
Index

  • strace - log system calls made by a process
  • ngrep - log every request/response on a port

Reference

strace

Runs a program and shows every system call it makes (opening files, network access, etc.). Useful to troubleshoot which config files are actually being read, for example. Note that `sudo strace ls` runs the traced program itself as root; tracing your own processes does not need sudo, and it is safer to drop it unless the target genuinely requires elevated privileges.

Example:

sudo strace ls

$ sudo strace ls
execve("/bin/ls", ["ls"], [/* 16 vars */]) = 0
brk(NULL)                               = 0x10e0000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd601d0b000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=29290, ...}) = 0
mmap(NULL, 29290, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fd601d03000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260Z\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=130224, ...}) = 0
mmap(NULL, 2234080, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd6018c6000
mprotect(0x7fd6018e5000, 2093056, PROT_NONE) = 0
mmap(0x7fd601ae4000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e000) = 0x7fd601ae4000
mmap(0x7fd601ae6000, 5856, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fd601ae6000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\t\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1864888, ...}) = 0
mmap(NULL, 3967488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd6014fd000
mprotect(0x7fd6016bd000, 2093056, PROT_NONE) = 0
mmap(0x7fd6018bc000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1bf000) = 0x7fd6018bc000
mmap(0x7fd6018c2000, 14848, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fd6018c2000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libpcre.so.3", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\25\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=456632, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd601d02000
mmap(NULL, 2552072, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd60128d000
mprotect(0x7fd6012fb000, 2097152, PROT_NONE) = 0
mmap(0x7fd6014fb000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6e000) = 0x7fd6014fb000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\r\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=14608, ...}) = 0
mmap(NULL, 2109680, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd601089000
mprotect(0x7fd60108c000, 2093056, PROT_NONE) = 0
mmap(0x7fd60128b000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7fd60128b000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360`\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=138744, ...}) = 0
mmap(NULL, 2212904, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd600e6c000
mprotect(0x7fd600e84000, 2093056, PROT_NONE) = 0
mmap(0x7fd601083000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17000) = 0x7fd601083000
mmap(0x7fd601085000, 13352, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fd601085000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd601d01000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd601cff000
arch_prctl(ARCH_SET_FS, 0x7fd601cff800) = 0
mprotect(0x7fd6018bc000, 16384, PROT_READ) = 0
mprotect(0x7fd601083000, 4096, PROT_READ) = 0
mprotect(0x7fd60128b000, 4096, PROT_READ) = 0
mprotect(0x7fd6014fb000, 4096, PROT_READ) = 0
mprotect(0x7fd601ae4000, 4096, PROT_READ) = 0
mprotect(0x61d000, 4096, PROT_READ)     = 0
mprotect(0x7fd601d0d000, 4096, PROT_READ) = 0
munmap(0x7fd601d03000, 29290)           = 0
set_tid_address(0x7fd601cffad0)         = 59459
set_robust_list(0x7fd601cffae0, 24)     = 0
rt_sigaction(SIGRTMIN, {0x7fd600e71b90, [], SA_RESTORER|SA_SIGINFO, 0x7fd600e7d3d0}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x7fd600e71c20, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x7fd600e7d3d0}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
statfs("/sys/fs/selinux", 0x7ffd342101f0) = -1 ENOENT (No such file or directory)
statfs("/selinux", 0x7ffd342101f0)      = -1 ENOENT (No such file or directory)
brk(NULL)                               = 0x10e0000
brk(0x1101000)                          = 0x1101000
open("/proc/filesystems", O_RDONLY)     = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
read(3, "nodev\tsysfs\nnodev\trootfs\nnodev\tr"..., 1024) = 406
read(3, "", 1024)                       = 0
close(3)                                = 0
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=1668976, ...}) = 0
mmap(NULL, 1668976, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fd601b67000
close(3)                                = 0
open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2995, ...}) = 0
read(3, "# Locale name alias data base.\n#"..., 4096) = 2995
read(3, "", 4096)                       = 0
close(3)                                = 0
open("/usr/lib/locale/UTF-8/LC_CTYPE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/share/locale-langpack/UTF-8/LC_CTYPE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
ioctl(1, TCGETS, {B9600 opost isig icanon echo ...}) = 0
ioctl(1, TIOCGWINSZ, {ws_row=22, ws_col=90, ws_xpixel=0, ws_ypixel=0}) = 0
open(".", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
getdents(3, /* 22 entries */, 32768)    = 776
getdents(3, /* 0 entries */, 32768)     = 0
close(3)                                = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
write(1, "libpng\t       pdfnode\t\t\t      pr"..., 67libpng           pdfnode                 prince-10r7-ubuntu16.04-amd64.tar.gz
) = 67
write(1, "npm-debug.log  prince-10r7-ubunt"..., 45npm-debug.log  prince-10r7-ubuntu16.04-amd64
) = 45
close(1)                                = 0
close(2)                                = 0
exit_group(0)                           = ?
+++ exited with 0 +++

ngrep

Shows every request/response passing through a given port (port 80 in the example below). Packet capture requires root, and only plaintext protocols such as HTTP are readable this way; TLS traffic shows up as opaque bytes.

Example:

sudo ngrep -W byline port 80

interface: eth0 (100.107.146.0/255.255.254.0)
filter: (ip or ip6) and ( port 80 )
####
T 109.49.147.232:50379 -> 100.107.146.182:80 [AP]
GET / HTTP/1.1.
Host: pdfnode.cloudapp.net.
Connection: keep-alive.
Cache-Control: max-age=0.
Upgrade-Insecure-Requests: 1.
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36.
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8.
Accept-Encoding: gzip, deflate, sdch.
Accept-Language: en-US,en;q=0.8.
If-None-Match: W/"3e-JchkS395oLtjiIHpLjU1HA".
.

##
T 100.107.146.182:80 -> 109.49.147.232:50379 [AP]
HTTP/1.1 304 Not Modified.
Server: nginx/1.10.0 (Ubuntu).
Date: Wed, 21 Sep 2016 08:58:52 GMT.
Connection: keep-alive.
X-Powered-By: Express.
ETag: W/"3e-JchkS395oLtjiIHpLjU1HA".
.

#

