linux strace examples

strace is a system call tracer. It shows which kernel system calls a
program makes while it runs, and it also reports the signals the program receives.

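(attach to a running process)
strace -p <pid>

(trace a command from start to finish)
strace <command>

(trace a single system call)
strace -e open <command>

(trace multiple system calls)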
strace -e trace=open,read ls /home

(save the output)
strace -o output.txt <command>

(count the number of calls)
strace -c ls /home

(trace all activity on a particular path)
strace -P /etc/cups -p 2261

common calls:
access (check whether a file can be accessed)
close (close file handle)
fchmod (change file permissions)
fchown (change file ownership)
fstat (retrieve details)
lseek (move through file)
open (open file for reading/writing)
read (read a piece of data)
statfs (retrieve file system related details)

===
strace -e trace=network
bind – link the process to a network port
listen – allow the socket to receive incoming connections
socket – open a local or network socket
setsockopt – define options for an active socket

strace -e trace=memory
mmap
munmap

===
example:
check which files are opened when a user connects with ssh.

# ps -ef | grep /usr/sbin/sshd
root 7448 1 0 09:36 ? 00:00:00 /usr/sbin/sshd

# strace -e open -f -p 7448 -o sshout
-e trace the open system call
-f follow children
-p attach to pid
-o save output in file
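
To read a log like sshout, the shell function below (an added example, not part of the original post) lists each path the traced processes tried to open and whether the call succeeded or failed with an errno, including calls that -f splits into "unfinished" and "resumed" lines. The log lines, the user name alice and the function name summarise_opens are constructed for illustration, and the log is assumed to be captured with -e trace=open,openat, because on current glibc systems open() is usually issued as the openat system call.

```shell
#!/bin/sh
# Added example: summarise a log written by
#   strace -f -e trace=open,openat -p <pid> -o sshout

# Constructed sample lines (not captured from a real sshd).
sample_log() {
cat <<'EOF'
7460  open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
7460  open("/etc/nologin", O_RDONLY) = -1 ENOENT (No such file or directory)
7461  openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
7461  open("/home/alice/.ssh/authorized_keys", O_RDONLY <unfinished ...>
7460  open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
7461  <... open resumed> )             = 5
7461  open("/etc/motd", O_RDONLY) = -1 EACCES (Permission denied)
7460  +++ exited with 0 +++
EOF
}

# Read a strace log on stdin; print one "STATUS PATH" line per unique pair,
# where STATUS is OK or the errno name. summarise_opens is a hypothetical name.
summarise_opens() {
  awk '
    # Print OK or the errno name taken from the text after "= ".
    function report(path, line,   n, f, status) {
      sub(/.*= /, "", line)
      n = split(line, f, " ")
      status = (f[1] + 0 >= 0) ? "OK" : f[2]
      print status, path
    }
    # With -f a call can be split in two: remember its path per pid...
    /^[0-9]+ +open(at)?\(.*<unfinished \.\.\.>/ && match($0, /"[^"]*"/) {
      pending[$1] = substr($0, RSTART + 1, RLENGTH - 2); next
    }
    # ...and pair it with the result on the matching "resumed" line.
    /<\.\.\. open(at)? resumed>/ {
      if ($1 in pending) { report(pending[$1], $0); delete pending[$1] }
      next
    }
    # Ordinary one-line open/openat call: the first quoted string is the path.
    /^[0-9]+ +open(at)?\(/ && match($0, /"[^"]*"/) {
      report(substr($0, RSTART + 1, RLENGTH - 2), $0)
    }
  ' | LC_ALL=C sort -u
}

sample_log | summarise_opens
```

On a real capture, run it as: summarise_opens < sshout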
