The ultimate strace cheat sheet

Strace cheat sheet

The strace utility is very powerful to learn what a new or running process is doing. Due to its diversity of monitoring options, the tool is less accessible at first. This strace cheat sheet helps with getting the best out of this tool.

Normally cheat sheets come in a single 1 page PDF. In this case, we combined it all within a blog post. First section shows an explanation per area, the bottom of the post contains all useful commands for quick reference.

Troubleshooting with strace

One of options of the strace utility is to help as a troubleshooting utility. If you want to know what a process is doing, or why it hangs, strace will definitely help. By running strace without any parameters, it will already show why a process is doing. You can trace a running process, or instruct strace to start it for you.

screenshot of strace utility with -c parameter

All syscalls listed by amount of time

Monitoring file activity

Strace can monitor file related activity. There are two useful parts. The first is file, which shows file interactions. The other one allows tracing file descriptors. Both can be used to monitor for actions like opening files, reading/writing and closing. Usually using “trace=file” provides enough insights. If you really need more insights in the way a program deals with file descriptors, then use the second one.

  • Monitor opening of files: strace -e open
  • See all file activity: strace -e trace=file -p 1234 or strace -e trace=desc -p 1234

If you want to track specific paths, use 1 or more times the -P parameter, following by the path.

# sudo strace -P /etc/cups -p 2261
Process 2261 attached
— SIGHUP {si_signo=SIGHUP, si_code=SI_USER, si_pid=6149, si_uid=0} —
lstat(“/etc/cups”, {st_mode=S_IFDIR|0755, st_size=4096, …}) = 0
openat(AT_FDCWD, “/etc/cups”, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 7
getdents(7, /* 11 entries */, 32768) = 336
getdents(7, /* 0 entries */, 32768) = 0
close(7) = 0
openat(AT_FDCWD, “/etc/cups”, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 7
getdents(7, /* 11 entries */, 32768) = 336
getdents(7, /* 0 entries */, 32768) = 0
close(7) = 0

Common calls:

  • access
  • close (close file handle)
  • fchmod (change file permissions)
  • fchown (change file ownership)
  • fstat (retrieve details)
  • lseek (move through file)
  • open (open file for reading/writing)
  • read (read a piece of data)
  • statfs (retrieve file system related details)

A related example screen output:

screenshot of strace monitoring file access and activity

Monitoring file access and activity with strace

Monitoring the network

Strace definitely can be useful for revealing more details about network traffic. Very useful to determine what network related connections are used, like when building your Docker image.

strace -e trace=network

Common syscalls:

  • bind – link the process to a network port
  • listen – allow to receive incoming connections
  • socket – open a local or network socket
  • setsockopt – define options for an active socket

Monitoring memory calls

To get better insights on the memory usage and system calls, strace can monitor for these as well. They are nicely grouped in the memory group.

strace -e trace=memory

Common syscalls:

  • mmap
  • munmap

Strace Cheat Sheet – Overview

Useful options and examples

  • -c – See what time is spend and where (combine with -S for sorting)
  • -f – Track process including forked child processes
  • -o my-process-trace.txt – Log strace output to a file
  • -p 1234 – Track a process by PID
  • -P /tmp – Track a process when interacting with a path
  • -T – Display syscall duration in the output

Track by specific system call group

  • -e trace=ipc – Track communication between processes (IPC)
  • -e trace=memory – Track memory syscalls
  • -e trace=network – Track memory syscalls
  • -e trace=process – Track process calls (like fork, exec)
  • -e trace=signal – Track process signal handling (like HUP, exit)
  • -e trace=file – Track file related syscalls

Trace multiple syscalls

  • strace -e open,close

Got other clever stracing tips? Use the comments for inclusion!

One more thing...

Keep learning

So you are interested in Linux security? Join the Linux Security Expert training program, a practical and lab-based training ground. For those who want to become (or stay) a Linux security expert.

See training package




Lynis Enterprise screenshot to help with system hardeningSecurity scanning with Lynis and Lynis Enterprise

Run automated security scans and increase your defenses. Lynis is an open source security tool to perform in-depth audits. It helps with system hardening, vulnerability discovery, and compliance.


Download

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.