See all GNU/Linux related FAQ
Solaris and FreeBSD provide the truss command to monitor and debug system calls. Unfortunately, I’m unable to find this command or package. How can I install a truss command under Linux?

The truss command traces the FreeBSD or Solaris Unix system calls called by the specified process or application. You can store the output of trace calls into the output file or screen. In other words, the truss is a debugging utility in Solaris and FreeBSD to monitor the system calls used. It is used to trace the call and helps debug many problems. Linux provides strace command instead of the truss CLI utility. This command is installed by default under Linux. So, strace is a useful diagnostic, instructional, and debugging tool. Linux sysadmin and developers will find it invaluable to solve problems with programs for which the source is not readily available since they do not need to be recompiled to trace them.
Tutorial details
Difficulty level Advanced
Root privileges Yes
Requirements Linux terminal
Category Processes Management
Prerequisites stress and ltrace commands
OS compatibility AlmaLinux Alpine Arch Debian Fedora Linux Mint openSUSE Pop!_OS RHEL Rocky Stream SUSE Ubuntu
Est. reading time 3 minutes
Advertisement

Truss like command under Linux to monitor and diagnostic the system calls

Use the type command or command command to find out strace command path on your Linux machine or cloud server. For example:
$ type -a strace
$ command -v strace

Here is the path:

/usr/bin/strace

strace command examples

Let us run strace against /bin/bash and capture its output to a text file called /tmp/output.txt. For example:
$ strace -o /tmp/output.txt /bin/bash
Let us view the file using a text editor such as vi/vim or more/less/bat/cat command:
$ more /tmp/output.txt
$ vi /tmp/output.txt

One can use the grep command or egerp command to filter out system calls too. For instance, get info about open():
$ grep '^open' /tmp/output.txt
Sample session:

open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/libncurses.so.5", O_RDONLY)  = 3
open("/lib/tls/i686/cmov/libdl.so.2", O_RDONLY) = 3
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
open("/dev/tty", O_RDWR|O_NONBLOCK|O_LARGEFILE) = 3
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/locale.alias", O_RDONLY) = 3
open("/usr/lib/locale/en_IN/LC_IDENTIFICATION", O_R
.....
....
.....
open("/etc/inputrc", O_RDONLY|O_LARGEFILE) = 3
open("/proc/sys/kernel/ngroups_max", O_RDONLY) = 3

Let us try another example:
$ grep '^connect' /tmp/output.txt
Outputs:

connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)

Tracing only given calls

To see only a trace of the open, close, read, and write system calls for the df command, enter:
$ strace -e trace=open,close,read,write df > df.output.txt
Now let us review our df.output.txt, run:
$ less output.txt

Following an already-running process

We can attach stress to the process with the process ID pid and begin tracing. First, find out Linux process PID. For instance find a PID for firefox process, type the pgrep command:
$ pgrep firefox
4015

Then run:
$ strace -p {PID_HERE}
$ strace -p 4015

Dealing with permission error

You may get the following warning or error:

strace: Could not attach to process. If your uid matches the uid of the target process, check the setting of /proc/sys/kernel/yama/ptrace_scope, or try again as the root user. For more details, see /etc/sysctl.d/10-ptrace.conf: Operation not permitted
strace: attach: ptrace(PTRACE_SEIZE, 78890): Operation not permitted

To fix run command as the root user. For example:
$ sudo strace -p 4015

Summing up

Another good option is ltrace command. It is very similar to strace command. The ltrace runs the specified Linux command until it exits. Then, it intercepts and records the dynamic library calls, which are called by the executed process and the signals received by that Linux process. It can also intercept and print the system calls executed by the program. For example:
$ ltrace command_name
$ ltrace [options] command_name

These are advanced commands requiring a good understanding of Linux sysadmin or developer skills to debug app issues, I recommend reading man pages using the man command. Hence, refer strace man pages for all options:
$ man strace
$ man ltrace

🥺 Was this helpful? Please add a comment to show your appreciation or feedback.

nixCrat Tux Pixel Penguin
Hi! 🤠
I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source. Subscribe to my RSS feed or email newsletter for updates.

1 comment… add one
  • Tapas May 11, 2010 @ 6:50

    Can you give some more real world examples.The above article is short.
    As an example suppose you are running xen and xend fails
    then strace /etc/init.d/xend gives some output I see -1 ENONENT signal but how can I reach a conclusion.I mean what you wrote tell what strace does.But if an example can be there as how some one solved their problem using strace that will be even better.

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre> for code samples. Your comment will appear only after approval by the site admin.