Trace what a program asks the kernel to do and find bugs, permission problems or surprises. 16.11.2025 | reading time: 3 min System calls are the language between a program and the kernel; strace listens in. Learn by doing: attach, record, and inspect the exact requests a process makes to the operating system and find the root cause fast. Trace a running sleep Reproduce a minimal, focused trace to see strace in action; start a short background sleeper and attach to it to capture only the sleep syscall. ```bash $ sleep 3 & [1] 12345 $ strace -p 12345 -e trace=nanosleep -o sleep_trace.txt $ cat sleep_trace.txt nanosleep({3, 0}, NULL) = 0 +++ exited with 0 +++ ``` This shows the exact syscall and return value; short, precise, and immediately useful for debugging timers and waits. Run-and-record an ls walk Want a fuller example that records file opens and errors? Run strace on a command and dump the output to a file for later analysis. ```bash $ strace -f -e trace=openat -o trace.txt ls /nonexistent $ cat trace.txt openat(AT_FDCWD, "/nonexistent", O_RDONLY|O_NONBLOCK|O_CLOEXEC) = -1 ENOENT (No such file or directory) +++ exited with 2 +++ ``` You now have concrete evidence: the kernel returned ENOENT for the path, proving the file was missing rather than a higher-level bug. Flags you will actually use Use `-p` to attach to a PID, `-f` to follow forks, `-o` to write to a file, `-e` to filter by syscall class or expression, `-s` to set string-print limit and `-c` to get syscall counts and timings; combine them to narrow noise and highlight the problem quickly. When and why to reach for strace Reach for strace when a program fails without clear error messages, when permissions look correct but behavior differs, or when you need to confirm what files, sockets or ioctls a process actually uses; it is indispensable for low-level troubleshooting and for verifying container or sandbox interactions. Complementary tools to know strace answers "what the process asked the kernel"; use `ltrace` for library calls, `perf` for performance hotspots, and `auditd` for system-wide security auditing to complete the picture. Clear finish, next step Start using strace on trivial commands, build patterns of typical syscall failures, and then apply the technique to larger services; the more traces you read, the faster you locate the problem. Keep learning about Linux internals and consider formal certification like CompTIA Linux+ or LPIC-1 with intensive exam preparation at bitsandbytes.academy to turn practical skill into recognized expertise. Join Bits & Bytes Academy First class LINUX exam preparation. utilities processes troubleshooting security
