@reveng007
Last active November 23, 2022 15:07
strace vs. ltrace vs. ptrace vs. ftrace

TL;DR:


  1. strace : system call tracer : traces the system calls summoned by a process from the syscall table

System calls, e.g.:

open syscall (__NR_open),
kill syscall (__NR_kill), 
getdents64 syscall (__NR_getdents64), 

etc.
  2. ltrace : library call tracer : traces the library calls summoned by a program from library functions (glibc)

Library calls, e.g.:

open(),
fopen(),
open64(),

etc.

BTW, all of those library calls use the open syscall (__NR_open) under the hood, each in a slightly different way.

NOTE:

BTW, both ltrace and strace can do more or less the same thing: ltrace -S also prints system calls, so it can be compared against strace.

Compare: ltrace -S vs. strace. Find out by doing it. (link: reddit)


Explanation:

1. strace and ptrace:

strace intercepts the system calls made into the Linux kernel by (i) glibc and (ii) other libraries. It uses the ptrace system call to inspect the system calls of a process.

strace
  |
 Used
 ptrace
  |
  V
ptrace (process trace)
  |
  |
which
inspects
  |
  V
system calls, summoned by a process from the syscall table.

ptrace:

ptrace is a system call that provides a means by which one process (the "tracer") may observe and control the execution of another process (the "tracee"), and examine and change the tracee's memory and registers.

It is primarily used to implement breakpoint debugging and system call tracing.

NOTE:

A tracee first needs to be attached to the tracer, just like the debugger and debuggee relationship.

Go through these links:

a) https://blog.packagecloud.io/how-does-strace-work/
b) https://www.linkedin.com/pulse/tracing-technology-ltrace-strace-rosemary-francis/
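As an added example (not part of this gist, and not strace's own code), here is the ptrace mechanism strace is built on, reduced to a minimal tracer in C: the child asks to be traced with PTRACE_TRACEME and execs, the tracer resumes it with PTRACE_SYSCALL so the kernel stops it at every syscall entry and exit, and at each entry stop it reads the syscall number out of the registers. The function names (`trace_syscalls`, `syscall_name`) are my own; register decoding is x86-64 only (orig_rax, rdi, rsi, rdx), and the count falls back to -1 when the child cannot be traced, which is what you see in a sandbox that forbids ptrace.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Name a few syscall numbers for readable output: the calls the notes
   mention plus some that almost every process makes. The __NR_* values
   come from <sys/syscall.h>, so they match the build architecture. */
const char *syscall_name(long nr)
{
    switch (nr) {
#ifdef __NR_open
    case __NR_open:       return "open";
#endif
    case __NR_openat:     return "openat";
    case __NR_kill:       return "kill";
    case __NR_getdents64: return "getdents64";
    case __NR_read:       return "read";
    case __NR_write:      return "write";
    case __NR_execve:     return "execve";
    case __NR_exit_group: return "exit_group";
    default:              return "?";
    }
}

/* Run argv[0] under a minimal tracer; return the number of syscall entry
   stops seen, or -1 if the child could not be traced (fork failure,
   ptrace forbidden by a sandbox, or execv failure). */
long trace_syscalls(char *const argv[], int verbose)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Tracee: volunteer to be traced, then exec. The kernel stops the
           child with SIGTRAP as soon as the execve succeeds. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(127);
        execv(argv[0], argv);
        _exit(127);                       /* exec failed */
    }

    /* Tracer: the first stop is the post-exec SIGTRAP. If the child
       exited instead, tracing never started. */
    int status;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status))
        return -1;

    /* TRACESYSGOOD makes syscall stops report SIGTRAP|0x80, so they can
       be told apart from real SIGTRAPs and other signal-delivery stops. */
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD) == -1) {
        kill(pid, SIGKILL);
        return -1;
    }

    long entries = 0;
    int in_syscall = 0;   /* toggles: entry stop, then exit stop */
    int sig = 0;          /* pending signal to forward on resume */

    for (;;) {
        /* Resume until the next syscall boundary, re-delivering any
           signal the tracee was stopped for instead of swallowing it. */
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) == -1)
            return -1;
        sig = 0;
        if (waitpid(pid, &status, 0) == -1)
            return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status))
            break;
        if (!WIFSTOPPED(status))
            continue;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) {
            sig = WSTOPSIG(status);       /* ordinary signal stop */
            continue;
        }
        in_syscall = !in_syscall;
        if (!in_syscall)
            continue;                     /* syscall-exit stop */
        entries++;
#if defined(__x86_64__)
        if (verbose) {
            /* x86-64: syscall number in orig_rax, args in rdi/rsi/rdx. */
            struct user_regs_struct regs;
            if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == 0)
                fprintf(stderr, "%s(0x%llx, 0x%llx, 0x%llx)\n",
                        syscall_name((long)regs.orig_rax),
                        regs.rdi, regs.rsi, regs.rdx);
        }
#else
        (void)verbose;
#endif
    }
    return entries;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s PROGRAM [ARGS...]\n", argv[0]);
        return 2;
    }
    long n = trace_syscalls(argv + 1, 1);
    if (n < 0) {
        fprintf(stderr, "tracing failed (ptrace unavailable or exec failed)\n");
        return 1;
    }
    fprintf(stderr, "%ld system calls entered\n", n);
    return 0;
}
```

Build with `gcc -o mini-strace mini-strace.c` and run `./mini-strace /bin/ls`; every line on stderr corresponds to one syscall-entry stop, which is exactly the event strace decodes into its `openat("...", O_RDONLY) = 3` lines (strace additionally reads the exit stop to get the return value and dereferences pointer arguments with PTRACE_PEEKDATA). Two properties of the mechanism are worth noting from the defender's side: a process can have only one tracer at a time, and the entry/exit stops are generated by the kernel, so a traced program cannot hide a system call from the tracer, only detect that it is being traced.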

2. ltrace:

ltrace intercepts (i) library calls and (ii) system calls made by your application to C libraries such as glibc. It doesn't use LD_PRELOAD, but the information you get is very similar.

ltrace also relies on ptrace (system call), but tracing library functions works differently than tracing system calls and this is where the tools differ.

ltrace
  |
 Used
 ptrace
  |
  V
ptrace (process trace)
  |
  |
which
inspects
  |
  V
library calls, summoned by program from library functions (glibc).

Go through these links:

a) https://blog.packagecloud.io/how-does-ltrace-work/
b) https://www.linkedin.com/pulse/tracing-technology-ltrace-strace-rosemary-francis/

3. ftrace:

ftrace is a tool used during kernel development and allows the developer to see what functions are being called within the kernel.

Go through these links:

  1. https://www.saashub.com/compare-strace-vs-ftrace
  2. https://www.kernel.org/doc/Documentation/trace/ftrace.txt