Here's a preview from my zine, Spying on your programs with strace!
-e
Overwhelmed by all the system calls you don’t understand? Try
strace -e open
and it’ll just show you opens. Much simpler!
-f is for follow
Does your program start subprocesses? Lots do!
Use -f
to see what those are doing too. Or just always use -f! That’s what I do.
-p is for PID
“OH NO I STARTED THE PROGRAM 6 HOURS AGO AND NOW I WANT TO STRACE IT”
Do not worry! Just find your process’s PID (like 747) and
strace -p 747
(Tip: if the process runs as root, you’ll need to be root too, because SECURITY.)
-s is for strings!!
Sometimes I’m looking at the output of a recvfrom and it’s like:
recvfrom (6, “And then the monster…”)
and OH NO THE SUSPENSE.
strace -s 800
will show you the first 800 characters of each string. I use it all the time!
-o is for output!
Let’s get real. No matter what, strace prints too much damn output. Use
strace -o too_much_stuff.txt
and sort through it later.
-y
Have no idea which file the file descriptor “3” refers to? -y is a flag in newer versions of strace, and it’ll show you filenames instead of just numbers!
Putting it all together:
Want to spy on an ssh session?
strace -f -o ssh.txt ssh juliabox.com
Want to see what files a Dropbox sync process is opening? (with PID: 230)
strace -f -p230 -e open
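Once the output is in a file, you still have to sort through it. This added example (not from the zine) turns a trace saved with -f, -y and -o into one line per open, with the PID and whether it succeeded. The function names and the sample trace are made up for illustration.

```shell
#!/bin/sh
# List every open()/openat() in a trace file written by, for example:
#   strace -f -y -e trace=open,openat -o trace.txt -p 230
# (openat is included because glibc implements open() with the openat syscall.)
# Prints one line per call: "PID RESULT PATH"; RESULT is "ok" or the errno name.
summarize_opens() {
    awk '
    function report(pid, path, line,    res, f) {
        res = line
        sub(/^.*\) = /, "", res)            # keep only what follows ") = "
        if (res ~ /^-1 /) { split(res, f, " "); print pid, f[2], path }
        else print pid, "ok", path
    }
    function quoted(line) {                 # first "..." argument is the path
        return (match(line, /"[^"]*"/) ? substr(line, RSTART + 1, RLENGTH - 2) : "?")
    }
    # With -f and -o, every line starts with the PID that made the call.
    # A call interrupted by another process is split in two: remember its path.
    $2 ~ /^open(at)?\(/ && /<unfinished \.\.\.>$/ { pending[$1] = quoted($0); next }
    /<\.\.\. open(at)? resumed>/ { report($1, pending[$1], $0); delete pending[$1]; next }
    $2 ~ /^open(at)?\(/ { report($1, quoted($0), $0) }
    ' "$1"
}

# Constructed sample in the -f -y -o format (not captured from a real run).
write_sample_trace() {
    cat > "$1" <<'EOF'
230   openat(AT_FDCWD</home/u>, "/home/u/Dropbox/notes.txt", O_RDONLY) = 7</home/u/Dropbox/notes.txt>
230   openat(AT_FDCWD</home/u>, "/home/u/Dropbox/.cache/missing", O_RDONLY) = -1 ENOENT (No such file or directory)
231   openat(AT_FDCWD</home/u>, "/home/u/Dropbox/photo.jpg", O_RDONLY <unfinished ...>
230   read(7</home/u/Dropbox/notes.txt>, "hello", 4096) = 5
231   <... openat resumed>) = 8</home/u/Dropbox/photo.jpg>
EOF
}

trace=$(mktemp)
write_sample_trace "$trace"
summarize_opens "$trace"
rm -f "$trace"
```

Failed opens (ENOENT, EACCES) are often the interesting ones, so they're kept next to the successful ones instead of being dropped.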