Menu
I do know that strace uses ptrace to do the job,
but it needs to run the target process with TRACE_ME on,
which don't apply for the case of an already running process.
how does it work on an already running process?
445
strace -p <PID> ----> To attach a process to strace. "-p" option is for PID of the process. strace -e trace=read,write -p <PID> --> By this you can also trace a process/program for an event, like read and write (in this example).
strace works by using the ptrace system call which causes the kernel to halt the program being traced each time it enters or exits the kernel via a system call. The tracing program (in this case strace ) can then inspect the state of the program by using ptrace .
According to a performance test conducted by Arnaldo Carvalho de Melo, a senior software engineer at Red Hat, the process traced using strace ran 173 times slower, which is disastrous for a production environment.
strace -p <PID> ----> To attach a process to strace. "-p" option is for PID of the process.
strace -e trace=read,write -p <PID> --> By this you can also trace a process/program for an event, like read and write (in this example). So here it will print all such events that include read and write system calls by the process.
Other such examples
-e trace= network (Trace all the network related system calls.) -e trace=signal (Trace all signal related system calls.) -e trace=ipc (Trace all IPC related system calls.) -e trace=desc (Trace all file descriptor related system calls.) -e trace=memory (Trace all memory mapping related system calls.) and many more..
trace is one of the many options you can use with -e option.
Press Ctrl-C to abbort the tracing by strace.
Check HELP section for brief summary on strace by typing strace -h and man page for detailed info.
NOTE: A traced process runs slowly.
198
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With