
How to use strace to track system calls and signals – CloudSavvy IT




Tracing a computer program is not limited to those who have the source code, can read it, and know how to use a debugger. Any Linux user can trace an executable file with strace. Find out how!

What’s strace?

strace is a Linux utility that can trace the system calls of a particular application. It also picks up signals and produces detailed output of all the information it captures.

Someone who is generally new to debugging and tracing may wonder why this is useful. A professional IT engineer might ask how much information can actually be picked up, especially if they know how much can be viewed from a debugger like GDB.

If you are interested in debugging computer code and programs, check out our article Debugging with GDB: Getting Started.

In both cases there is good news! Tracing all system calls and signals provides a comprehensive picture of how a program works and is an excellent troubleshooting and even debugging tool. In addition, it works at runtime (as a wrapper process), yet its output can easily be captured in a log file, and it provides an easy-to-digest overview of a program's actions.

If you compare this to GDB, which is also a wrapper process, things are fundamentally different. For example, in GDB one could trace a program step by step (for example, one line of code at a time, one logical block of code at a time, or by using breakpoints in the code). However, such steps are taken during runtime, while strace just runs the program in its entirety until an error occurs or until it completes.

The engineer or user can then analyze the entire (text-based) log, search for strings of interest, etc. In addition, GDB would also make it possible to see signals and system calls, although setting up and analyzing the same is much more complex than with strace.

With strace you simply run the program under strace (i.e. strace some_program). Although starting it this way is about the same as with GDB, its operation differs significantly, as described above.

As for the amount of information that can be seen in a trace, it is good to step back and remember where most computer problems come from: a full disk, exhausted memory, a file not found, incorrect input, etc.

Especially in the area of disk access, strace really shines. Since it records all system calls, any disk access is clearly visible in the log. Again, you can search for relevant text strings and file names, but keep in mind that text strings are sometimes truncated, so that only part of the output is visible.

In summary, if we had to judge strace as a debugging and/or troubleshooting tool and assign it a place in the toolbox of a newer or a more proficient Linux user, then in both cases the answer is roughly in the middle, although it leans a bit more towards troubleshooting than debugging. Let's install strace next.


Installing strace

To install strace on your Debian / Apt based Linux distribution (such as Ubuntu and Mint), run the following command in your terminal:

sudo apt install strace

To install strace on your RedHat / Yum based Linux distribution (such as RHEL, CentOS and Fedora), run the following command in your terminal:

sudo yum install strace

Using strace

After installing strace, it's pretty easy to get started. For example, we can trace the Linux sleep command / utility:

strace sleep 1

strace of a one second sleep process

The output immediately proves the above statement. There is an abundance of information about all the actions taken by the (very) simple sleep 1 command, which, after all, only sleeps for a single second.

Let’s take a look at a few things that we can immediately see:

access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)

We can see that the program tried to access (on disk) the file /etc/ld.so.preload quite shortly after starting. We can also see that this failed (-1 status) because the file was not found (ENOENT), with the descriptive error message No such file or directory.

This one line of output alone could lead to further investigation. For example, we can use our favorite search engine to find out what the file /etc/ld.so.preload is or does, what happens if a program cannot find it, and how we can install it.

As you can see, if you were running a more complicated program under strace, you might notice that it is trying to access a file, such as a shared library (.so) file, and cannot find it. That is easy to analyze and probably easy to fix thanks to strace.

Next we see the dynamic linker's binary cache (/etc/ld.so.cache) successfully opened as read-only (O_RDONLY), with the close-on-exec flag O_CLOEXEC set (used in multi-threaded programs to avoid race conditions):

openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3

Even if one does not know what each item means, a simple online search will quickly return information about any specific term or word, helping one understand the information presented and what is happening.

Also of particular note is this line towards the end:

+++ exited with 0 +++

This indicates that the program has exited successfully with the exit code 0. An exit code of 0 generally indicates successful execution and termination in Linux programs.

As you can see from the examples above, it is easy to see what a program does by using strace. Every line and even every word in every line can be analyzed, and often a search engine is needed to shed some light. But even glancing at the output of a failing program can be enough to find the exact cause and fix it, especially when, for example, a required file is missing, etc.

Tracing child processes

When using strace, it will sometimes seem as if strace does not correctly trace all system calls made by the program. This could simply be because the program being traced has started some child processes, for example by forking.

It's easy to include these child processes in the strace capture: just add the -f option to the command line (e.g. strace -f your_program), and all system calls etc. from all child processes are also traced.
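The log analysis described above (finding the file a program could not open, including in child processes followed with -f), as an added example that is not part of the original article. The function names, the sample paths and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Capture a log with real
# strace options, e.g.:  strace -f -s 256 -o trace.log your_program
#   -f follows child processes, -s raises the string truncation limit,
#   -o writes the trace to a file instead of the terminal.

# write_sample_log FILE: constructed sample input, not real program output.
# It mixes both PID prefix styles that -f produces, to exercise the parser.
write_sample_log() {
    cat > "$1" <<'EOF'
4242 execve("/usr/bin/your_program", ["your_program"], 0x7ffd0 /* 20 vars */) = 0
4242 access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
4242 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4242 openat(AT_FDCWD, "/opt/app/lib/libexample.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid 4243] openat(AT_FDCWD, "/var/lib/app/state.db", O_RDWR) = -1 EACCES (Permission denied)
4242 +++ exited with 1 +++
EOF
}

# failed_paths FILE: print "ERRNO SYSCALL PATH" for each failed file access.
failed_paths() {
    awk '
    {
        line = $0
        # Drop the PID prefix that -f adds: "4242 " (with -o) or "[pid 4242] ".
        sub(/^\[pid +[0-9]+\] +/, "", line)
        sub(/^[0-9]+ +/, "", line)
        # Failed calls end in ") = -1 ERRNO (description)".
        if (line !~ /\) += -1 E[A-Z0-9]+ \(/) next
        name = line; sub(/\(.*/, "", name)          # text before first "("
        if (name !~ /^(access|open|openat|stat|execve)$/) next
        if (!match(line, /"[^"]*"/)) next            # first quoted argument
        path = substr(line, RSTART + 1, RLENGTH - 2)
        err = line; sub(/.*\) += -1 /, "", err); sub(/ .*/, "", err)
        print err, name, path
    }' "$1"
}

# preload_active FILE: succeeds if the trace shows /etc/ld.so.preload present.
preload_active() {
    grep -Eq '(access|openat)\(.*"/etc/ld\.so\.preload".*\) += [0-9]+$' "$1"
}

log=$(mktemp)
write_sample_log "$log"
failed_paths "$log"
rm -f "$log"
```

On most systems /etc/ld.so.preload does not exist, so the ENOENT in the trace above is the normal case. A trace in which that access succeeds means libraries are being preloaded into every dynamically linked program, which is worth checking against what you expect on that host.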

Wrapping up

In this article, we explored the strace tool, which can be used to trace any program or application running on a Linux computer.

After installing the tool, we can start a program easily and directly under strace and enjoy the high level of troubleshooting and debugging information that the strace wrapper presents to us.

