Welcome to Linux Knowledge Base and Tutorial
"The place where you learn linux"
Let The Music Play: Join EFF Today

 Create an AccountHome | Submit News | Your Account  

Tutorial Menu
Linux Tutorial Home
Table of Contents

· Introduction to Operating Systems
· Linux Basics
· Working with the System
· Shells and Utilities
· Editing Files
· Basic Administration
· The Operating System
· The X Windowing System
· The Computer Itself
· Networking
· System Monitoring
· Solving Problems
· Security
· Installing and Upgrading
· Linux and Windows

Man Pages
Linux Topics
Test Your Knowledge

Site Menu
Site Map
Copyright Info
Terms of Use
Privacy Info
Masthead / Impressum
Your Account

Private Messages

News Archive
Submit News
User Articles
Web Links


The Web

Who's Online
There are currently, 56 guest(s) and 0 member(s) that are online.

You are an Anonymous user. You can register for free by clicking here




       strace  [ -dffhiqrtttTvxx ] [ -acolumn ] [ -eexpr ] ...  [
       -ofile ] [ -ppid ] ...  [ -sstrsize ]  [  -uusername  ]  [
       -Evar=val ] ...  [ -Evar ] ...  [ command [ arg ...  ] ]

       strace  -c  [  -eexpr ] ...  [ -Ooverhead ] [ -Ssortby ] [
       command [ arg ...  ] ]


       In the simplest case strace  runs  the  specified  command
       until  it  exits.   It  intercepts  and records the system
       calls which are called by a process and the signals  which
       are  received by a process.  The name of each system call,
       its arguments and its return value are printed on standard
       error or to the file specified with the -o option.

       strace  is  a useful diagnostic, instructional, and debug­
       ging tool.  System adminstrators, diagnosticians and trou­
       ble-shooters  will find it invaluable for solving problems
       with programs for which the source is not  readily  avail­
       able  since  they do not need to be recompiled in order to
       trace them.  Students, hackers and the overly-curious will
       find  that  a great deal can be learned about a system and
       its system calls by tracing even ordinary  programs.   And
       programmers  will find that since system calls and signals
       are events that happen at  the  user/kernel  interface,  a
       close  examination of this boundary is very useful for bug
       isolation, sanity checking and attempting to capture  race

       Each line in the trace contains the system call name, fol­
       lowed by its  arguments  in  parentheses  and  its  return
       value.    An  example  from  stracing  the  command  ``cat
       /dev/null'' is:

       open("/dev/null", O_RDONLY) = 3

       Errors (typically a return value of  -1)  have  the  errno
       symbol and error string appended.

       open("/foo/bar", O_RDONLY) = -1 ENOENT (No such file or directory)

       Signals  are  printed  as  a  signal  symbol  and a signal
       string.  An excerpt from  stracing  and  interrupting  the
       command ``sleep 666'' is:

       sigsuspend([] <unfinished ...>
       --- SIGINT (Interrupt) ---
       +++ killed by SIGINT +++

       Arguments  are  printed  in  symbolic form with a passion.
       This example shows the shell peforming ``>>xyzzy''  output
       matted  in the most C-like fashion possible.  For example,
       the essence of the command ``ls -l /dev/null'' is captured

       lstat("/dev/null", {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 3), ...}) = 0

       Notice  how the `struct stat' argument is dereferenced and
       how each member is displayed symbolically.  In particular,
       observe how the st_mode member is carefully decoded into a
       bitwise-OR of symbolic and numeric values.  Also notice in
       this  example that the first argument to lstat is an input
       to the system call and the second argument is  an  output.
       Since output arguments are not modified if the system call
       fails, arguments may  not  always  be  dereferenced.   For
       example,  retrying  the ``ls -l'' example with a non-exis­
       tent file produces the following line:

       lstat("/foo/bar", 0xb004) = -1 ENOENT (No such file or directory)

       In this case the porch light is on but nobody is home.

