ltrace

Print (trace) library calls of a program binary

$ ltrace [path/to/program]

$ ltrace -c [path/to/program]

$ ltrace -e malloc+free-@libc.so* [path/to/program]

$ ltrace [[-o|--output]] [file] [path/to/program]

ltrace [options] command [args...]
ltrace [options] -p PID [PID ...]

-a, --align=NUM
    Align columns to specified minimum width.

-b, --string-boundary=NUM
    Bytes before string boundary.

-c
    Count calls, time, and callsites; summarize.

-C, --demangle[=STYLE]
    Demangle C++ symbols (auto, full, or none).

-d, --debug
    Enable debug output.

-e EXPR, --trace=EXPR
    Trace specific functions or patterns.

-f
    Trace child processes from forks.

-F FILE, --filter-file=FILE
    Read trace exclusions from FILE.

-i
    Print instruction pointer with calls.

-L, --no-libc
    Omit tracing libc functions.

-o FILE, --output-file=FILE
    Write trace to FILE.

-p PID
    Attach to running process(es) by PID.

-s NUM, --string-limit=NUM
    Max string length to print (default 32).

-t, --timestamp
    Prefix lines with execution timestamp.

-T, --time
    Show time spent inside each call.

-u, --indirect
    Trace indirect function calls.

-V, --version
    Print version info.

-v, --verbose
    More verbose output.

-h, --help
    Show help.

ltrace is a powerful debugging and diagnostic tool for Linux that intercepts and displays calls to dynamically linked library functions made by a specified command or running process. Unlike strace, which focuses on system calls, ltrace targets library APIs, showing function names, arguments (in hexadecimal or string format), and return values. It leverages the ptrace system call to attach to processes and hook into library invocations via the dynamic linker's PLT (Procedure Linkage Table).

This makes it ideal for troubleshooting library-related issues, such as incorrect API usage, memory leaks from library functions, or unexpected interactions in multi-threaded applications. Users can filter traces, count calls, demangle C++ names, and output to files for analysis. It's commonly used in development, reverse engineering, and performance profiling to reveal hidden library dependencies and behaviors not visible in source code.

Output resembles: __libc_start_main(0x7ffff7de2740, 2, 0x7fffffffe2a8, 0x7ffff7dcd6e0, 0x7ffff7dcd5f0 <unfinished ...>>
[pid 12345] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=12346, si_status=0} ---
[pid 12345] <... __libc_start_main + 0x75> = 0. Performance overhead is high due to per-call interruptions.

High runtime overhead; may require root for setuid/protected processes. Incompatible with some anti-debugging techniques. Multi-threaded tracing can be noisy. Not all arches fully supported.

ltrace -e printf ls
Traces only printf calls during ls execution.

Use -e 'malloc*' -e 'free*' to trace memory functions; -L skips noisy libc routines.

Developed by Ulrich Drepper around 1998 as a companion to strace. Maintained as open-source project (GPLv2+); key enhancements in 2010s include better demangling, indirect call tracing, and multi-PID support. Integrated into major distros via util-linux or standalone packages.

strace(1), gdb(1), ldd(1)