I can run strace
on a command like sleep 1
and see what files it's accessing like this:
strace -e trace=file -o strace.log sleep 1
However, on my machine, many of the calls have a return value of -1
indicating that the file does not exist. For example:
$ grep '= -1 ENOENT' strace.log | head
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.UTF-8/LC_IDENTIFICATION", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.UTF-8/LC_MEASUREMENT", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.UTF-8/LC_TELEPHONE", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.UTF-8/LC_ADDRESS", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.UTF-8/LC_NAME", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/locale/en_US.UTF-8/LC_PAPER", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
I'm not really interested in the files that don't exist,
I want to know what files the process actually found and read from.
Aside from grep -v '=-1 ENOENT'
,
how can I reliably filter out failed calls?
Addendum
I was surprised to learn
that strace
has had this feature in the works since 2002
in the form of the -z
flag, which is an alias for -e status=successful
,
fully functional since version 5.2
(2019-07-12),
also available as --successful-only
since version 5.6 (2020-04-07).
Also available since version 5.2 is the complement of -z
, the -Z
flag,
which is an alias for -e status=failed
,
available as --failed-only
since version 5.6.
The -z
flag was first added in a commit from 2002 and released in version 4.5.18 (2008-08-28),
bit it had never been documented because it was not working properly.
Relevant links:
-
only seeing successful system calls
Sat Nov 2 23:07:23 UTC 2002
When using strace I sometimes like to see the system calls
which work (instead of all the system calls).I've been porting this patch for years, it seems very useful.
With the -z option, you don't see opens on files which aren't there
(very useful tracking down what a program actually does, instead of
trying to do).https://lists.strace.io/pipermail/strace-devel/2002-November/000232.html
-
strace: -z option doesn't work properly
Date: Sun, 12 Jan 2003 09:33:01 UTC
-
tracing only failing syscalls
Created: 2004-03-19
-
[strace-4.15] Proposal: Output Staging for -z Option (print successful syscalls only) / Patch included
Tue Jan 17 09:35:54 UTC 2017
https://lists.strace.io/pipermail/strace-devel/2017-January/005941.html
-
[PATCH v1] Implemented output staging for failed/successful syscalls
Wed Jan 18 16:01:20 UTC 2017
https://lists.strace.io/pipermail/strace-devel/2017-January/005950.html
-
Fix -z option
Feb 28, 2018
-
[PATCH 0/3] Stage output for -z and new -Z options
Mon Apr 1 21:13:02 UTC 2019
https://lists.strace.io/pipermail/strace-devel/2019-April/008706.html
-
strace -z flag
Mon Jun 10 05:29:19 UTC 2019
https://lists.strace.io/pipermail/strace-devel/2019-June/008808.html
Best Answer
Apart from post-processing the
strace
output, there isn’t anything available to ignore failed system calls instrace
. It wouldn’t be too hard to add, look at thesyscall_exiting_trace
function insyscall.c
.If you’d rather pursue the post-processing angle, Ole Tange has already taken care of that for you in a more comprehensive way than you’re likely to get here: the
tracefile
tool will runstrace
and filter out the information you’re after in a nicely readable fashion. See List the files accessed by a program for details. Another answer to that question lists other possible approaches, including LoggedFS which I find very useful.Another option is to use SystemTap; for example
will show the name of any file successfully opened by any
cat
process.