       Character pointers  are  dereferenced  and  printed  as  C
       strings.   Non-printing characters in strings are normally
       represented by ordinary C escape codes.   Only  the  first
       strsize  (32  by  default)  bytes  of strings are printed;
       longer strings have an  ellipsis  appended  following  the
       closing  quote.   Here  is a line from ``ls -l'' where the
       getpwuid library routine is reading the password file:

       read(3, "root::0:0:System Administrator:/"..., 1024) = 422

       While structures are annotated using curly braces,  simple
       pointers and arrays are printed using square brackets with
       commas separating elements.  Here is an example  from  the
       command ``id'' on a system with supplementary group ids:

       getgroups(32, [100, 0]) = 2

       On  the  other  hand, bit-sets are also shown using square
       brackets but set elements are separated only by  a  space.
       Here  is  the  shell preparing to execute an external com­

       sigprocmask(SIG_BLOCK, [CHLD TTOU], []) = 0

       Here the second argument is  a  bit-set  of  two  signals,
       SIGCHLD and SIGTTOU.  In some cases the bit-set is so full
       that printing out the unset elements is more valuable.  In
       that case, the bit-set is prefixed by a tilde like this:

       sigprocmask(SIG_UNBLOCK, ~[], NULL) = 0

                   new process is attached to as  soon  as
                   its  pid  is  known (through the return
                   value of fork(2)  in  the  parent  pro­
                   cess).  This  means  that such children
                   may run uncontrolled for a while (espe­
                   cially  in  the  case  of  a vfork(2)),
                   until the parent is scheduled again  to
                   complete  its  (v)fork(2) call.  If the
                   parent process decides to wait(2) for a
                   child  that  is currently being traced,
                   it is suspended  until  an  appropriate
                   child   process  either  terminates  or
                   incurs a signal that would cause it  to
                   terminate   (as   determined  from  the
                   child's current signal disposition).

       -ff         If the -o filename option is in effect,
                   each  processes  trace  is  written  to
                   filename.pid where pid is  the  numeric
                   process id of each process.

       -F          Attempt  to  follow  vforks.  (On SunOS
                   4.x, this  is  accomplished  with  some
                   dynamic linking trickery.  On Linux, it
                   requires some kernel functionality  not
                   yet  in  the  standard kernel.)  Other­
                   wise, vforks will not be followed  even
                   if -f has been given.

       -h          Print the help summary.

       -i          Print  the  instruction  pointer at the
                   time of the system call.

       -q          Suppress  messages   about   attaching,
                   detaching  etc.  This happens automati­
                   cally when output is  redirected  to  a
                   file  and  the  command is run directly
                   instead of attaching.

       -r          Print a relative timestamp  upon  entry
                   to  each system call.  This records the
                   time difference between  the  beginning
                   of successive system calls.

       -t          Prefix  each line of the trace with the
                   time of day.

       -tt         If given twice, the time  printed  will
                   include the microseconds.

       -ttt        If  given thrice, the time printed will
                   members.  Use this option to get all of
                   the gory details.

       -V          Print the version number of strace.

       -x          Print all non-ASCII strings in hexadec­
                   imal string format.

       -xx         Print all strings in hexadecimal string

       -a column   Align  return values in a specific col­
                   umn (default column 40).

       -e expr     A qualifying expression which  modifies
                   which  events  to trace or how to trace
                   them.  The format of the expression is:


                   where  qualifier  is  one   of   trace,
                   abbrev,  verbose, raw, signal, read, or
                   write and value is  a  qualifier-depen­
                   dent  symbol  or  number.   The default
                   qualifier is trace.  Using an  exclama­
                   tion  mark  negates  the set of values.
                   For example, -eopen means literally  -e
                   trace=open  which  in  turn means trace
                   only the open  system  call.   By  con­
                   trast,  -etrace=!open  means  to  trace
                   every  system  call  except  open.   In
                   addition,  the  special  values all and
                   none have the obvious meanings.

                   Note that some shells use the  exclama­
                   tion  point  for history expansion even
                   inside quoted arguments.   If  so,  you
                   must  escape the exclamation point with
                   a backslash.

