Umożliwia podgląd wywołań systemowych (syscalli) w czasie wykonania uruchamianego programu lub też podłączenie się do działającego procesu i obserwację jego działań.
Przykład – za pomocą strace podglądamy wykonanie whoami:
strace whoami
efekt:
wiks@dellwiks:~$ strace whoami
execve("/usr/bin/whoami", ["whoami"], 0x7ffef9233370 /* 63 vars */) = 0
brk(NULL) = 0x563e3cfd5000
arch_prctl(0x3001 /* ARCH_??? */, 0x7fff9938b510) = -1 EINVAL (Zły argument)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=105675, ...}) = 0
mmap(NULL, 105675, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f6c260d3000
close(3) = 0
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libgtk3-nocsd.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\r\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|S_ISUID|0644, st_size=26616, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6c260d1000
mmap(NULL, 2122800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6c25eca000
mprotect(0x7f6c25ed0000, 2093056, PROT_NONE) = 0
mmap(0x7f6c260cf000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x7f6c260cf000
close(3) = 0
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (Nie ma takiego pliku ani katalogu)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360q\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0", 32, 848) = 32
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\363\377?\332\200\270\27\304d\245n\355Y\377\t\334"..., 68, 880) = 68
fstat(3, {st_mode=S_IFREG|0755, st_size=2029224, ...}) = 0
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0", 32, 848) = 32
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\363\377?\332\200\270\27\304d\245n\355Y\377\t\334"..., 68, 880) = 68
mmap(NULL, 2036952, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6c25cd8000
mprotect(0x7f6c25cfd000, 1847296, PROT_NONE) = 0
mmap(0x7f6c25cfd000, 1540096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x25000) = 0x7f6c25cfd000
mmap(0x7f6c25e75000, 303104, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19d000) = 0x7f6c25e75000
mmap(0x7f6c25ec0000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e7000) = 0x7f6c25ec0000
mmap(0x7f6c25ec6000, 13528, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f6c25ec6000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 \22\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=18816, ...}) = 0
mmap(NULL, 20752, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6c25cd2000
mmap(0x7f6c25cd3000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7f6c25cd3000
mmap(0x7f6c25cd5000, 4096, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f6c25cd5000
mmap(0x7f6c25cd6000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f6c25cd6000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\201\0\0\0\0\0\0"..., 832) = 832
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0O\305\3743\364B\2216\244\224\306@\261\23\327o"..., 68, 824) = 68
fstat(3, {st_mode=S_IFREG|0755, st_size=157224, ...}) = 0
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0O\305\3743\364B\2216\244\224\306@\261\23\327o"..., 68, 824) = 68
mmap(NULL, 140408, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6c25caf000
mmap(0x7f6c25cb6000, 69632, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x7000) = 0x7f6c25cb6000
mmap(0x7f6c25cc7000, 20480, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x18000) = 0x7f6c25cc7000
mmap(0x7f6c25ccc000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c000) = 0x7f6c25ccc000
mmap(0x7f6c25cce000, 13432, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f6c25cce000
close(3) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6c25cad000
arch_prctl(ARCH_SET_FS, 0x7f6c25cadb80) = 0
mprotect(0x7f6c25ec0000, 12288, PROT_READ) = 0
mprotect(0x7f6c25ccc000, 4096, PROT_READ) = 0
mprotect(0x7f6c25cd6000, 4096, PROT_READ) = 0
mprotect(0x7f6c260cf000, 4096, PROT_READ) = 0
mprotect(0x563e3b55b000, 4096, PROT_READ) = 0
mprotect(0x7f6c2611a000, 4096, PROT_READ) = 0
munmap(0x7f6c260d3000, 105675) = 0
set_tid_address(0x7f6c25cade50) = 244707
set_robust_list(0x7f6c25cade60, 24) = 0
rt_sigaction(SIGRTMIN, {sa_handler=0x7f6c25cb6bf0, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f6c25cc43c0}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=0x7f6c25cb6c90, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f6c25cc43c0}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
brk(NULL) = 0x563e3cfd5000
brk(0x563e3cff6000) = 0x563e3cff6000
openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=8290544, ...}) = 0
mmap(NULL, 8290544, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f6c254c4000
close(3) = 0
geteuid() = 1000
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (Nie ma takiego pliku ani katalogu)
close(3) = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (Nie ma takiego pliku ani katalogu)
close(3) = 0
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=545, ...}) = 0
read(3, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 545
read(3, "", 4096) = 0
close(3) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=105675, ...}) = 0
mmap(NULL, 105675, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f6c260d3000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_compat.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0$\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=43968, ...}) = 0
mmap(NULL, 47264, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6c254b8000
mmap(0x7f6c254ba000, 28672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f6c254ba000
mmap(0x7f6c254c1000, 4096, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x9000) = 0x7f6c254c1000
mmap(0x7f6c254c2000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x9000) = 0x7f6c254c2000
close(3) = 0
mprotect(0x7f6c254c2000, 4096, PROT_READ) = 0
munmap(0x7f6c260d3000, 105675) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=105675, ...}) = 0
mmap(NULL, 105675, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f6c260d3000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_nis.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\2005\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=55928, ...}) = 0
mmap(NULL, 58760, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6c254a9000
mmap(0x7f6c254ac000, 32768, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f6c254ac000
mmap(0x7f6c254b4000, 8192, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb000) = 0x7f6c254b4000
mmap(0x7f6c254b6000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc000) = 0x7f6c254b6000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnsl.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 ]\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=105528, ...}) = 0
mmap(NULL, 117336, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6c2548c000
mmap(0x7f6c25491000, 65536, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x7f6c25491000
mmap(0x7f6c254a1000, 16384, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x7f6c254a1000
mmap(0x7f6c254a5000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x18000) = 0x7f6c254a5000
mmap(0x7f6c254a7000, 6744, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f6c254a7000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\3005\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=51832, ...}) = 0
mmap(NULL, 79672, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6c25478000
mmap(0x7f6c2547b000, 28672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f6c2547b000
mmap(0x7f6c25482000, 8192, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xa000) = 0x7f6c25482000
mmap(0x7f6c25484000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb000) = 0x7f6c25484000
mmap(0x7f6c25486000, 22328, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f6c25486000
close(3) = 0
mprotect(0x7f6c25484000, 4096, PROT_READ) = 0
mprotect(0x7f6c254a5000, 4096, PROT_READ) = 0
mprotect(0x7f6c254b6000, 4096, PROT_READ) = 0
munmap(0x7f6c260d3000, 105675) = 0
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR) = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=3346, ...}) = 0
mmap(NULL, 3346, PROT_READ, MAP_SHARED, 3, 0) = 0x7f6c26119000
lseek(3, 3346, SEEK_SET) = 3346
munmap(0x7f6c26119000, 3346) = 0
close(3) = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0x3), ...}) = 0
write(1, "wiks\n", 5wiks
) = 5
close(1) = 0
close(2) = 0
exit_group(0) = ?
+++ exited with 0 +++
Jeśli chciałbym zobaczyć tylko konkretne wywołanie systemowe (np. write):
wiks@dellwiks:~$ strace -e write whoami
write(1, "wiks\n", 5wiks
) = 5
+++ exited with 0 +++
lub
wiks@dellwiks:~$ strace -e read whoami
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\r\0\0\0\0\0\0"..., 832) = 832
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360q\2\0\0\0\0\0"..., 832) = 832
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 \22\0\0\0\0\0\0"..., 832) = 832
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\201\0\0\0\0\0\0"..., 832) = 832
read(3, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 545
read(3, "", 4096) = 0
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0$\0\0\0\0\0\0"..., 832) = 832
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\2005\0\0\0\0\0\0"..., 832) = 832
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 ]\0\0\0\0\0\0"..., 832) = 832
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\3005\0\0\0\0\0\0"..., 832) = 832
wiks
+++ exited with 0 +++
lub nawet dla kilku wywołań systemowych naraz:
wiks@dellwiks:~$ strace -e read,write whoami
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\r\0\0\0\0\0\0"..., 832) = 832
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360q\2\0\0\0\0\0"..., 832) = 832
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 \22\0\0\0\0\0\0"..., 832) = 832
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\201\0\0\0\0\0\0"..., 832) = 832
read(3, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 545
read(3, "", 4096) = 0
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0$\0\0\0\0\0\0"..., 832) = 832
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\2005\0\0\0\0\0\0"..., 832) = 832
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 ]\0\0\0\0\0\0"..., 832) = 832
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\3005\0\0\0\0\0\0"..., 832) = 832
write(1, "wiks\n", 5wiks
) = 5
+++ exited with 0 +++
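Jeśli chcemy zapisać ślad do pliku, to czai się podstęp 🙂 Zwykłe strace whoami > plik.txt sprawi, że w pliku będzie tylko wiks – czyli wynik działania podglądanego programu, bo strace wypisuje ślad na stderr, a > przekierowuje tylko stdout. Zapis do pliku należy wykonać opcją -o plik.txt (taki plik może zawierać dane odczytywane i zapisywane przez śledzony proces, więc warto ograniczyć do niego dostęp):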
wiks@dellwiks:~$ strace -e read,write -o plik2.txt whoami
wiks
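Aby podłączyć się do działającego procesu, używamy opcji -p PID; podłączenie do procesu, który nie jest potomkiem strace, zwykle wymaga uprawnień roota (na Ubuntu domyślnie ogranicza to ustawienie kernel.yama.ptrace_scope), stąd sudo: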
wiks@dellwiks:~$ sudo strace -p 1817
[sudo] hasło użytkownika wiks:
strace: Process 1817 attached
ppoll([{fd=4, events=POLLIN}, {fd=85, events=POLLIN}, {fd=89, events=POLLIN}, {fd=78, events=POLLIN}, {fd=83, events=POLLIN}, {fd=65, events=POLLIN}, {fd=80, events=POLLIN}, {fd=56, events=POLLIN}, {fd=72, events=POLLIN}, {fd=68, events=POLLIN}, {fd=74, events=POLLIN}, {fd=60, events=POLLIN}, {fd=69, events=POLLIN}, {fd=28, events=POLLIN}, {fd=57, events=POLLIN}, {fd=71, events=POLLIN}, {fd=75, events=POLLIN}, {fd=62, events=POLLIN}, {fd=66, events=POLLIN}, {fd=59, events=POLLIN}, {fd=63, events=POLLIN}, {fd=27, events=POLLIN}, {fd=50, events=POLLIN}, {fd=22, events=POLLIN}, {fd=53, events=POLLIN}, {fd=43, events=POLLIN}, {fd=51, events=POLLIN}, {fd=49, events=POLLIN}, {fd=46, events=POLLIN}, {fd=42, events=POLLIN}, {fd=39, events=POLLIN}, {fd=47, events=POLLIN}, ...], 52, NULL, NULL, 8) = 1 ([{fd=80, revents=POLLIN}])
read(80, "\1\0\0\0\0\0\0\0", 8) = 8
write(24, "\1\0\0\0\0\0\0\0", 8) = 8
write(5, "W", 1) = 1
write(81, "\1\0\0\0\0\0\0\0", 8) = 8
read(4, "W", 10) = 1
read(4, 0x7ffd53ebfe2e, 10) = -1 EAGAIN (Zasoby chwilowo niedostępne)
ppoll([{fd=4, events=POLLIN}, {fd=85, events=POLLIN}, {fd=89, events=POLLIN}, {fd=78, events=POLLIN}, {fd=83, events=POLLIN}, {fd=65, events=POLLIN}, {fd=80, events=POLLIN}, {fd=56, events=POLLIN}, {fd=72, events=POLLIN}, {fd=68, events=POLLIN}, {fd=74, events=POLLIN}, {fd=60, events=POLLIN}, {fd=69, events=POLLIN}, {fd=28, events=POLLIN}, {fd=57, events=POLLIN}, {fd=71, events=POLLIN}, {fd=75, events=POLLIN}, {fd=62, events=POLLIN}, {fd=66, events=POLLIN}, {fd=59, events=POLLIN}, {fd=63, events=POLLIN}, {fd=27, events=POLLIN}, {fd=50, events=POLLIN}, {fd=22, events=POLLIN}, {fd=53, events=POLLIN}, {fd=43, events=POLLIN}, {fd=51, events=POLLIN}, {fd=49, events=POLLIN}, {fd=46, events=POLLIN}, {fd=42, events=POLLIN}, {fd=39, events=POLLIN}, {fd=47, events=POLLIN}, ...], 52, NULL, NULL, 8) = 1 ([{fd=72, revents=POLLIN}])
read(72, "\1\0\0\0\0\0\0\0", 8) = 8
inne opcje strace można oczywiście podglądnąć poprzez -h :
wiks@dellwiks:~$ strace -h
Usage: strace [-ACdffhikqqrtttTvVwxxyyzZ] [-I N] [-b execve] [-e EXPR]...
[-a COLUMN] [-o FILE] [-s STRSIZE] [-X FORMAT] [-P PATH]...
[-p PID]... [--seccomp-bpf]
{ -p PID | [-DDD] [-E VAR=VAL]... [-u USERNAME] PROG [ARGS] }
or: strace -c[dfwzZ] [-I N] [-b execve] [-e EXPR]... [-O OVERHEAD]
[-S SORTBY] [-P PATH]... [-p PID]... [--seccomp-bpf]
{ -p PID | [-DDD] [-E VAR=VAL]... [-u USERNAME] PROG [ARGS] }
General:
-e EXPR a qualifying expression: OPTION=[!]all or OPTION=[!]VAL1[,VAL2]...
options: trace, abbrev, verbose, raw, signal, read, write, fault,
inject, status, kvm
Startup:
-E VAR=VAL, --env=VAR=VAL
put VAR=VAL in the environment for command
-E VAR, --env=VAR
remove VAR from the environment for command
-p PID, --attach=PID
trace process with process id PID, may be repeated
-u USERNAME, --user=USERNAME
run command as USERNAME handling setuid and/or setgid
Tracing:
-b execve, --detach-on=execve
detach on execve syscall
-D run tracer process as a grandchild, not as a parent
-DD run tracer process in a separate process group
-DDD run tracer process in a separate session
-f follow forks
-ff follow forks with output into separate files
-I INTERRUPTIBLE
1: no signals are blocked
2: fatal signals are blocked while decoding syscall (default)
3: fatal signals are always blocked (default if '-o FILE PROG')
4: fatal signals and SIGTSTP (^Z) are always blocked
(useful to make 'strace -o FILE PROG' not stop on ^Z)
Filtering:
-e trace=[!]{[?]SYSCALL[@64|@32|@x32]|[?]/REGEX|GROUP|all|none},
--trace=[!]{[?]SYSCALL[@64|@32|@x32]|[?]/REGEX|GROUP|all|none}
trace only specified syscalls.
groups: %creds, %desc, %file, %fstat, %fstatfs %ipc, %lstat,
%memory, %net, %process, %pure, %signal, %stat, %%stat,
%statfs, %%statfs
-e signal=SET, --signal=SET
trace only the specified set of signals
print only the signals from SET
-e status=SET, --status=SET
print only system calls with the return statuses in SET
statuses: successful, failed, unfinished, unavailable, detached
-P PATH, --trace-path=PATH
trace accesses to PATH
-z print only syscalls that returned without an error code
-Z print only syscalls that returned with an error code
Output format:
-a COLUMN, --columns=COLUMN
alignment COLUMN for printing syscall results (default 40)
-e abbrev=SET, --abbrev=SET
abbreviate output for the syscalls in SET
-e verbose=SET, --verbose=SET
dereference structures for the syscall in SET
-e raw=SET, --raw=SET
print undecoded arguments for the syscalls in SET
-e read=SET, --read=SET
dump the data read from the file descriptors in SET
-e write=SET, --write=SET
dump the data written to the file descriptors in SET
-e kvm=vcpu, --kvm=vcpu
print exit reason of kvm vcpu
-i, --instruction-pointer
print instruction pointer at time of syscall
-k, --stack-traces
obtain stack trace between each syscall
-o FILE, --output=FILE
send trace output to FILE instead of stderr
-A, --output-append-mode
open the file provided in the -o option in append mode
-q suppress messages about attaching, detaching, etc.
-qq suppress messages about process exit status as well.
-r print relative timestamp
-s STRSIZE, --string-limit=STRSIZE
limit length of print strings to STRSIZE chars (default 32)
-t print absolute timestamp
-tt print absolute timestamp with usecs
-ttt print absolute UNIX time with usecs
-T print time spent in each syscall
-v, --no-abbrev
verbose mode: print entities unabbreviated
-x print non-ascii strings in hex
-xx print all strings in hex
-X FORMAT set the FORMAT for printing of named constants and flags
formats: raw, abbrev, verbose
-y print paths associated with file descriptor arguments
-yy print protocol specific information associated with socket
file descriptors
Statistics:
-c, --summary-only
count time, calls, and errors for each syscall and report
summary
-C, --summary like -c, but also print the regular output
-O OVERHEAD set overhead for tracing syscalls to OVERHEAD usecs
-S SORTBY, --summary-sort-by=SORTBY
sort syscall counts by: time, calls, errors, name, nothing
(default time)
-w summarise syscall latency (default is system time)
Tampering:
-e inject=SET[:error=ERRNO|:retval=VALUE][:signal=SIG][:syscall=SYSCALL]
[:delay_enter=DELAY][:delay_exit=DELAY][:when=WHEN],
--inject=SET[:error=ERRNO|:retval=VALUE][:signal=SIG][:syscall=SYSCALL]
[:delay_enter=DELAY][:delay_exit=DELAY][:when=WHEN]
perform syscall tampering for the syscalls in SET
delay: milliseconds or NUMBER{s|ms|us|ns}
when: FIRST, FIRST+, or FIRST+STEP
-e fault=SET[:error=ERRNO][:when=WHEN], --fault=SET[:error=ERRNO][:when=WHEN]
synonym for -e inject with default ERRNO set to ENOSYS.
Miscellaneous:
-d, --debug enable debug output to stderr
-h, --help print help message
--seccomp-bpf enable seccomp-bpf filtering
-V, --version print version
Podgląd wszystkich wywoływanych funkcji wraz z ich zliczeniem i określeniem czasu spędzanego wewnątrz to opcja -c:
wiks@dellwiks:~$ strace -c whoami
wiks
% time seconds usecs/call calls errors syscall
------ ----------- ----------- --------- --------- ----------------
0,00 0,000000 0 10 read
0,00 0,000000 0 1 write
0,00 0,000000 0 18 close
0,00 0,000000 0 15 fstat
0,00 0,000000 0 2 lseek
0,00 0,000000 0 41 mmap
0,00 0,000000 0 12 mprotect
0,00 0,000000 0 4 munmap
0,00 0,000000 0 3 brk
0,00 0,000000 0 2 rt_sigaction
0,00 0,000000 0 1 rt_sigprocmask
0,00 0,000000 0 8 pread64
0,00 0,000000 0 1 1 access
0,00 0,000000 0 2 socket
0,00 0,000000 0 2 2 connect
0,00 0,000000 0 1 execve
0,00 0,000000 0 1 geteuid
0,00 0,000000 0 2 1 arch_prctl
0,00 0,000000 0 1 set_tid_address
0,00 0,000000 0 14 openat
0,00 0,000000 0 1 set_robust_list
0,00 0,000000 0 1 prlimit64
------ ----------- ----------- --------- --------- ----------------
100.00 0,000000 143 4 total
ss https://sapientisat.pl/artykul-469-top-przydatnych-wywolan-polecenia-strace-linux-ubuntu.html