strace

Attach to a running process

$ sudo strace -p 1234

$ sudo strace -p 1234 -e read,write

$ sudo strace -p 1234 -c

$ sudo strace -p 1234 -T -s 32

$ strace ./program

$ strace -e trace=file ./program

$ strace -f -e trace=network -o trace.txt ./program

strace [-e expr] [-o file] [-p pid] [-f] [-c] [command [args]]

strace intercepts and records system calls made by a process and the signals received by it. It is invaluable for debugging, diagnostics, and understanding system behavior without requiring source code access.

-p, --attach pid

Attach to running process with given PID

Trace child processes created by fork/vfork/clone

Trace only specified system calls (file, network, process, etc.)

Trace only specified signals

Write trace output to file

Display summary statistics at exit

Display summary along with normal output

Add timestamps (relative, absolute, absolute with usec)

Show time spent in each system call

Maximum string size to print (default 32)

Display unabbreviated output

Print file paths associated with file descriptors

Show only successful system calls

Show only failed system calls

Run command as specified user

%file: File operations (open, stat, chmod, etc.)
%network: Network operations (socket, connect, etc.)
%process: Process operations (fork, exec, etc.)
%memory: Memory mapping operations
%signal: Signal-related calls

Tracing significantly slows down the traced process. Do not use on production systems without care. Use -f to trace forked children or some calls may be missed.

strace was originally written for SunOS by Paul Kranenburg in 1991. It has become an essential debugging tool on Linux systems.

ltrace(1), ptrace(2), perf(1)