-e

overwhelmed by all the system calls. you don’t understand? Try

strace -e open

and it’ll just show you opens. much simpler!

-f is for follow

Does your program start subprocesses! lots do!

Use -f to see what those are doing too. Or just always use -f! That’s what I do.

-p is for PID

“OH NO I STARTED THE PROGRAM 6 HOURS AGO AND NOW I WANT TO STRACE IT”

Do not worry! Just find your process’s PID (like 747) and
strace -p 747

(tip: if the process runs as root you’ll need to be root, too because SECURITY)

-s is for strings!!

Sometimes I’m looking at the output of a recvfrom and it’s like:

recvfrom (6, “And then the monster…”)
and OH NO THE SUSPENSE.

strace -s 800 will show you the first 800 characters of each string. I use it all the time!

-o is for output!

Let’s get real. No matter what, strace prints too much damn output. Use strace -o too_much_stuff.txt and sort through it later.

-y

Have no idea which file the file descriptor “3” refers to? -y is a flag in newer versions of strace, and it’ll show you filenames instead of just numbers!

Putting it all together:

Want to spy on an ssh session?

strace -f -o ssh.txt ssh juliabox.com

Want to see what files a Dropbox sync process is opening? (with PID: 230)

strace -f -p230 -e open