Syscall trace with strace

One of the most effective tools for understanding system behavior is the strace command, which allows you to trace the system calls made by a process. In this blog post, we’ll explore the basics of system call tracing with strace and demonstrate its capabilities.

What is System Call Tracing?

System call tracing is the process of monitoring and analyzing the system calls made by a process. System calls are the interface between user-space applications and the kernel, and they are how applications interact with the operating system. By tracing system calls, you can gain insights into how a process interacts with the kernel, identify performance bottlenecks, and troubleshoot issues.

Installing Strace

Strace is available on most Linux distributions and can be installed using the package manager. On Ubuntu-based systems, you can install it using the following command:

sudo apt-get install strace

On RPM-based systems like CentOS, you can install it using:

sudo yum install strace

Basic Usage:

strace <command> [arguments]

Common Options and Filters

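Using -r (relative timestamps)

strace -r -o strace_output ./addsub_debug 2 4

Using -t (timestamp each line with the time of day)

strace -t -o strace_output ./addsub_debug 2 4

Using -o (write the trace to an output file)

strace -o strace_output ./addsub_debug 2 4

strace options such as -o must come before the traced command; anything placed after the command is passed to the traced program as its own arguments.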

Filtering

Filtering the output to a specific syscall

strace -e write ./addsub_debug 2 4

In the above command, I have filtered for write syscalls.

Attaching to a running process

strace -p <process_id>

Statistics on syscalls

The -c option counts the calls, errors, and time for each syscall and prints a summary when the program exits:

strace -c addsub 2 2
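
A trace saved with -o can also be summarized after the fact, in the same spirit as -c. The following is an added example, not part of the original post: the function names summarize_trace and sample_trace are hypothetical, and the trace lines are constructed to look like output from a run with -r.

```shell
#!/bin/sh
# summarize_trace [FILE]: print "syscall calls errors" for a trace written by
# `strace -o FILE ...`. Handles the pid prefix added by -f and the timestamp
# prefixes added by -r and -t. Reads stdin when no FILE is given.
summarize_trace() {
    awk '
    {
        line = $0
        sub(/^[ 0-9:.]+/, "", line)            # drop pid / timestamp prefix
        if (line ~ /^<\.\.\. [a-z0-9_]+ resumed>/) {
            # Second half of a call split by -f; the call itself was
            # already counted on its "<unfinished ...>" line.
            name = line
            sub(/^<\.\.\. /, "", name)
            sub(/ resumed>.*/, "", name)
        } else if (line ~ /^[a-z_][a-z0-9_]*\(/) {
            name = line
            sub(/\(.*/, "", name)
            calls[name]++
        } else next                            # signal (---) or exit (+++) line
        # A failed call ends in "= -1 ERRNO (description)".
        if (line ~ / = -1 E[A-Z]+ \(/) errs[name]++
    }
    END { for (n in calls) printf "%s %d %d\n", n, calls[n], errs[n] + 0 }
    ' "$@" | LC_ALL=C sort
}

# Constructed sample trace (not captured from a real run).
sample_trace() {
    cat <<'EOF'
     0.000000 execve("./addsub_debug", ["./addsub_debug", "2", "4"], 0x7ffd5c0 /* 24 vars */) = 0
     0.000412 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
     0.000105 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
     0.000098 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
     0.000087 write(1, "2 + 4 = 6\n", 10) = 10
     0.000064 write(1, "2 - 4 = -2\n", 11) = 11
     0.000051 exit_group(0) = ?
     0.000020 +++ exited with 0 +++
EOF
}

sample_trace | summarize_trace
```

The errors column is the quickest way to spot missing files or permission denials in a saved trace without rerunning the program.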

Use Cases for System Call Tracing

System call tracing is useful in various scenarios:

Conclusion

Strace is a powerful tool for understanding system behavior and troubleshooting issues related to system calls. By tracing system calls, you can gain valuable insights into how your applications interact with the kernel and identify potential problems early on. With its flexibility and customization options, strace is an essential tool in any Linux administrator’s toolkit.

Additional Resources

For more information on strace, refer to its man page or online documentation:

man strace

I hope this blog post has provided you with a solid introduction to system call tracing with strace.

Tags: /strace/ /debugging/ /symbol-files/ /syscalls/