Dissecting Programs

Hendrik Weimer


Normal version

Getting a freshly installed program to work is not always an easy job. If you face trouble, you better know what the program is actually doing. The strace tool will help you with this task by printing out every system call the stubborn program performs.

A system call is the most common way programs communicate with the kernel of the operating system. System calls include reading and writing data, opening and closing files and all kinds of network communication. Under Linux, a system call is done by calling a special interrupt with the number of the system call and its parameters stored in the CPU's registers.

There are two ways to let strace monitor a program. One is to give strace the command line to the program and its arguments, the other is to attach strace to a running process. While the letter is very useful for daemons, it does not give any information on what is happening during startup. In contrast to a debugger, strace does not need a program's source code to produce human-readable output.

Tracing "Hello, World!"

Tracing "Hello, World!"
(click to enlarge)

At first, the output of strace looks very complicated, but this is only due to many system calls made when loading shared libraries. However, once you have found which system calls are the important ones (mainly open, read, write and the like), the results will look fairly intuitive to you.

Typical uses for strace are to find out which configuration files a program tries to read or which ports a network client tries to connect. This information is often extremely useful for solving problems with newly installed applications.

A handy feature of strace is its ability to dereference the arguments. Since the variable type of every system call argument is well-documented, strace can present not only the pointer to the data structure, but the contents of the data structure itself. This adds greatly to the usability of the tool.

As mentioned earlier, strace almost always prints out many system calls that are irrelevant to the problem you are investigating. It is possible to limit the output only to certain system calls or a class of system calls (e.g. all involving network communication). However, it not possible to define filters for the arguments. Sometimes it would be useful to see all system calls involving a certain file or having a certain string as an argument. In this respect, strace needs a feature similar to what ngrep is to tcpdump.

Altogether, strace is a great tool for quickly hunting down problems with all kinds of programs. It will not always help you, but is a good idea to use as a first shot.

Got a question on strace? Post it as a comment!

Distributions: [?]■ Debian stable■ Debian unstable
■ Fedora■ Mandriva
■ Suse■ Ubuntu


  • Easy to use
  • Ideal for troubleshooting
  • No content-based filter options

Copyright 2006–2008 OS Reviews. This document is available under the terms of the GNU Free Documentation License. See the licensing terms for further details.