Summary while strace runs
strace
has the -c
switch which will give you a summary report of the various system calls that were made.
excerpt strace man page
-c Count time, calls, and errors for each system call and report a
summary on program exit. On Linux, this attempts to show system
time (CPU time spent running in the kernel) independent of wall
clock time. If -c is used with -f or -F (below), only aggregate
totals for all traced processes are kept.
Example
$ strace -c systemctl list-unit-files --type=service
...
...
% time seconds usecs/call calls errors syscall
------ ----------- ----------- --------- --------- ----------------
51.81 0.001831 1831 1 waitid
8.15 0.000288 7 39 mmap
7.89 0.000279 19 15 read
6.11 0.000216 8 26 mprotect
4.56 0.000161 11 15 open
2.91 0.000103 103 1 connect
2.24 0.000079 79 1 clone
2.15 0.000076 38 2 statfs
2.01 0.000071 4 19 close
1.95 0.000069 5 13 poll
1.90 0.000067 5 14 2 recvmsg
1.70 0.000060 4 16 fstat
0.88 0.000031 8 4 3 stat
0.82 0.000029 29 1 socket
0.65 0.000023 8 3 munmap
0.57 0.000020 5 4 sendto
0.42 0.000015 5 3 ioctl
0.40 0.000014 7 2 lstat
0.40 0.000014 7 2 sendmsg
0.34 0.000012 4 3 brk
0.23 0.000008 8 1 pipe
0.23 0.000008 4 2 fcntl
0.20 0.000007 4 2 rt_sigaction
0.20 0.000007 7 1 1 access
0.20 0.000007 4 2 geteuid
0.17 0.000006 6 1 execve
0.14 0.000005 5 1 getsockname
0.11 0.000004 4 1 dup2
0.11 0.000004 4 1 getresuid
0.11 0.000004 4 1 getresgid
0.11 0.000004 4 1 arch_prctl
0.08 0.000003 3 1 rt_sigprocmask
0.08 0.000003 3 1 getrlimit
0.08 0.000003 3 1 set_tid_address
0.08 0.000003 3 1 set_robust_list
0.00 0.000000 0 4 write
0.00 0.000000 0 1 kill
------ ----------- ----------- --------- --------- ----------------
100.00 0.003534 207 6 total
Analyzing strace logs postmortem
I found this Perl scripts called Strace_analyzer.pl
which sounds like what you're looking for.
Usage
$ ./strace_analyzer_ng_0.03.pl -help
Usage: strace-analyze [OPTION]… [FILE]
Analyzes strace output for IO functions. It creates statistics
on IO functions and performance of the read and write functions.
The strace file should have been run with ‘strace -tt [PROGRAM]
There's an example of the output on the page I linked to above. It's too long to post here. I've posted here on pastebin.com as well.
Alternative to strace, ioapps
I came across this app called ioapps
which can give you a more visual breakdown of what your app is doing when it's running. Perhaps this might be better for what you're trying to accomplish than processing strace
logs.
Usage
$ ioprofiler-trace thunderbird
Once it loads, we just close the thunderbird window and check we have
a trace log called "ioproftrace.log" because that's the default name
of the log (one can specify another name using -o command line
option):
$ ls -l ioproftrace.log
-rw-r--r-- 1 user user 74890554 Apr 4 22:04 ioproftrace.log
It seems OK, so we can run ioprofiler over it:
$ ioprofiler ioproftrace.log
Example GUI
Another alternative to strace, strace+
NOTE: The project, strace+, is no longer being maintained, and in fact many of its features have been merged into the default strace
via the -k
switch. So you might want to make sure your version of strace
is at least up to 4.9, which is when that switch was merged in.
excerpt strace man page
-k Print the execution stack trace of the traced processes after
each system call (experimental).
excerpt from strace+ project page
strace+ is an improved version of strace that collects stack traces
associated with each system call. Since system calls require an
expensive user-kernel context switch, they are often sources of
performance bottlenecks. strace+ allows programmers to do more
detailed system call profiling and determine, say, which call sites
led to costly syscalls and thus have potential for optimization.
