strace
Chapter 87: strace, ltrace, and syscalls - Deep Dive
Section titled “Chapter 87: strace, ltrace, and syscalls - Deep Dive”Mastering System Call Tracing for Troubleshooting
Section titled “Mastering System Call Tracing for Troubleshooting”Why This Matters in DevOps/SRE
Section titled “Why This Matters in DevOps/SRE”strace is essential for debugging application issues:
- Deep Troubleshooting: See exactly what system calls an application makes
- Performance: Identify slow syscalls causing delays
- Debugging: Find missing files, permission issues, network problems
- Security: Detect suspicious system call patterns
- Root Cause: Get to the actual failure, not just symptoms
strace is the go-to tool when logs don’t provide enough information.
87.1 Understanding System Calls
Section titled “87.1 Understanding System Calls”What are System Calls?
Section titled “What are System Calls?”System calls (syscalls) are the fundamental interface between user applications and the Linux kernel. They provide a way for programs to request services from the kernel.
System Call Flow+------------------------------------------------------------------+| || User Space Kernel Space || || +----------------+ || | Application | || +--------+-------+ || | || | syscall instruction || v || +--------+-------+ || | libc (glibc) | - syscall wrapper || +--------+-------+ || | || | system call || v || +-------------------------------------------------+ || | System Call Interface | || | - Validates parameters | || | - Switches to kernel mode | || | - Routes to appropriate handler | || +-------------------------------------------------+ || | || v || +-------------------------------------------------+ || | Kernel Subsystem | || | - File system | || | - Process management | || | - Memory management | || | - Network | || +-------------------------------------------------+ || |+------------------------------------------------------------------+Common System Calls
Section titled “Common System Calls” Common System Calls+------------------------------------------------------------------+| || Process Management: || +----------------------------------------------------------+ || | fork() - Create new process | || | execve() - Execute program | || | waitpid() - Wait for process | || | exit() - Terminate process | || | getpid() - Get process ID | || | getppid() - Get parent process ID | || | nice() - Change process priority | || | kill() - Send signal to process | || +----------------------------------------------------------+ || || File Operations: || +----------------------------------------------------------+ || | open() - Open file | || | close() - Close file | || | read() - Read from file | || | write() - Write to file | || | lseek() - Change file position | || | stat() - Get file status | || | chmod() - Change file permissions | || | rename() - Rename file | || +----------------------------------------------------------+ || || Memory: || +----------------------------------------------------------+ || | mmap() - Map memory | || | munmap() - Unmap memory | || | brk() - Change data segment size | || | mprotect() - Set memory protection | || +----------------------------------------------------------+ || || Network: || +----------------------------------------------------------+ || | socket() - Create socket | || | bind() - Bind socket to address | || | listen() - Listen for connections | || | accept() - Accept connection | || | connect() - Connect to socket | || | send() - Send data | || | recv() - Receive data | || +----------------------------------------------------------+ || || Information: || +----------------------------------------------------------+ || | getuid() - Get user ID | || | getgid() - Get group ID | || | uname() - Get system information | || | time() - Get current time | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+87.2 strace Fundamentals
Section titled “87.2 strace Fundamentals”Using strace
Section titled “Using strace”# =============================================================================# BASIC USAGE# =============================================================================
# Trace new processstrace ls -la
# Attach to running processstrace -p 1234
# Trace with timingstrace -t ls -lastrace -tt ls -la # Microsecondsstrace -T ls -la # Time in syscall
# =============================================================================# OUTPUT OPTIONS# =============================================================================
# Redirect to filestrace -o output.txt ls
# Append to filestrace -a output.txt ls
# Show instruction pointerstrace -i ls
# Show relative timestrace -r ls
# Compact outputstrace -q ls
# Color outputstrace -C ls
# =============================================================================# FILTERING# =============================================================================
# Trace specific syscallsstrace -e trace=open,read,write ls
# Trace by categorystrace -e trace=file lsstrace -e trace=network lsstrace -e trace=process lsstrace -e trace=memory lsstrace -e trace=signal lsstrace -e trace=ipc ls
# Trace all exceptstrace -e trace=!read ls
# Trace file creationstrace -e trace=creat ls
# =============================================================================# FOLLOW FORK# =============================================================================
# Follow child processesstrace -f ls
# Trace fork+execstrace -f -e trace=execve bash -c "ls"
# =============================================================================# CONDITIONAL TRACING# =============================================================================
# Trace after conditionstrace -P /path/to/file ls
# Filter by resultstrace -e trace=open -e success ls
# Filter by errorstrace -e trace=open -e failed ls
# =============================================================================# STRACE