Using strace to see what a program is doing

strace is a command-line debugging tool used to see what a program is doing. With it you can see the tasks a program is performing, the files it opens, its remote connections, and even its memory.


Here are some basics.

Start a program and watch it.

strace /path/to/command

Watch what an already running program is doing. For example, you can monitor what a daemon like nginx or dovecot is doing, or, if you have a jammed program, you can see what it’s doing.

strace -p <pid>

Understanding the Output

If you are familiar with programming, most of the output will be easily recognizable.

When a program starts, it will open its libraries:

access("/etc/", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/", O_RDONLY|O_CLOEXEC) = 3
open("/lib/", O_RDONLY|O_CLOEXEC) = 3

Reading and writing files

open("/file", O_RDONLY)      = 7
read(7, "data"..., 1024) = 154

write(1, "data...

If it opens sockets:

connect(4, {sa_family=AF_INET6, sin6_port=...
getsockname(4, {sa_family=AF_INET6, sin6_port=ht...

You will also see the exit status:

+++ exited with 0 +++
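
Added example (not from the original post): a small Python script that parses strace lines in the format shown above and summarizes which files were opened, which calls failed, and the exit status. The sample trace is constructed for illustration, and the function name summarize is an assumption of this example.

```python
import re
from collections import Counter

# Constructed sample of strace output (not captured from a real run).
SAMPLE = '''\
access("/etc/example.conf", R_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libexample.so", O_RDONLY|O_CLOEXEC) = 3
close(3)                                = 0
openat(AT_FDCWD, "/file", O_RDONLY)     = 7
read(7, "data"..., 1024) = 154
connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 ECONNREFUSED (Connection refused)
write(1, "data"..., 154) = 154
+++ exited with 0 +++
'''

# General line shape: name(args) = retval [ERRNO (description)]
CALL = re.compile(r'^(?P<name>\w+)\((?P<args>.*)\)\s+= (?P<ret>0x[0-9a-f]+|-?\d+|\?)'
                  r'(?: (?P<errno>E[A-Z0-9]+) \((?P<desc>[^)]*)\))?')
EXIT = re.compile(r'^\+\+\+ exited with (\d+) \+\+\+$')
PATH = re.compile(r'"((?:[^"\\]|\\.)*)"')  # first quoted argument

def summarize(text):
    """Return opened files (fd -> last path), failed calls, call counts, exit status."""
    result = {"opened": {}, "failed": [], "counts": Counter(), "exit": None}
    for line in text.splitlines():
        # Drop the "[pid N]" or bare pid prefix that strace -f adds.
        line = re.sub(r'^(\[pid\s+\d+\]|\d+)\s+', '', line.strip())
        m = EXIT.match(line)
        if m:
            result["exit"] = int(m.group(1))
            continue
        m = CALL.match(line)
        if not m:
            continue  # signal, "<unfinished ...>" and "resumed" lines are skipped
        name = m.group("name")
        result["counts"][name] += 1
        if m.group("errno"):
            result["failed"].append((name, m.group("errno")))
        elif name in ("open", "openat", "creat"):
            path = PATH.search(m.group("args"))
            if path:
                result["opened"][int(m.group("ret"))] = path.group(1)
    return result

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    print("opened:", summary["opened"])
    print("failed:", summary["failed"])
    print("exit status:", summary["exit"])
```

To use it on a real trace, write the output to a file with strace -o trace.txt /path/to/command and pass the file contents to summarize.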

PHP Example

You can use it to debug PHP programs:

strace php -f index.php