How do I use truss?
truss is a command that is used to track system calls and signals.
The simplest way to use it is have it run the command.
$ truss ls
execve("/usr/bin/ls", 0xFFBEEC6C, 0xFFBEEC74) argc = 1
mmap(0x00000000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xFF3A0000
resolvepath("/usr/lib/ld.so.1", "/usr/lib/ld.so.1", 1023) = 16
stat("/usr/bin/ls", 0xFFBEE9A8) = 0
open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libc.so.1", O_RDONLY) = 3
fstat(3, 0xFFBEE33C) = 0
mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF390000
mmap(0x00000000, 786432, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF280000
mmap(0xFF338000, 24720, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 688128) = 0xFF338000
munmap(0xFF328000, 65536) = 0
memcntl(0xFF280000, 112632, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(3) = 0
open("/usr/lib/libdl.so.1", O_RDONLY) = 3
fstat(3, 0xFFBEE33C) = 0
mmap(0xFF390000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xFF390000
close(3) = 0
open("/usr/platform/SUNW,Ultra-Enterprise/lib/libc_psr.so.1", O_RDONLY) = 3
fstat(3, 0xFFBEE1CC) = 0
mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF380000
mmap(0x00000000, 16384, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF370000
close(3) = 0
munmap(0xFF380000, 8192) = 0
The first part shows the as the application is loading shared libraries and mmapping the files into
memory.
brk(0x00024C98) = 0
brk(0x00026C98) = 0
time() = 1023238401
ioctl(1, TCGETA, 0xFFBEEB94) = 0
ioctl(1, TIOCGWINSZ, 0x0002472A) = 0
brk(0x00026C98) = 0
brk(0x0002EC98) = 0
lstat64(".", 0xFFBEEB10) = 0
open64(".", O_RDONLY|O_NDELAY) = 3
fcntl(3, F_SETFD, 0x00000001) = 0
fstat64(3, 0xFFBEEA50) = 0
brk(0x0002EC98) = 0
brk(0x00030C98) = 0
getdents64(3, 0x0002EBD0, 1048) = 1032
getdents64(3, 0x0002EBD0, 1048) = 1040
getdents64(3, 0x0002EBD0, 1048) = 1040
brk(0x00030C98) = 0
brk(0x00038C98) = 0
getdents64(3, 0x0002EBD0, 1048) = 1016
The next part shows the application opening "." and reading the directory entries.
..
prot12239.tmp prot27715.tmp workshop.cc.sparc.2.1004.5.00
write(1, " p r o t 1 2 2 3 9 . t m".., 104) = 104
prot12245.tmp prot27716.tmp workshop.cc.sparc.2.163.5.00
write(1, " p r o t 1 2 2 4 5 . t m".., 103) = 103
prot12275.tmp prot27862.tmp workshop.cc.sparc.2.240.5.00
write(1, " p r o t 1 2 2 7 5 . t m".., 103) = 103
prot12281.tmp prot27883.tmp workshop.cc.sparc.2.255.5.00
write(1, " p r o t 1 2 2 8 1 . t m".., 103) = 103
prot12293.tmp prot2789.tmp workshop.cc.sparc.2.288.5.00
write(1, " p r o t 1 2 2 9 3 . t m".., 103) = 103
prot12320.tmp prot27966.tmp workshop.cc.sparc.2.420.5.00
write(1, " p r o t 1 2 3 2 0 . t m".., 103) = 103
prot12325.tmp prot2811.tmp workshop.cc.sparc.2.440.5.00
write(1, " p r o t 1 2 3 2 5 . t m".., 103) = 103
prot12329.tmp prot28283.tmp workshop.cc.sparc.2.468.5.00
write(1, " p r o t 1 2 3 2 9 . t m".., 103) = 103
prot12335.tmp prot28287.tmp workshop.cc.sparc.2.510.5.00
write(1, " p r o t 1 2 3 3 5 . t m".., 103) = 103
prot12336.tmp prot28299.tmp workshop.cc.sparc.2.517.5.00
write(1, " p r o t 1 2 3 3 6 . t m".., 103) = 103
prot12337.tmp prot28310.tmp workshop.cc.sparc.2.608.5.00
write(1, " p r o t 1 2 3 3 7 . t m".., 103) = 103
prot12338.tmp prot28435.tmp workshop.cc.sparc.2.688.5.00
write(1, " p r o t 1 2 3 3 8 . t m".., 103) = 103
prot12347.tmp prot28774.tmp workshop.cc.sparc.2.689.5.00
write(1, " p r o t 1 2 3 4 7 . t m".., 103) = 103
prot12398.tmp prot28882.tmp workshop.cc.sparc.2.725.5.00
write(1, " p r o t 1 2 3 9 8 . t m".., 103) = 103
prot12404.tmp prot28897.tmp workshop_install-tmpdir.22309
write(1, " p r o t 1 2 4 0 4 . t m".., 104) = 104
llseek(0, 0, SEEK_CUR) = 590008
_exit(0)
$
And the end shows it writing the contents of the directory to screen.
If you want to track only one system call use the -t option.
$ truss -topen ls
open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libc.so.1", O_RDONLY) = 3
open("/usr/lib/libdl.so.1", O_RDONLY) = 3
open("/usr/platform/SUNW,Ultra-Enterprise/lib/libc_psr.so.1", O_RDONLY) = 3
open64(".", O_RDONLY|O_NDELAY) = 3
...
truss or a truss-like tool is available on most UNIX platforms.
The following is a list of the useful options and the name of the truss tool for each OS.
truss
-p pid attach to process
-tsystem calls trace only these system calls
-t!system calls ignore these system calls
-ssystem calls trace only these signals
-s!system calls ignore these signals
-rfile descriptors show data buffers for these descriptors ( -rall will show all)
-wfile descriptors show data buffers for these descriptors ( -wall will show all)
-f follow forks
-a show arguments from exec
-e show environment from exec
truss (SunOS, Solaris)
usage: truss [-fcaeildD] [-[tTvx] [!]syscalls] [-[sS] [!]signals] \
[-[mM] [!]faults] [-[rw] [!]fds] [-[uU] [!]libs:[:][!]functs] \
[-o outfile] command | -p pid ...
tusc (HPUX 11)
usage: tusc [-] -OR-
-a: show exec arguments
-A: append to output file
-c: count syscalls instead of printing trace
-d [+][!][fd | all]: select only syscalls using fd
-e: show environment variables
-E: show syscall entries
-f: follow forks
-F: show kernel's ttrace feature level
-g: don't attach to members of my session
-h: show state of all processes when idle
-i: don't display interruptible syscalls
-I start[/stop]: single-step and show instructions
-k: keep alive (wait for *all* processes)
-l: print lwpids
-n: print process names
-o [file|fd]: send trace output to file or fd
-p: print pids
-Q: be quiet about some warnings
-r [!][fd | all]: dump read buffers
-R: show syscall restarts
-s [!]syscalls: [un]select these syscalls
-S [!]signals: [un]select these signals
-t: detach process if it becomes traced
-T timestamp: print time stamps
-u: print user thread IDs (pthreads)
-v: verbose (some system calls only)
-V: print version
-w [!][fd | all]: dump write buffers
-x: print raw (hex) arguments
trace (OSF1, alpha)
Usage: trace [-f] [-P] [-o outfile] [-O outfile_template] [-s string_length] command [arguments]
trace [-f] [-P] [-o outfile] [-O outfile_template] [-s string_length] -p pid
truss (FreeBSD)
usage: truss [-S] [-o file] -p pid
truss [-S] [-o file] command [args]
strace (Linux)
truss (SCO, PowerMAX)
