How should strace be used on Linux?

strace is a powerful Linux utility that traces system calls and signals made by a process. It provides detailed insights into how programs interact with the kernel, making it essential for debugging, performance analysis, and understanding program behavior.

The strace command intercepts and records all system calls made by a process, including file operations, memory allocation, network communication, and signal handling. This makes it invaluable for diagnosing issues, monitoring system activity, and learning how programs work internally.

Installation

Before using strace, install it on your system using the appropriate package manager −

Ubuntu/Debian

sudo apt install strace

CentOS/RedHat

sudo yum install strace

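macOS

strace is not available on macOS. The Homebrew strace formula installs only under Homebrew on Linux, where the command is −

brew install strace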

Basic Usage

Tracing a Command

To trace all system calls made by a command, prefix it with strace −

strace df -h

execve("/bin/df", ["df", "-h"], 0x7fff5fbff870 /* 31 vars */) = 0
brk(NULL)                               = 0x888000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=103200, ...}) = 0
mmap(NULL, 103200, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f8b8c6d8000
close(3)                               = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
...

Attaching to Running Process

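To trace an existing process, use the -p option with the process ID. Attaching uses ptrace, so you must own the process or run strace as root, and on systems with the Yama security module the kernel.yama.ptrace_scope sysctl can restrict attaching even to your own processes −

strace -p 1924

strace: Process 1924 attached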
select(11, [9 10], NULL, NULL, {tv_sec=0, tv_usec=9427}) = 0 (Timeout)
select(11, [9 10], NULL, NULL, {tv_sec=0, tv_usec=10000}) = 0 (Timeout)
read(9, 0x7fff8a5c4bf0, 4096)         = -1 EAGAIN (Resource temporarily unavailable)
...

Common Options

Option  Description                             Example
-c      Count system calls and show a summary   strace -c ls
-t      Prefix each line with the time of day   strace -t df
-e      Trace only the specified system calls   strace -e trace=openat ls
-f      Follow child processes                  strace -f ./program
-o      Write the trace to a file               strace -o trace.log ls

Practical Examples

Filtering File Operations

To trace only file-related system calls −

strace -e trace=file ls /tmp

Monitoring Network Calls

To trace network-related system calls −

strace -e trace=network curl https://example.com

Performance Analysis

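To get a summary of system call usage sorted by time spent, use -c with -S time. strace writes the summary to standard error, so discard the traced command's standard output rather than its standard error −

strace -c -S time find /usr -name "*.so" > /dev/null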

Key Use Cases

  • Debugging − Identify failed system calls and error conditions

  • Performance Analysis − Find bottlenecks in file I/O or system call patterns

  • Security Auditing − Monitor file access and network connections

  • Learning − Understand how programs interact with the operating system

  • Troubleshooting − Diagnose permission issues, missing files, or configuration problems
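
The debugging and security auditing use cases above come down to reading a trace for failed calls, file access and connections. As an added example (not part of the original article), the Python script below parses a constructed strace log and reports denied paths, missing paths, IPv4 connect targets and errno counts; the sample lines, paths, PID and function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample (not from a real run) in the format written by
# strace -f -e trace=file,network -o trace.log <command>; -f with -o adds the PID.
SAMPLE_TRACE = """\
4121 execve("/usr/bin/curl", ["curl", "https://example.com"], 0x7ffd1c /* 24 vars */) = 0
4121 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
4121 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4121 openat(AT_FDCWD, "/home/app/.curlrc", O_RDONLY) = -1 ENOENT (No such file or directory)
4121 openat(AT_FDCWD, "/etc/ssl/private/site.key", O_RDONLY) = -1 EACCES (Permission denied)
4121 connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 EINPROGRESS (Operation now in progress)
4121 +++ exited with 0 +++
"""

# Optional PID, syscall(args) = return value, optional errno name.
# Signal, exit and "<unfinished ...>" lines do not match and are skipped.
LINE_RE = re.compile(
    r'^(?P<pid>\d+)?\s*(?P<call>\w+)\((?P<args>.*)\)\s+=\s+'
    r'(?P<ret>0x[0-9a-f]+|-?\d+|\?)(?:\s+(?P<errno>E[A-Z0-9]+))?')
PATH_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # first quoted argument
ADDR_RE = re.compile(r'sin_port=htons\((\d+)\).*?inet_addr\("([^"]+)"\)')
BENIGN = {"EINPROGRESS", "EAGAIN"}  # normal for non-blocking I/O, not failures

def parse(trace):
    """Yield (pid, call, args, ret, errno) for each completed syscall line."""
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("pid", "call", "args", "ret", "errno")

def audit(trace):
    """Summarise denied paths, missing paths, IPv4 connects and errno counts."""
    report = {"denied": [], "missing": [], "connects": [], "errors": Counter()}
    for _pid, call, args, _ret, errno in parse(trace):
        if errno and errno not in BENIGN:
            report["errors"][errno] += 1
        path = PATH_RE.search(args)
        if path and errno in ("EACCES", "EPERM"):
            report["denied"].append((call, path.group(1)))
        elif path and errno == "ENOENT":
            report["missing"].append((call, path.group(1)))
        addr = ADDR_RE.search(args) if call == "connect" else None
        if addr:
            report["connects"].append((addr.group(2), int(addr.group(1))))
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_TRACE))
```

To use it on a real trace, pass audit() the contents of a file written with strace -f -e trace=file,network -o trace.log.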

Conclusion

strace is an essential diagnostic tool for Linux system administrators and developers. It provides deep visibility into program behavior by tracing system calls, making it invaluable for debugging, performance analysis, and understanding how applications interact with the kernel.

Updated on: 2026-03-17T09:01:38+05:30
