
strace Cheatsheet



strace traces system calls and signals. It monitors the interactions between a process and the Linux kernel, which makes it essential for debugging, performance analysis, and security auditing.


Basic Usage

  • strace command - Trace command execution
  • strace -p PID - Attach to running process
  • strace -e trace=open command - Trace specific calls
  • strace -c command - Summary statistics
  • strace -f command - Follow child processes

Common Options

  • -p PID - Attach to process
  • -f - Follow child processes
  • -ff - Separate output per process/thread (with -o file, written to file.PID)
  • -c - Count calls and time
  • -e trace=set - Trace specific calls
  • -e trace=file - Trace file operations
  • -e trace=network - Trace network calls
  • -e trace=process - Trace process calls
  • -e trace=signal - Trace signals
  • -e trace=desc - Trace file descriptor operations
  • -e trace=ipc - Trace IPC calls
  • -o file - Output to file
  • -s size - String length limit
  • -v - Verbose
  • -t - Print timestamp
  • -tt - Print timestamp with microseconds
  • -T - Show time spent in calls
  • -r - Relative timestamp
  • -x - Print non-ASCII in hex
  • -xx - Print all strings in hex
  • -y - Print paths associated with file descriptors
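  • -P path - Trace only system calls that access this path
  • -b execve - Detach from the traced process when it calls execve
  • -D - Run the tracer as a detached grandchild instead of as the parent of the traced process
  • -q - Suppress attach/detach messages
  • -qq - Also suppress process exit status messages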

Trace Sets

  • file - File operations
  • network - Network operations
  • process - Process operations
  • signal - Signal operations
  • desc - File descriptor operations
  • ipc - IPC operations
  • memory - Memory operations
  • all - All system calls

Common Examples

Trace Command

strace ls

Trace all system calls.

Attach to Process

strace -p 1234

Attach to running process.

Summary Statistics

strace -c command

Show call counts and timing.

Trace File Operations

strace -e trace=file command

Only file-related calls.

Trace Network

strace -e trace=network command

Only network calls.

Follow Children

strace -f command

Include child processes.

With Timestamps

strace -tt command

Show timestamps with microseconds.

Show Time Spent

strace -T command

Show time spent in each call.

Output to File

strace -o trace.log command

Save trace to file.

Trace Specific Call

strace -e trace=open,openat command

Trace specific system calls.


Tips

  • Use -c for quick performance overview
  • Use -e trace=file for file debugging
  • Use -e trace=network for network debugging
  • Use -f to trace multi-process applications
  • Use -T to see slow system calls
  • Use -o to save traces for analysis
  • Essential for debugging system issues
  • Great for security auditing
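
The tips on saving traces with -o and on security auditing, as an added example that is not part of the original cheatsheet: a Python script that reads the text written by strace -f -o trace.log, rejoins calls that -f split into "<unfinished ...>" and "resumed" halves, and lists executed binaries, permission-denied opens and IPv4 connect targets. The sample trace (PIDs, paths, addresses) is constructed, and the names parse_trace and audit are hypothetical.

```python
import re

# Constructed sample in the format written by `strace -f -o trace.log` (not a real capture).
SAMPLE_TRACE = '''\
4101 execve("/usr/bin/curl", ["curl", "http://192.0.2.10/"], 0x7ffd2c1e8a40 /* 12 vars */) = 0
4101 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4101 openat(AT_FDCWD, "/etc/ssl/private/key.pem", O_RDONLY) = -1 EACCES (Permission denied)
4102 connect(5, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.0.2.10")}, 16 <unfinished ...>
4101 openat(AT_FDCWD, "/home/user/.netrc", O_RDONLY) = -1 ENOENT (No such file or directory)
4102 <... connect resumed>) = 0
4101 +++ exited with 0 +++
'''

UNFINISHED = ' <unfinished ...>'
RESUMED = re.compile(r'^<\.\.\. \w+ resumed>\s*(.*)$')
CALL = re.compile(r'^(\w+)\((.*)\)\s+= (0x[0-9a-f]+|-?\d+|\?)(?: (E[A-Z0-9]+) )?')
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
INET = re.compile(r'htons\((\d+)\).*?inet_addr\("([^"]+)"\)')

def parse_trace(text):
    """Yield (pid, syscall, args, errno), rejoining calls split by -f interleaving."""
    pending = {}  # pid -> first half of a call that another process interrupted
    for line in text.splitlines():
        pid, _, rest = line.partition(' ')
        if not pid.isdigit():
            continue
        rest = rest.lstrip()
        if rest.endswith(UNFINISHED):
            pending[pid] = rest[:-len(UNFINISHED)]
            continue
        resumed = RESUMED.match(rest)
        if resumed:
            rest = pending.pop(pid, '') + resumed.group(1)
        call = CALL.match(rest)
        if call:  # signal and "+++ exited" lines do not match and are skipped
            yield int(pid), call.group(1), call.group(2), call.group(4)

def audit(text):
    """Collect executed binaries, permission-denied opens and IPv4 connect targets."""
    report = {'exec': [], 'denied': [], 'connect': []}
    for pid, name, args, errno in parse_trace(text):
        path = QUOTED.search(args)  # first quoted argument is the path for these calls
        if name == 'execve' and path:
            report['exec'].append(path.group(1))
        elif name in ('open', 'openat') and errno in ('EACCES', 'EPERM') and path:
            report['denied'].append(path.group(1))
        elif name == 'connect' and (peer := INET.search(args)):
            report['connect'].append((pid, f'{peer.group(2)}:{peer.group(1)}'))
    return report
```

To use it on a real capture, pass the contents of the file written by -o to audit().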