strace-ltrace
strace / ltrace
Purpose

Guide agents through tracing system calls with `strace` and library calls with `ltrace` — the most effective tools for diagnosing incorrect binary behaviour without a crash or debugger.

Triggers

- "My program behaves incorrectly — how do I trace what it's doing?"
- "How do I find what files a binary is opening?"
- "strace shows ENOENT — how do I interpret it?"
- "How do I trace network calls with strace?"
- "What is ltrace and how does it differ from strace?"
- "How do I trace a running process?"
Workflow

1. Basic strace usage

```bash
# Trace all syscalls of a command
strace ./myapp arg1 arg2

# Attach to running process
strace -p 12345

# Trace child processes too (-f = follow fork)
strace -f ./myapp

# Save to file (strace writes its trace to stderr, not stdout)
strace ./myapp 2> trace.txt

# Most useful: timestamps + child processes, first 100 lines
strace -t -f ./myapp 2>&1 | head -100
```

2. Filter by syscall category

```bash
# Trace file operations only
strace -e trace=file ./myapp

# Trace network syscalls
strace -e trace=network ./myapp

# Trace specific syscalls
strace -e trace=open,openat,read,write ./myapp

# Trace process management
strace -e trace=process ./myapp

# Trace memory operations
strace -e trace=memory ./myapp

# Trace signals
strace -e trace=signal ./myapp

# Multiple categories
strace -e trace=file,network ./myapp
```

| Category | Syscalls included |
|----------|------------------|
| `file` | open, openat, stat, access, unlink, rename, ... |
| `network` | socket, connect, bind, accept, send, recv, ... |
| `process` | fork, exec, wait, clone, exit, ... |
| `memory` | mmap, munmap, mprotect, brk, ... |
| `signal` | kill, sigaction, sigprocmask, ... |
| `ipc` | pipe, socket pair, shmget, ... |
| `desc` | close, dup, poll, select, epoll, ... |

3. Interpreting common errors

```bash
# See return values and errors
strace -e trace=file ./myapp 2>&1 | grep -E "ENOENT|EPERM|EACCES|ENOTSUP"
```

| Error | Meaning | Common cause |
|-------|---------|-------------|
| `ENOENT` | No such file or directory | Config file missing, wrong path |
| `EACCES` | Permission denied | File permissions, SELinux |
| `EPERM` | Operation not permitted | Missing capability, suid needed |
| `EADDRINUSE` | Address already in use | Port already bound |
| `ETIMEDOUT` | Connection timed out | Network unreachable, firewall |
| `ECONNREFUSED` | Connection refused | Server not listening |
| `EAGAIN` | Resource temporarily unavailable | Non-blocking I/O, try again |
| `ENOMEM` | Out of memory | Allocation failed |
| `EBADF` | Bad file descriptor | Using closed/invalid fd |
| `ENOEXEC` | Exec format error | Wrong binary format for arch |

```bash
# Find what file is not found
strace ./myapp 2>&1 | grep 'ENOENT'
# Example output:
# openat(AT_FDCWD, "/etc/myapp.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
# → Config file expected at /etc/myapp.conf
```
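
Grepping for one errno returns raw lines; ranking every failed call by errno and target shows which failures repeat across processes. The following is an added example, not part of the original skill: `failed_calls` and `sample_trace` are hypothetical names, and the trace lines are constructed.

```bash
#!/bin/sh
# Added example: summarise failed syscalls in strace output.
# Output columns: count, errno, syscall, first quoted argument.

failed_calls() {
  awk '
    / = -1 E[A-Z0-9]+ / {
      # Syscall name: first identifier followed by "(" (this skips
      # "[pid N]" and -t timestamp prefixes).
      name = "?"
      if (match($0, /[a-z_0-9]+\(/)) name = substr($0, RSTART, RLENGTH - 1)

      # errno symbol: the word after "= -1".
      err = $0
      sub(/.* = -1 /, "", err)
      sub(/ .*/, "", err)

      # First quoted argument: the path for file calls, the address for connect.
      arg = "-"
      if (match($0, /"[^"]*"/)) arg = substr($0, RSTART + 1, RLENGTH - 2)

      count[err " " name " " arg]++
    }
    END { for (k in count) print count[k], k }
  ' "$@" | sort -k1,1nr -k2
}

# Constructed sample trace (not captured from a real run).
sample_trace() {
  cat <<'EOF'
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/myapp.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/home/user/.myapp.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/var/log/myapp.log", O_WRONLY|O_CREAT|O_APPEND, 0644) = -1 EACCES (Permission denied)
[pid 12346] openat(AT_FDCWD, "/etc/myapp.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_INET, sin_port=htons(5432), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ECONNREFUSED (Connection refused)
EOF
}

sample_trace | failed_calls
```

On a real trace, pass the file written by `strace ./myapp 2> trace.txt` as the argument: `failed_calls trace.txt`.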

4. Useful strace flags

```bash
# Show strings fully (default truncates at 32 chars)
strace -s 256 ./myapp

# Timestamps
strace -t ./myapp    # wall clock time
strace -T ./myapp    # time spent in each syscall
strace -r ./myapp    # relative timestamps

# System call count summary
strace -c ./myapp
# Shows count, time, errors per syscall — great for profiling

# Trace with PIDs in output (for -f)
strace -f ./myapp
# Output: [pid 12346] open("/etc/passwd", O_RDONLY) = 3

# Decode structure arguments for all syscalls
strace -e verbose=all ./myapp

# Print instruction pointer at each syscall
strace -i ./myapp
```

5. ltrace — library call tracing

```bash
# Trace all library calls
ltrace ./myapp

# Trace specific library function
ltrace -e malloc,free,fopen ./myapp

# Trace nested calls (lib → lib)
ltrace -n 2 ./myapp    # indent nested calls

# Trace with syscalls too
ltrace -S ./myapp

# Attach to running process
ltrace -p 12345

# Summary statistics
ltrace -c ./myapp
```

Typical ltrace output:

```text
malloc(1024) = 0x55a1b2c3d000
fopen("/etc/myapp.conf", "r") = 0
free(0x55a1b2c3d000) = <void>
```

strace vs ltrace:

| | strace | ltrace |
|---|---|---|
| Traces | Kernel syscalls | User-space library calls |
| Overhead | Lower | Higher (PLT hooking) |
| Shows | | |
| Use when | Binary interacts with OS/files/network | Binary calls library functions you can't see |

6. Practical diagnosis workflows

```bash
# Find missing config file
strace -e trace=openat,open ./myapp 2>&1 | grep ENOENT

# Find what network connections are made
strace -e trace=network -f ./myapp 2>&1 | grep connect

# Debug dynamic library loading failures
strace -e trace=openat ./myapp 2>&1 | grep '\.so'

# Find permission issues
strace -e trace=file ./myapp 2>&1 | grep -E "EACCES|EPERM"

# Debug slow startup (find where time is spent)
strace -c ./myapp 2>&1
# Look for high % time in unexpected syscalls

# Watch IPC/shared memory
strace -e trace=ipc ./myapp

# Find what the binary exec's
strace -e trace=execve -f ./myapp
```

7. seccomp filter debugging

If a program is killed by a seccomp policy, strace reveals which syscall triggered it:

```bash
strace -e trace=all ./myapp 2>&1 | tail -5
# Often shows the last syscall before SIGSYS
```

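
When the trace was taken with `-f`, lines from other processes can interleave between the offending call and the kill record, so reading the tail by eye is error-prone. The following added example (not part of the original skill) tracks the last syscall per process and reports it when that process is killed by SIGSYS; `sigsys_culprit` and `sample_seccomp_trace` are hypothetical names and the trace is constructed.

```bash
#!/bin/sh
# Added example: report the last syscall each process entered before
# strace logged "+++ killed by SIGSYS".
# Output columns: pid ("main" when the line has no [pid N] prefix), syscall.

sigsys_culprit() {
  awk '
    {
      pid = "main"; line = $0
      # strace -f prefixes lines with "[pid N] " once several processes are traced.
      if (match(line, /^\[pid +[0-9]+\] /)) {
        pid = substr(line, 1, RLENGTH)
        gsub(/[^0-9]/, "", pid)
        line = substr($0, RLENGTH + 1)
      }
    }
    # Termination record: print what this pid was last seen calling.
    line ~ /^\+\+\+ killed by SIGSYS/ {
      print pid, ((pid in last) ? last[pid] : "unknown")
      next
    }
    # Any line that starts a syscall updates the per-pid state.
    match(line, /^[a-z_0-9]+\(/) { last[pid] = substr(line, 1, RLENGTH - 1) }
  ' "$@"
}

# Constructed sample trace (not captured from a real run).
sample_seccomp_trace() {
  cat <<'EOF'
[pid 4242] openat(AT_FDCWD, "/etc/myapp.conf", O_RDONLY) = 3
[pid 4243] read(3, "x", 1) = 1
[pid 4242] socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = ?
[pid 4243] write(1, "ok\n", 3) = 3
[pid 4243] close(3) = 0
[pid 4243] nanosleep({tv_sec=1, tv_nsec=0}, NULL) = 0
[pid 4242] +++ killed by SIGSYS (core dumped) +++
[pid 4243] +++ exited with 0 +++
EOF
}

sample_seccomp_trace | sigsys_culprit
```

The reported syscall is the one to check against the seccomp allow-list for that process.
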
For strace output patterns and ltrace filtering examples, see [references/strace-patterns.md](references/strace-patterns.md).

Related skills

- Use `skills/debuggers/gdb` when strace shows the failing location and you need to inspect internals
- Use `skills/binaries/elf-inspection` to understand what libraries and symbols a binary uses
- Use `skills/binaries/dynamic-linking` for diagnosing `LD_*` and library loading issues
- Use `skills/profilers/linux-perf` for performance profiling (strace overhead is too high for perf)