file, which you can review later.

To write the strace output for the curl command to a file, execute:

strace -o curl.out curl google.com

Writing output of the strace command to a file

Tracing particular system call by a process with strace

To trace a particular system call, pass a trace expression to the strace command with the -e option.

The syntax for using a trace expression with strace, shown here for the curl command, is:

strace -e trace=syscall_set curl google.com

Here, syscall_set is the set of system calls to trace.

strace command output for the socket system call only

In the above image, you can see that when we specify the socket system call in the strace command, it only prints out the socket system calls.

Similarly, we can define a set of system calls that we want to print with the strace command.

strace command output with a particular set of system calls

In the above image, you can see that when we define a particular set of system calls in the strace command, it only outputs the calls from that set that the program makes during execution.

Tracing a process with PID and the child processes with the strace command

The -p option specifies the PID (process ID) of the process to attach to, and the -f option tells strace to follow its child processes.

Child processes are simply processes created by another process. The syntax to trace a process by PID and follow its child processes is:

sudo strace -f -p pid

To test it out, let’s attach strace to a bash session.

Using the ps command, you can quickly find the PID. We have two terminal sessions: one for the output of the strace command and the other for an idle bash session. The PID of the idle bash session on our system is 3804.

When we execute the above command, you can see that the idle bash session is waiting for input.

Attaching process to the idle bash session

Now if we give input on the idle bash session, you can see strace giving output on the other terminal session.

strace output for an attached process
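
Combining the -o, -e trace= and -f options from the sections above, a saved trace can be summarised to see which files a program opened, which calls failed and where it connected. This is an added example, not part of the original article; the function names and the sample trace lines are constructed for illustration.

```shell
#!/bin/sh
# Summarise a trace saved with, for example:
#   strace -f -o curl.out -e trace=openat,connect curl google.com
# With -f and -o together, strace prefixes every line with the PID.

# Constructed sample in that format (192.0.2.10 is a documentation address).
write_sample() {
cat > "$1" <<'EOF'
3804 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
3804 openat(AT_FDCWD, "/home/user/.curlrc", O_RDONLY) = -1 ENOENT (No such file or directory)
3804 openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 5
3805 connect(5, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 EINPROGRESS (Operation now in progress)
3804 +++ exited with 0 +++
EOF
}

# Files opened successfully (the return value is a descriptor >= 0).
opened_files() {
    awk '$2 ~ /^openat\(/ && $NF ~ /^[0-9]+$/ {
        split($0, q, "\""); print q[2]
    }' "$1"
}

# Calls that failed: print "syscall errno" for each line returning -1.
failed_calls() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "=" && $(i+1) == "-1") {
        name = $2; sub(/\(.*/, "", name); print name, $(i+2)
    } }' "$1"
}

# IPv4 destinations of connect(): print "address:port".
connect_targets() {
    awk '$2 ~ /^connect\(/ && /sa_family=AF_INET,/ {
        port = $0; sub(/.*htons\(/, "", port); sub(/\).*/, "", port)
        addr = $0; sub(/.*inet_addr\("/, "", addr); sub(/".*/, "", addr)
        print addr ":" port
    }' "$1"
}

# Optional: pass a real trace file as the first argument to summarise it.
if [ -n "${1:-}" ]; then
    opened_files "$1"; failed_calls "$1"; connect_targets "$1"
fi
```

An EINPROGRESS result on connect is normal for a non-blocking socket and does not mean the connection was refused.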

Summary of system calls made by a process using strace

To get a summary of all the system calls made by a process, use the -c option with the strace command.

The syntax to get a summary of the system calls with the strace command is:

strace -c curl google.com

Summary of system calls in a tabular form

Conclusion

strace is a great utility for debugging, diagnostics, learning system calls, and much more. It is a very powerful and handy tool. It is available across all Linux distributions.

Thank you for reading! 😀