strace

Umożliwia podgląd poleceń systemowych w czasie wykonania uruchamianego programu, lub też podłączenie się do działającego procesu i obserwacje jego działań.

Przykład – za pomocą strace podglądamy wykonanie whoami:

strace whoami

efekt:

wiks@dellwiks:~$ strace whoami
execve("/usr/bin/whoami", ["whoami"], 0x7ffef9233370 /* 63 vars */) = 0
brk(NULL)                               = 0x563e3cfd5000
arch_prctl(0x3001 /* ARCH_??? */, 0x7fff9938b510) = -1 EINVAL (Zły argument)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=105675, ...}) = 0
mmap(NULL, 105675, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f6c260d3000
close(3)                                = 0
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libgtk3-nocsd.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\r\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|S_ISUID|0644, st_size=26616, ...}) = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6c260d1000
mmap(NULL, 2122800, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6c25eca000
mprotect(0x7f6c25ed0000, 2093056, PROT_NONE) = 0
mmap(0x7f6c260cf000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x7f6c260cf000
close(3)                                = 0
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (Nie ma takiego pliku ani katalogu)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360q\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0", 32, 848) = 32
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\363\377?\332\200\270\27\304d\245n\355Y\377\t\334"..., 68, 880) = 68
fstat(3, {st_mode=S_IFREG|0755, st_size=2029224, ...}) = 0
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(3, "\4\0\0\0\20\0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0", 32, 848) = 32
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\363\377?\332\200\270\27\304d\245n\355Y\377\t\334"..., 68, 880) = 68
mmap(NULL, 2036952, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6c25cd8000
mprotect(0x7f6c25cfd000, 1847296, PROT_NONE) = 0
mmap(0x7f6c25cfd000, 1540096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x25000) = 0x7f6c25cfd000
mmap(0x7f6c25e75000, 303104, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19d000) = 0x7f6c25e75000
mmap(0x7f6c25ec0000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1e7000) = 0x7f6c25ec0000
mmap(0x7f6c25ec6000, 13528, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f6c25ec6000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 \22\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=18816, ...}) = 0
mmap(NULL, 20752, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6c25cd2000
mmap(0x7f6c25cd3000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7f6c25cd3000
mmap(0x7f6c25cd5000, 4096, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f6c25cd5000
mmap(0x7f6c25cd6000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f6c25cd6000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\201\0\0\0\0\0\0"..., 832) = 832
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0O\305\3743\364B\2216\244\224\306@\261\23\327o"..., 68, 824) = 68
fstat(3, {st_mode=S_IFREG|0755, st_size=157224, ...}) = 0
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0O\305\3743\364B\2216\244\224\306@\261\23\327o"..., 68, 824) = 68
mmap(NULL, 140408, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6c25caf000
mmap(0x7f6c25cb6000, 69632, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x7000) = 0x7f6c25cb6000
mmap(0x7f6c25cc7000, 20480, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x18000) = 0x7f6c25cc7000
mmap(0x7f6c25ccc000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c000) = 0x7f6c25ccc000
mmap(0x7f6c25cce000, 13432, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f6c25cce000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f6c25cad000
arch_prctl(ARCH_SET_FS, 0x7f6c25cadb80) = 0
mprotect(0x7f6c25ec0000, 12288, PROT_READ) = 0
mprotect(0x7f6c25ccc000, 4096, PROT_READ) = 0
mprotect(0x7f6c25cd6000, 4096, PROT_READ) = 0
mprotect(0x7f6c260cf000, 4096, PROT_READ) = 0
mprotect(0x563e3b55b000, 4096, PROT_READ) = 0
mprotect(0x7f6c2611a000, 4096, PROT_READ) = 0
munmap(0x7f6c260d3000, 105675)          = 0
set_tid_address(0x7f6c25cade50)         = 244707
set_robust_list(0x7f6c25cade60, 24)     = 0
rt_sigaction(SIGRTMIN, {sa_handler=0x7f6c25cb6bf0, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f6c25cc43c0}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=0x7f6c25cb6c90, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f6c25cc43c0}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
