Using strace to see what a program is doing

strace is a command line debug tool used to see what a program is doing. With it you can see the tasks a program is doing, what files a program is opening, remote connections, and even it’s memory.

Basics

Here some basics.

Start a program and watch it.

strace /path/to/command

Watch what a program is doing. For example you can monitor what a daemon like nginx or dovecot is doing, or if you have a jammed program you can see what it’s doing.

strace -p <pid>

Understanding the Output

If you are familiar with programming, most of the output will be easily recognizable.

When a program starts, it will open up it’s libraries:

access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
...
open("/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3

Reading and writing files

open("/file", O_RDONLY)      = 7
read(7, "data"..., 1024) = 154
close(7)

open("/file...
write(1, "data...
close(2)

If it opens sockets:

socket(AF_INET6, SOCK_DGRAM, IPPROTO_IP) = 4
connect(4, {sa_family=AF_INET6, sin6_port=...
getsockname(4, {sa_family=AF_INET6, sin6_port=ht...

You will also see the exit status:

+++ exited with 0 +++

PHP Example

You can use it to debug PHP programs:

strace php -f index.php

Basics#

Understanding the Output#

PHP Example#

Basics

Understanding the Output

PHP Example