
I am looking into using strace for a project. The explanation of strace indicates that for every system call (going to the kernel and returning from the kernel), strace is given control so it can examine the call being made or its return value. So this means the process being traced will stop twice per system call.

I have a question related to options provided by strace.

For the filter option (e.g. strace -e trace=%file), does this option imply that the process being traced will still stop twice per system call, but when strace is examining, it will only print information if the system call belongs to a certain category (e.g. file I/O)? If not, does it mean that the process being traced will only stop for system calls from a certain category? I ask because there is also the seccomp-bpf option, which claims to stop the traced process only for specific system calls.

My guess from the description is that the -e filter will still stop the traced process for every system call, but strace won't do further examination to print info, while the seccomp option has been added to further narrow down when the traced process stops. Just want to double-check this. Thanks.

Jake

0 Answers