brk(NULL)                               = 0x563e3cfd5000
brk(0x563e3cff6000)                     = 0x563e3cff6000
openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=8290544, ...}) = 0
mmap(NULL, 8290544, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f6c254c4000
close(3)                                = 0
geteuid()                               = 1000
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (Nie ma takiego pliku ani katalogu)
close(3)                                = 0
socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (Nie ma takiego pliku ani katalogu)
close(3)                                = 0
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=545, ...}) = 0
read(3, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 545
read(3, "", 4096)                       = 0
close(3)                                = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=105675, ...}) = 0
mmap(NULL, 105675, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f6c260d3000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_compat.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0$\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=43968, ...}) = 0
mmap(NULL, 47264, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6c254b8000
mmap(0x7f6c254ba000, 28672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f6c254ba000
mmap(0x7f6c254c1000, 4096, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x9000) = 0x7f6c254c1000
mmap(0x7f6c254c2000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x9000) = 0x7f6c254c2000
close(3)                                = 0
mprotect(0x7f6c254c2000, 4096, PROT_READ) = 0
munmap(0x7f6c260d3000, 105675)          = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=105675, ...}) = 0
mmap(NULL, 105675, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f6c260d3000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_nis.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\2005\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=55928, ...}) = 0
mmap(NULL, 58760, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6c254a9000
mmap(0x7f6c254ac000, 32768, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f6c254ac000
mmap(0x7f6c254b4000, 8192, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb000) = 0x7f6c254b4000
mmap(0x7f6c254b6000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc000) = 0x7f6c254b6000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnsl.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 ]\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=105528, ...}) = 0
mmap(NULL, 117336, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6c2548c000
mmap(0x7f6c25491000, 65536, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0x7f6c25491000
mmap(0x7f6c254a1000, 16384, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x7f6c254a1000
mmap(0x7f6c254a5000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x18000) = 0x7f6c254a5000
mmap(0x7f6c254a7000, 6744, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f6c254a7000
close(3)                                = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\3005\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=51832, ...}) = 0
mmap(NULL, 79672, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f6c25478000
mmap(0x7f6c2547b000, 28672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x7f6c2547b000
mmap(0x7f6c25482000, 8192, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xa000) = 0x7f6c25482000
mmap(0x7f6c25484000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb000) = 0x7f6c25484000
mmap(0x7f6c25486000, 22328, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f6c25486000
close(3)                                = 0
mprotect(0x7f6c25484000, 4096, PROT_READ) = 0
mprotect(0x7f6c254a5000, 4096, PROT_READ) = 0
mprotect(0x7f6c254b6000, 4096, PROT_READ) = 0
munmap(0x7f6c260d3000, 105675)          = 0
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
lseek(3, 0, SEEK_CUR)                   = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=3346, ...}) = 0
mmap(NULL, 3346, PROT_READ, MAP_SHARED, 3, 0) = 0x7f6c26119000
lseek(3, 3346, SEEK_SET)                = 3346
munmap(0x7f6c26119000, 3346)            = 0
close(3)                                = 0
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0x3), ...}) = 0
write(1, "wiks\n", 5wiks
)                   = 5
close(1)                                = 0
close(2)                                = 0
exit_group(0)                           = ?
+++ exited with 0 +++

