syscall tracer

Prev		Next

Unix:truss

truss -f -o log -t open,stat,access  <program>

Linux:strace

Usage

1<<, >>

strace -f -o /tmp/strace.out info zoog >/dev/null

grep -E 'open|fstat' /tmp/strace.out
!! | grep -v ENO

grep '^[0-9]* open(.* = [^-]' /tmp/strace.out

2<<, >>

strace -f -eopen -o /tmp/mplayer mplayer -vo xvidix test.mpg

Help

-e expr     A qualifying expression which modifies  which  events  to
            trace or how to trace them.  The format of the expression
            is:

[qualifier=][!]value1[,value2]...

where qualifier is one of trace, abbrev, verbose, raw,
signal, read, or write and value is a qualifier-dependent
symbol or number.  The default qualifier is trace.  Using
an exclamation mark negates the set of values.  For
example, -eopen means literally -e trace=open which in
turn means trace only the open system call.  By contrast,
-etrace=!open means to trace every system call except
open.  In addition, the special values all and none have
the obvious meanings.

Note that some shells use the exclamation point for
history expansion even inside quoted arguments.  If so,
you must escape the exclamation point with a backslash.

-e trace=set
            Trace only the specified set of  system  calls.   The  -c
            option is useful for determining which system calls might
            be     useful      to      trace.       For      example,
            trace=open,close,read,write  means  to  only  trace those
            four system calls.  Be  careful  when  making  inferences
            about the user/kernel boundary if only a subset of system
            calls are being monitored.  The default is trace=all.

-e trace=process
            Trace all system calls which involve process  management.
            This  is  useful  for  watching  the fork, wait, and exec
            steps of a process.

-e trace=network
            Trace all the network related system calls.

-e trace=signal
            Trace all signal related system calls.

-e trace=ipc
            Trace all IPC related system calls.

strace log clean up for the comparison

If you want to compare between different strace logs, filter them with the following first.

awk '{$1=""; gsub(/0x[0-9a-f][0-9a-f][0-9a-f]+/,"0x..."); print}'


awk '{$1=""; gsub(/0x[0-9a-f]/,"0x..."); print}' would hide too much info. Eg., 'iopl(0x3)'*. Best way is to use the following, but it failed to work: awk '{$1=""; gsub(/0x[0-9a-f]{6,}/,"0x..."); print}' $ awk --version GNU Awk 3.1.5

awk '{$1=""; gsub(/0x[0-9a-f]*/,"0x..."); print}'

would hide too much info. Eg., 'iopl(0x3)'.

Best way is to use the following, but it failed to work:

awk '{$1=""; gsub(/0x[0-9a-f]{6,}/,"0x..."); print}'

$ awk --version
GNU Awk 3.1.5

documented on: 2006.10.08