strace command
strace is a Linux command-line tool that traces the system calls a process makes and the signals it receives. It works through ptrace(2), so the traced program needs no changes, which makes it a quick way to see what an unfamiliar binary actually touches: files, sockets, child processes. Tracing a program you start yourself needs no special rights, but attaching with -p to a process strace did not start, or tracing another user's process, needs ptrace permission (CAP_SYS_PTRACE, or a kernel.yama.ptrace_scope that allows it).
Basic usage
#!/usr/bin/python3
print("hello world")
# The script above is hello.py; make it executable first (chmod +x hello.py).
# Run it under strace with a few options:
#   -tt  absolute timestamps with microseconds
#   -T   time spent in each system call
#   -o   write the trace to hello.log instead of stderr
$> strace -tt -T -o hello.log ./hello.py
hello world
# hello.log lists every system call the process made. Calls that failed show the
# errno; here both failures are harmless probes by the dynamic loader (an optional
# arch_prctl feature query and the optional /etc/ld.so.preload file).
$> cat hello.log
16:15:23.942523 execve("./hello.py", ["./hello.py"], 0x7ffd453cab30 /* 119 vars */) = 0 <0.000605>
16:15:23.943465 brk(NULL) = 0x5609554ff000 <0.000021>
16:15:23.943543 arch_prctl(0x3001 /* ARCH_??? */, 0x7fffeaff96a0) = -1 EINVAL (Invalid argument) <0.000020>
16:15:23.943723 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) <0.000025>
16:15:23.943831 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 <0.000029>
...
16:15:23.990166 read(3, "\nprint(\"hello world\")\n", 4096) = 22 <0.000023>
...
16:15:23.992196 write(1, "hello world\n", 12) = 12 <0.000032>
...
16:15:23.996285 munmap(0x7f20e205a000, 16384) = 0 <0.000033>
16:15:23.996388 exit_group(0) = ?
16:15:23.997530 +++ exited with 0 +++
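A saved trace like hello.log is often all an incident responder gets from a host, so it helps to be able to pull out of it the same information that -Z, -e trace=%file and -c would have printed live. The shell script below is an added example, not code from the original page or from the strace project. It post-processes a `-tt -T` log with awk and sed; SAMPLE_LOG is constructed from the lines shown above (the elided "..." parts are not included), the function names are ours, and it assumes the log was written without -f, so every line starts with a timestamp rather than a PID.

```shell
#!/bin/sh
# Added example (not from the original page): post-process a saved
# `strace -tt -T -o FILE` log with awk/sed to recover what -Z, -e trace=%file
# and -c would have shown live. Assumes lines start with a timestamp (no -f,
# which would prepend a PID). SAMPLE_LOG is constructed from the lines shown
# on this page; the elided "..." parts of the real trace are not included.
SAMPLE_LOG='16:15:23.942523 execve("./hello.py", ["./hello.py"], 0x7ffd453cab30 /* 119 vars */) = 0 <0.000605>
16:15:23.943465 brk(NULL) = 0x5609554ff000 <0.000021>
16:15:23.943543 arch_prctl(0x3001 /* ARCH_??? */, 0x7fffeaff96a0) = -1 EINVAL (Invalid argument) <0.000020>
16:15:23.943723 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) <0.000025>
16:15:23.943831 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 <0.000029>
16:15:23.990166 read(3, "\nprint(\"hello world\")\n", 4096) = 22 <0.000023>
16:15:23.992196 write(1, "hello world\n", 12) = 12 <0.000032>
16:15:23.996285 munmap(0x7f20e205a000, 16384) = 0 <0.000033>
16:15:23.996388 exit_group(0) = ?
16:15:23.997530 +++ exited with 0 +++'

# Syscalls that returned an error (what -Z prints live): "NAME ERRNO" per line.
failed_syscalls() {
  LC_ALL=C awk '/ = -1 E[A-Z]+/ {
    name = $2; sub(/\(.*/, "", name)     # "openat(AT_FDCWD," -> "openat"
    match($0, / = -1 E[A-Z]+/)           # errno starts 6 chars into the match
    print name, substr($0, RSTART + 6, RLENGTH - 6)
  }' "$1"
}

# Paths named by path-taking syscalls (a subset of the %file group):
# the first quoted argument of execve/access/open/openat/stat/...
paths_touched() {
  LC_ALL=C awk '$2 ~ /^(execve|access|open|openat|stat|lstat|newfstatat|statx|readlink)\(/ {
    if (match($0, /"[^"]*"/)) print substr($0, RSTART + 1, RLENGTH - 2)
  }' "$1"
}

# Calls and total seconds per syscall from the -T suffix "<0.000032>",
# sorted by total time (what -c -S time prints live).
syscall_totals() {
  LC_ALL=C awk '/<[0-9.]+>$/ {
    name = $2; sub(/\(.*/, "", name)
    match($0, /<[0-9.]+>$/)
    calls[name]++; secs[name] += substr($0, RSTART + 1, RLENGTH - 2)
  }
  END { for (n in calls) printf "%s %d %.6f\n", n, calls[n], secs[n] }' "$1" |
    LC_ALL=C sort -k3 -nr
}

# Exit status recorded in strace's "+++ exited with N +++" trailer.
exit_status() {
  sed -n 's/.*+++ exited with \([0-9]*\) +++$/\1/p' "$1"
}

# Usage: sh strace_log_summary.sh [LOGFILE]; with no argument the constructed
# sample log is used.
main() {
  log=${1:-}
  if [ -z "$log" ]; then
    log=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$log"
  fi
  echo "== failed syscalls";  failed_syscalls "$log"
  echo "== paths touched";    paths_touched "$log"
  echo "== calls/time";       syscall_totals "$log"
  echo "== exit status: $(exit_status "$log")"
}
main "$@"
```

On the sample log this reports the two failed probes (arch_prctl EINVAL, access ENOENT), the three paths the loader and interpreter named, and execve as the most expensive call; on a real trace the "paths touched" list is where library and config lookups in writable directories show up.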
strace help
$> strace --help
Usage: strace [-ACdffhikqqrtttTvVwxxyyzZ] [-I N] [-b execve] [-e EXPR]...
[-a COLUMN] [-o FILE] [-s STRSIZE] [-X FORMAT] [-O OVERHEAD]
[-S SORTBY] [-P PATH]... [-p PID]... [-U COLUMNS] [--seccomp-bpf]
{ -p PID | [-DDD] [-E VAR=VAL]... [-u USERNAME] PROG [ARGS] }
or: strace -c[dfwzZ] [-I N] [-b execve] [-e EXPR]... [-O OVERHEAD]
[-S SORTBY] [-P PATH]... [-p PID]... [-U COLUMNS] [--seccomp-bpf]
{ -p PID | [-DDD] [-E VAR=VAL]... [-u USERNAME] PROG [ARGS] }
General:
-e EXPR a qualifying expression: OPTION=[!]all or OPTION=[!]VAL1[,VAL2]...
options: trace, abbrev, verbose, raw, signal, read, write, fault,
inject, status, quiet, kvm, decode-fds
Startup:
-E VAR=VAL, --env=VAR=VAL
put VAR=VAL in the environment for command
-E VAR, --env=VAR
remove VAR from the environment for command
-p PID, --attach=PID
trace process with process id PID, may be repeated
-u USERNAME, --user=USERNAME
run command as USERNAME handling setuid and/or setgid
--argv0=NAME set PROG argv[0] to NAME
Tracing:
-b execve, --detach-on=execve
detach on execve syscall
-D, --daemonize[=grandchild]
run tracer process as a grandchild, not as a parent
-DD, --daemonize=pgroup
run tracer process in a separate process group
-DDD, --daemonize=session
run tracer process in a separate session
-f, --follow-forks
follow forks
-ff, --follow-forks --output-separately
follow forks with output into separate files
-I INTERRUPTIBLE, --interruptible=INTERRUPTIBLE
1, anywhere: no signals are blocked
2, waiting: fatal signals are blocked while decoding syscall (default)
3, never: fatal signals are always blocked (default if '-o FILE PROG')
4, never_tstp: fatal signals and SIGTSTP (^Z) are always blocked
(useful to make 'strace -o FILE PROG' not stop on ^Z)
Filtering:
-e trace=[!][?]{{SYSCALL|GROUP|all|/REGEX}[@64|@32|@x32]|none},
--trace=[!][?]{{SYSCALL|GROUP|all|/REGEX}[@64|@32|@x32]|none}
trace only specified syscalls.
groups: %clock, %creds, %desc, %file, %fstat, %fstatfs %ipc, %lstat,
%memory, %net, %process, %pure, %signal, %stat, %%stat,
%statfs, %%statfs
-e signal=SET, --signal=SET
trace only the specified set of signals
print only the signals from SET
-e status=SET, --status=SET
print only system calls with the return statuses in SET
statuses: successful, failed, unfinished, unavailable, detached
-e trace-fds=SET, --trace-fds=SET
trace operations on file descriptors from SET
-P PATH, --trace-path=PATH
trace accesses to PATH
-z, --successful-only
print only syscalls that returned without an error code
-Z, --failed-only
print only syscalls that returned with an error code
Output format:
-a COLUMN, --columns=COLUMN
alignment COLUMN for printing syscall results (default 40)
-e abbrev=SET, --abbrev=SET
abbreviate output for the syscalls in SET
-e verbose=SET, --verbose=SET
dereference structures for the syscall in SET
-e raw=SET, --raw=SET
print undecoded arguments for the syscalls in SET
-e read=SET, --read=SET
dump the data read from the file descriptors in SET
-e write=SET, --write=SET
dump the data written to the file descriptors in SET
-e quiet=SET, --quiet=SET
suppress various informational messages
messages: attach, exit, path-resolution, personality, thread-execve
-e kvm=vcpu, --kvm=vcpu
print exit reason of kvm vcpu
-e decode-fds=SET, --decode-fds=SET
what kinds of file descriptor information details to decode
details: dev (device major/minor for block/char device files)
path (file path),
pidfd (associated PID for pidfds),
socket (protocol-specific information for socket descriptors),
signalfd (signal masks for signalfds)
-i, --instruction-pointer
print instruction pointer at time of syscall
-k, --stack-traces
obtain stack trace between each syscall
-n, --syscall-number
print syscall number
-o FILE, --output=FILE
send trace output to FILE instead of stderr
-A, --output-append-mode
open the file provided in the -o option in append mode
--output-separately
output into separate files (by appending pid to file names)
-q, --quiet=attach,personality
suppress messages about attaching, detaching, etc.
-qq, --quiet=attach,personality,exit
suppress messages about process exit status as well.
-qqq, --quiet=all
suppress all suppressible messages.
-r, --relative-timestamps[=PRECISION]
print relative timestamp
precision: one of s, ms, us, ns; default is microseconds
-s STRSIZE, --string-limit=STRSIZE
limit length of print strings to STRSIZE chars (default 32)
--absolute-timestamps=[[format:]FORMAT[,[precision:]PRECISION]]
set the format of absolute timestamps
format: none, time, or unix; default is time
precision: one of s, ms, us, ns; default is seconds
-t, --absolute-timestamps[=time]
print absolute timestamp
-tt, --absolute-timestamps=[time,]us
print absolute timestamp with usecs
-ttt, --absolute-timestamps=unix,us
print absolute UNIX time with usecs
-T, --syscall-times[=PRECISION]
print time spent in each syscall
precision: one of s, ms, us, ns; default is microseconds
-v, --no-abbrev
verbose mode: print entities unabbreviated
--strings-in-hex=non-ascii-chars
use hex instead of octal in escape sequences
-x, --strings-in-hex=non-ascii
print non-ASCII strings in hex
-xx, --strings-in-hex[=all]
print all strings in hex
-X FORMAT, --const-print-style=FORMAT
set the FORMAT for printing of named constants and flags
formats: raw, abbrev, verbose
-y, --decode-fds[=path]
print paths associated with file descriptor arguments
-yy, --decode-fds=all
print all available information associated with file
descriptors in addition to paths
--decode-pids=pidns
print PIDs in strace's namespace, too
-Y, --decode-pids=comm
print command names associated with PIDs
Statistics:
-c, --summary-only
count time, calls, and errors for each syscall and report
summary
-C, --summary like -c, but also print the regular output
-O OVERHEAD[UNIT], --summary-syscall-overhead=OVERHEAD[UNIT]
set overhead for tracing syscalls to OVERHEAD UNITs
units: one of s, ms, us, ns; default is microseconds
-S SORTBY, --summary-sort-by=SORTBY
sort syscall counts by: time, min-time, max-time, avg-time,
calls, errors, name, nothing (default time)
-U COLUMNS, --summary-columns=COLUMNS
show specific columns in the summary report: comma-separated
list of time-percent, total-time, min-time, max-time,
avg-time, calls, errors, name
(default time-percent,total-time,avg-time,calls,errors,name)
-w, --summary-wall-clock
summarise syscall latency (default is system time)
Stop condition:
--syscall-limit=LIMIT
Detach all tracees after tracing LIMIT syscalls
Tampering:
-e inject=SET[:error=ERRNO|:retval=VALUE][:signal=SIG][:syscall=SYSCALL]
[:delay_enter=DELAY][:delay_exit=DELAY]
[:poke_enter=@argN=DATAN,@argM=DATAM...]
[:poke_exit=@argN=DATAN,@argM=DATAM...]
[:when=WHEN],
--inject=SET[:error=ERRNO|:retval=VALUE][:signal=SIG][:syscall=SYSCALL]
[:delay_enter=DELAY][:delay_exit=DELAY]
[:poke_enter=@argN=DATAN,@argM=DATAM...]
[:poke_exit=@argN=DATAN,@argM=DATAM...]
[:when=WHEN],
perform syscall tampering for the syscalls in SET
delay: microseconds or NUMBER{s|ms|us|ns}
when: FIRST[..LAST][+[STEP]]
-e fault=SET[:error=ERRNO][:when=WHEN], --fault=SET[:error=ERRNO][:when=WHEN]
synonym for -e inject with default ERRNO set to ENOSYS.
Miscellaneous:
-d, --debug enable debug output to stderr
-h, --help print help message
--seccomp-bpf enable seccomp-bpf filtering
--tips[=[[id:]ID][,[format:]FORMAT]]
show strace tips, tricks, and tweaks on exit
id: non-negative integer or random; default is random
format: none, compact, full; default is compact
-V, --version print version
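The Filtering and Tampering options above are the ones that matter most in a security review: restricting the trace to one syscall group and to failures finds the files a program looks for but cannot find, and -e inject forces a syscall to fail so you can watch the error path without patching the binary. The script below is an added example, not code from the original page or from the strace project. It assumes strace 5.2 or newer (for -Z), permission to ptrace the target, and cat(1) and uname(1) on the PATH; the function names and the path /nonexistent_strace_example_path are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original page: two strace recipes built from the
# Filtering and Tampering options in the help text. Needs strace >= 5.2 (for -Z)
# and permission to ptrace the target (CAP_SYS_PTRACE, or a kernel.yama.ptrace_scope
# that allows it). Function names and the demo path are made up for the example.

# Recipe 1: which paths does a program try and fail to open?
#   -f              follow child processes too (a wrapper script hides nothing)
#   -e trace=%file  only syscalls that take a path argument
#   -Z              keep only calls that returned an error
#   -y              show the directory behind a dirfd, so relative openat
#                   failures are readable
# Prints "PATH ERRNO" once per unique failure, e.g. "/etc/ld.so.preload ENOENT".
# A library or config file looked up in a writable directory is the classic
# finding to follow up on.
missing_paths() {
  log=$1; shift
  strace -f -Z -y -e trace=%file -o "$log" "$@" >/dev/null 2>&1 || :
  sed -n 's/^[^"]*"\([^"]*\)".* = -1 \(E[A-Z]*\).*/\1 \2/p' "$log" | sort -u
}

# Recipe 2: fault injection. Make uname(2) fail with EPERM for uname(1) and
# observe how it copes (clear error? crash? silent wrong answer?). strace marks
# injected results with "(INJECTED)" in the log and exits with the tracee's own
# exit status, which is printed here as "exit=N" (nonzero when uname gives up).
inject_uname_eperm() {
  log=$1
  if strace -e trace=uname -e inject=uname:error=EPERM -o "$log" uname -r \
       >/dev/null 2>&1
  then echo "exit=0"; else echo "exit=$?"; fi
}

# Demo when run directly; skipped if strace is not installed.
if command -v strace >/dev/null 2>&1; then
  tmp=$(mktemp)
  missing_paths "$tmp" cat /nonexistent_strace_example_path
  inject_uname_eperm "$tmp"
  grep INJECTED "$tmp"
  rm -f "$tmp"
fi
```

For a long-running or syscall-heavy target add --seccomp-bpf to recipe 1: with a -e trace filter it stops strace from being woken for every unrelated syscall, which keeps the overhead (and the chance of the target timing out) down.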
TLDR
$> tldr strace
strace
Troubleshooting tool for tracing system calls.
More information: https://manned.org/strace.
- Start tracing a specific process by its PID:
strace -p pid
- Trace a process and filter output by system call:
strace -p pid -e system_call_name
- Count time, calls, and errors for each system call and report a summary on program exit:
strace -p pid -c
- Show the time spent in every system call:
strace -p pid -T
- Start tracing a program by executing it:
strace program
- Start tracing file operations of a program:
strace -e trace=file program