jeśli chciałbym zobaczyć wywołanie konkretnego polecenia (np write):

wiks@dellwiks:~$ strace -e write whoami
write(1, "wiks\n", 5wiks
)                   = 5
+++ exited with 0 +++

lub

wiks@dellwiks:~$ strace -e read whoami
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\r\0\0\0\0\0\0"..., 832) = 832
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360q\2\0\0\0\0\0"..., 832) = 832
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 \22\0\0\0\0\0\0"..., 832) = 832
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\201\0\0\0\0\0\0"..., 832) = 832
read(3, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 545
read(3, "", 4096)                       = 0
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0$\0\0\0\0\0\0"..., 832) = 832
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\2005\0\0\0\0\0\0"..., 832) = 832
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 ]\0\0\0\0\0\0"..., 832) = 832
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\3005\0\0\0\0\0\0"..., 832) = 832
wiks
+++ exited with 0 +++

lub nawet dla kilku poleceń:

wiks@dellwiks:~$ strace -e read,write whoami
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\r\0\0\0\0\0\0"..., 832) = 832
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360q\2\0\0\0\0\0"..., 832) = 832
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 \22\0\0\0\0\0\0"..., 832) = 832
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\201\0\0\0\0\0\0"..., 832) = 832
read(3, "# /etc/nsswitch.conf\n#\n# Example"..., 4096) = 545
read(3, "", 4096)                       = 0
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0$\0\0\0\0\0\0"..., 832) = 832
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\2005\0\0\0\0\0\0"..., 832) = 832
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 ]\0\0\0\0\0\0"..., 832) = 832
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\3005\0\0\0\0\0\0"..., 832) = 832
write(1, "wiks\n", 5wiks
)                   = 5
+++ exited with 0 +++

jeśli chcemy zapisać do pliku, to czai się podstęp 🙂 zwykłe strace whoami > plik.txt sprawi, że w pliku będzie tylko wiks – czyli wynik działania podglądanego programu. Zapis do pliku należy wykonać w opcję -o plik.txt:

wiks@dellwiks:~$ strace -e read,write -o plik2.txt whoami
wiks

aby podłączyć się do procesu:

wiks@dellwiks:~$ sudo strace -p 1817
[sudo] hasło użytkownika wiks: 
strace: Process 1817 attached
ppoll([{fd=4, events=POLLIN}, {fd=85, events=POLLIN}, {fd=89, events=POLLIN}, {fd=78, events=POLLIN}, {fd=83, events=POLLIN}, {fd=65, events=POLLIN}, {fd=80, events=POLLIN}, {fd=56, events=POLLIN}, {fd=72, events=POLLIN}, {fd=68, events=POLLIN}, {fd=74, events=POLLIN}, {fd=60, events=POLLIN}, {fd=69, events=POLLIN}, {fd=28, events=POLLIN}, {fd=57, events=POLLIN}, {fd=71, events=POLLIN}, {fd=75, events=POLLIN}, {fd=62, events=POLLIN}, {fd=66, events=POLLIN}, {fd=59, events=POLLIN}, {fd=63, events=POLLIN}, {fd=27, events=POLLIN}, {fd=50, events=POLLIN}, {fd=22, events=POLLIN}, {fd=53, events=POLLIN}, {fd=43, events=POLLIN}, {fd=51, events=POLLIN}, {fd=49, events=POLLIN}, {fd=46, events=POLLIN}, {fd=42, events=POLLIN}, {fd=39, events=POLLIN}, {fd=47, events=POLLIN}, ...], 52, NULL, NULL, 8) = 1 ([{fd=80, revents=POLLIN}])
read(80, "\1\0\0\0\0\0\0\0", 8)         = 8
write(24, "\1\0\0\0\0\0\0\0", 8)        = 8
write(5, "W", 1)                        = 1
write(81, "\1\0\0\0\0\0\0\0", 8)        = 8
read(4, "W", 10)                        = 1
read(4, 0x7ffd53ebfe2e, 10)             = -1 EAGAIN (Zasoby chwilowo niedostępne)
ppoll([{fd=4, events=POLLIN}, {fd=85, events=POLLIN}, {fd=89, events=POLLIN}, {fd=78, events=POLLIN}, {fd=83, events=POLLIN}, {fd=65, events=POLLIN}, {fd=80, events=POLLIN}, {fd=56, events=POLLIN}, {fd=72, events=POLLIN}, {fd=68, events=POLLIN}, {fd=74, events=POLLIN}, {fd=60, events=POLLIN}, {fd=69, events=POLLIN}, {fd=28, events=POLLIN}, {fd=57, events=POLLIN}, {fd=71, events=POLLIN}, {fd=75, events=POLLIN}, {fd=62, events=POLLIN}, {fd=66, events=POLLIN}, {fd=59, events=POLLIN}, {fd=63, events=POLLIN}, {fd=27, events=POLLIN}, {fd=50, events=POLLIN}, {fd=22, events=POLLIN}, {fd=53, events=POLLIN}, {fd=43, events=POLLIN}, {fd=51, events=POLLIN}, {fd=49, events=POLLIN}, {fd=46, events=POLLIN}, {fd=42, events=POLLIN}, {fd=39, events=POLLIN}, {fd=47, events=POLLIN}, ...], 52, NULL, NULL, 8) = 1 ([{fd=72, revents=POLLIN}])
read(72, "\1\0\0\0\0\0\0\0", 8)         = 8

