
@graste
Last active October 30, 2024 04:48
strace process for network and memory and other syscalls

File activity

strace -e trace=file -fp PID (file syscalls) or strace -e trace=desc -fp PID (file descriptor syscalls)

Common calls:

  • access
  • close – close file handle
  • fchmod – change file permissions
  • fchown – change file ownership
  • fstat – retrieve details
  • lseek – move through file
  • open – open file for reading/writing
  • read – read a piece of data
  • statfs – retrieve file system related details

Network activity

strace -o /tmp/strace.out -s 10000 -e trace=network -fp PID

Common syscalls:

  • bind – link the process to a network port
  • listen – mark a socket as accepting incoming connections
  • socket – open a local or network socket
  • setsockopt – define options for an active socket

Reads and writes to the sockets can be traced via trace=desc.

Memory activity

strace -e trace=memory -fp PID

Common syscalls:

  • mmap
  • munmap

strace cli options

  • -c – summary statistics of calls, errors and time spent per syscall (combine with -S for sorting)
  • -f – also trace child processes created by fork/clone
  • -o somefile.out – write output to a file
  • -p PID – trace a running process by PID
  • -P /tmp – trace only syscalls that access the given path
  • -s 10000 – maximum string size to output (32 by default)
  • -T – include syscall duration in output

Tracking via specific system call group:

  • -e trace=ipc – communication between processes (IPC)
  • -e trace=memory – memory syscalls
  • -e trace=network – network syscalls
  • -e trace=process – process calls (like fork, exec)
  • -e trace=signal – process signal handling (like HUP, exit)
  • -e trace=file – file related syscalls
  • -e trace=desc – all file descriptor related system calls

Tracing multiple syscalls

Monitor opening/closing of files via strace -e open,close
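The file, network and cli-option sections above describe how to capture a trace; what a defender usually does next is read the resulting log for failed file opens and outbound connections. The script below is an added example, not part of the original gist: it captures a trace with the options listed above (-f, -s, -o, -e trace=...) when strace is usable, and otherwise summarises a constructed sample log. It assumes strace's default line format (optional "[pid N] " prefix, then "name(args) = result"); the function names and the sample trace are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original gist: capture an strace log with the
# options listed above and summarise it offline (which paths were touched, which
# opens failed, which remote endpoints were contacted, per-syscall counts).
# Assumes strace's default line format: optional "[pid N] " prefix, then
# "name(args) = result". Function names are this example's own.

# Constructed sample of "strace -f -e trace=file,network" output (not real captured data).
SAMPLE_TRACE='[pid 4242] openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
[pid 4242] openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
[pid 4243] socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
[pid 4243] connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
[pid 4242] access("/tmp/out.log", W_OK) = 0
[pid 4242] openat(AT_FDCWD, "/tmp/out.log", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 5
[pid 4242] +++ exited with 0 +++'

# Live capture: trace a command and its children (-f), keep long strings (-s),
# write to a log (-o), restricted to the file and network syscall groups.
trace_command() {
    log="${1:?usage: trace_command LOGFILE CMD [ARGS...]}"
    shift
    strace -f -s 10000 -o "$log" -e trace=file,network -- "$@"
}

# Per-syscall call counts from a saved log (like -c, but computed from a file).
# Prints "name count", most frequent first, ties alphabetical.
count_syscalls() {
    awk '
        { line = $0; sub(/^\[pid +[0-9]+\] +/, "", line) }
        line ~ /^[a-z0-9_]+\(/ { name = line; sub(/\(.*/, "", name); n[name]++ }
        END { for (k in n) print k, n[k] }
    ' | sort -k2,2nr -k1,1
}

# Every path touched via file syscalls, with OK or FAIL:ERRNO.
# Failed opens (EACCES, ENOENT) are the lines worth a second look.
file_access_report() {
    awk '
        { line = $0; sub(/^\[pid +[0-9]+\] +/, "", line) }
        line ~ /^(open|openat|access|stat|lstat|statfs)\(/ && match(line, /"[^"]*"/) {
            path = substr(line, RSTART + 1, RLENGTH - 2)   # first quoted argument
            ret = line; sub(/.*= */, "", ret)              # text after " = "
            if (ret ~ /^-1/) {
                err = ret; sub(/^-1 +/, "", err); sub(/ .*/, "", err)
                print path, "FAIL:" err
            } else {
                print path, "OK"
            }
        }
    '
}

# Remote IPv4 endpoints from connect() calls, printed as ADDR:PORT.
connect_targets() {
    sed -n 's/.*connect(.*sin_port=htons(\([0-9]*\)).*inet_addr("\([^"]*\)").*/\2:\1/p'
}

# Stand-alone run: trace "true" live when strace is usable (ptrace may be
# blocked in containers), otherwise fall back to the constructed sample.
LOG="${TMPDIR:-/tmp}/strace-example.$$"
if command -v strace >/dev/null 2>&1 && trace_command "$LOG" true 2>/dev/null; then
    INPUT="$(cat "$LOG")"; rm -f "$LOG"
else
    INPUT="$SAMPLE_TRACE"
fi
echo "== syscall counts =="; printf '%s\n' "$INPUT" | count_syscalls
echo "== file access =="; printf '%s\n' "$INPUT" | file_access_report
echo "== connect targets =="; printf '%s\n' "$INPUT" | connect_targets
```

The three summaries are deliberately separate functions so each can be piped into whatever you already use for triage: a FAIL:EACCES on a sensitive path or an unexpected connect target is a quick signal that a process is doing more than its job description says, and the per-syscall counts give the same overview as -c without having to re-run the trace.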

@saveshodhan

saveshodhan commented Jan 19, 2018

I think the -e trace=network should mention "network syscalls" instead of "memory syscalls".
Also, you may mention -e trace=desc in the "strace cli options" section under "Tracking via specific system call group" as well. Although you have mentioned it at the top, it would be good to add it here too, as this consolidates the options for the -e switch?

From man strace -

-e trace=desc
    Trace all file descriptor related system calls.

@graste

graste commented Nov 28, 2019

Thanks. Changed it. 👍

@SOF3

SOF3 commented Feb 7, 2023

While socket connections are traced by trace=network, reads/writes to the sockets shall be traced by trace=desc.

@tacerus

tacerus commented Jul 30, 2024

network is deprecated in favor of %network.
