Difference between revisions of "Strace: what a process does"

From Linuxintro
imported>ThorstenStaerk
imported>ThorstenStaerk
Line 22: Line 22:
 
  mmap(NULL, 2265264, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 6, 0) = 0x7f5d5ced6000  
 
  mmap(NULL, 2265264, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 6, 0) = 0x7f5d5ced6000  
 
The above line performs the syscall mmap. See [http://man-wiki.net/index.php/2:mmap man 2 mmap] about the parameters - if you do you will find out that the file with descriptor number 6 is mapped to memory at address 0x7f5d5ced6000.
 
The above line performs the syscall mmap. See [http://man-wiki.net/index.php/2:mmap man 2 mmap] about the parameters - if you do you will find out that the file with descriptor number 6 is mapped to memory at address 0x7f5d5ced6000.
 +
 +
= Search for a syscall =
 +
With strace, you can search for a special syscall. For example,
 +
strace -e open ''command''
 +
will show you all files that have been touched (opened) by ''command''.
  
 
= See also =
 
= See also =
 
* [http://man-wiki.net/index.php/1:strace man strace]
 
* [http://man-wiki.net/index.php/1:strace man strace]
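Review bot: in the added "Search for a syscall" section, "will show you all files that have been touched (opened) by ''command''" claims more than the filter shown provides. strace -e open restricts the output to calls of the open syscall, so drop "touched" and say that it shows each open call made by ''command'' together with its result. In the first added sentence, "special syscall" should read "specific syscall".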

Revision as of 08:20, 6 August 2010

strace is a command to show what a command or process is doing.

Analyzing strace's output

Analyzing strace's output is tedious if you do not know how it is structured. The first keyword in a line of output from strace is always a syscall such as open or read. The arguments follow in parentheses, then the result. The meaning of a syscall, its parameters and its results can be found with the following command, where syscall stands for the name of the call:

man 2 syscall

output

Here is an example output from strace that we are going to analyze:

open("/lib64/libexpat.so.1", O_RDONLY)  = 6                                     
read(6, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@>\0\0\0\0\0\0"..., 832) = 832                                                                           
fstat(6, {st_mode=S_IFREG|0755, st_size=170240, ...}) = 0                       
mmap(NULL, 2265264, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 6, 0) = 0x7f5d5ced6000 

analysis

The above example consists of 4 lines that can be analyzed like this:

open("/lib64/libexpat.so.1", O_RDONLY)  = 6                                                  

This first line performs the syscall open on the file /lib64/libexpat.so.1. The file is opened read-only (O_RDONLY). The call returns the file descriptor 6, so /lib64/libexpat.so.1 is now file number 6. You can get this information from man 2 open.

read(6, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@>\0\0\0\0\0\0"..., 832) = 832                                                                           

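The above line reads from file number 6. The file content starts with character 177 (strace prints non-printable bytes as octal escapes), then the string ELF, then the characters 2, 1, 1, 0 and so on. The call asked for 832 bytes and returned 832.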

fstat(6, {st_mode=S_IFREG|0755, st_size=170240, ...}) = 0    

Here, fstat tells that file number 6 (/lib64/libexpat.so.1) is a regular file.

mmap(NULL, 2265264, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 6, 0) = 0x7f5d5ced6000 

The above line performs the syscall mmap. See man 2 mmap for the parameters; there you will find that the file with descriptor number 6 is mapped into memory at address 0x7f5d5ced6000.
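The same analysis can be automated. The following is an added example, not part of the original article: it reads strace lines, remembers which path each open returned as a file descriptor, and reports every file that mmap maps with PROT_EXEC. The function names are made up for this illustration, and it also handles close, which the article does not discuss.

```python
import re

# The four lines of the page's example output, unchanged.
SAMPLE = r'''open("/lib64/libexpat.so.1", O_RDONLY)  = 6
read(6, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@>\0\0\0\0\0\0"..., 832) = 832
fstat(6, {st_mode=S_IFREG|0755, st_size=170240, ...}) = 0
mmap(NULL, 2265264, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 6, 0) = 0x7f5d5ced6000
'''

# Shape of a line: syscall(arguments) = result
LINE = re.compile(r'^(\w+)\((.*)\)\s+=\s+(\S+)')

def split_args(raw):
    """Split on top-level commas, ignoring those in strings or {...}."""
    args, cur, depth, in_str, i = [], "", 0, False, 0
    while i < len(raw):
        c = raw[i]
        if in_str and c == "\\":          # keep escapes such as \" intact
            cur, i = cur + raw[i:i + 2], i + 2
            continue
        if c == '"':
            in_str = not in_str
        elif not in_str:
            depth += (c in "{[") - (c in "}]")
        if c == "," and not in_str and depth == 0:
            args.append(cur.strip())
            cur = ""
        else:
            cur += c
        i += 1
    return args + [cur.strip()] if cur.strip() else args

def executable_mappings(trace):
    """Return (path, address) for each file mapped with PROT_EXEC."""
    fds, hits = {}, []
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        name, result = m.group(1), m.group(3)
        args = split_args(m.group(2))
        if name == "open" and args and result.isdigit():  # failed opens return -1
            fds[int(result)] = args[0].strip('"')
        elif name == "close" and args and args[0].isdigit():
            fds.pop(int(args[0]), None)
        elif (name == "mmap" and len(args) == 6 and args[4].isdigit()
              and "PROT_EXEC" in args[2].split("|")):
            hits.append((fds.get(int(args[4]), "?"), result))
    return hits
```

Calling executable_mappings(SAMPLE) returns the library path from the open line paired with the address from the mmap line.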

Search for a syscall

With strace, you can search for a specific syscall. For example,

strace -e open command

will show you all files that have been touched (opened) by command.

See also