STATISTICS# =============================================================================
# Summary of syscallsstrace -c ls
# Summary with errorsstrace -c -e trace=open,read,write ls
# Print time summarystrace -c -w ls
# =============================================================================# DIAGNOSTIC OPTIONS# =============================================================================
# Print raw syscallsstrace -n ls
# Print command namestrace -s ls
# Help diagnose crashesstrace -o crash.txt -f -g command
# Show failed calls onlystrace -z ls
# =============================================================================# PROCESS OPTIONS# =============================================================================
# Read from stdinstrace -I 2 ls
# Trace children on forkstrace -f ls
# Trace threadsstrace -f -ff ls87.3 Practical strace Examples
Section titled “87.3 Practical strace Examples”Troubleshooting Examples
Section titled “Troubleshooting Examples”# =============================================================================# DEBUGGING FILE ACCESS# =============================================================================
# Find what files a program opensstrace -e trace=open,openat,close ls 2>&1 | grep -v "ENOENT"
# Trace specific file accessstrace -e trace=open -P /etc/passwd cat /etc/passwd
# Watch for config file changesstrace -f -e trace=open,write nginx
# =============================================================================# DEBUGGING NETWORK# =============================================================================
# Trace network callsstrace -e trace=connect,accept,send,recv,close -f nginx
# Trace specific portstrace -e trace=network -p $(pgrep -f "port:8080")
# =============================================================================# DEBUGGING PERFORMANCE# =============================================================================
# Find slow syscallsstrace -T -c ls
# Time per syscallstrace -T ls
# Slow calls only (>1ms)strace -T -s 100 ls 2>&1 | grep -v "0.000" | head -20
# =============================================================================# DEBUGGING PERMISSIONS# =============================================================================
# Trace permission errorsstrace -e trace=access,open ls /root
# Trace failed opensstrace -e trace=open -z ls /nonexistent
# =============================================================================# DEBUGGING PROCESS# =============================================================================
# Find what process is doingstrace -p 1234 -c
# Trace system callsstrace -p 1234 -f
# =============================================================================# DEBUGGING STARTUP# =============================================================================
# Full trace with timingstrace -t -f -T -o /tmp/strace.log nginx
# Summary at exitstrace -c -f nginx87.4 ltrace - Library Tracing
Section titled “87.4 ltrace - Library Tracing”Using ltrace
Section titled “Using ltrace”# =============================================================================# BASIC USAGE# =============================================================================
# Trace library callsltrace ls
# Trace with timingltrace -t ls
# Trace with relative timeltrace -r ls
# =============================================================================# OUTPUT OPTIONS# =============================================================================
# Output to fileltrace -o output.txt ls
# Color outputltrace -C ls
# =============================================================================# FILTERING# =============================================================================
# Trace specific libraryltrace -e memcpy ls
# Trace by regexltrace -e '*alloc*' ls
# Trace by libraryltrace -l libc.so.6 ls
# Excludeltrace -e '!*malloc*' ls
# =============================================================================# STATISTICS# =============================================================================
# Summaryltrace -c ls
# Time summaryltrace -c -A 10 ls
# =============================================================================# ATTACH TO PROCESS# =============================================================================
# Attach to running processltrace -p 1234
# =============================================================================# COMMON OPTIONS# =============================================================================
# Follow forkltrace -f ls
# Align columnsltrace -A 20 ls
# Library pathltrace -L /lib ls87.5 syscall Reference
Section titled “87.5 syscall Reference”Common System Calls by Category
Section titled “Common System Calls by Category”# =============================================================================# FILE OPERATIONS# =============================================================================
# open, openat - Open file# close - Close file# read, pread - Read from file# write, pwrite - Write to file# lseek - Reposition read/write file offset# stat, fstat, lstat - Get file status# access, faccessat - Check file access# chmod, fchmod - Change file permissions# chown, fchown - Change file owner# rename - Rename file# mkdir - Create directory# rmdir - Remove directory# unlink, unlinkat - Remove file# link, linkat - Create hard link# symlink, readlink - Symbolic links
# =============================================================================# PROCESS MANAGEMENT# =============================================================================
# fork - Create process# vfork - Create process (optimized)# clone - Create thread/process# execve - Execute program# _exit - Terminate process# wait, waitpid, wait4 - Wait for process# getpid, getppid - Get process ID# getuid, geteuid - Get user ID# getgid, getegid - Get group ID# setuid, setgid - Set user/group ID# nice - Change