How to track child process using strace?

Question

I used strace to attach to a process briefly. The process created 90 threads. When I found the offending thread, I had to tediously search for the parent thread

Answer 1

To capture traffic for a single process you can use strace, as @stackmate suggested.

strace -f -e trace=network -s 10000 -p <PID>;

or output it to a file.

strace -f -e trace=network -s 10000 -o dumpfile -p <PID>

-f for all forked process, -s for string size to print, and -o to dump the output to a file.

Answer 2

I can't see an easy way:

You could use the -ff option with -o filename to produce multiple files (one per pid).

eg:

strace -o process_dump -ff ./executable
grep clone process_dump*

that would help you see which parent created what. Maybe that would help you - at least then you could search backwards.

Answer 3

strace -f to trace child process that's fork()ed.

Answer 4

There is a perl script called strace-graph. Here is a version from github. It is packaged with crosstool-ng versions of compilers. It works for me even used cross platform.

ARM Linux box.

$ ./strace -f -q -s 100 -o app.trc -p 449
$ tftp -pr app.trc 172.0.0.133

X86_64 Linux box.

$ ./strace-graph /srv/tftp/app.trc 
 (anon)
  +-- touch /tmp/ppp.sleep
  +-- killall -HUP pppd
  +-- amixer set Speaker 70%
  +-- amixer set Speaker 70%
  +-- amixer set Speaker 70%
  +-- amixer set Speaker 70%
  +-- amixer set Speaker 50%
  +-- amixer set Speaker 70%
  `-- amixer set Speaker 50%

The output can be used to help navigate the main trace log.