
I am trying to use strace to sniff a Unix domain socket.

I run a process that has multiple file descriptors, and some of them are used with the recvmsg system call. But I want to sniff only a specific file descriptor, such as 1, so I ran the command below:

    strace -e trace=recvmsg -p 27366 -e recvmsg=1

But strace showed this error. How can I solve this problem?

    strace: invalid system call 'recvmsg=1'

2 Answers

Use -e read=fd instead of -e recvmsg=fd.

recvmsg is a kind of read.

Example:

    $ cat foo.c
    #include <sys/socket.h>
    #include <unistd.h>
    #include <err.h>
    int main(void){
            char buf[512];
            int fd[2];
            struct iovec iov = { buf, sizeof buf };
            struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
            if(socketpair(AF_UNIX, SOCK_DGRAM, 0, fd)) err(1, "socketpair");
            write(fd[0], "foo\n", 4);
            recvmsg(fd[1], &msg, 0);
    }
    $ cc -s -Wall foo.c -o foo
    $ strace -e trace=recvmsg -e read=all ./foo
    recvmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="foo\n", iov_len=512}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 4
     * 4 bytes in buffer 0
     | 00000  66 6f 6f 0a                                       foo.             |
    +++ exited with 0 +++

Adding a late answer. While it wasn't available at the time this question was asked, it seems that current versions of strace (>= 6.3) allow setting one or more FDs to watch.

From the manpage:

    -e trace-fd=set
    -e trace-fds=set
    -e fd=set
    -e fds=set
    --trace-fds=set
            Trace only the syscalls that operate on the specified subset of
            (non-negative) file descriptors. Note that usage of this option
            also filters out all the syscalls that do not operate on file
            descriptors at all. Applies in (inclusive) disjunction with the
            --trace-path option.

Release notes: https://github.com/strace/strace/releases/tag/v6.3
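
On strace builds older than 6.3, where `--trace-fds` is not available, a saved trace can be post-filtered by descriptor instead. The script below is an added example, not code from either answer or from the strace project; the name `filter_fd` is hypothetical, the sample trace is constructed, and it assumes strace's default text output (optionally with `-f` pid prefixes) with hex-dump lines carrying no pid prefix.

```python
import re

# Assumed input: strace's default text output, optionally with the pid prefix
# that -f adds ("[pid N] " on the terminal, "N " in an -o file).
PREFIX = r'^(?:\[pid\s+(\d+)\]\s+|(\d+)\s+)?'
CALL = re.compile(PREFIX + r'(\w+)\((\d+)[,)<]')
RESUMED = re.compile(PREFIX + r'<\.\.\. (\w+) resumed>')
DUMP = re.compile(r'^\s+[*|] ')  # hex-dump lines printed by -e read= / -e write=

def filter_fd(lines, fd, syscall="recvmsg"):
    """Keep `syscall` records whose first argument is `fd`, plus their dumps."""
    kept, pending, keeping = [], set(), False
    for line in lines:
        if DUMP.match(line):          # a dump belongs to the preceding record
            if keeping:
                kept.append(line)
            continue
        keeping = False
        call, resumed = CALL.match(line), RESUMED.match(line)
        if call and call.group(3) == syscall and int(call.group(4)) == fd:
            keeping = True
            if line.rstrip().endswith("<unfinished ...>"):
                pending.add(call.group(1) or call.group(2))
        elif resumed and resumed.group(3) == syscall:
            pid = resumed.group(1) or resumed.group(2)
            if pid in pending:        # the fd is only shown on the first half
                pending.discard(pid)
                keeping = True
        if keeping:
            kept.append(line)
    return kept

# Constructed sample trace (not captured from a real process).
SAMPLE = r'''[pid  2101] recvmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="ping", iov_len=512}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 4
[pid  2101] recvmsg(4,  <unfinished ...>
[pid  2102] recvmsg(5, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="hi", iov_len=512}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 2
 * 2 bytes in buffer 0
 | 00000  68 69                                             hi               |
[pid  2102] read(4, "x", 1) = 1
[pid  2101] <... recvmsg resumed>{msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="foo\n", iov_len=512}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 4
 * 4 bytes in buffer 0
 | 00000  66 6f 6f 0a                                       foo.             |
'''.splitlines()

if __name__ == "__main__":
    print("\n".join(filter_fd(SAMPLE, 4)))
```
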