priority# sched_setscheduler, sched_getscheduler - CPU scheduling# kill - Send signal# alarm - Set alarm clock
# =============================================================================# MEMORY# =============================================================================
# brk - Change data segment size# mmap, munmap - Map/unmap memory# mprotect - Set memory protection# mlock, munlock - Lock memory# mremap - Remap memory# madvise - Give advice about memory
# =============================================================================# NETWORKS# =============================================================================
# socket - Create socket# bind - Bind socket to address# listen - Listen for connections# accept, accept4 - Accept connection# connect - Connect to socket# send, sendto, sendmsg - Send data# recv, recvfrom, recvmsg - Receive data# shutdown - Shutdown socket# getsockopt, setsockopt - Socket options
# =============================================================================# IPC# =============================================================================
# msgget - Get message queue# msgsnd, msgrcv - Message operations# semget - Get semaphore set# semop, semtimedop - Semaphore operations# shmget - Get shared memory# shmat, shmdt - Attach/detach shared memory
# =============================================================================# TIME# =============================================================================
# time - Get current time# gettimeofday - Get time with microseconds# clock_gettime - Get clock time# nanosleep - High-resolution sleep
# =============================================================================# SYSTEM# =============================================================================
# uname - Get system information# sysinfo - Get system info# getrlimit, setrlimit - Resource limits# getrusage - Get resource usage# syslog - Read/write kernel messages# gettid - Get thread ID# set_thread_area - Thread local storage87.6 Performance Analysis
Section titled “87.6 Performance Analysis”Analyzing Performance Issues
Section titled “Analyzing Performance Issues”# =============================================================================# FIND SLOW OPERATIONS# =============================================================================
# Time spent in syscallsstrace -c -w ls
# Find slow syscalls (>1ms)strace -T -s 100 command 2>&1 | awk -F'=' '/0\.[0-9]+/ && $2 > 0.001 {print}'
# Analyze with perfperf record -g ./commandperf report
# =============================================================================# STRACE STATISTICS ANALYSIS# =============================================================================
# Full statisticsstrace -c -f ./script.sh
# Percentage-basedstrace -c -f --sort=time ./script.sh
# =============================================================================# REAL-TIME ANALYSIS# =============================================================================
# Monitor livestrace -p 1234 -c -e trace=write
# Trace specific durationtimeout 10 strace -p 1234 -c87.7 Exam Tips
Section titled “87.7 Exam Tips”
- strace: Trace system calls (kernel)
- ltrace: Trace library calls (userspace)
- Filters: Use -e trace= for specific syscalls
- Timing: -T shows time per syscall
- Statistics: -c summarizes all calls
- Attach: -p for running processes
- Fork: -f follows child processes
- Output: -o saves to file
- Errors: -z shows failed calls only
- Performance: Use -T to find slow operations
Common Mistakes & Anti-Patterns
Section titled “Common Mistakes & Anti-Patterns”1. Tracing Without Filters
Section titled “1. Tracing Without Filters”WRONG:
# Tracing everything - overwhelming outputstrace -p $(pgrep nginx)CORRECT:
# Filter specific syscallsstrace -p $(pgrep nginx) -e trace=open,read,writestrace -p $(pgrep nginx) -e trace=networkstrace -p $(pgrep nginx) -e trace=fileWhy: Unfiltered output is unreadable and consumes massive disk space.
2. Not Using Timestamps
Section titled “2. Not Using Timestamps”WRONG:
# No timing informationstrace ./script.shCORRECT:
# Add timingstrace -t ./script.sh # Relative timestrace -tt ./script.sh # Microsecondsstrace -r ./script.sh # Relative time per callstrace -T ./script.sh # Time spent in callWhy: Timestamps identify slow operations.
3. Running in Production Without Care
Section titled “3. Running in Production Without Care”WRONG:
# Tracing production service with full outputstrace -p $(pgrep nginx) > /var/log/strace.log# System slows to a crawl!CORRECT:
# Use minimal overhead optionsstrace -p $(pgrep nginx) -e trace=write -qstrace -c -p $(pgrep nginx) # Summary only
# Or use BPF-based tools insteadperf record -g -p $(pgrep nginx)Why: strace adds significant overhead.
4. Not Following Child Processes
Section titled “4. Not Following Child Processes”WRONG:
# Only tracing main processstrace -p $(pgrep nginx)# Missing fork() childrenCORRECT:
# Follow forksstrace -f -p $(pgrep nginx)strace -ff -p $(pgrep nginx) # Separate files per childWhy: Many services fork child processes.
5. Ignoring Return Values
Section titled “5. Ignoring Return Values”WRONG:
# Not checking for errorsstrace -e trace=open ./script# Just looking at what opensCORRECT:
# Show failed callsstrace -e trace=open,openat ./script 2>&1 | grep -v "= -1"
# Show only errorsstrace -z -p $(pgrep nginx) # Show only successful callsstrace -Z -p $(pgrep nginx) # Show only failed callsWhy: Failed syscalls often indicate the actual problem.
Summary
Section titled “Summary”In this chapter, you learned:
- ✅ System call concepts and architecture
- ✅ strace fundamentals and usage
- ✅ Common system calls
- ✅ Practical troubleshooting examples
- ✅ ltrace for library calls
- ✅ Performance analysis with strace
- ✅ Best practices
Next Chapter
Section titled “Next Chapter”Chapter 88: tcpdump and Wireshark
Last Updated: February 2026