function::pstrace - Linux


pstrace is a powerful Linux command used to trace and debug processes by recording their system calls and other events. It can provide valuable insights into a process’s behavior, resource usage, and interactions with the system.


Syntax

pstrace [-a] [-e filter] [-g group] [-I interval] [-L length] [-M max] [-m min] [-o file] [-p pid | command] [-s sort] [-t] [-u user] [-V n] [-w] [-x events] [-z events]


Options

  • -a: Trace all processes.
  • -e filter: Filter events based on a specified expression (e.g., -e syscall:read).
  • -g group: Group events by specified criteria (e.g., -g pid).
  • -I interval: Set the sampling interval in microseconds (default: 0).
  • -L length: Specify the maximum length of the trace in bytes (default: 256 MB).
  • -M max: Set the maximum number of events to trace (default: unlimited).
  • -m min: Set the minimum number of events to trace (default: 0).
  • -o file: Save the trace to a specified file.
  • -p pid | command: Trace a specific process by PID or command name.
  • -s sort: Sort events by specified criteria (e.g., -s time).
  • -t: Trace the entire process tree of a specified PID.
  • -u user: Trace processes belonging to a specific user.
  • -V n: Specify the number of events to summarize per line (default: 1).
  • -w: Wait for the traced process to exit.
  • -x events: Exclude specified events from tracing.
  • -z events: Enable tracing of additional events (e.g., -z syscalls:all).


Examples

Simple Trace:

pstrace -p 1234

Filter Events by Syscall:

pstrace -e syscall:read

Group Events by PID:

pstrace -g pid

Save Trace to File:

pstrace -o trace.dat -p 1234

Common Issues

  • No output: Ensure that the traced process is running. Check if the -p option is specified correctly.
  • Truncated output: The trace length may have been exceeded. Use the -L option to increase the limit.
  • Permission denied: Make sure you have sufficient permissions to trace the process. Running pstrace as root may be necessary.


Combining with Other Commands

pstrace can be combined with other Linux commands to analyze results. For example:

  • Summarize Events: pstrace -p 1234 | awk '{print $1, $4}'
  • Filter Events by Duration: pstrace -p 1234 | grep "syscall:" | awk '{if ($2 > 10000) print}'

Related Commands

  • strace: Trace system calls and signals for a process.
  • ltrace: Trace library calls for a process.
  • ftrace: Trace kernel events and functions.