Skip to main content

Brief intro to `strace` : Finding all files a process is opening in GNU/Linux

Many times while debugging, we need to find all the files (e.g. shared libraries, configuration files, caches, logs, dumps, state files, journals, and so on) a process is opening for reading data from to get hints about the program's design and workflow.

Otherwise we want to follow the lengthy route of reading the source code of the program, we could leverage the powerful system call tracing tool strace to get the job done fairly easily.


strace binary comes with the strace package; so we need to install it first (if not done already):

% dpkg -S "$(command -v strace)"
strace: /usr/bin/strace

The above snippet is from my dpkg packaging based system, although the same should be true for rpm packaging based systems.

strace binary is mostly used for tracing system calls and signals. As we're planning to get the files opened by a process, we're looking for the open(2) call specifically.

Trace open(2):

Let's assume the program we want to check is named foobar and we need to pass --name spam argument to it i.e. from the shell we would run it as:

foobar --name spam

Now to trace the syscalls made by the program we need to run it as an argument to strace, with necessary arguments e.g.:

strace foobar --name spam

As the above would trace all system calls foobar is making, not just open(); let's narrow down the traced calls to open() only:

strace -e trace=open foobar --name spam

-e option lets us to apply filtering, by using -e trace=open we're trace-ing only the open calls. -e open is a shorthand for -e trace=open, so we can also write:

strace -e open foobar --name spam

Now we'll get all the files opened by foobar i.e. any issues of open() call.

If we want to track all the child processes of foobar as well, we need to issue the -f option:

strace -f -e open foobar --name spam

or as strace allows us to express multiple command line options combinedly:

strace -fe open foobar --name spam

We can also trace multiple calls by comma separating them e.g.:

strace -fe open,write foobar --name spam

We can even trace a process that has already been started by passing the PID (Process ID) of the running process we want to trace with the -p option:

strace -fe open,write -p <PID>

So for example, if the PID is 1234:

strace -fe open,write -p 1234

Saving output:

By default, strace dumps output to STDERR (Standard error, file descriptor 2), we can tell it to save the output to a file instead by providing the file path with the -o option e.g.:

strace -fe open foobar --name spam -o /tmp/foobar.straced
strace -fe open,write -p 1234 -o ~/spamegg.straced

This is essentially same as doing:

strace -fe open foobar --name spam 2>/tmp/foobar.straced
strace -fe open,write -p 1234 2>~/spamegg.straced

with the exception that in the later case the file opening and STDERR redirection is done by the shell itself whereas strace does the writing itself internally in the former case.

strace is a powerful tool when comes to debugging, the above is just the tip of the iceberg.

As always, check out the man page (man strace) to get more ideas.

Happy debugging!


Comments powered by Disqus