68

I do know that strace uses ptrace to do the job, but it needs to run the target process with TRACE_ME on, which doesn't apply to the case of an already running process.

How does it work on an already running process?

new_perl

2 Answers

54

strace -p <PID> ----> To attach a process to strace. "-p" option is for PID of the process.

strace -e trace=read,write -p <PID> --> By this you can also trace a process/program for an event, like read and write (in this example). So here it will print all such events that include read and write system calls by the process.

Other such examples

-e trace=network   (Trace all the network related system calls.)

-e trace=signal    (Trace all signal related system calls.)

-e trace=ipc       (Trace all IPC related system calls.)

-e trace=desc      (Trace all file descriptor related system calls.)

-e trace=memory    (Trace all memory mapping related system calls.)

and many more..

trace is one of the many options you can use with -e option.

Press Ctrl-C to abort the tracing by strace.

Check HELP section for brief summary on strace by typing strace -h and man page for detailed info.

NOTE: A traced process runs slowly.

Noam M
Prabhat Kumar Singh
    Surely the question is asking "how does the magic of 'attach' work?" not "what are the command switches to invoke the magic?" – Tom Goodfellow Mar 26 '18 at 22:15
  • @TomGoodfellow well there is no magic as such, only the commands with some other options which I have mentioned. Please read question and answer again. I don't know which part of it you didn't understand. – Prabhat Kumar Singh Mar 27 '18 at 07:13
  • 4
    Here's that question: "I do know that strace uses ptrace to do the job, but it needs to run the target process with TRACE_ME on..." - it's a question about the implementation of ptrace() (and how strace uses it), not a question about using the strace command. – Tom Goodfellow Mar 27 '18 at 08:13
  • Title was "How does strace connect..." and I have answered based on that, about ptrace, and ptrace uses TRACE_ME I have no idea, even wiki, man page, or any other source didn't say anything related to those. So can't comment about the authenticity of what ptrace does internally. – Prabhat Kumar Singh Mar 27 '18 at 10:23
  • 3
    This doesn't answer the question. The question is concerned about how strace uses ptrace to connect to already running processes; the asker is not concerned about how to use strace to connect to already running processes, but rather they want to know how does strace connect. Matthew's answer correctly answers this question. – NotAPro Jun 04 '20 at 03:26
35

The details of ptrace() are OS-specific.

On Linux, a child may request to be traced by its parent with ptrace(PTRACE_TRACEME, ...); but, alternatively, a process may attach itself to another process with ptrace(PTRACE_ATTACH, ...).

See the Linux ptrace(2) man page (and, if you really want the fine details, the strace source, and kernel source starting at kernel/ptrace.c).

Matthew Slattery
  • while the other answer is detailed and helpful for some searchers, it does not actually answer the original question, this one should be the accepted answer – Arkadiy Kukarkin Jul 12 '23 at 19:21
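
The PTRACE_ATTACH path from the answer above, as an added example that is not part of the original answers or the strace source: a parent attaches to a constructed child that is already running and never calls PTRACE_TRACEME, watches for one syscall-stop, and detaches. The function names are hypothetical; this is Linux only, and the attach can fail with EPERM under a restrictive Yama ptrace_scope or seccomp policy.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Attach to a running pid, watch for one syscall-stop, then detach.
 * Returns 1 if a syscall-stop was seen, 0 if not, -errno on failure. */
int trace_one_syscall(pid_t pid)
{
    int status, seen;

    /* The target does nothing here: the kernel checks that we may trace
     * it (credentials, Yama ptrace_scope) and sends it a SIGSTOP. */
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1)
        return -errno;
    if (waitpid(pid, &status, 0) == -1)   /* attach completes at this stop */
        return -errno;
    /* Report syscall-stops as SIGTRAP|0x80 so they are unambiguous. */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);
    /* Resume the tracee until its next syscall entry or exit. */
    if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) == -1 || waitpid(pid, &status, 0) == -1)
        return -errno;
    seen = WIFSTOPPED(status) && WSTOPSIG(status) == (SIGTRAP | 0x80);
    ptrace(PTRACE_DETACH, pid, NULL, NULL); /* tracee continues untraced */
    return seen;
}

/* Constructed demo target: a child that never calls PTRACE_TRACEME. */
int demo_attach_to_running_child(void)
{
    pid_t pid = fork();
    int r;

    if (pid == -1)
        return -errno;
    if (pid == 0)
        for (;;)
            usleep(1000);                 /* keeps making syscalls */
    usleep(50000);                        /* child is now already running */
    r = trace_one_syscall(pid);
    kill(pid, SIGKILL);                   /* clean up the demo target */
    waitpid(pid, NULL, 0);
    return r;
}

int main(void) { return demo_attach_to_running_child() == 1 ? 0 : 1; }
```

`strace -p <PID>` follows the same attach, wait, resume-to-syscall cycle, but decodes the registers at each stop instead of only counting it.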