How to trace a command, or a particular system call made by a command, on Linux?
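In this post, we will see how to trace a command on Linux, or a specific system call used by that command, with strace. strace prints every system call together with its arguments and return value; because those arguments include fragments of the data the process reads (the trace below shows the first bytes of /etc/passwd and /etc/group), trace output should be handled as potentially sensitive.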
1. Tracing a command, say “ls -l /etc/hosts”
[root@nglinux ~]# strace ls -l /etc/hosts execve("/bin/ls", ["ls", "-l", "/etc/hosts"], [/* 28 vars */]) = 0 brk(0) = 0x857e000 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb77b5000 access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=66865, ...}) = 0 mmap2(NULL, 66865, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb77a4000 close(3) = 0 open("/lib/libselinux.so.1", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0P\264\276\0004\0\0\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=126540, ...}) = 0 mmap2(0xbe7000, 125988, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xbe7000 mmap2(0xc04000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1d000) = 0xc04000 close(3) = 0 open("/lib/librt.so.1", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\310\247\0004\0\0\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=42356, ...}) = 0 mmap2(0xa7b000, 33336, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xa7b000 mmap2(0xa82000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0xa82000 close(3) = 0 open("/lib/libcap.so.2", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\\\353F4\0\0\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=14328, ...}) = 0 mmap2(0x46eb5000, 15664, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x46eb5000 mmap2(0x46eb8000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x46eb8000 close(3) = 0 open("/lib/libacl.so.1", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p\226\245\0044\0\0\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=31988, ...}) = 0 mmap2(0x4a58000, 33092, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4a58000 mmap2(0x4a5f000, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x4a5f000 close(3) = 0 open("/lib/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200N\215\0004\0\0\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=1912920, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb77a3000 mmap2(0x8be000, 1665484, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x8be000 mmap2(0xa4f000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x191000) = 0xa4f000 mmap2(0xa52000, 10700, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xa52000 close(3) = 0 open("/lib/libdl.so.2", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`J\247\0004\0\0\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=20284, ...}) = 0 mmap2(0xa74000, 16500, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xa74000 mmap2(0xa77000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0xa77000 close(3) = 0 open("/lib/libpthread.so.0", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\276\245\0004\0\0\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=133980, ...}) = 0 mmap2(0xa57000, 107044, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xa57000 mmap2(0xa6e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0xa6e000 mmap2(0xa70000, 4644, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xa70000 close(3) = 0 open("/lib/libattr.so.1", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0P>\314\0044\0\0\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=19456, ...}) = 0 mmap2(0x4cc3000, 20660, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x4cc3000 mmap2(0x4cc7000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0x4cc7000 close(3) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb77a2000 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb77a1000 set_thread_area({entry_number:-1 -> 6, base_addr:0xb77a1720, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 access("/etc/sysconfig/32bit_ssse3_memcpy_via_32bit_ssse3_memmove", F_OK) = -1 ENOENT (No such file or directory) access("/etc/sysconfig/32bit_ssse3_memcpy_via_32bit_ssse3_memmove", F_OK) = -1 ENOENT (No such file or directory) access("/etc/sysconfig/32bit_ssse3_memcpy_via_32bit_ssse3_memmove", F_OK) = -1 ENOENT (No such file or directory) access("/etc/sysconfig/32bit_ssse3_memcpy_via_32bit_ssse3_memmove", F_OK) = -1 ENOENT (No such file or directory) access("/etc/sysconfig/32bit_ssse3_memcpy_via_32bit_ssse3_memmove", F_OK) = -1 ENOENT (No such file or directory) mprotect(0xc04000, 4096, PROT_READ) = 0 mprotect(0xa82000, 4096, PROT_READ) = 0 mprotect(0x4a5f000, 4096, PROT_READ) = 0 mprotect(0xa4f000, 8192, PROT_READ) = 0 mprotect(0xa77000, 4096, PROT_READ) = 0 mprotect(0x8b6000, 4096, PROT_READ) = 0 mprotect(0xa6e000, 4096, PROT_READ) = 0 mprotect(0x4cc7000, 4096, PROT_READ) = 0 munmap(0xb77a4000, 66865) = 0 set_tid_address(0xb77a1788) = 21765 set_robust_list(0xb77a1790, 12) = 0 futex(0xbfd53d64, FUTEX_WAKE_PRIVATE, 1) = 0 futex(0xbfd53d64, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 1, NULL, bfd53d74) = -1 EAGAIN (Resource temporarily unavailable) rt_sigaction(SIGRTMIN, {0xa5b7d0, [], SA_SIGINFO}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {0xa5bcd0, [], SA_RESTART|SA_SIGINFO}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 getrlimit(RLIMIT_STACK, {rlim_cur=10240*1024, rlim_max=RLIM_INFINITY}) = 0 uname({sys="Linux", node="ngelinux-new", ...}) = 0 statfs64("/selinux", 84, {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096, f_flags=4128}) = 0 statfs64("/selinux", 
84, {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096, f_flags=4128}) = 0 stat64("/selinux", {st_mode=S_IFDIR|0755, st_size=0, ...}) = 0 brk(0) = 0x857e000 brk(0x859f000) = 0x859f000 open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=99174416, ...}) = 0 mmap2(NULL, 2097152, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb75a1000 close(3) = 0 ioctl(1, SNDCTL_TMR_TIMEBASE or SNDRV_TIMER_IOCTL_NEXT_DEVICE or TCGETS, {B38400 opost isig icanon echo ...}) = 0 ioctl(1, TIOCGWINSZ, {ws_row=31, ws_col=96, ws_xpixel=0, ws_ypixel=0}) = 0 open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=2512, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb77b4000 read(3, "# Locale name alias data base.\n#"..., 4096) = 2512 read(3, "", 4096) = 0 close(3) = 0 munmap(0xb77b4000, 4096) = 0 open("/usr/share/locale/en_US.UTF-8/LC_TIME/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en_US.utf8/LC_TIME/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en_US/LC_TIME/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en.UTF-8/LC_TIME/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en.utf8/LC_TIME/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory) open("/usr/share/locale/en/LC_TIME/coreutils.mo", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=435, ...}) = 0 mmap2(NULL, 435, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb77b4000 close(3) = 0 open("/usr/lib/gconv/gconv-modules.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=26058, ...}) = 0 mmap2(NULL, 26058, PROT_READ, MAP_SHARED, 3, 0) = 0xb77ad000 close(3) = 0 futex(0xa51f10, FUTEX_WAKE_PRIVATE, 2147483647) = 0 lstat64("/etc/hosts", 
{st_mode=S_IFREG|0644, st_size=241, ...}) = 0 lgetxattr("/etc/hosts", "security.selinux", "system_u:object_r:net_conf_t:s0", 255) = 32 open("/selinux/mls", O_RDONLY|O_LARGEFILE) = 3 read(3, "1", 19) = 1 close(3) = 0 futex(0xc05c08, FUTEX_WAKE_PRIVATE, 2147483647) = 0 socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3 connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/setrans/.setrans-unix"}, 110) = -1 ENOENT (No such file or directory) close(3) = 0 lstat64("/etc/hosts", {st_mode=S_IFREG|0644, st_size=241, ...}) = 0 lgetxattr("/etc/hosts", "system.posix_acl_access", 0x0, 0) = -1 EOPNOTSUPP (Operation not supported) socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(3) = 0 socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(3) = 0 open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=1688, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb77ac000 read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1688 read(3, "", 4096) = 0 close(3) = 0 munmap(0xb77ac000, 4096) = 0 open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=66865, ...}) = 0 mmap2(NULL, 66865, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7590000 close(3) = 0 open("/lib/libnss_files.so.2", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240\32\0\0004\0\0\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=59172, ...}) = 0 mmap2(NULL, 53964, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x1ec000 mmap2(0x1f8000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xb000) = 0x1f8000 close(3) = 0 mprotect(0x1f8000, 4096, PROT_READ) = 0 munmap(0xb7590000, 66865) = 0 open("/etc/passwd", O_RDONLY|O_CLOEXEC) 
= 3 fcntl64(3, F_GETFD) = 0x1 (flags FD_CLOEXEC) fstat64(3, {st_mode=S_IFREG|0644, st_size=1920, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb77ac000 read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1920 close(3) = 0 munmap(0xb77ac000, 4096) = 0 socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(3) = 0 socket(PF_LOCAL, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 3 connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory) close(3) = 0 open("/etc/group", O_RDONLY|O_CLOEXEC) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=923, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb77ac000 read(3, "root:x:0:nglinux\nbin:x:1:bin,dae"..., 4096) = 923 close(3) = 0 munmap(0xb77ac000, 4096) = 0 fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb77ac000 open("/etc/localtime", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0 fstat64(3, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb77ab000 read(3, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0\0\0\0"..., 4096) = 2819 _llseek(3, -24, [2795], SEEK_CUR) = 0 read(3, "\nPST8PDT,M3.2.0,M11.1.0\n", 4096) = 24 close(3) = 0 munmap(0xb77ab000, 4096) = 0 clock_gettime(CLOCK_REALTIME, {1518155893, 243672407}) = 0 write(1, "-rw-r--r--. 1 root root 241 Jan "..., 52-rw-r--r--. 1 root root 241 Jan 8 01:12 /etc/hosts ) = 52 close(1) = 0 munmap(0xb77ac000, 4096) = 0 close(2) = 0 exit_group(0) = ? +++ exited with 0 +++ [root@nglinux ~]#
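2. Tracing a particular system call, e.g. fstat
The ls command uses the fstat or fstat64 syscall to get inode information.
So let's trace only this particular system call, fstat64, with the -e option (-e fstat64 is shorthand for -e trace=fstat64). Note that in the full trace above the fstat64 calls are made on already-open file descriptors (the shared libraries, configuration files and stdout), while the metadata of /etc/hosts itself is read with lstat64, so a filter on fstat64 alone does not show that call.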
[root@nglinux ~]# strace -e fstat64 ls -l /etc/hosts
fstat64(3, {st_mode=S_IFREG|0644, st_size=66865, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0755, st_size=126540, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0755, st_size=42356, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0755, st_size=14328, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0755, st_size=31988, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0755, st_size=1912920, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0755, st_size=20284, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0755, st_size=133980, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0755, st_size=19456, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=99174416, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=2512, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=435, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=26058, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=1688, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=66865, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0755, st_size=59172, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=1920, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=923, ...}) = 0
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0
fstat64(3, {st_mode=S_IFREG|0644, st_size=2819, ...}) = 0
-rw-r--r--. 1 root root 241 Jan 8 01:12 /etc/hosts
+++ exited with 0 +++
[root@nglinux ~]#