I did a dig into the source code strace 4.9 and found this:
{ 3, TD|TF, sys_open, "open" }, /* 5 */
{ 2, TD|TF, sys_creat, "creat" }, /* 8 */
{ 2, TF, sys_link, "link" }, /* 9 */
{ 1, TF, sys_unlink, "unlink" }, /* 10 */
{ 3, TF|TP|SE|SI, sys_execve, "execve" }, /* 11 */
{ 1, TF, sys_chdir, "chdir" }, /* 12 */
{ 3, TF, sys_mknod, "mknod" }, /* 14 */
{ 2, TF, sys_chmod, "chmod" }, /* 15 */
{ 3, TF, sys_chown, "lchown" }, /* 16 */
{ 2, TF, sys_oldstat, "oldstat" }, /* 18 */
{ 5, TF, sys_mount, "mount" }, /* 21 */
{ 1, TF, sys_umount, "oldumount" }, /* 22 */
{ 2, TF, sys_utime, "utime" }, /* 30 */
{ 2, TF, sys_access, "access" }, /* 33 */
{ 2, TF, sys_rename, "rename" }, /* 38 */
{ 2, TF, sys_mkdir, "mkdir" }, /* 39 */
{ 1, TF, sys_rmdir, "rmdir" }, /* 40 */
{ 1, TF, sys_acct, "acct" }, /* 51 */
{ 2, TF, sys_umount2, "umount" }, /* 52 */
{ 1, TF, sys_chroot, "chroot" }, /* 61 */
{ 2, TF, sys_symlink, "symlink" }, /* 83 */
{ 2, TF, sys_oldlstat, "oldlstat" }, /* 84 */
{ 3, TF, sys_readlink, "readlink" }, /* 85 */
{ 1, TF, sys_uselib, "uselib" }, /* 86 */
{ 2, TF, sys_swapon, "swapon" }, /* 87 */
{ 2, TF, sys_truncate, "truncate" }, /* 92 */
{ 2, TF, sys_statfs, "statfs" }, /* 99 */
{ 2, TF, sys_stat, "stat" }, /* 106 */
{ 2, TF, sys_lstat, "lstat" }, /* 107 */
{ 1, TF, sys_swapoff, "swapoff" }, /* 115 */
{ 4, TF, sys_quotactl, "quotactl" }, /* 131 */
{ 3, TF, sys_chown, "chown" }, /* 182 */
{ 2, TF, sys_getcwd, "getcwd" }, /* 183 */
{ 3, TF, sys_truncate64, "truncate64" }, /* 193 */
{ 2, TF, sys_stat64, "stat64" }, /* 195 */
{ 2, TF, sys_lstat64, "lstat64" }, /* 196 */
{ 3, TF, sys_chown, "lchown32" }, /* 198 */
{ 3, TF, sys_chown, "chown32" }, /* 212 */
{ 2, TF, sys_pivotroot, "pivot_root" }, /* 217 */
{ 5, TF, sys_setxattr, "setxattr" }, /* 226 */
{ 5, TF, sys_setxattr, "lsetxattr" }, /* 227 */
{ 4, TF, sys_getxattr, "getxattr" }, /* 229 */
{ 4, TF, sys_getxattr, "lgetxattr" }, /* 230 */
{ 3, TF, sys_listxattr, "listxattr" }, /* 232 */
{ 3, TF, sys_listxattr, "llistxattr" }, /* 233 */
{ 2, TF, sys_removexattr, "removexattr" }, /* 235 */
{ 2, TF, sys_removexattr, "lremovexattr" }, /* 236 */
{ 3, TF, sys_statfs64, "statfs64" }, /* 268 */
{ 2, TF, sys_utimes, "utimes" }, /* 271 */
{ 4, TD|TF, sys_openat, "openat" }, /* 295 */
{ 3, TD|TF, sys_mkdirat, "mkdirat" }, /* 296 */
{ 4, TD|TF, sys_mknodat, "mknodat" }, /* 297 */
{ 5, TD|TF, sys_fchownat, "fchownat" }, /* 298 */
{ 3, TD|TF, sys_futimesat, "futimesat" }, /* 299 */
{ 4, TD|TF, sys_newfstatat, "fstatat64" }, /* 300 */
{ 3, TD|TF, sys_unlinkat, "unlinkat" }, /* 301 */
{ 4, TD|TF, sys_renameat, "renameat" }, /* 302 */
{ 5, TD|TF, sys_linkat, "linkat" }, /* 303 */
{ 3, TD|TF, sys_symlinkat, "symlinkat" }, /* 304 */
{ 4, TD|TF, sys_readlinkat, "readlinkat" }, /* 305 */
{ 3, TD|TF, sys_fchmodat, "fchmodat" }, /* 306 */
{ 3, TD|TF, sys_faccessat, "faccessat" }, /* 307 */
{ 4, TD|TF, sys_utimensat, "utimensat" }, /* 320 */
{ 6, TD|TF, sys_fanotify_mark, "fanotify_mark" }, /* 339 */
{ 5, TD|TF, sys_name_to_handle_at, "name_to_handle_at"}, /* 341 */
{ 5, TD|TF, sys_renameat2, "renameat2" }, /* 353 */
TF
stands for file related class of system calls used by strace
.
Note that this example list is for i386 architecture. The list might be different for other platforms.
And long names for classes:
/* Define these shorthand notations to simplify the syscallent files. */
#define TD TRACE_DESC
#define TF TRACE_FILE
#define TI TRACE_IPC
#define TN TRACE_NETWORK
#define TP TRACE_PROCESS
#define TS TRACE_SIGNAL
#define TM TRACE_MEMORY
#define NF SYSCALL_NEVER_FAILS
#define MA MAX_ARGS
#define SI STACKTRACE_INVALIDATE_CACHE
#define SE STACKTRACE_CAPTURE_ON_ENTER
Best Answer
You are correct, there is no history available.
In case it is not obvious, the output shows that the process is in a
poll
call, waiting for input from file descriptors 3 and 6. Runningls -l /proc/195/fd
should show what these descriptors are connected to.