How to Use strace to Monitor Linux System Calls


A system call is a programmatic method of asking the kernel for a service, and strace is an effective tool for tracing the communication between user processes and the Linux kernel.
It would help if you first comprehended system calls to understand how an operating system functions. An operating system’s primary purpose is to give user programs abstractions.
Generally speaking, an operating system has two modes:
Kernel mode: a privileged, strong mode that the operating system kernel employs
User mode: most user programs are run

Users mostly employ command-line tools and graphical user interfaces (GUI) to do daily chores. System calls communicate with the kernel to complete tasks while operating invisibly in the background.
System calls accept and process inputs and return values in a manner that is quite similar to that of function calls. The only distinction is that function calls do not enter a kernel, while system calls do. User space is shifted to kernel space through a novel trap mechanism.Most of this is shielded from the user by system libraries (aka Glibc on Linux systems). Although system calls are inherently generic, the actual mechanics of making one depend greatly on the machine.
This is not the same as using a tool like gdb to debug an application. While running a program, you can look into its internal workings using a debugging application. It enables you to examine memory and variable values and move through the logic of your program. In contrast, the function of the strace is to record system call information while the program runs. Strace displays a list of the system calls in the terminal window after the tracked application has finished.

Strace installation

Run the following command in Ubuntu:

sudo apt install strace


yum install strace

In Fedora, run this command:

sudo dnf install strace

First steps with strace

To illustrate strace, we’ll run a little program. Not too long ago, you could open a file, add a line of text, and check it without seeing any errors. Simply a fast hack to give us something to work with Strace.

include <stdio.h>

int main(int argc, char argv[]) {

// file handle FILE *fileGeek;

// open a file called "strace_demo.txt", or create it fileGeek = fopen("strace_demo.txt", "w");

// write some text to the file fprintf(fileGeek, "Write this to the file" );

// close the file fclose(fileGeek);

// exit from program return (0);

} // end of main

This is saved in a file called “file-io.c,” which is then compiled with gcc and assigned to “S trace exbroad” by the executable name stex.

gcc -o stex file-io.c

The name of our new executable is passed to strace as the procedure we wish to trace when it is called from the command line. Any Linux command or other binary executable could be easily traced. Our small program serves two purposes.

The first justification is the verbiage of strace. Numerous outcomes are possible. That is fantastic when using strace furious, but it can be confusing initially. For our small software, there are not many strace departures. The second reason is that our program’s functionality is constrained, and its source code is brief and uncomplicated. This makes it simpler to determine which portions of the output refer to certain aspects of the program’s internal workings.

strace ./stex

We can see the exit group system call and the writing system called giving the command “Write this to the file” to our open archive. The application’s threads are terminated, and the shell receives a return value as a result.

Refine the result

There is enough exit even with our straightforward demo software. Utilize the -e Option (expression). The name of the system call that we want to see will be passed.

strace -e write ./stex

Multiple system calls can be reported by adding them to a comma-separated list. No blank spaces should be present in the list of system calls.

strace -e close,write ./stex

Send the output to a file

Filtering the output has advantages, but it also has disadvantages. You only see what you want to see; nothing else is shown. Additionally, some of those additional findings might be of greater use to you than the information you requested.

It can be more practical to search, review the results, and collect everything. You won’t unintentionally leave out anything significant in this way. The -o You can output from a strace session to a text file by using the (Exit) option.

strace -o trace-output.txt ./stex

Next, you can search the list using the less command to search for system calls or any other item by name.

less trace-output.txt

You can now look into the exit using all of the fewer search features.

Add timestamps

The output might include a variety of timestamps. The -r The (relative timestamps) option adds timestamps indicating the elapsed time between the beginning of each succeeding system call. Also included in these time values are any other activities the program performed before the next system call, so take note of that.

strace -r ./stex

At the start of each start line, timestamps are visible.
Use the el -T (syscall-times) option to view the duration of each system call. This displays how much time passed during each system call.

strace -T ./stex

Countdown times are shown after each system call appearance.
Use the -tt option to show the time when each system call was made (absolute timestamps). This displays the “wall clock’s” time with a resolution of a few microseconds.

strace -tt ./stex

Each line’s first character indicates the time.

Follow-up of a running procedure

You can still attach strace to a running procedure if you want to trace it. You must be aware of the procedure ID to complete it. To locate this, combine ps and grep. We are using Firefox. Utilizing ps and grep, we can determine the ID of the firefox process.

ps -e | grep Firefox

The procedure ID, as we can see, is 8483. To tell Strace which process to attach to, we will use the -p (Procedure ID) option. Please be aware that sudo will be required:

sudo strace -p 8483

Following a message that strace has been added to the method, the system trace calls will start to appear as normal in the terminal window.

Create a report

Strace generates a report using the -c (just summary) option. Creates a table with information on the system calls made by the program being observed that is being watched.

strace -c ./stex

Trace Linux Command System Calls

Run the following command to trace all system calls made by the df tool using strace.

strace df -h

Trace System Calls Based on a Certain Condition

Let’s examine how to track system calls associated with a specific category of occurrences. To trace all system calls involving process management, use this command.

sudo strace -q -e trace=process df -h

Redirect Trace Output to File

Use the -o option to save the trace messages written to a file to standard error. As illustrated below, only the command output is displayed on the screen.

sudo strace -o df_debug.txt df -h


As a result, strace is an exceptional debugging and troubleshooting tool for identifying program failure’s cause(s). It is beneficial for seasoned programmers, hackers, and system administrators. Use the comment form below to express your opinions about this article.

Leave a Reply

Your email address will not be published.