Frequently Asked Question
What do strace and ltrace show, and when should I reach for them?
strace attaches to a process and prints every system call it makes (every
open(), read(), write(), connect(), mmap()) along with arguments and
return values. It is the right tool when a program is failing and you cannot tell
why from its own output: "permission denied opening which file?", "stuck calling
what?", "talking to which socket?". Run it as strace -f -e trace=openat,read ./prog
to follow forks and filter to specific calls, or strace -p 12345 to attach to a
running process.
ltrace is the same idea one layer up: it intercepts calls into shared libraries
(malloc, printf, gethostbyname, …) rather than into the kernel. It is less
universally useful, since much of what's interesting on Linux is a syscall, but
it is invaluable when a bug lives in libc or a third-party library. Both tools impose a
slowdown on the traced program, so they're a diagnostic measure, not a monitoring
one. For deeper performance work the modern alternative is eBPF tools (bpftrace,
perf trace).
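
To answer "permission denied opening which file?" from a saved trace, the failing calls can be pulled out of the log mechanically. The following is an added example, not part of the original FAQ: it parses output in the format written by strace -f -o trace.log, including calls that strace splits into "<unfinished ...>" and "resumed" halves. The sample trace, its PIDs and its paths are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format of `strace -f -e trace=openat,connect -o trace.log ./prog`.
SAMPLE = '''\
1201 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1201 openat(AT_FDCWD, "/etc/app/secret.key", O_RDONLY) = -1 EACCES (Permission denied)
1202 openat(AT_FDCWD, "/var/lib/app/state.db", O_RDWR|O_CREAT, 0600 <unfinished ...>
1201 openat(AT_FDCWD, "/usr/share/app/theme.css", O_RDONLY) = -1 ENOENT (No such file or directory)
1202 <... openat resumed>) = -1 EACCES (Permission denied)
1202 connect(4, {sa_family=AF_UNIX, sun_path="/run/app.sock"}, 110) = -1 ECONNREFUSED (Connection refused)
1201 +++ exited with 1 +++
'''

PREFIX = re.compile(r'^(?:(?:\[pid\s+(\d+)\]|(\d+))\s+)?(.*)$')  # "[pid N] " or "N "
RESUMED = re.compile(r'^<\.\.\. \w+ resumed>\s*(.*)$')
FAILED = re.compile(r'^(\w+)\((.*)\)\s+= -1 (E[A-Z0-9]+) \((.*)\)$')
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
UNFINISHED = '<unfinished ...>'

def failed_calls(trace):
    """Return (pid, syscall, first quoted argument, errno) for each call that returned -1."""
    pending, out = {}, []
    for line in trace.splitlines():
        m = PREFIX.match(line.strip())
        pid, body = m.group(1) or m.group(2), m.group(3)
        if body.endswith(UNFINISHED):
            # With -f, a call interrupted by another process's output is split; keep the first half.
            pending[pid] = body[:-len(UNFINISHED)].rstrip()
            continue
        r = RESUMED.match(body)
        if r and pid in pending:
            body = pending.pop(pid) + r.group(1)  # stitch the two halves back together
        f = FAILED.match(body)
        if f:
            q = QUOTED.search(f.group(2))
            out.append((pid, f.group(1), q.group(1) if q else None, f.group(3)))
    return out

def denied_paths(trace):
    # The "permission denied opening which file?" question, answered per process.
    return [(pid, path) for pid, call, path, err in failed_calls(trace) if err == 'EACCES']

if __name__ == '__main__':
    for pid, call, path, err in failed_calls(SAMPLE):
        print(f'pid={pid} {call} {path!r} -> {err}')
    print(Counter(err for *_, err in failed_calls(SAMPLE)))
```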