In the previous article the strace command observed, today we are going to understand how the strace tool works and write a simple system tracer program to trace system calls of ls program.
At first let strace the ls program
strace -o ls.strace ls
To know which system calls the strace uses lets run it on itself.
strace -o strace.strace strace ls
As we can see the strace use a lot of system calls, but the one of them (ptrace) appears a lot in the log. The ptrace provides a means to get information from the child process (see man ptrace).The following simple program uses the ptrace to trace system calls of ls program
We also need to know the names of system calls by their syscall number. We can extract that information from the sources of strace. The file "strace-4.6/linux/x86_64/syscallent.h" contains the information that we need, we can parse it and get the list of system calls arranged by syscall number (see the instructions in the sources).