By Samson Tanimawo, PhD. Published Oct 16, 2025.

strace vs ltrace

Two tools; different layers.

strace: syscall-level

Traces system calls between a process and the kernel, such as open, read, write, connect and fork.

Useful for: IO debugging, file access issues, network connection problems, child process behaviour.

Output: one line per syscall, with its arguments and return value.

ltrace: library-call-level

Traces library function calls, such as malloc, printf and strcpy.

Useful for: memory allocation patterns, library API usage, higher-level behaviour.

Output: one line per library call. Less granular than strace, but closer to application semantics.

When to use which

IO or network issue: strace. Syscalls are the right level.

Library bug or memory issue: ltrace. Library functions are the right level.

Both are safer than gdb for diagnosis: they offer read-only inspection, so there is less risk.

Operating in production

Both add overhead, so neither is suitable for steady-state production use.

Attach briefly during incidents: strace -p PID for a short capture.

Save the output to a file to avoid flooding the terminal: strace -o /tmp/trace.txt -p PID.
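
The short-capture procedure above, as an added example (not the author's code): capture_trace bounds the attach with timeout, and summarize_failures reads the saved one-line-per-syscall output to count failed calls. The function names, the -f and -tt options, and the sample trace lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.

# capture_trace PID SECONDS OUTFILE: attach for a bounded time, then detach.
# -f follows child processes, -tt timestamps each line, -o writes to a file.
capture_trace() {
    rc=0
    # SIGINT makes strace detach from the target; timeout exits 124 at the limit.
    timeout -s INT "$2" strace -f -tt -o "$3" -p "$1" || rc=$?
    if [ "$rc" -eq 124 ]; then rc=0; fi
    return "$rc"
}

# summarize_failures FILE: print "count syscall errno" for failed calls,
# most frequent first.
summarize_failures() {
    awk '
    match($0, / = -1 E[A-Z0-9]+/) {
        err = substr($0, RSTART + 6, RLENGTH - 6)      # text after " = -1 "
        if (match($0, /<\.\.\. [a-z0-9_]+ resumed>/))   # call split across lines by -f
            name = substr($0, RSTART + 5, RLENGTH - 14)
        else {                                          # last word before the first "("
            n = split(substr($0, 1, index($0, "(") - 1), f, " ")
            name = f[n]
        }
        count[name " " err]++
    }
    END { for (k in count) print count[k], k }' "$1" | sort -k1,1nr -k2
}

# write_sample FILE: constructed trace lines in the "-f -tt -o" layout
# (PID, timestamp, call). Not captured from a real system.
write_sample() {
    cat > "$1" <<'EOF'
4242 10:15:01.000101 openat(AT_FDCWD, "/etc/app/config.yml", O_RDONLY) = -1 ENOENT (No such file or directory)
4242 10:15:01.000240 openat(AT_FDCWD, "/etc/app/config.yaml", O_RDONLY) = 3
4242 10:15:01.000300 read(3, "port: 8080\n", 4096) = 11
4243 10:15:01.000410 connect(5, {sa_family=AF_INET, sin_port=htons(5432), sin_addr=inet_addr("10.0.0.5")}, 16 <unfinished ...>
4242 10:15:01.000500 openat(AT_FDCWD, "/etc/app/local.yml", O_RDONLY) = -1 ENOENT (No such file or directory)
4243 10:15:01.000620 <... connect resumed>) = -1 ECONNREFUSED (Connection refused)
EOF
}

# Typical use during an incident (needs strace and permission to trace the PID):
#   capture_trace 4242 10 /tmp/trace.txt && summarize_failures /tmp/trace.txt
```

On the constructed sample the summary lists the two failed openat calls first, then the refused connect from the child process.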