inne opcje strace można oczywiście podglądnąć poprzez -h :

wiks@dellwiks:~$ strace -h
Usage: strace [-ACdffhikqqrtttTvVwxxyyzZ] [-I N] [-b execve] [-e EXPR]...
              [-a COLUMN] [-o FILE] [-s STRSIZE] [-X FORMAT] [-P PATH]...
              [-p PID]... [--seccomp-bpf]
              { -p PID | [-DDD] [-E VAR=VAL]... [-u USERNAME] PROG [ARGS] }
   or: strace -c[dfwzZ] [-I N] [-b execve] [-e EXPR]... [-O OVERHEAD]
              [-S SORTBY] [-P PATH]... [-p PID]... [--seccomp-bpf]
              { -p PID | [-DDD] [-E VAR=VAL]... [-u USERNAME] PROG [ARGS] }

General:
  -e EXPR        a qualifying expression: OPTION=[!]all or OPTION=[!]VAL1[,VAL2]...
     options:    trace, abbrev, verbose, raw, signal, read, write, fault,
                 inject, status, kvm

Startup:
  -E VAR=VAL, --env=VAR=VAL
                 put VAR=VAL in the environment for command
  -E VAR, --env=VAR
                 remove VAR from the environment for command
  -p PID, --attach=PID
                 trace process with process id PID, may be repeated
  -u USERNAME, --user=USERNAME
                 run command as USERNAME handling setuid and/or setgid

Tracing:
  -b execve, --detach-on=execve
                 detach on execve syscall
  -D             run tracer process as a grandchild, not as a parent
  -DD            run tracer process in a separate process group
  -DDD           run tracer process in a separate session
  -f             follow forks
  -ff            follow forks with output into separate files
  -I INTERRUPTIBLE
     1:          no signals are blocked
     2:          fatal signals are blocked while decoding syscall (default)
     3:          fatal signals are always blocked (default if '-o FILE PROG')
     4:          fatal signals and SIGTSTP (^Z) are always blocked
                 (useful to make 'strace -o FILE PROG' not stop on ^Z)

Filtering:
  -e trace=[!]{[?]SYSCALL[@64|@32|@x32]|[?]/REGEX|GROUP|all|none},
  --trace=[!]{[?]SYSCALL[@64|@32|@x32]|[?]/REGEX|GROUP|all|none}
                 trace only specified syscalls.
     groups:     %creds, %desc, %file, %fstat, %fstatfs %ipc, %lstat,
                 %memory, %net, %process, %pure, %signal, %stat, %%stat,
                 %statfs, %%statfs
  -e signal=SET, --signal=SET
                 trace only the specified set of signals
                 print only the signals from SET
  -e status=SET, --status=SET
                 print only system calls with the return statuses in SET
     statuses:   successful, failed, unfinished, unavailable, detached
  -P PATH, --trace-path=PATH
                 trace accesses to PATH
  -z             print only syscalls that returned without an error code
  -Z             print only syscalls that returned with an error code

