strace Cheatsheet
Power user.
Overview
strace traces system calls and signals for any Linux process. When other tools say “the process is broken,” strace says exactly which syscall failed and why. Five primitive operations cover almost every investigative use case.
- Syscall trace. Every syscall the process makes. Ground-truth visibility into what the process is asking the kernel to do.
- Argument inspection. Decoded syscall arguments show exactly what the process requested. The decode is half the value.
- Filtering.
-e trace=networklimits to network calls. Narrows scope before the trace becomes unreadable. - Process attach plus summary.
-p PIDattaches to a running process;-csummarises syscall counts and time spent for performance investigation.
The approach
Three habits separate fluent strace from beginner strace: filter aggressively by syscall class, attach to running PIDs rather than starting new ones, and summarise with -c for performance work.
- strace -p PID. Attach to a running process. Most production debugging starts here.
- strace -e trace=network -p PID. Network syscalls only. Cuts the noise from file IO and other unrelated calls.
- strace -e trace=open,openat -p PID. File opens. Catches missing files, permission denials, and config-path bugs.
- strace -c plus -f.
-csummarises syscall counts and time;-ffollows forks to catch child processes.
Why this compounds
strace fluency compounds because the same toolkit serves every Linux process the team operates. The patterns transfer to ltrace, perf trace, and modern eBPF-based tools.
- Faster process debugging. Fluent strace produces fast root cause on the long tail of weird process behaviour.
- Linux syscall mental model. Each session teaches a little more about the kernel boundary. Investigations get faster as the model matures.
- Catches the unexpected. Other tools sometimes miss what strace surfaces directly. The deep-investigation niche is hard to replace.
- Year-one investment, year-two habit. The first year establishes fluency under pressure. Subsequent years extend it.