Glossary

strace

strace is a tool that traces the system calls made by a process: every open, read, write, mmap, execve, stat, and so on. It is the indispensable first-step debugging tool when a program is behaving mysteriously: strace tells you exactly what the kernel sees it doing.

strace ls /                          # trace a new process
strace -p 1234                       # attach to a running process
strace -f cmd                        # follow forks
strace -e openat ls                  # filter by syscall
strace -c cmd                        # summary at the end
strace -y -e trace=network cmd       # show fd filenames; network calls only
strace -o trace.log cmd              # write to file instead of stderr

strace is wonderful for answering questions like "why does this program fail to start?" (almost always an openat of a missing file or a permission error), "why is it slow?" (time per syscall reveals the answer), and "what file does it read for its config?" (grep the trace for open*).
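
As an added example (not part of the original glossary entry), this shell helper pulls open/openat results out of a log written with strace -f -o trace.log, including calls that -f splits into unfinished/resumed pairs. The sample trace, its paths and the function names are constructed for illustration, and it assumes no timestamp options such as -t were used.

```sh
#!/bin/sh
# Constructed sample of `strace -f -o trace.log cmd` output (not a real capture).
write_sample_trace() {
    cat > "$1" <<'EOF'
1234  execve("/usr/bin/app", ["app"], 0x7ffd0 /* 20 vars */) = 0
1234  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1234  openat(AT_FDCWD, "/etc/app/app.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
1234  openat(AT_FDCWD, "/home/user/.apprc", O_RDONLY) = 4
1235  openat(AT_FDCWD, "/var/lib/app/state.db", O_RDWR|O_CREAT, 0600 <unfinished ...>
1234  read(4, "verbose=1\n", 4096) = 10
1235  <... openat resumed>) = -1 EACCES (Permission denied)
1234  +++ exited with 1 +++
EOF
}

# Print "OK <path>" or "FAIL <ERRNO> <path>" for each open/openat/openat2 call.
open_results() {
    awk '
    function report(path, line,   res, f) {
        res = line
        sub(/^.*\) = /, "", res)        # keep the text after the last ") = "
        split(res, f, " ")
        if (f[1] == "-1") print "FAIL", f[2], path
        else              print "OK", path
    }
    {
        pid = "-"; line = $0
        # With -f and -o, each line starts with the PID of the calling task.
        if (match(line, /^[0-9]+ +/)) { pid = $1; line = substr(line, RLENGTH + 1) }
        if (line ~ /^open(at2?)?\(/) {
            split(line, q, "\"")        # q[2] is the first quoted argument: the path
            if (line ~ /<unfinished \.\.\.>$/) { pending[pid] = q[2]; next }
            report(q[2], line)
        } else if (line ~ /^<\.\.\. open(at2?)? resumed>/ && (pid in pending)) {
            report(pending[pid], line)  # result arrives on the "resumed" line
            delete pending[pid]
        }
    }' "$1"
}

# Only the failures: the usual answer to "why does this program fail to start?"
failed_opens() {
    open_results "$1" | awk '$1 == "FAIL"'
}

tmp=$(mktemp)
write_sample_trace "$tmp"
failed_opens "$tmp"
rm -f "$tmp"
```

Paths containing an escaped double quote are not handled by the simple split on quotes.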

The price is overhead: strace uses ptrace, which can slow the target process by 10-100x. For production use, kernel tracing tools like perf, bpftrace, or sysdig are much lighter. ltrace does the same thing for library calls rather than syscalls, though it is less widely used.

Related terms: ltrace, perf, bpftrace, System Call

Also defined in: Textbook of Linux