System calls and strace

syscalls
What is a system call in Linux?

A system call (syscall) is the interface between a user-space process and the Linux kernel. A process cannot open a file, send a packet or start another process by itself: it requests those services from the kernel through system calls, usually via the libc wrappers such as open() or read(). Because every interaction with the outside world goes through this interface, the sequence of syscalls a process makes is an accurate record of what it actually does, whatever language it was written in.

What kind of syscalls are there?

There are many different syscalls depending on the task the process is performing:

Category                  Examples
File management           open(), close(), read(), write()
Communications            socket(), bind(), listen(), accept()
Process control           fork(), execve(), exit()
Device management         ioctl()
Information maintenance   getpid()

You can find the complete list of syscalls in their man page:

man 2 syscalls
How can I know which syscalls are invoked by a process?

You can use strace to see all syscalls invoked by a process.

It's not recommended to use strace in production: strace relies on ptrace(2), which stops the traced process on every syscall entry and exit, so a syscall-heavy process can slow down dramatically, and attaching to or detaching from a process at the wrong moment can disturb its behaviour.

How do I use strace?

Write strace before the command you want to trace.

The -f option is useful to trace the command's child processes too:

strace -f COMMAND
strace usage

Description: strace shows system calls and signals made by a command.

Usage: strace [OPTIONS] COMMAND

Example: strace myapp

This example shows system calls and signals made by the command myapp.

Common options:

  • -e trace=EXPRESSION: to specify the type of system calls to trace. All expressions are documented in the man page and on the official website.
  • -f: to trace the command's child processes too.
  • -p PID: to trace the process with the given PID.
  • --failed-only: to show only the syscalls that returned an error.
  • --signals=none: to ignore signals.
  • -qqq: to suppress all information messages.
  • -o FILENAME: to write the output to a file.
Can I use strace if the process is already running?

Yes, you can attach strace to a running process using the -p PID option.

Be aware that you will only see the syscalls invoked after you attach strace to the process, but not any of the previous ones already invoked.

Can I use strace on any process?

Unless you are the root user (more precisely, unless you have the CAP_SYS_PTRACE capability), you can only use strace on processes that you own or that you have permission to trace. On many distributions the Yama security module (kernel.yama.ptrace_scope, readable in /proc/sys/kernel/yama/ptrace_scope) further restricts unprivileged users to tracing their own descendant processes, so attaching with -p to an unrelated process of your own can still fail with EPERM. Also note that a setuid or setgid program run under strace by a non-root user executes without its elevated privileges, so its behaviour may differ from an untraced run.

The output from the command is mixed with the output from strace. How can I separate them?

You can use the -o FILENAME option to write the output from strace to a file.

strace -f -o strace.log COMMAND
strace prints too much information. How can I filter it?

There are a few options you can use to filter the output:

  • -e trace=EXPRESSION: to specify the type of system calls to trace. All expressions are documented in the man page and on the official website.
  • --signals=none: to ignore signals.
  • -qqq: to suppress all information messages.
  • --failed-only: to show only the syscalls that returned an error.
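These options filter the live trace, but a log saved with -f -o can also be sliced afterwards with ordinary text tools, which is often more practical when you want to ask several questions of one trace. The script below is an added example and not code from the original page: it embeds a constructed strace -f -o log (the PIDs, paths and addresses in it are invented) and applies the same kinds of filters as -e trace= and --failed-only to it, plus two triage checks a security reviewer usually wants from a trace: which programs were executed and which files the program looked for but did not find. The run_trace helper shows the real invocation that would produce such a log; it needs strace installed and is not executed by the demo.

```shell
#!/bin/sh
# Added example, not from the original page. sample_log emits a constructed
# excerpt in the format "strace -f -o FILE" writes (pid, call, result);
# PIDs, paths and addresses are invented for illustration.
sample_log() {
    cat <<'EOF'
1234  execve("/usr/bin/myapp", ["myapp"], 0x7ffd2a1b3c40 /* 20 vars */) = 0
1234  openat(AT_FDCWD, "/etc/myapp.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
1234  openat(AT_FDCWD, "/etc/myapp/config.yaml", O_RDONLY) = 3
1234  read(3, "listen: 8080\n", 4096) = 13
1234  close(3)                          = 0
1234  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f3c0e5d1a10) = 1235
1235  execve("/bin/sh", ["sh", "-c", "id"], 0x5602f1d3a2b0 /* 20 vars */) = 0
1235  connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("10.0.0.5")}, 16) = -1 ECONNREFUSED (Connection refused)
1235  +++ exited with 1 +++
1234  --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1235, si_status=1, si_utime=0, si_stime=0} ---
1234  exit_group(0)                     = ?
1234  +++ exited with 0 +++
EOF
}

# The real run that produces such a file. -f follows child processes,
# -o keeps strace's output apart from the command's own stdout/stderr.
# Requires strace; not executed by the demo below.
run_trace() {
    strace -f -o "$2" "$1"
}

# All filters below read a log on stdin and write matching lines/fields.

# Same idea as --failed-only: keep only calls that returned -1 with an errno.
failed_calls() {
    grep -E '= -1 E[A-Z]+'
}

# Same idea as -e trace=NAME: keep only calls to the named syscall.
calls_named() {
    grep -E "^[0-9]+ +$1\("
}

# Files the program tried to open but that do not exist: the usual answer
# to "why does it fail on this host but not on mine".
missing_files() {
    grep ENOENT | sed -n 's/.*openat(AT_FDCWD, "\([^"]*\)".*/\1/p'
}

# Programs executed by the traced process and its children (argv[0] of
# each execve): unexpected entries here are worth a closer look.
executed_programs() {
    sed -n 's/^[0-9][0-9]* *execve("\([^"]*\)".*/\1/p'
}

# Child PIDs created during the trace (only visible because of -f).
child_pids() {
    sed -n 's/.*clone(.*) = \([0-9]*\)$/\1/p'
}

# Short triage summary over a log read from stdin.
report() {
    log=$(cat)
    echo "programs executed:";  printf '%s\n' "$log" | executed_programs
    echo "child pids:";         printf '%s\n' "$log" | child_pids
    echo "failed calls:";       printf '%s\n' "$log" | failed_calls
    echo "missing files:";      printf '%s\n' "$log" | missing_files
}

# Demo on the constructed log. With a real trace:
#   run_trace ./myapp myapp.log && report < myapp.log
sample_log | report
```

The regular expressions are deliberately tied to the default output format (pid prefix from -f, the `= -1 ERRNO` result form). If you trace with options that change the layout, such as timestamps, adjust the patterns accordingly, or keep using -e trace= and --failed-only at trace time and post-process only what remains.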

Where can I practice using strace in a real-world scenario?

You can apply what you've just learned in these free interactive scenarios:

Where can I find more info about syscalls and strace?

Man pages:

man 2 intro
man 2 syscalls
man strace

External links: