Friday 6 September 2013

Strace: Monitor system calls


Introduction

Strace is a small, useful debugging tool that traces the system calls made and the signals received by a program. Internally, strace uses the ptrace system call to trace the system calls the program executes. The resulting list of system calls gives a clear picture of how the program interacts with the kernel.

Installation:

On Ubuntu you can install strace using:
sudo apt-get install strace
On CentOS you can install it with:
yum install strace

Or download strace-4.8.tar.xz and build it from source:
tar xvJf strace-4.8.tar.xz
cd strace-4.8/
./configure
make
make install        (as root or sudoer user)

Use: 

  1. strace who        (By default it prints all the system calls and signals)
    execve("/usr/bin/who", ["who"], [/* 42 vars */]) = 0
    brk(0)                                 = 0x1568000
    access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
    mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2e366b1000
    access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
    open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
    ..
    ..
  2. strace -o output.txt who (-o writes the output of strace to the given file)
    strace who > output.txt
    This writes only the output of the traced command (here, who) to output.txt, not the system calls traced by strace, because strace prints its trace to standard error.
  3. strace -c who (-c counts the number of times each system call is made, without giving the details of each system call)
  4. strace -C who (-C counts the number of times each system call is made and also gives the details of each system call)
  5. strace -e write who (-e traces only the specified system call instead of all of them)
    write(1, "krishna  tty7         2013-09-06"..., 44krishna  tty7         2013-09-06 09:36 (:0)
    ) = 44
    write(1, "krishna  pts/0        2013-09-06"..., 46krishna  pts/0        2013-09-06 12:47 (:0.0)
    ) = 46
    write(1, "krishna  pts/1        2013-09-06"..., 46krishna  pts/1        2013-09-06 11:54 (:0.0)
    ) = 46
    +++ exited with 0 +++

    strace -e trace=read,write who (This traces several system calls at once; the example above traced only one)
  6. We can also trace a process that is already running
    strace -p 2700 (here 2700 is the process ID of the running process)
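
Added example (not part of the original post): a small script that post-processes a file written with strace -o, giving per-call totals like -c and listing which paths the program failed to reach. The function names summarize_trace and failed_paths are made up for this example, and the sample trace reuses the strace who lines shown above.

```shell
#!/bin/sh
# Added example: post-process a trace file written by `strace -o FILE cmd`.

# Per-syscall totals: "name calls failed", similar in spirit to `strace -c`.
summarize_trace() {
    awk '
        # Syscall lines have the shape: name(args) = result [ERRNO (text)]
        /^[a-z_0-9]+\(.*\) += / {
            name = $0
            sub(/\(.*/, "", name)          # keep only the syscall name
            calls[name]++
            if ($0 ~ /\) += -1 E[A-Z]+/)   # -1 plus an errno name = failure
                failed[name]++
        }
        END {
            for (n in calls)
                printf "%s %d %d\n", n, calls[n], failed[n] + 0
        }
    ' "$1" | sort
}

# Failed calls that took a path argument: "ERRNO path".
failed_paths() {
    awk -F'"' '
        /\) += -1 E[A-Z]+/ && NF >= 3 {
            err = $0
            sub(/.*= -1 /, "", err)        # drop everything before the errno
            sub(/ .*/, "", err)            # drop the text after the errno
            print err, $2                  # $2 is the first quoted argument
        }
    ' "$1"
}

# Sample trace: the `strace who` lines shown above, as -o would store them.
sample=$(mktemp)
cat > "$sample" <<'EOF'
execve("/usr/bin/who", ["who"], [/* 42 vars */]) = 0
brk(0)                                 = 0x1568000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f2e366b1000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
+++ exited with 0 +++
EOF

summarize_trace "$sample"
failed_paths "$sample"
rm -f "$sample"
```

Traces taken with -f or containing signal lines have additional line shapes that this script skips.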
