Wednesday 20 May 2015


strace is a useful diagnostic, instructional, and debugging tool.

strace monitors the system calls and signals of a specific program. It is helpful when you do not have the source code and want to debug the execution of a program. strace shows you the execution sequence of a binary from start to end.

strace shows you how data is passed between the program and the kernel. With no options, strace prints a line for each system call. It shows the call name, given arguments, return value, and any generated error messages. A signal is printed with both its signal symbol and a descriptive string. As it shows the data transfer between user and kernel-space, strace is very useful as both a diagnostic utility for system administrators and a debugging tool for programmers. By default, the output is written to standard error.
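The line format described above (call name, arguments, return value, optional error, and separate signal lines) is regular enough to parse. The following is an added example, not part of the original post: it reads a constructed sample trace, lists the calls that failed, and counts calls and errors per system call; the sample lines and all function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample of strace output for illustration; not captured from a real run.
SAMPLE = r'''execve("/bin/ls", ["ls", "/root/secret"], [/* 23 vars */]) = 0
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0"..., 832)      = 832
close(3)                                = 0
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/root/secret", 0x7ffc0b2d5e40)    = -1 EACCES (Permission denied)
--- SIGWINCH (Window changed) ---
write(2, "ls: cannot access /root/secret\n", 31) = 31
exit_group(2)                           = ?
+++ exited with 2 +++'''

# name(args) = return [ERRNO (message)]
SYSCALL = re.compile(r'^(?P<name>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>-?\d+|0x[0-9a-f]+|\?)'
                     r'(?:\s+(?P<errno>E[A-Z0-9]+)\s+\((?P<msg>.*)\))?\s*$')
# --- SIGNAL descriptive string ---
SIGNAL = re.compile(r'^--- (?P<sig>SIG[A-Z0-9]+) (?P<detail>.*) ---$')
FIRST_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse(text):
    """Split strace output into syscall records and signal names."""
    calls, signals = [], []
    for line in text.splitlines():
        call = SYSCALL.match(line)
        sig = SIGNAL.match(line)
        if call:
            calls.append(call.groupdict())
        elif sig:
            signals.append(sig.group("sig"))
    return calls, signals

def failures(calls):
    """(syscall, errno, first string argument) for every call that returned an error."""
    out = []
    for c in calls:
        if c["errno"]:
            arg = FIRST_STRING.search(c["args"])
            out.append((c["name"], c["errno"], arg.group(1) if arg else None))
    return out

def summary(calls):
    """Per-syscall (calls, errors), the two counts that strace -c also reports."""
    total = Counter(c["name"] for c in calls)
    errors = Counter(c["name"] for c in calls if c["errno"])
    return {name: (total[name], errors[name]) for name in total}

if __name__ == "__main__":
    calls, signals = parse(SAMPLE)
    print(failures(calls), summary(calls), signals)
```

To run it on a real trace, read the file written by strace -o output.txt and pass its contents to parse() in place of SAMPLE.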

Trace the Execution of an Executable
strace ls

Trace Specific System Calls in an Executable Using Option -e
strace -e open ls

Save the Trace Execution to a File Using Option -o
strace -o output.txt ls

Execute Strace on a Running Linux Process Using Option -p
ps -C firefox-bin

Print Timestamp for Each Trace Output Line Using Option -t
strace -t -e open ls /home

Print Relative Time for System Calls Using Option -r
strace -r ls

Generate Statistics Report of System Calls Using Option -c
strace -c ls /home

For example:
strace -p 3107
strace -d -p 3107

To print the instruction pointer at the time of each system call
strace -i -p 3111

To print timestamps for each system call
strace -t -p 3111


-a n
Align the return values in column n. The default is 40.

-c
Count system calls, errors, signals, and time and provide a summary report when the program has ended.

-d
Debug mode. Print debugging information for strace on stderr.

-e [keyword=] [!] values
Pass an expression to strace to limit the types of calls or signals that are traced or to change how they are displayed. If no keyword is given, trace is assumed. The values can be given as a comma-separated list. Preceding the list with an exclamation point (!) negates the list. The special values all and none are valid, as are the values listed with the following keywords.

abbrev=names
Abbreviate output from large structures for system calls listed in names.

read=descriptors
Print all data read from the given file descriptors.

signal=symbols
Trace the listed signal symbols (for example, signal=SIGIO,SIGHUP).

sets may be a list of system call names or one of the following:

Calls that take a filename as an argument.

Interprocess communication.


Process management.


Print arguments for the given system calls in hexadecimal.

Unabbreviate structures for the given system calls. Default is none.

Print all data written to the given file descriptors.

Trace forked processes.

Write system calls for forked processes to separate files named when using the -o option.

Print help and exit.

-i
Print the current instruction pointer with each system call.

-o filename
Write output to filename instead of stderr. If filename starts with the pipe symbol |, treat the rest of the name as a command to which output should be piped.

-O n
Override strace's built-in timing estimates, and just subtract n microseconds from the timing of each system call to adjust for the time it takes to measure the call.

-p pid
Attach to the given process ID and begin tracking. strace can track more than one process if more than one option -p is given.

Type Ctrl-C to end the trace.

Quiet mode. Suppress attach and detach messages from strace.

-r
Relative timestamp. Print time in microseconds between system calls.

-s n
Print only the first n characters of a string. Default value is 32.

-S value
Sort output of -c option by the given value. value may be calls, name, time, or nothing. Default is time.

Print time spent in each system call.

-t
Print time of day on each line of output.

Print time of day with microseconds on each line of output.

Print timestamp on each line as the number of seconds and microseconds since the Epoch.

-u username
Run command as username. Needed when tracing setuid and setgid programs.

Print version and exit.

Verbose. Do not abbreviate structure information.

Print all non-ASCII strings in hexadecimal.

Print all strings in hexadecimal.


Fields of an inode

An inode is a data structure used to represent a filesystem object, which can be one of various things including a file or a directory. Each inode stores the attributes and disk block location(s) of the filesystem object's data. Filesystem object attributes may include manipulation metadata (e.g. change, access, modify time), as well as owner and permission data (e.g. group-id, user-id, permissions).

ls -il
total 52
185033 -rw-------. 1 root root   979 Apr 25 23:23 anaconda-ks.cfg
393286 drwxr-xr-x. 2 root root  4096 Apr 29 09:09 Desktop
393290 drwxr-xr-x. 2 root root  4096 Apr 29 09:09 Documents
393287 drwxr-xr-x. 2 root root  4096 Apr 29 09:09 Downloads
393291 drwxr-xr-x. 2 root root  4096 Apr 29 09:09 Music
393292 drwxr-xr-x. 2 root root  4096 Apr 29 09:09 Pictures
185050 -rw-r--r--. 1 root root 11955 Apr 23  2013 post-install
185053 -rw-r--r--. 1 root root   552 Apr 23  2013 post-install.log
393289 drwxr-xr-x. 2 root root  4096 Apr 29 09:09 Public
393288 drwxr-xr-x. 2 root root  4096 Apr 29 09:09 Templates
393293 drwxr-xr-x. 2 root root  4096 Apr 29 09:09 Videos

File attributes, in particular:

The size of the file in kilobytes

Device ID

User ID of the file

Group ID of the file

The file mode that determines the file type and how the owner, group, and others (world) can access the file
Additional system and user flags to further protect the file (note: these can be used to limit the file's use and modification)

Timestamps telling when the inode itself was last changed (ctime, change time), when the file content was last modified (mtime, modification time), and when the file was last accessed (atime, access time)

A link counter that lists how many hard links point to the inode
Pointers to the disk blocks that store the file’s contents (more on that later)
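The fields above can be read with stat(). The following added example (not part of the original post) creates a file and a hard link in a temporary directory and shows that both names share one inode: the link counter rises to 2, and a permission change made through one name is visible through the other, because owner and mode live in the inode rather than in the directory entry. The file names and function names are hypothetical.

```python
import os
import stat
import tempfile

def inode_fields(path):
    """Return the inode attributes listed above for one path (lstat: do not follow symlinks)."""
    st = os.lstat(path)
    return {
        "inode": st.st_ino,                    # inode number, first column of ls -il
        "device": st.st_dev,                   # device ID
        "mode": stat.filemode(st.st_mode),     # file type and permission bits
        "uid": st.st_uid, "gid": st.st_gid,    # owner and group
        "nlink": st.st_nlink,                  # hard-link counter
        "size": st.st_size,                    # size as reported by stat(), in bytes
        "blocks": st.st_blocks,                # allocated 512-byte blocks
        "mtime_ns": st.st_mtime_ns,            # last content modification
        "ctime_ns": st.st_ctime_ns,            # last inode (metadata) change
    }

def hard_link_demo():
    """Create a file and a hard link to it, then compare what each name reports."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "original.cfg")   # hypothetical file name
        alias = os.path.join(d, "alias.cfg")         # hypothetical file name
        with open(original, "w") as f:
            f.write("x" * 979)
        os.chmod(original, 0o600)
        before = inode_fields(original)
        os.link(original, alias)               # second directory entry, same inode
        os.chmod(alias, 0o644)                 # metadata change made through the alias
        return before, inode_fields(original), inode_fields(alias)

if __name__ == "__main__":
    before, after, alias = hard_link_demo()
    print("same inode:", after["inode"] == alias["inode"])
    print("link count:", before["nlink"], "->", after["nlink"])
    print("mode via original name:", before["mode"], "->", after["mode"])
    print("content untouched:", before["mtime_ns"] == after["mtime_ns"])
```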