The Linux artifact strace, explained

Apart from character, the greatest loss is losing confidence.

Foreword

strace can be called a general-purpose artifact: it plays an important role in studying code calls, kernel-level calls and system-level calls. I intended to write this up a week ago, but only had the original text and had not organized it; guilty of procrastination, I worked overtime today to formally translate and organize this artifact.

The official documentation is the Linux man-pages project: http://man7.org/linux/man-pages/index.html. I originally thought it was a built-in Linux tool; after looking for a long time it turned out not to be, ha ha. It needs to be installed separately.

Install strace

Installation

yum -y install strace

Verification

[root@node01 ~]# strace
strace: must have PROG [ARGS] or -p PID
Try 'strace -h' for more information.

Installation succeeded; you can use the man command to view the documentation.

strace Features Overview

In short, it is a tool for tracing system calls and signals.

Remarks

The man page describes it as follows:

In the simplest case strace runs the specified command until it exits. It intercepts and records the system calls which are called by a process and the signals which are received by a process. The name of each system call, its arguments and its return value are printed on standard error or to the file specified with the -o option.

strace is a useful diagnostic, instructional, and debugging tool. System administrators, diagnosticians and trouble-shooters will find it invaluable for solving problems with programs for which the source is not readily available since they do not need to be recompiled in order to trace them. Students, hackers and the overly-curious will find that a great deal can be learned about a system and its system calls by tracing even ordinary programs. And programmers will find that since system calls and signals are events that happen at the user/kernel interface, a close examination of this boundary is very useful for bug isolation, sanity checking and attempting to capture race conditions.

Each line in the trace contains the system call name, followed by its arguments in parentheses and its return value. An example from stracing the command "cat /dev/null" is:

open("/dev/null", O_RDONLY) = 3

In other words, open is the system call name, "/dev/null" and O_RDONLY are the arguments passed in, and the return value is 3. See the RETURN VALUE section of the open man page (http://man7.org/linux/man-pages/man2/open.2.html): it returns the new file descriptor, or -1 on error.

Errors (typically a return value of -1) have the errno symbol and error string appended.

An example where the file does not exist:

open("/foo/bar", O_RDONLY) = -1 ENOENT (No such file or directory)


Signals are printed as signal symbol and decoded siginfo structure. An excerpt from stracing and interrupting the command "sleep 666" is:

sigsuspend([] <unfinished ...>
--- SIGINT {si_signo=SIGINT, si_code=SI_USER, si_pid=...} ---
+++ killed by SIGINT +++

If a system call is being executed and meanwhile another one is being called from a different thread/process then strace will try to preserve the order of those events and mark the ongoing call as being unfinished. When the call returns it will be marked as resumed.

[pid 28772] select(4, [3], NULL, NULL, NULL <unfinished ...>
[pid 28779] clock_gettime(CLOCK_REALTIME, {1130322148, 939977000}) = 0
[pid 28772] <... select resumed> ) = 1 (in [3])

Interruption of a (restartable) system call by a signal delivery is processed differently, as the kernel terminates the system call and also arranges its immediate re-execution after the signal handler completes.

read(0, 0x7ffff72cf5cf, 1) = ? ERESTARTSYS (To be restarted)
--- SIGALRM ... ---
rt_sigreturn(0xe) = 0
read(0, "", 1) = 0

Arguments are printed in symbolic form with a passion. This example shows the shell performing ">>xyzzy" output redirection:

open("xyzzy", O_WRONLY|O_APPEND|O_CREAT, 0666) = 3

Here the third argument of open is decoded by breaking down the flag argument into its three bitwise-OR constituents and printing the mode value in octal by tradition. Where traditional or native usage differs from ANSI or POSIX, the latter forms are preferred. In some cases, strace output has proven to be more readable than the source.

Pointers are dereferenced and structure members are displayed as appropriate. In all cases arguments are formatted in the most C-like fashion possible. For example, the essence of the command "ls -l /dev/null" is captured as:

Notice how the 'struct stat' argument is dereferenced and how each member is displayed symbolically. In particular, observe how the st_mode member is carefully decoded into a bitwise-OR of symbolic and numeric values. Also notice in this example that the first argument to lstat is an input to the system call and the second argument is an output. Since output arguments are not modified if the system call fails, arguments may not always be dereferenced. For example, retrying the "ls -l" example with a non-existent file produces the following line:

lstat("/foo/bar", 0xb004) = -1 ENOENT (No such file or directory)

In this case the porch light is on but nobody is home. (Ha ha, the document puts it very subtly.)

Character pointers are dereferenced and printed as C strings. Non-printing characters in strings are normally represented by ordinary C escape codes. Only the first strsize (32 by default) bytes of strings are printed; longer strings have an ellipsis appended following the closing quote. Here is a line from "ls -l" where the getpwuid library routine is reading the password file:

read(3, "root::0:0:System Administrator:/"..., 1024) = 422

While structures are annotated using curly braces, simple pointers and arrays are printed using square brackets with commas separating elements. Here is an example from the command "id" on a system with supplementary group ids:

getgroups(32, [100, 0]) = 2

On the other hand, bit-sets are also shown using square brackets but set elements are separated only by a space. Here is the shell preparing to execute an external command:

sigprocmask(SIG_BLOCK, [CHLD TTOU], []) = 0

Here the second argument is a bit-set of two signals, SIGCHLD and SIGTTOU. In some cases the bit-set is so full that printing out the unset elements is more valuable. In that case, the bit-set is prefixed by a tilde like this:

sigprocmask(SIG_UNBLOCK, ~[], NULL) = 0

Here the second argument represents the full set of all signals.
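As an added example (not code from the original post or from the strace project), here is a small Python parser for the trace line shapes described above: plain calls, failed calls with an errno symbol, [pid N] prefixes with <unfinished ...> / <... resumed> pairs, signal lines and the +++ exit marker. It summarises calls and errors per syscall and collects the path arguments of failed calls, which is handy when reviewing a trace written with -o for failing file accesses; the sample trace is constructed from the man page's own example lines, not captured from a real system.

```python
import re
from collections import Counter

# Constructed sample trace built from the line shapes in the man page excerpt
# above (not a capture from a real system).
SAMPLE_TRACE = """\
open("/dev/null", O_RDONLY) = 3
open("/foo/bar", O_RDONLY) = -1 ENOENT (No such file or directory)
lstat("/foo/bar", 0xb004) = -1 ENOENT (No such file or directory)
[pid 28772] select(4, [3], NULL, NULL, NULL <unfinished ...>
[pid 28779] clock_gettime(CLOCK_REALTIME, {1130322148, 939977000}) = 0
[pid 28772] <... select resumed> ) = 1 (in [3])
read(0, 0x7ffff72cf5cf, 1) = ? ERESTARTSYS (To be restarted)
--- SIGALRM ... ---
+++ killed by SIGINT +++
"""

PID_RE = re.compile(r"^\[pid\s+(\d+)\]\s*")
CALL_RE = re.compile(r"^(\w+)\((.*)\)\s*=\s*(.*)$")
UNFINISHED_RE = re.compile(r"^(\w+)\((.*)<unfinished \.\.\.>\s*$")
RESUMED_RE = re.compile(r"^<\.\.\. (\w+) resumed>\s*(.*)$")
RESULT_RE = re.compile(r"^(\S+)(?:\s+(E[A-Z]+)\s+\((.*)\))?")  # "-1 ENOENT (msg)"
SIGNAL_RE = re.compile(r"^--- (SIG\w+)\b")
EXIT_RE = re.compile(r"^\+\+\+ (.*) \+\+\+$")

def _call(pid, name, args, result):
    # Split "-1 ENOENT (No such file...)" into retval, errno symbol and message.
    m = RESULT_RE.match(result.strip())
    retval, errno, msg = (m.group(1), m.group(2), m.group(3)) if m else (result, None, None)
    return {"kind": "call", "pid": pid, "name": name, "args": args.strip(),
            "retval": retval, "errno": errno, "message": msg}

def parse_line(line, pending):
    """Parse one line; `pending` maps pid -> unfinished (name, partial args)."""
    pid, m = None, PID_RE.match(line)
    if m:
        pid, line = int(m.group(1)), line[m.end():]
    if m := SIGNAL_RE.match(line):
        return {"kind": "signal", "pid": pid, "signal": m.group(1)}
    if m := EXIT_RE.match(line):
        return {"kind": "exit", "pid": pid, "text": m.group(1)}
    if m := UNFINISHED_RE.match(line):
        pending[pid] = (m.group(1), m.group(2))   # wait for <... name resumed>
        return {"kind": "unfinished", "pid": pid, "name": m.group(1)}
    if m := RESUMED_RE.match(line):
        name, head = pending.pop(pid, (m.group(1), ""))
        tail, _, result = m.group(2).partition("=")   # e.g. ") = 1 (in [3])"
        args = (head.strip() + " " + tail.strip().rstrip(")")).strip()
        return _call(pid, name, args, result)
    if m := CALL_RE.match(line):
        return _call(pid, m.group(1), m.group(2), m.group(3))
    return {"kind": "other", "pid": pid, "text": line}

def summarise(trace):
    """Per-syscall call/error counts, failed path arguments and signals seen."""
    pending, calls, errors, failed_paths, signals = {}, Counter(), Counter(), [], []
    for raw in filter(str.strip, trace.splitlines()):
        ev = parse_line(raw, pending)
        if ev["kind"] == "call":
            calls[ev["name"]] += 1
            if ev["errno"]:
                errors[(ev["name"], ev["errno"])] += 1
                first = ev["args"].split(",", 1)[0]   # path argument of open/lstat
                if first.startswith('"'):
                    failed_paths.append(first.strip('"'))
        elif ev["kind"] == "signal":
            signals.append(ev["signal"])
    return {"calls": calls, "errors": errors, "failed_paths": failed_paths,
            "signals": signals}
```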

Usage Overview

The help text printed while verifying the installation already told us how to view the usage; it is as follows:

[root@node01 ~]# strace -h
usage: strace [-CdffhiqrtttTvVwxxy] [-I n] [-e expr]...
              [-a column] [-o file] [-s strsize] [-P path]...
              -p pid... / [-D] [-E var=val]... [-u username] PROG [ARGS]
   or: strace -c[dfw] [-I n] [-e expr]... [-O overhead] [-S sortby]
              -p pid... / [-D] [-E var=val]... [-u username] PROG [ARGS]

Output format:
  -a column      alignment COLUMN for printing syscall results (default 40)
  -i             print instruction pointer at time of syscall
  -o file        send trace output to FILE instead of stderr
  -q             suppress messages about attaching, detaching, etc.
  -r             print relative timestamp
  -s strsize     limit length of print strings to STRSIZE chars (default 32)
  -t             print absolute timestamp
  -tt            print absolute timestamp with usecs
  -T             print time spent in each syscall
  -x             print non-ascii strings in hex
  -xx            print all strings in hex
  -y             print paths associated with file descriptor arguments
  -yy            print protocol specific information associated with socket file descriptors

Statistics:
  -c             count time, calls, and errors for each syscall and report summary
  -C             like -c but also print regular output
  -O overhead    set overhead for tracing syscalls to OVERHEAD usecs
  -S sortby      sort syscall counts by: time, calls, name, nothing (default time)
  -w             summarise syscall latency (default is system time)

Filtering:
  -e expr        a qualifying expression: option=[!]all or option=[!]val1[,val2]...
     options:    trace, abbrev, verbose, raw, signal, read, write
  -P path        trace accesses to path

Tracing:
  -b execve      detach on execve syscall
  -D             run tracer process as a detached grandchild, not as parent
  -f             follow forks
  -ff            follow forks with output into separate files
  -I interruptible
     1:          no signals are blocked
     2:          fatal signals are blocked while decoding syscall (default)
     3:          fatal signals are always blocked (default if '-o FILE PROG')
     4:          fatal signals and SIGTSTP (^Z) are always blocked
                 (useful to make 'strace -o FILE PROG' not stop on ^Z)

Startup:
  -E var         remove var from the environment for command
  -E var=val     put var=val in the environment for command
  -p pid         trace process with process id PID, may be repeated
  -u username    run command as username handling setuid and/or setgid

Miscellaneous:
  -d             enable debug output to stderr
  -v             verbose mode: print unabbreviated argv, stat, termios, etc. args
  -h             print help message
  -V             print version


The help can be divided into five parts: output format, statistics, how to define what is traced, startup settings, and miscellaneous parameters. Each is introduced below.

Detailed description

To make the strace documentation easier to read, dump the man page into a text file, as follows:

[root@hadoop ~]# man strace | col -b >> aa.txt

A more detailed explanation, excerpted from man strace:

OPTIONS

-c    Count time, calls, and errors for each system call and report a summary on program exit. On Linux, this attempts to show system time (CPU time spent running in the kernel) independent of wall clock time. If -c is used with -f or -F (below), only aggregate totals for all traced processes are kept.

-C    Like -c but also print regular output while processes are running.

-D    Run tracer process as a detached grandchild, not as parent of the tracee. This reduces the visible effect of strace by keeping the tracee a direct child of the calling process.

-d    Show some debugging output of strace itself on the standard error.

-f    Trace child processes as they are created by currently traced processes as a result of the fork(2), vfork(2) and clone(2) system calls. Note that -p PID -f will attach all threads of process PID if it is multi-threaded, not only thread with thread_id = PID.

-ff   If the -o filename option is in effect, each processes trace is written to filename.pid where pid is the numeric process id of each process. This is incompatible with -c, since no per-process counts are kept.

-F    This option is now obsolete and it has the same functionality as -f.

-h    Print the help summary.

-i    Print the instruction pointer at the time of the system call.

-k    Print the execution stack trace of the traced processes after each system call (experimental). This option is available only if strace is built with libunwind.

-q    Suppress messages about attaching, detaching etc. This happens automatically when output is redirected to a file and the command is run directly instead of attaching.

-qq   If given twice, suppress messages about process exit status.

-r    Print a relative timestamp upon entry to each system call. This records the time difference between the beginning of successive system calls.

-t    Prefix each line of the trace with the time of day.

-tt   If given twice, the time printed will include the microseconds.

-ttt  If given thrice, the time printed will include the microseconds and the leading portion will be printed as the number of seconds since the epoch.

-T    Show the time spent in system calls. This records the time difference between the beginning and the end of each system call.

-w    Summarise the time difference between the beginning and end of each system call. The default is to summarise the system time.

-v    Print unabbreviated versions of environment, stat, termios, etc. calls. These structures are very common in calls and so the default behavior displays a reasonable subset of structure members. Use this option to get all of the gory details.

-V    Print the version number of strace.

-x    Print all non-ASCII strings in hexadecimal string format.

-xx   Print all strings in hexadecimal string format.

-y    Print paths associated with file descriptor arguments.

-yy   Print protocol specific information associated with socket file descriptors.

-a column
      Align return values in a specific column (default column 40).

-b syscall
      If specified syscall is reached, detach from traced process. Currently, only execve syscall is supported. This option is useful if you want to trace multi-threaded process and therefore require -f, but don't want to trace its (potentially very complex) children.

-e expr
      A qualifying expression which modifies which events to trace or how to trace them. The format of the expression is: [qualifier=][!]value1[,value2]... where qualifier is one of trace, abbrev, verbose, raw, signal, read, or write and value is a qualifier-dependent symbol or number. The default qualifier is trace. Using an exclamation mark negates the set of values. For example, -e open means literally -e trace=open which in turn means trace only the open system call. By contrast, -e trace=!open means to trace every system call except open. In addition, the special values all and none have the obvious meanings. Note that some shells use the exclamation point for history expansion even inside quoted arguments. If so, you must escape the exclamation point with a backslash.

-e trace=set
      Trace only the specified set of system calls. The -c option is useful for determining which system calls might be useful to trace. For example, trace=open,close,read,write means to only trace those four system calls. Be careful when making inferences about the user/kernel boundary if only a subset of system calls are being monitored. The default is trace=all.

-e trace=file
      Trace all system calls which take a file name as an argument. You can think of this as an abbreviation for -e trace=open,stat,chmod,unlink,... which is useful to seeing what files the process is referencing. Furthermore, using the abbreviation will ensure that you don't accidentally forget to include a call like lstat in the list. Betchya woulda forgot that one.

-e trace=process
      Trace all system calls which involve process management. This is useful for watching the fork, wait, and exec steps of a process.

-e trace=network
      Trace all the network related system calls.

-e trace=signal
      Trace all signal related system calls.

-e trace=ipc
      Trace all IPC related system calls.

-e trace=desc
      Trace all file descriptor related system calls.

-e trace=memory
      Trace all memory mapping related system calls.

-e abbrev=set
      Abbreviate the output from printing each member of large structures. The default is abbrev=all. The -v option has the effect of abbrev=none.

-e verbose=set
      Dereference structures for the specified set of system calls. The default is verbose=all.

-e raw=set
      Print raw, undecoded arguments for the specified set of system calls. This option has the effect of causing all arguments to be printed in hexadecimal. This is mostly useful if you don't trust the decoding or you need to know the actual numeric value of an argument.

-e signal=set
      Trace only the specified subset of signals. The default is signal=all. For example, signal=!SIGIO (or signal=!io) causes SIGIO signals not to be traced.

-e read=set
      Perform a full hexadecimal and ASCII dump of all the data read from file descriptors listed in the specified set. For example, to see all input activity on file descriptors 3 and 5 use -e read=3,5. Note that this is independent from the normal tracing of the read(2) system call which is controlled by the option -e trace=read.

-e write=set
      Perform a full hexadecimal and ASCII dump of all the data written to file descriptors listed in the specified set. For example, to see all output activity on file descriptors 3 and 5 use -e write=3,5. Note that this is independent from the normal tracing of the write(2) system call which is controlled by the option -e trace=write.

-I interruptible
      When strace can be interrupted by signals (such as pressing ^C). 1: no signals are blocked; 2: fatal signals are blocked while decoding syscall (default); 3: fatal signals are always blocked (default if '-o FILE PROG'); 4: fatal signals and SIGTSTP (^Z) are always blocked (useful to make strace -o FILE PROG not stop on ^Z).

-o filename
      Write the trace output to the file filename rather than to stderr. Use filename.pid if -ff is used. If the argument begins with '|' or with '!' then the rest of the argument is treated as a command and all output is piped to it. This is convenient for piping the debugging output to a program without affecting the redirections of executed programs.

-O overhead
      Set the overhead for tracing system calls to overhead microseconds. This is useful for overriding the default heuristic for guessing how much time is spent in mere measuring when timing system calls using the -c option. The accuracy of the heuristic can be gauged by timing a given program run without tracing (using time(1)) and comparing the accumulated system call time to the total produced using -c.

-p pid
      Attach to the process with the process ID pid and begin tracing. The trace may be terminated at any time by a keyboard interrupt signal (CTRL-C). strace will respond by detaching itself from the traced process(es) leaving it (them) to continue running. Multiple -p options can be used to attach to many processes in addition to command (which is optional if at least one -p option is given). -p "`pidof PROG`" syntax is supported.

-P path
      Trace only system calls accessing path. Multiple -P options can be used to specify several paths.

-s strsize
      Specify the maximum string size to print (the default is 32). Note that filenames are not considered strings and are always printed in full.

-S sortby
      Sort the output of the histogram printed by the -c option by the specified criterion. Legal values are time, calls, name, and nothing (default is time).

-u username
      Run command with the user ID, group ID, and supplementary groups of username. This option is only useful when running as root and enables the correct execution of setuid and/or setgid binaries. Unless this option is used setuid and setgid programs are executed without effective privileges.

-E var=val
      Run command with var=val in its list of environment variables.

-E var
      Remove var from the inherited list of environment variables before passing it on to the command.

Cases

Follow-up

Summary

strace is an artifact for locating problems in development and operations, and it takes practice to master. strace is like a window: it gives me the chance to see from the upper-layer application down to the calls into the system kernel, and so to understand the system.


Source: www.cnblogs.com/johnny666888/p/12629216.html