Your System Calls and You

A Brief Exploration of Using strace

Created by Alex Juarez / @mralexjuarez


Thank you!

(OK. Now on with the show)


  • Why this topic?
  • What is strace?
  • What are System Calls?
  • Some Demos
  • Continued Learning
  • Q/A

Why this topic?

It's about being able to solve problems

What is strace?

  • What does strace do?
  • How to use strace

What does strace do?

strace interrupts a process and intercepts system calls.

What are are system calls?

A system call is a function provided by the kernel. They are the basic interface between an application and the Linux kernel.

Using strace

strace can trace a process that is run with strace

# strace w

Using strace

Example Output

Using strace

We can be a bit more verbose and get all the details

# strace -v w

Using strace

Using strace

strace can trace a process via an existing pid

# strace -p <pid>


A traced process which tries to block SIGTRAP will be sent a SIGSTOP in an attempt to force continuation of tracing.

Using strace

Save the output to a file

# strace -o file

Using strace

strace can trace child processs

# strace -ff -o file -p <pid>

strace Output

The output is standardized and can go to stderr or to a file.

# strace -ff -o file -p <pid>

Using strace

Summary of the system calls

# strace -c w

Example Output

Process Exiting

At the end, we can even see how a process was terminated.

If the processes exited normally

+++ exited with 0 +++

If a process was killed by a signal

+++ killed by SIGINT +++

System Calls

What is a system call?

A system call is a function provided by the kernel. They are the basic interface between an application and the Linux kernel.

A note on system calls

read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\34\2\0\0\0\0\0"..., 832) = 832

  • The system call
  • Any arguments
  • Return value

man (2) syscalls

open - open and possibly create a file or device

int open(const char *pathname, int flags, mode_t mode);

Given a pathname for a file, open() returns a file descriptor

man (2) syscalls

read - read from a file descriptor

ssize_t read(int fd, void *buf, size_t count);

On success, the number of bytes read is returned

man (2) syscalls

fstat - get file status

int fstat(int fd, struct stat *buf);

These functions return information about a file.

man (2) syscalls

mmap, munmap - map or unmap files or devices into memory

void *mmap(void *addr, size_t length, int prot, int flags, int fd, off_t offset);

returns a pointer to the mapped area.

More About System Calls

There are about 441 system calls.

Some are synonyms for others.

(*Based of a quick search of man pages)

More About System Calls

Each system call has it's own man page. Keep in mind that some programs and system calls have the same name.

# man read

More About System Calls

Just using man read, returns the page on bash-builtins

The second section of the man page is what we need.

# man 2 read

strace Demos


# strace w


# strace -c w


# strace -o passwd.out passwd


We can trace families of system calls

# strace -e trace=file -o passwd-trace.out passwd



We get more info by using -v

# strace -e trace=file -v -o passwd-trace-v.out passwd

One more Demo

.htaccess and file access

# strace -ff -o file -p <pid>


Apache's document root is stored on an NFS mount and has been working for some time.

All of a sudden performance takes a hit and pages are loading much slower than before.

Continued Learning

Code Examples on GitHub

In Closing...

Contact Information

Alex Juarez
Principal Engineer Rackspace
twitter: @mralexjuarez

This hCard created with the hCard creator.

A short bio

Alex Juarez is a Principal Engineer at Rackspace, touting 8 years with the company. Alex enjoys all things Linux, especially training and mentoring others, and is incredibly qualified to do so as an RHCA/RHCI. When Alex isn't helping others he's crafting killer cocktails and finding the best spots to grub in San Antonio.

Thanks @jilljubs

Q & A

(Or we can talk about Whiskey)

Session Survey