       -e trace=set
                   Trace only the specified set of  system
                   calls.   The  -c  option  is useful for
                   determining which system calls might be
                   useful    to   trace.    For   example,
                   trace=open,close,read,write  means   to
                   only trace those four system calls.  Be
                   careful when  making  inferences  about
                   the user/kernel boundary if only a sub­
                   set of system  calls  are  being  moni­
                   tored.  The default is trace=all.
                   Trace  all  system  calls which involve
                   process management.  This is useful for
                   watching the fork, wait, and exec steps
                   of a process.

       -e trace=network
                   Trace all the  network  related  system

       -e trace=signal
                   Trace  all signal related system calls.

       -e trace=ipc
                   Trace all IPC related system calls.

       -e abbrev=set
                   Abbreviate  the  output  from  printing
                   each  member  of large structures.  The
                   default is abbrev=all.  The  -v  option
                   has the effect of abbrev=none.

       -e verbose=set
                   Dereference  structures  for the speci­
                   fied set of system calls.  The  default
                   is verbose=all.

       -e raw=set  Print  raw, undecoded arguments for the
                   specifed set  of  system  calls.   This
                   option  has  the  effect of causing all
                   arguments to be printed in hexadecimal.
                   This  is  mostly  useful  if  you don't
                   trust the decoding or you need to  know
                   the  actual  numeric  value of an argu­

       -e signal=set
                   Trace only the specified subset of sig­
                   nals.   The default is signal=all.  For
                   example, signal=!SIGIO (or  signal=!io)
                   causes  SIGIO signals not to be traced.

       -e read=set Perform a full  hexadecimal  and  ASCII
                   dump  of  all  the  data read from file
                   descriptors  listed  in  the  specified
                   set.   For  example,  to  see all input
                   activity on file descriptors  3  and  5
                   use  -e  read=3,5.   Note  that this is
                   independent from the normal tracing  of
                   the  read(2)  system call which is con­
                   trolled by the option -e trace=read.

       -e write=set
                   then  the  rest  of  the  argument   is
                   treated  as a command and all output is
                   piped to it.  This  is  convenient  for
                   piping  the  debugging output to a pro­
                   gram without affecting the redirections
                   of executed programs.

       -O overhead Set  the  overhead  for  tracing system
                   calls to overhead  microseconds.   This
                   is  useful  for  overriding the default
                   heuristic for guessing how much time is
                   spent  in  mere  measuring  when timing
                   system calls using the -c option.   The
                   acuracy  of the heuristic can be gauged
                   by timing a given program  run  without
                   tracing  (using  time(1)) and comparing
                   the accumulated system call time to the
                   total produced using -c.

       -p pid      Attach  to the process with the process
                   ID pid and begin  tracing.   The  trace
                   may be terminated at any time by a key­
                   board   interrupt   signal    (CTRL-C).
                   strace will respond by detaching itself
                   from the traced process(es) leaving  it
                   (them)  to  continue running.  Multiple
                   -p options can be used to attach to  up
                   to  32 processes in addition to command
                   (which is optional if at least  one  -p
                   option is given).

       -s strsize  Specify  the  maximum  string  size  to
                   print (the default is 32).   Note  that
                   filenames  are  not  considered strings
                   and are always printed in full.

       -S sortby   Sort  the  output  of   the   histogram
                   printed  by the -c option by the speci­
                   fied critereon.  Legal values are time,
                   calls,   name,   and  nothing  (default

       -u username Run command with the user ID, group ID,
                   and  supplementary  groups of username.
                   This option is only useful when running
                   as  root and enables the correct execu­
                   tion of setuid and/or setgid  binaries.
                   Unless  this  option is used setuid and
                   setgid programs  are  executed  without
                   effective privileges.

       -E var=val  Run command with var=val in its list of
       install strace as setuid to root when the users who
       can execute it are restricted to  those  users  who
       have  this  trust.   For example, it makes sense to
       install a  special  version  of  strace  with  mode
       `rwsr-xr--',  user root and group trace, where mem­
       bers of the trace group are trusted users.  If  you
       do  use  this feature, please remember to install a
       non-setuid version of strace for ordinary lusers to


       ptrace(2), proc(4), time(1), trace(1), truss(1)


       It  is  a pity that so much tracing clutter is pro­
       duced by systems employing shared libraries.

