Article :: Debugging with strace

Date: 2019-01-13

Last Modified: 2026-02-01

Reading Time: 4 mins

Categories: articles

Introduction

By the end of this article, you’ll understand how to use strace to debug programs without access to source code, trace system calls, and troubleshoot execution issues in Linux.

Overview

Debugging without source code can feel like solving a puzzle in the dark. Strace shines a light by showing you exactly what system calls a program makes, from opening files to network connections. Whether you’re troubleshooting a crash, investigating suspicious behavior, or just curious about how a program works under the hood, strace is an essential tool in your Linux toolkit.

Strace monitors the system calls and signals of a specific program, providing the execution sequence from start to end. It’s particularly valuable when you don’t have source code access and need to understand what a program is actually doing at the system level.

Prerequisites

Before starting, you should have:

Basic familiarity with the Linux command line
Understanding of what a process is and how programs execute
A Linux system with strace installed (most distributions include it by default)

Check if strace is installed

Run which strace or strace --version to verify installation. If not installed, use your package manager: sudo apt install strace or sudo yum install strace.

What is strace?

Strace is a diagnostic and debugging tool that intercepts and records system calls made by a process. It’s particularly useful when:

You don’t have access to source code
A program crashes or behaves unexpectedly
You need to understand file access patterns
You’re investigating performance bottlenecks
You want to see what a program is doing “under the hood”

Tracing an Execution

The simplest way to use strace is to run it with a program:

1
strace Binary_File

This outputs every system call made by the program to stderr, which can be overwhelming for complex programs.

Useful options:

-o output.txt - Write output to a file instead of stderr
-t - Show timestamps for each system call
-r - Show relative timestamps (time elapsed between calls)

Managing Large Output

For complex programs, always use -o to write output to a file:

1
strace -o trace.log ./myprogram

This makes the output much easier to search and analyze later.

Filtering System Calls

Strace’s real power comes from filtering. Use the -e option to focus on specific system calls:

1
strace -e socket,send,recv nc google.com 80

This shows only network-related calls, filtering out hundreds of irrelevant system calls.

Filter Syntax

When specifying multiple system calls, don’t add spaces after commas:

Correct: -e open,read,write
Wrong: -e open, read, write (will fail)

Common filter categories:

-e trace=file - All file operations (open, read, write, close, stat)
-e trace=process - Process management (fork, exec, wait, exit)
-e trace=network - Network operations (socket, connect, send, recv)
-e trace=signal - Signal handling
-e trace=ipc - Inter-process communication

Attaching to Running Processes

You can attach strace to an already running process using its PID:

1
strace -p PID

This is invaluable for debugging live systems without restarting services.

Performance Impact

Attaching strace to a running process will slow it down significantly. The process must context-switch for every system call, and strace adds overhead. Use with caution in production environments.

Example: Debug a hanging web server:

1
2
3
4
5
# Find the PID
ps aux | grep nginx

# Attach strace (may require sudo)
sudo strace -p 1234

Analyzing Program Statistics

The -c flag provides a summary report instead of detailed output, showing:

Time spent in each system call
Number of times each call was made
Errors encountered

1
strace -c binary_file arguments

This is perfect for performance analysis and identifying bottlenecks.

Example output:

% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 45.12    0.012345          23       537           read
 32.45    0.008876          45       197           write
 12.34    0.003376         112        30           open

Combine -c with filters

Use -c with -e to get statistics for specific call types:

1
strace -c -e trace=file ./myprogram

This shows you only file-related system call statistics.

Key Takeaways

strace reveals system calls made by programs, essential for debugging without source code
Use -e to filter system calls and reduce noise in the output
Use -p PID to attach to running processes (careful in production!)
Use -c for performance analysis and call statistics
Write output to files with -o for easier analysis
Understanding system calls helps you see what programs actually do at the OS level

Practice Exercises

Run strace ls /tmp and identify the system calls used to read the directory
Use strace -e open cat /etc/passwd to see which files cat opens before reading your target file
Create a simple Python script and use strace -c to analyze which system calls dominate
Attach strace to a long-running process (like a text editor) and observe its system calls during idle time