strace-ltrace
strace / ltrace
Purpose
Guide agents through tracing system calls with strace and library calls with ltrace — the most effective tools for diagnosing incorrect binary behaviour without a crash or debugger.
Triggers
- "My program behaves incorrectly — how do I trace what it's doing?"
- "How do I find what files a binary is opening?"
- "strace shows ENOENT — how do I interpret it?"
- "How do I trace network calls with strace?"
- "What is ltrace and how does it differ from strace?"
- "How do I trace a running process?"
Workflow
1. Basic strace usage
```bash
# Trace all syscalls of a command
strace ./myapp arg1 arg2
# Attach to running process
strace -p 12345
# Trace child processes too (-f = follow fork)
strace -f ./myapp
# Save the trace to a file (strace writes to stderr, not stdout);
# this also captures the program's own stderr, use -o trace.txt to keep them apart
strace ./myapp 2> trace.txt
# Most useful: timestamps + child processes, first 100 lines
strace -t -f ./myapp 2>&1 | head -100
```
2. Filter by syscall category
```bash
# Trace file operations only
strace -e trace=file ./myapp
# Trace network syscalls
strace -e trace=network ./myapp
# Trace specific syscalls
strace -e trace=open,openat,read,write ./myapp
# Trace process management
strace -e trace=process ./myapp
# Trace memory operations
strace -e trace=memory ./myapp
# Trace signals
strace -e trace=signal ./myapp
# Multiple categories
strace -e trace=file,network ./myapp
```
| Category | Syscalls included |
|---|---|
| `file` | open, openat, stat, access, unlink, rename, ... |
| `network` | socket, connect, bind, accept, send, recv, ... |
| `process` | fork, exec, wait, clone, exit, ... |
| `memory` | mmap, munmap, mprotect, brk, ... |
| `signal` | kill, sigaction, sigprocmask, ... |
| `ipc` | pipe, socketpair, shmget, ... |
| `desc` | close, dup, poll, select, epoll, ... |
3. Interpreting common errors
```bash
# See return values and errors
strace -e trace=file ./myapp 2>&1 | grep -E "ENOENT|EPERM|EACCES|ENOTSUP"
```
| Error | Meaning | Common cause |
|---|---|---|
| `ENOENT` | No such file or directory | Config file missing, wrong path |
| `EACCES` | Permission denied | File permissions, SELinux |
| `EPERM` | Operation not permitted | Missing capability, suid needed |
| `EADDRINUSE` | Address already in use | Port already bound |
| `ETIMEDOUT` | Connection timed out | Network unreachable, firewall |
| `ECONNREFUSED` | Connection refused | Server not listening |
| `EAGAIN` | Resource temporarily unavailable | Non-blocking I/O, try again |
| `ENOMEM` | Out of memory | Allocation failed |
| `EBADF` | Bad file descriptor | Using closed/invalid fd |
| `ENOEXEC` | Exec format error | Wrong binary format for arch |
```bash
# Find what file is not found
strace ./myapp 2>&1 | grep 'ENOENT'
# Example output:
# openat(AT_FDCWD, "/etc/myapp.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
# → Config file expected at /etc/myapp.conf
```
4. Useful strace flags
```bash
# Show strings fully (default truncates at 32 chars)
strace -s 256 ./myapp
# Timestamps
strace -t ./myapp # wall clock time
strace -T ./myapp # time spent in each syscall
strace -r ./myapp # relative timestamps
# System call count summary
strace -c ./myapp
# Shows count, time, errors per syscall — great for profiling
# Trace with PIDs in output (added automatically by -f)
strace -f ./myapp
# Output: [pid 12346] open("/etc/passwd", O_RDONLY) = 3
# Dereference structure arguments for all syscalls (verbose=all is the default)
strace -e verbose=all ./myapp
# Print instruction pointer at each syscall
strace -i ./myapp
```
5. ltrace — library call tracing
```bash
# Trace all library calls
ltrace ./myapp
# Trace specific library function
ltrace -e malloc,free,fopen ./myapp
# Indent nested calls by 2 spaces per nesting level
ltrace -n 2 ./myapp
# Trace with syscalls too
ltrace -S ./myapp
# Attach to running process
ltrace -p 12345
# Summary statistics
ltrace -c ./myapp
```
Typical ltrace output:
```
malloc(1024) = 0x55a1b2c3d000
fopen("/etc/myapp.conf", "r") = 0
free(0x55a1b2c3d000) = <void>
```
strace vs ltrace:
| | strace | ltrace |
|---|---|---|
| Traces | Kernel syscalls | User-space library calls |
| Overhead | Lower | Higher (PLT hooking) |
| Shows | `open()`, `read()`, `write()` | `fopen()`, `malloc()`, `printf()` |
| Use when | Binary interacts with OS/files/network | Binary calls library functions you can't see |
6. Practical diagnosis workflows
```bash
# Find missing config file
strace -e trace=openat,open ./myapp 2>&1 | grep ENOENT
# Find what network connections are made
strace -e trace=network -f ./myapp 2>&1 | grep connect
# Debug dynamic library loading failures
strace -e trace=openat ./myapp 2>&1 | grep "\.so"
# Find permission issues
strace -e trace=file ./myapp 2>&1 | grep -E "EACCES|EPERM"
# Debug slow startup (find where time is spent)
strace -c ./myapp 2>&1
# Look for high % time in unexpected syscalls
# Watch IPC/shared memory ("shm" is not a strace category; the ipc class is used here)
strace -e trace=ipc ./myapp
# Find what the binary execs
strace -e trace=execve -f ./myapp
```
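The `grep` one-liners in "Interpreting common errors" and in the workflows above show every failing line. As an added example (not part of the original skill), the function below ranks failures by errno, syscall and first string argument, and copes with the prefixes and split lines that `-f` produces. The names `strace_failures` and `sample_trace` and the sample trace itself are constructed for illustration.

```shell
# Summarise failed syscalls from strace output as
# "count errno syscall first-string-arg", most frequent first.
# Reads the files given as arguments, or stdin.
strace_failures() {
  awk '
    / = -1 E[A-Z0-9]+ / {                 # only calls that returned an error
      line = $0
      # Syscall name: text before the first "(", minus any prefix such as
      # "[pid N] " (-f), a bare PID column (-f -o file) or a -t timestamp.
      name = line; sub(/\(.*/, "", name); sub(/^.* /, "", name)
      # With -f a call can be split; the error then sits on the "resumed" line.
      if (match(line, /<\.\.\. [a-z_0-9]+ resumed>/)) {
        name = substr(line, RSTART + 5, RLENGTH - 14)
      }
      err = line; sub(/.* = -1 /, "", err); sub(/ .*/, "", err)
      arg = "-"                           # first quoted argument, if any
      if (match(line, /"[^"]*"/)) arg = substr(line, RSTART + 1, RLENGTH - 2)
      count[err " " name " " arg]++
    }
    END { for (k in count) print count[k], k }
  ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample trace (not captured from a real program); it mixes the
# "[pid N]" prefix of -f on stderr with the bare PID column of -f -o file.
sample_trace() {
  cat <<'EOF'
[pid 4242] openat(AT_FDCWD, "/etc/myapp.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid 4242] openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
[pid 4243] openat(AT_FDCWD, "/etc/myapp.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
4243 access("/var/run/myapp.pid", W_OK) = -1 EACCES (Permission denied)
[pid 4243] connect(3, {sa_family=AF_INET, sin_port=htons(5432), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ECONNREFUSED (Connection refused)
EOF
}

sample_trace | strace_failures
```

On a real run, save the trace with `strace -f -o trace.txt ./myapp` and call `strace_failures trace.txt`; a path that fails many times with `ENOENT` during startup is usually a search-path probe rather than the actual fault.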
7. seccomp filter debugging
If a program is killed by a seccomp policy, strace reveals which syscall triggered it:
```bash
strace -e trace=all ./myapp 2>&1 | tail -5
# Often shows the last syscall before SIGSYS
```
For strace output patterns and ltrace filtering examples, see references/strace-patterns.md.
Related skills
- Use `skills/debuggers/gdb` when strace shows the failing location and you need to inspect internals
- Use `skills/binaries/elf-inspection` to understand what libraries and symbols a binary uses
- Use `skills/binaries/dynamic-linking` for diagnosing `LD_*` and library loading issues
- Use `skills/profilers/linux-perf` for performance profiling (strace overhead is too high for perf)