How to monitor system calls for a process?
5
- Oops I chose "belongs on uservoice.com" by accident - meant to pick serverfault.com – John Rasch Jun 18 '09 at 03:03
- 4 I monitor system calls all the time while diagnosing problems in my programs. I see no reason to relegate this question to Server Fault. It's a question about debugging techniques. – Rob Kennedy Jun 18 '09 at 03:15
1 Answer
12
Check strace
In the simplest case strace runs the specified command until it exits. It intercepts and records the system calls which are called by a process and the signals which are received by a process. The name of each system call, its arguments and its return value are printed on standard error or to the file specified with the -o option.
Each line in the trace contains the system call name, followed by its arguments in parentheses and its return value.
- 3 Somehow I remember `strace` being relatively Linux-biased, though it appears to work on other platforms now. SunOS has a similar (and older) `truss` utility, inherited by Solaris; I believe that `truss` also runs on BSDs, which have their own `ktrace` utility. I've never used them, but I hear that Irix and Tru64 have `par` and `trace` respectively, all serving the same purpose. – ephemient Jun 18 '09 at 03:19
- 1 For the most part, the programs all do the same thing. They have different output format, but mostly the same information. On HP-UX, the command is called tusc. – Rob Kennedy Jun 18 '09 at 03:21
- [Is there a way for process to break such `strace` monitoring?](http://security.stackexchange.com/questions/8485/monitoring-system-calls-and-signals) – Grzegorz Wierzowiecki Oct 29 '11 at 11:06
- A great mentor once told me "truss is your friend". And even though I haven't used UNIX in a long time, I understand better now why he emphasized that tool. Visibility into running processes is absolutely key in IT. The person who can do that has a great advantage, or so I've learned in my profession. – Gabe Halsmer Sep 25 '14 at 18:29
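
The trace line format described in the answer (system call name, arguments in parentheses, return value), worked through as an added example that is not part of the original answer or its comments: a shell function that summarises a trace file into per-syscall counts, failed calls by errno, and delivered signals. The function names `summarize_trace` and `sample_trace` are hypothetical, the sample trace is constructed, and `-f` and `-p` are strace's standard options for following children and attaching to a PID.

```shell
#!/bin/sh
# Added example: summarise strace output (calls per syscall, failures, signals).
# Capture a trace first, e.g.:
#   strace -f -o trace.log some_command    # -f follows child processes
#   strace -f -o trace.log -p "$pid"       # -p attaches to a running process

sample_trace() {   # constructed sample in strace -f format, not a real capture
cat <<'EOF'
1200 wait4(-1,  <unfinished ...>
1201 execve("/bin/cat", ["cat", "/etc/hostname", "/nope"], 0x7ffc2f60 /* 12 vars */) = 0
1201 openat(AT_FDCWD, "/etc/hostname", O_RDONLY) = 3
1201 read(3, "host = web01\n", 131072) = 13
1201 write(1, "host = web01\n", 13) = 13
1201 close(3)                        = 0
1201 openat(AT_FDCWD, "/nope", O_RDONLY) = -1 ENOENT (No such file or directory)
1201 write(2, "cat: /nope: No such file"..., 41) = 41
1201 exit_group(1) = ?
1201 +++ exited with 1 +++
1200 <... wait4 resumed>[{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 1201
1200 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1201, si_status=1} ---
EOF
}

summarize_trace() {   # usage: summarize_trace trace.log   (or read stdin)
  awk '
    { sub(/^[0-9]+ +/, ""); name = "" }      # drop the PID column that -f adds
    /^--- SIG/ { sig[$2]++; next }           # signal line: --- SIGCHLD {...} ---
    /^\+\+\+ / { next }                      # exit line: +++ exited with 1 +++
    /^<\.\.\. / { name = $2 }                # resumed half of an interrupted call
    /^[a-z_0-9]+\(/ {                        # syscall name precedes the first "("
      name = substr($0, 1, index($0, "(") - 1)
      calls[name]++
    }
    name != "" {
      # The return value follows the LAST " = "; string arguments may contain one.
      ret = ""; rest = $0
      while ((i = index(rest, " = ")) > 0) { rest = substr(rest, i + 3); ret = rest }
      if (ret ~ /^-1 E/) { split(ret, f, " "); fails[name " " f[2]]++ }
    }
    END {
      for (n in calls) print "call", n, calls[n]
      for (k in fails) print "fail", k, fails[k]
      for (s in sig)   print "signal", s, sig[s]
    }
  ' "$@" | sort
}

sample_trace | summarize_trace
```

A call split by `-f` into an `<unfinished ...>` line and a `<... resumed>` line is counted once, on the unfinished line, and its return value is read from the resumed line.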