I want to monitor and log all traffic that a specific process produces. I know about tcpdump, but it seems it doesn’t support filtering by process (pid/path, or at least user). Is there any other way to log all traffic from a process? Ideally I should be able to filter ports as well. Thanks! Answer You should use the strace command:
Tag: strace
Why does strace ignore some syscalls (randomly) depending on environment/kernel?
If I compile the following program: and then run it under strace in “standard” Kubuntu, I get this: As you can see, there is no clock_gettime (full strace output is here). On the other hand, if I run the same app in my custom built linux kernel under qemu, I get the following output: Which is more expected – there
Why am I not able to view the clone() system call in strace output when typing ‘strace ls’ in terminal?
My understanding is that when we type ls in the terminal: it invokes the fork() library function, which invokes the system call clone() to create a child process. Then the system call execve() is invoked to replace the address space of the newly created process with new content. In that case I was expecting to see the system calls clone() and execve() in the strace
How to find what folder process can’t open
I have an application that is not functioning, because it can’t find or open the folder. But it does not print the folder path. How can I find out what folders it tries to open or locate? Probably the folder does not exist, or has wrong permissions. But to fix this I need to know what folder the application is opening… Answer
Raw clone system call not working correctly
I’m trying to use the raw clone system call to avoid having to refactor the pid 0 code into a function. Linux requires stacks to be 16 bytes, additionally, libc reserves 16 bits presumably to store ptid and ctid. The code below creates an aligned stack then exits from the child. After waiting for the child cloned by libc’s wrapper
How to see system call that executed in current time by process?
The Linux utility “strace” shows the list of syscalls that started after strace was run. How can I see the syscall a process is running at the current moment, i.e. before strace was started? Answer proc offers some information about what the kernel is currently doing “for” a process /proc/${pid}/syscall /proc/${pid}/stack More information: http://man7.org/linux/man-pages/man5/proc.5.html http://blog.tanelpoder.com/2013/02/21/peeking-into-linux-kernel-land-using-proc-filesystem-for-quickndirty-troubleshooting/
strace -c does not show correct seconds
I have got results for strace -c on RHEL 7 and RHEL 6 for this command: and I don’t understand why the seconds column for nanosleep is equal to 0. I had expected it to be 20. Here is a full strace report: And there is a call to nanosleep in a detailed report: So seconds must be 20, not
strace -e trace=network only showing SIGCHLD?
I am using the command: strace -tt -o $(unknown) -e trace=network gdb --args ${EXECUTABLE} to track which system calls occur whilst connecting to and sending messages to a peer. However, I am only receiving the following entries: Should I not see the socket calls to read(), close(), etc.? Answer Using strace with gdb --args ${EXECUTABLE} prints the syscalls of gdb, instead
Interpreting STRACE output – pipes and forks
I have the following code written in C, taken from https://beej.us/guide/bgipc/html/multi/pipes.html: When compiling and running this code in the terminal using strace I get the following output: Can anybody explain, line by line, what is going on in the strace output? I’ve attempted to research how to interpret strace outputs but haven’t had any luck. Thanks in advance. Answer The
Why do C++ and strace disagree on how long the open() system call is taking?
I have a program which opens a large number of files. I am timing the execution of a C++ loop which literally just opens and closes the files using both a C++ timer and strace. Strangely the system time and the time logged by C++ (which agree with each other) are orders of magnitude larger than the time the time