Output format:
  -a COLUMN, --columns=COLUMN
                 alignment COLUMN for printing syscall results (default 40)
  -e abbrev=SET, --abbrev=SET
                 abbreviate output for the syscalls in SET
  -e verbose=SET, --verbose=SET
                 dereference structures for the syscall in SET
  -e raw=SET, --raw=SET
                 print undecoded arguments for the syscalls in SET
  -e read=SET, --read=SET
                 dump the data read from the file descriptors in SET
  -e write=SET, --write=SET
                 dump the data written to the file descriptors in SET
  -e kvm=vcpu, --kvm=vcpu
                 print exit reason of kvm vcpu
  -i, --instruction-pointer
                 print instruction pointer at time of syscall
  -k, --stack-traces
                 obtain stack trace between each syscall
  -o FILE, --output=FILE
                 send trace output to FILE instead of stderr
  -A, --output-append-mode
                 open the file provided in the -o option in append mode
  -q             suppress messages about attaching, detaching, etc.
  -qq            suppress messages about process exit status as well.
  -r             print relative timestamp
  -s STRSIZE, --string-limit=STRSIZE
                 limit length of print strings to STRSIZE chars (default 32)
  -t             print absolute timestamp
  -tt            print absolute timestamp with usecs
  -ttt           print absolute UNIX time with usecs
  -T             print time spent in each syscall
  -v, --no-abbrev
                 verbose mode: print entities unabbreviated
  -x             print non-ascii strings in hex
  -xx            print all strings in hex
  -X FORMAT      set the FORMAT for printing of named constants and flags
     formats:    raw, abbrev, verbose
  -y             print paths associated with file descriptor arguments
  -yy            print protocol specific information associated with socket
                 file descriptors

Statistics:
  -c, --summary-only
                 count time, calls, and errors for each syscall and report
                 summary
  -C, --summary  like -c, but also print the regular output
  -O OVERHEAD    set overhead for tracing syscalls to OVERHEAD usecs
  -S SORTBY, --summary-sort-by=SORTBY
                 sort syscall counts by: time, calls, errors, name, nothing
                 (default time)
  -w             summarise syscall latency (default is system time)

Tampering:
  -e inject=SET[:error=ERRNO|:retval=VALUE][:signal=SIG][:syscall=SYSCALL]
            [:delay_enter=DELAY][:delay_exit=DELAY][:when=WHEN],
  --inject=SET[:error=ERRNO|:retval=VALUE][:signal=SIG][:syscall=SYSCALL]
           [:delay_enter=DELAY][:delay_exit=DELAY][:when=WHEN]
                 perform syscall tampering for the syscalls in SET
     delay:      milliseconds or NUMBER{s|ms|us|ns}
     when:       FIRST, FIRST+, or FIRST+STEP
  -e fault=SET[:error=ERRNO][:when=WHEN], --fault=SET[:error=ERRNO][:when=WHEN]
                 synonym for -e inject with default ERRNO set to ENOSYS.
Miscellaneous:
  -d, --debug    enable debug output to stderr
  -h, --help     print help message
  --seccomp-bpf  enable seccomp-bpf filtering
  -V, --version  print version

Podgląd wszystkich wywoływanychh funkcji, wraz z ich zleczeniem i określeniem czasu spędzanego wewnątrz to:

wiks@dellwiks:~$ strace -c whoami
wiks
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
  0,00    0,000000           0        10           read
  0,00    0,000000           0         1           write
  0,00    0,000000           0        18           close
  0,00    0,000000           0        15           fstat
  0,00    0,000000           0         2           lseek
  0,00    0,000000           0        41           mmap
  0,00    0,000000           0        12           mprotect
  0,00    0,000000           0         4           munmap
  0,00    0,000000           0         3           brk
  0,00    0,000000           0         2           rt_sigaction
  0,00    0,000000           0         1           rt_sigprocmask
  0,00    0,000000           0         8           pread64
  0,00    0,000000           0         1         1 access
  0,00    0,000000           0         2           socket
  0,00    0,000000           0         2         2 connect
  0,00    0,000000           0         1           execve
  0,00    0,000000           0         1           geteuid
  0,00    0,000000           0         2         1 arch_prctl
  0,00    0,000000           0         1           set_tid_address
  0,00    0,000000           0        14           openat
  0,00    0,000000           0         1           set_robust_list
  0,00    0,000000           0         1           prlimit64
------ ----------- ----------- --------- --------- ----------------
100.00    0,000000                   143         4 total

ss https://sapientisat.pl/artykul-469-top-przydatnych-wywolan-polecenia-strace-linux-ubuntu.html

Dodaj komentarz

Translate »