How to see system call that executed in current time by process?

Question

Linux utility "strace" show the list of syscall that started after run of strace. How I can see syscall that run in current moment by process? before start of strace.

You open a console window and start typing /usr/sbin.... dang the current time is over, it's already the next moment! Missed it! Next time start a couple of moments earlier than the current time! — n. m. could be an AI, Mar 08 '17 at 17:20
I agree. I will reformulate my question: how to see the system calls that are currently being executed by the process? — Dmity P., Mar 08 '17 at 18:11

score 5 · Accepted Answer · answered Aug 18 '17 at 09:03

proc offers some information about what the kernel is currently doing "for" a process
/proc/${pid}/syscall /proc/${pid}/stack

More information:

score 5 · Answer 2 · answered Oct 02 '18 at 23:31

5

Assuming that you know the PID of the of process, you can simply use strace to track all the syscalls being made in realtime.

strace -p PID

answered Oct 02 '18 at 23:31

Mayank Sharma

160
3
9

hek2mgl · Answer 3 · 2020-10-16T07:26:40.083

You find that out using ps:

ps -p PID_OF_PROC -ocmd,stat,wchan

The wchan is the key here. From man ps:

wchan WCHAN name of the kernel function in which the process is sleeping, a "-" if the process is running, or a "*" if the process is multi-threaded and ps is not displaying threads.

PROCESS STATE CODES Here are the different values that the s, stat and state output specifiers (header "STAT" or "S") will display to describe the state of a process:

           D    uninterruptible sleep (usually IO)
           R    running or runnable (on run queue)
           S    interruptible sleep (waiting for an event to complete)
           T    stopped by job control signal
           t    stopped by debugger during the tracing
           W    paging (not valid since the 2.6.xx kernel)
           X    dead (should never be seen)
           Z    defunct ("zombie") process, terminated but not reaped by its parent

  For BSD formats and when the stat keyword is used, additional characters may be displayed:

          <    high-priority (not nice to other users)
          N    low-priority (nice to other users)
          L    has pages locked into memory (for real-time and custom IO)
          s    is a session leader
          l    is multi-threaded (using CLONE_THREAD, like NPTL pthreads do)
          +    is in the foreground process group

Useful, but kernel function and syscall are not necessarily the same. — GL2014, Oct 15 '20 at 19:47
PS: Just saw the accepted answer in this thread, looks like that's the way to go — hek2mgl, Oct 16 '20 at 07:29
wchan is the top frame of what is shown in /proc/pid/stack (when the process is not in TASK_RUNNING state) — GL2014, Oct 25 '20 at 20:56

How to see system call that executed in current time by process?

3 Answers3