       It is instructive to think about system call inputs
       and  outputs  as  data-flow  across the user/kernel
       boundary.  Because user-space and kernel-space  are
       separate  and  address-protected,  it  is sometimes
       possible to make deductive inferences about process
       behavior  using inputs and outputs as propositions.

       In some cases, a system call will differ  from  the
       documented  behavior or have a different name.  For
       example,  on  System  V-derived  systems  the  true
       time(2)  system  call does not take an argument and
       the stat function is  called  xstat  and  takes  an
       extra  leading  argument.   These discrepancies are
       normal but  idiosyncratic  characteristics  of  the
       system  call  interface  and are accounted for by C
       library wrapper functions.

       On some platforms a process that has a system  call
       trace applied to it with the -p option will receive
       a SIGSTOP.  This signal may interrupt a system call
       that  is  not restartable.  This may have an unpre­
       dictable effect on the process if the process takes
       no action to restart the system call.


       Programs that use the setuid bit do not have effec­
       tive user ID privileges while being traced.

       A traced process ignores  SIGSTOP  except  on  SVR4

       A  traced process which tries to block SIGTRAP will
       be sent a SIGSTOP in an attempt to force  continua­
       tion of tracing.

       utility.  The SunOS version of strace was ported to
       Linux  and  enhanced  by Branko Lankester, who also
       wrote the Linux kernel support.  Even  though  Paul
       released  strace  2.5  in  1992,  Branko's work was
       based on Paul's strace 1.5 release from  1991.   In
       1993,  Rick Sladkey merged strace 2.5 for SunOS and
       the second release of strace for Linux, added  many
       of the features of truss(1) from SVR4, and produced
       an strace that worked on both platforms.   In  1994
       Rick  ported  strace  to SVR4 and Solaris and wrote
       the automatic configuration support.   In  1995  he
       ported  strace  to  Irix and tired of writing about
       himself in the third person.


       Problems with strace should  be  reported  via  the
       Debian  Bug Tracking System, or to the strace mail­
       ing list at <strace-devel@lists.sourceforge.net>.

                            2003-01-21                  STRACE(1)
Show your Support for the Linux Tutorial

Purchase one of the products from our new online shop. For each product you purchase, the Linux Tutorial gets a portion of the proceeds to help keep us going.



Security Code
Security Code
Type Security Code

Don't have an account yet? You can create one. As a registered user you have some advantages like theme manager, comments configuration and post comments with your name.

Help if you can!

Amazon Wish List

Did You Know?
You can get all the latest Site and Linux news by checking out our news page.


Tell a Friend About Us

Bookmark and Share

Web site powered by PHP-Nuke

Is this information useful? At the very least you can help by spreading the word to your favorite newsgroups, mailing lists and forums.
All logos and trademarks in this site are property of their respective owner. The comments are property of their posters. Articles are the property of their respective owners. Unless otherwise stated in the body of the article, article content (C) 1994-2013 by James Mohr. All rights reserved. The stylized page/paper, as well as the terms "The Linux Tutorial", "The Linux Server Tutorial", "The Linux Knowledge Base and Tutorial" and "The place where you learn Linux" are service marks of James Mohr. All rights reserved.
The Linux Knowledge Base and Tutorial may contain links to sites on the Internet, which are owned and operated by third parties. The Linux Tutorial is not responsible for the content of any such third-party site. By viewing/utilizing this web site, you have agreed to our disclaimer, terms of use and privacy policy. Use of automated download software ("harvesters") such as wget, httrack, etc. causes the site to quickly exceed its bandwidth limitation and are therefore expressly prohibited. For more details on this, take a look here

PHP-Nuke Copyright © 2004 by Francisco Burzi. This is free software, and you may redistribute it under the GPL. PHP-Nuke comes with absolutely no warranty, for details, see the license.
Page Generation: 0.09 Seconds