May 29, 2013

When debugging system behaviour, it can be very useful to see what the inputs and/or outputs of a process are: to read its STDIN and STDOUT filehandles. It can be handy to know what’s being printed to an unseen screen, particularly if there is no log file, or to snoop on what a user is typing. This is yet another way of using the Swiss Army knife that is strace.

In its most basic form, with few options, strace can print out every system call that a process makes, and if the “-f” or “-ff” switches are used, also print out all the system calls from the child processes that the process forks. Like this:

  # strace -f -p <PID>

This provides far too much information though, so it’s often desirable to run strace with filter expressions to narrow the search down, specified with the “-e” switch. The man page provides an exhaustive list of these filters.

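To specify a filter for reading STDIN, STDOUT and STDERR, trace only the read and write calls and dump the data passing through file descriptors 0, 1 and 2. The following expression will do the trick:

  # strace -ff -e trace=read,write -e read=0 -e write=1,2 -p <PID>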

Make use of this how you will.
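The quoted string on each syscall line is truncated by default, so the full data is in the hex dump lines that the `-e read=` and `-e write=` options add. The following is an added example, not part of the original post: it rebuilds the byte stream per process and file descriptor from saved strace output. The sample text is constructed and assumes strace's usual dump layout (offset, up to 16 hex bytes, then an ASCII column).

```python
import re
from collections import defaultdict

# Constructed sample, modelled on strace's "-e read= / -e write=" dump layout.
SAMPLE = r'''strace: Process 4242 attached
[pid  4242] read(0, "ls -l\n", 1024) = 6
 | 00000  6c 73 20 2d 6c 0a                                 ls -l.           |
[pid  4242] write(1, "be ef: status ok\ndone\n", 22) = 22
 | 00000  62 65 20 65 66 3a 20 73  74 61 74 75 73 20 6f 6b  be ef: status ok |
 | 00010  0a 64 6f 6e 65 0a                                 .done.           |
[pid  4243] write(2, "warn\n", 5) = 5
 | 00000  77 61 72 6e 0a                                    warn.            |
'''

# Syscall line: optional "[pid N]" prefix, then read/write and the descriptor.
SYSCALL = re.compile(r'^(?:\[pid\s+(\d+)\]\s+)?(?:read|write)\((\d+),')
# Dump line: offset, then at most 16 hex pairs each followed by 1-2 spaces.
# The cap of 16 and the space limit keep the ASCII column from being read
# as data, even when it looks like hex ("be ef" in the sample).
DUMP = re.compile(r'^\s*\|\s+[0-9a-f]{5,}\s+((?:[0-9a-f]{2} {1,2}){1,16})')


def reassemble(lines):
    """Return {(pid, fd): bytes} rebuilt from strace hex dump lines."""
    streams = defaultdict(bytearray)
    current = None  # (pid, fd) of the most recent read/write line
    for line in lines:
        dump = DUMP.match(line)
        if dump and current is not None:
            streams[current] += bytes.fromhex(dump.group(1))
            continue
        call = SYSCALL.match(line)
        # Any other line (banner, signal, exit) ends the current dump.
        current = (call.group(1) or "-", int(call.group(2))) if call else None
    return {key: bytes(buf) for key, buf in streams.items()}


if __name__ == "__main__":
    for (pid, fd), data in sorted(reassemble(SAMPLE.splitlines()).items()):
        print(f"pid={pid} fd={fd}: {data!r}")
```

Lines without a `[pid N]` prefix, as produced when a single process is traced, are grouped under the placeholder pid `-`.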

Matt Parsons is a freelance Linux specialist who has designed, built and supported Unix and Linux systems in the finance, telecommunications and media industries.

He lives and works in London.
