9

The Linux utility "strace" shows the list of syscalls that started after strace was run. How can I see the syscall that a process is running at the current moment, from before strace was started?

2
  • 1
    You open a console window and start typing /usr/sbin.... dang the current time is over, it's already the next moment! Missed it! Next time start a couple of moments earlier than the current time! Commented Mar 8, 2017 at 17:20
  • I agree. I will reformulate my question: how to see the system calls that are currently being executed by the process? Commented Mar 8, 2017 at 18:11

3 Answers

8

proc offers some information about what the kernel is currently doing "for" a process:

/proc/${pid}/syscall
/proc/${pid}/stack

More information:
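As an added example (not part of the original answer), this script decodes the /proc/${pid}/syscall format documented in proc(5): the syscall number, six argument registers, then stack pointer and program counter, or "-1" or "running" when the task is not in a syscall. The function names, the sample lines and the short x86_64 number-to-name table are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: decode /proc/PID/syscall (format per proc(5)).
# Assumption: the name table lists only a few x86_64 syscall numbers that
# processes commonly block in; any other number is printed as syscall_<nr>.
syscall_name() {
    case "$1" in
        0) echo read ;; 1) echo write ;; 7) echo poll ;; 23) echo select ;;
        35) echo nanosleep ;; 61) echo wait4 ;; 202) echo futex ;;
        230) echo clock_nanosleep ;; 232) echo epoll_wait ;;
        270) echo pselect6 ;; 271) echo ppoll ;; 281) echo epoll_pwait ;;
        *) echo "syscall_$1" ;;
    esac
}

# decode_syscall_line "<one line as read from /proc/PID/syscall>"
decode_syscall_line() (
    set -f          # split into fields without glob expansion
    set -- $1
    case "${1:-}" in
        "")      echo "empty or unreadable"; exit 1 ;;
        running) echo "running (not blocked in the kernel)" ;;
        -1)      echo "blocked outside a syscall sp=$2 pc=$3" ;;
        *)  # nr, six argument registers, stack pointer, program counter
            [ "$#" -eq 9 ] || { echo "unexpected format"; exit 1; }
            echo "$(syscall_name "$1")($2, $3, $4, $5, $6, $7) sp=$8 pc=$9" ;;
    esac
)

# Every thread has its own file under task/; reads can be denied without
# sufficient privileges over the target (for example, when not root).
show_syscalls() {
    for f in /proc/"$1"/task/*/syscall; do
        line=$(cat "$f" 2>/dev/null) || continue
        tid=${f%/syscall}
        printf 'tid %s: %s\n' "${tid##*/}" "$(decode_syscall_line "$line")"
    done
}

# Constructed sample lines (not captured from a real process).
SAMPLE_READ="0 0x3 0x7ffd1c2b0e40 0x1000 0x0 0x0 0x0 0x7ffd1c2b0df8 0x7f3a5c10e8f2"
SAMPLE_NOSYS="-1 0x7ffd1c2b0df8 0x7f3a5c10e8f2"

if [ -n "${1:-}" ]; then
    show_syscalls "$1"
else
    for s in "$SAMPLE_READ" "$SAMPLE_NOSYS" running; do
        decode_syscall_line "$s"
    done
fi
```

Run with a PID as the only argument to decode every thread of a live process; with no argument it decodes the constructed samples.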


6

Assuming that you know the PID of the process, you can simply use strace to track all the syscalls being made in real time.

strace -p PID


1

You find that out using ps:

ps -p PID_OF_PROC -ocmd,stat,wchan

The wchan is the key here. From man ps:

wchan    WCHAN    name of the kernel function in which the process is sleeping, a "-" if the process is running, or a "*" if the process is multi-threaded and ps is not displaying threads.

PROCESS STATE CODES

Here are the different values that the s, stat and state output specifiers (header "STAT" or "S") will display to describe the state of a process:

           D    uninterruptible sleep (usually IO)
           R    running or runnable (on run queue)
           S    interruptible sleep (waiting for an event to complete)
           T    stopped by job control signal
           t    stopped by debugger during the tracing
           W    paging (not valid since the 2.6.xx kernel)
           X    dead (should never be seen)
           Z    defunct ("zombie") process, terminated but not reaped by its parent

  For BSD formats and when the stat keyword is used, additional characters may be displayed:

          <    high-priority (not nice to other users)
          N    low-priority (nice to other users)
          L    has pages locked into memory (for real-time and custom IO)
          s    is a session leader
          l    is multi-threaded (using CLONE_THREAD, like NPTL pthreads do)
          +    is in the foreground process group

4 Comments

Useful, but kernel function and syscall are not necessarily the same.
@GL2014 True, but this is all you can get from ps.
PS: Just saw the accepted answer in this thread, looks like that's the way to go
wchan is the top frame of what is shown in /proc/pid/stack (when the process is not in TASK_RUNNING state)
