How to Use Linux Strace Command


In this article we will learn how to use the Linux strace command. Strace is a powerful command-line tool for debugging and troubleshooting programs on Linux. It captures and records all system calls made by a process and the signals received by the process.

It prints the name of each system call, together with its arguments enclosed in parentheses and its return value, to standard error; you can optionally redirect this output to a file as well.

Strace is normally available by default. If it is not present on your system, install it using the following command:

dnf install strace

You can either run a command with strace or pass a PID to it using the -p option as in the following examples:

Trace Linux Command System Calls:

In this example we will simply run the command df -h under strace to trace the system calls made by df -h.

strace df -h

Output will look like this:

From the output above, you can see the various system calls made by the df -h command, for example open("/etc/", O_RDONLY|O_CLOEXEC) = 3

  • open – the name of the system call
  • ("/etc/", O_RDONLY|O_CLOEXEC) – the system call arguments
  • 3 – the system call return value

Trace Linux Process PID:

If a process is already running, you can trace it by simply passing its PID to strace. This fills your screen with continuous output showing the system calls being made by the process; to end it, press CTRL + C.

strace -p 7302

To get a summary of the total time, calls and errors for each system call, use the -c flag as shown below. Because -p takes the PID as its argument, give the two flags separately:

strace -c -p 7583

Print Instruction Pointer During System Call:

The -i flag displays the instruction pointer at the time of each system call made by the program.

strace -i df -h

Show Time Each Trace Output Line:

You can also print current time for each line in the trace output, by passing the -t flag.

strace -t df -h

Print Command Time Spent in System Calls:

To show the time difference between the start and the end of each system call made by a program, use the -T option.

strace -T df -h

Trace Only Specific System Calls:

In the command below, trace=write is known as a qualifying expression, where “trace” is a qualifier (others include signal, abbrev, verbose, raw, read, or write) and “write” is the value of the qualifier.

The following command shows only the write system calls that df -h uses to print its output on standard output.

strace -e trace=write df -h

Some additional commands about trace qualifier are as follows:

strace -e trace=open,close df -h
strace -e trace=open,close,read,write df -h
strace -e trace=all df -h

Trace System Calls Based on a Certain Condition:

We will see how to trace system calls relating to a given class of events. The following command can be used to trace all system calls involving process management.

strace -q -e trace=process df -h

Next, to trace all system calls that take a filename as an argument, use the following command:

strace -q -e trace=file df -h

Similarly, you can trace all network, memory and signal related system calls using the following commands:

strace -q -e trace=memory df -h
strace -e trace=network df -h
strace -e trace=signal df -h

Redirect Trace Output to File:

To write the trace messages sent to standard error to a file, use the -o option. This means that only the command output is printed on the screen as shown below.

strace -o strace_message.txt df -h

All the system calls are written to the file strace_message.txt. Use the cat command to see them.

cat strace_message.txt
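
Because every line follows the name(arguments) = return value layout described earlier, a saved trace is easy to post-process, for example to list which calls failed and on which paths. The Python script below is an added example, not part of the original article; the sample trace is constructed (in the style of strace -T -o output, not a real capture) and the names parse_line and summarize are chosen here for illustration.

```python
import re
from collections import Counter

# Constructed sample in the style of `strace -T -o strace_message.txt df -h` (not a real capture).
SAMPLE = """\
execve("/usr/bin/df", ["df", "-h"], 0x7ffd3c0e8a10 /* 24 vars */) = 0 <0.000410>
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) <0.000015>
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 <0.000021>
read(3, "\\177ELF\\2\\1\\1\\0"..., 832) = 832 <0.000009>
close(3) = 0 <0.000007>
statfs("/mnt/backup", 0x7ffc5d2e1b40) = -1 EACCES (Permission denied) <0.000018>
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4242} ---
write(1, "Filesystem Size Used\\n", 21) = 21 <0.000012>
exit_group(0) = ?
+++ exited with 0 +++
"""

# name(args) = return [ERRNO (text)] [<seconds>], with an optional PID (-f) and clock time (-t) prefix.
LINE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+|\d+\s+)?(?:\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+)?'
    r'(?P<name>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>-?\d+|0x[0-9a-f]+|\?)'
    r'(?:\s+(?P<errno>E[A-Z0-9]+)\s+\((?P<msg>[^)]*)\))?'
    r'(?:\s+<(?P<secs>\d+\.\d+)>)?\s*$')

def parse_line(line):
    """Return a dict for a completed system call line; None for signals, exit markers, split calls."""
    m = LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["secs"] = float(d["secs"]) if d["secs"] else None  # only present when -T was used
    return d

def summarize(text):
    """Count calls and errors per system call (a minimal take on -c) and collect the failures."""
    calls, errors, failures = Counter(), Counter(), []
    for call in filter(None, map(parse_line, text.splitlines())):
        calls[call["name"]] += 1
        if call["errno"]:
            errors[call["name"]] += 1
            failures.append((call["name"], call["errno"], call["args"]))
    return calls, errors, failures

if __name__ == "__main__":
    calls, errors, failures = summarize(SAMPLE)
    for name, n in calls.most_common():
        print(f"{name:12} calls={n} errors={errors[name]}")
    for name, errno, args in failures:
        print(f"FAILED {name}({args}) -> {errno}")
```

To run it on a real trace, pass the contents of strace_message.txt to summarize() instead of SAMPLE.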

Show Debugging Output of Strace:

To show debugging information for strace tool, use the -d flag.

strace -d df -h

In conclusion, strace is a tool for diagnosing the cause of a program failure. It is a powerful tool for debugging and troubleshooting, and it is particularly useful to experienced system administrators, programmers and hackers.
