strace is a system call tracer. It shows which kernel system calls a
program makes and which signals it receives.
(attach to a running process)
strace -p <pid>
(run a command under strace)
strace <command>
(trace a single system call)
strace -e open
(trace multiple system calls)
strace -e trace=open,read ls /home
(save the output)
strace -o output.txt
(count the number of calls)
strace -c ls /home
(trace all system calls that access a particular path)
strace -P /etc/cups -p 2261
common calls:
access (check whether the caller may access a file)
close (close file handle)
fchmod (change file permissions)
fchown (change file ownership)
fstat (retrieve file details)
lseek (move through file)
open (open file for reading/writing)
read (read a piece of data)
statfs (retrieve file system related details)
===
strace -e trace=network
bind – bind a socket to a local address and port
listen – allow the socket to receive incoming connections
socket – open a local or network socket
setsockopt – define options for an active socket
strace -e trace=memory
mmap (map a file or memory region into the process address space)
munmap (remove a mapping)
===
example:
check which files are opened when a user connects with ssh.
# ps -ef | grep /usr/sbin/sshd
root 7448 1 0 09:36 ? 00:00:00 /usr/sbin/sshd
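# strace -e open -f -p 7448 -o sshout
-e trace only the open system call (current glibc usually issues openat instead, so use -e trace=open,openat to catch both)
-f follow child processes
-p attach to the given pid
-o save the output to a file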
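
To review a file like sshout afterwards, this added example (not part of the original notes) parses `strace -f -o` output and lists every open/openat call with its PID and outcome, including calls split across `<unfinished ...>` and `resumed` lines. The sample trace is constructed; its PIDs, paths and return values are made up.

```python
import re

# Constructed sample of `strace -f -o sshout` output (not from a real session).
SAMPLE = """\
7448  openat(AT_FDCWD, "/etc/hosts.allow", O_RDONLY|O_CLOEXEC) = 5
7512  open("/etc/ssh/sshd_config", O_RDONLY) = 3
7512  openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC <unfinished ...>
7513  openat(AT_FDCWD, "/home/alice/.ssh/authorized_keys", O_RDONLY|O_NONBLOCK) = -1 EACCES (Permission denied)
7512  <... openat resumed>) = 4
7513  openat(AT_FDCWD, "/etc/motd", O_RDONLY) = -1 ENOENT (No such file or directory)
7513  --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=7514} ---
"""

# With -f and -o every line starts with the PID of the process that made the call.
CALL = re.compile(r'^(\d+)\s+(?:open|openat)\((?:[^",]+, )?"((?:[^"\\]|\\.)*)"(.*)$')
RESUMED = re.compile(r'^(\d+)\s+<\.\.\. (?:open|openat) resumed>(.*)$')
RESULT = re.compile(r'\)\s*=\s*(-?\d+)(?:\s+(E[A-Z0-9]+))?')

def parse_opens(trace_text):
    """Return [(pid, path, outcome)] where outcome is 'ok' or an errno name."""
    pending = {}  # pid -> path of an open call interrupted by another process
    events = []
    for line in trace_text.splitlines():
        call = CALL.match(line)
        if call:
            pid, path, rest = call.groups()
            if rest.rstrip().endswith("<unfinished ...>"):
                pending[pid] = path  # the result arrives on a later "resumed" line
                continue
        else:
            resumed = RESUMED.match(line)
            if not resumed or resumed.group(1) not in pending:
                continue  # signals, exit markers, other system calls
            pid, rest = resumed.groups()
            path = pending.pop(pid)
        result = RESULT.search(rest)
        if result:
            ret, errno = result.groups()
            events.append((int(pid), path, "ok" if int(ret) >= 0 else errno or "error"))
    return events

def failed_opens(events):
    """Group the paths that could not be opened by errno (EACCES, ENOENT, ...)."""
    out = {}
    for _pid, path, outcome in events:
        if outcome != "ok":
            out.setdefault(outcome, []).append(path)
    return out
```

On a real trace, call `parse_opens(open("sshout").read())`; the EACCES and ENOENT groups from `failed_opens` are usually the first thing to look at when a login misbehaves.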