Frequently Asked Question
What does strace do, and what is its overhead?
strace uses the ptrace system call to intercept every system call a
process makes, printing the call name, arguments, and return value. It is
the single best tool for answering "what is this program actually doing
right now?": a program hung on a missing config file will show a final
openat() returning -1 ENOENT; one stuck on a network call will show
recvfrom() blocked. strace -e openat,read,write filters to specific
calls; strace -p PID attaches to a running process; strace -c prints a
summary at the end instead of a full trace; strace -f follows forks.
The cost is severe. Every syscall now involves two context switches
(process to tracer, tracer back to kernel, kernel back to process), and a
busy server can slow down by an order of magnitude or more under strace.
Newer kernels offer strace --seccomp-bpf and a separate strace -k
stack trace mode that reduce some overhead, but strace remains a
heavyweight tool you reach for to diagnose, not one you leave running.
For continuous monitoring, the bcc tools (syscount, opensnoop,
execsnoop) do similar jobs at near-zero cost.
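As an added example (not part of this FAQ), a small POSIX shell script that scans a saved strace -f -o log for the two symptoms named above, a final openat() failing with ENOENT and a call that never returned; the trace it runs on is a constructed sample, not output captured from any real program.

```shell
#!/bin/sh
# Scan an strace log for (1) files that could not be opened and (2) syscalls
# still blocked when the trace ended. Real usage (assumed, hypothetical app):
#   strace -f -e trace=openat,read,write,recvfrom -o app.trace ./app
#   diagnose_trace app.trace

# Constructed sample in the shape of `strace -f -o` output (PID prefix, no
# timestamps). The last line is what strace prints when you Ctrl-C it while
# the tracee is still blocked in a syscall.
sample_trace() {
  cat <<'EOF'
4242 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4242 read(3, "\177ELF\2\1\1\0"..., 832) = 832
4242 openat(AT_FDCWD, "/etc/app/app.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
4242 openat(AT_FDCWD, "/usr/share/app/app.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
4242 openat(AT_FDCWD, "/etc/app/app.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
4242 write(2, "using built-in defaults\n", 24) = 24
4242 recvfrom(5,  <detached ...>
EOF
}

# Paths whose openat() returned -1 ENOENT, most frequently retried first.
# The optional leading "PID " group makes this work with and without -f.
missing_files() {
  sed -n 's/^\([0-9]* \)\{0,1\}openat([^,]*, "\([^"]*\)".*= -1 ENOENT.*/\2/p' \
    | sort | uniq -c | sort -rn
}

# Names of syscalls that never returned: strace marks them <unfinished ...>
# (interleaved with another process) or <detached ...> (strace was stopped).
unfinished_calls() {
  grep -E '<(unfinished|detached) \.\.\.>' \
    | sed -n 's/^\([0-9]* \)\{0,1\}\([a-z0-9_]*\)(.*/\2/p'
}

# One-shot summary for a trace file given as $1.
diagnose_trace() {
  echo "== files that could not be opened (ENOENT) =="
  missing_files < "$1"
  echo "== syscalls still blocked when the trace ended =="
  unfinished_calls < "$1"
}

# Stand-alone demo on the constructed sample.
tmp=$(mktemp); sample_trace > "$tmp"; diagnose_trace "$tmp"; rm -f "$tmp"
```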