#syscalls #strace #half #intent #goes #process #page

app intentrace

intentrace is strace with intent, it goes all the way for you instead of half the way

11 unstable releases (3 breaking)

new 0.4.1 Dec 17, 2024
0.4.0 Dec 15, 2024
0.3.2 Dec 1, 2024
0.3.1 Nov 27, 2024
0.1.2 Oct 29, 2024

#66 in Unix APIs

Download history 191/week @ 2024-10-25 144/week @ 2024-11-01 395/week @ 2024-11-08 177/week @ 2024-11-15 134/week @ 2024-11-22 146/week @ 2024-11-29 69/week @ 2024-12-06 240/week @ 2024-12-13

596 downloads per month

MIT license

2MB
13K SLoC

Intentrace

About

intentrace is a strace for everyone, intentrace works similarly to strace in that it intercepts and records the system calls which are called by a process, it then reasons through these syscalls by consulting an enormous backlog of handwritten syscall deductions. Due to the fact that linux syscalls almost always have dual usage that's obfuscated by libraries, seeing what a syscall is exactly asking for is immensely useful when e.g. a programmer is debugging a crashing binary.

Intentrace Example

Intentrace follows a similar working methodology to the one employed by the UniKraft kernel in that it attempts to cover a high percentage of the most popular linux software despite supporting only around 166 syscalls out of the 380+ linux syscalls (see page 8 of the Unikraft Paper for an example of strategic syscall coverage: https://arxiv.org/pdf/2104.12721). It's planned eventually for intentrace to cover all linux syscalls.

Usage

to quickly see how intentrace works in action, you can run simple examples

intentrace ls

intentrace google-chrome

to disable program output from cluttering the syscall feed add -q

intentrace -q ls

to include the child processes of multi-threaded programs add -f

intentrace -f docker run alpine

Parameter Description Default value
-c
--summary
provide a summary table at the end of tracing false
-p pid
--attach pid
attach to an already running proceess not enabled
-f
--follow-forks
trace child process when traced programs create them false
-z
--failed-only
only print failed syscalls false
-q
--mute-stdout
mute traced program's std output false

Installation

Build from source

Prerequisites:

  • Latest stable version of Rust and Cargo.

Build and run intentrace:

git clone https://github.com/sectordistrict/intentrace.git
cd intentrace
cargo build --release

Install from crates.io:

cargo install intentrace

Package Manager Availability

Packaging status

Project status

intentrace is currently in beta, currently multi-threaded programs are a hit and miss.

intentrace was originally intended to be a 2 window TUI, where a top panel shows a normal stream of syscalls, and a bottom panel containing metadata and explanation, however this was abandoned in favor of the current scheme.

Supported architecture

intentrace currently only supports x86-64, given that the program is currently in beta, PRs for cross compatibility will unfortunately not be accepted until the program is stable enough.

Contributing

Support intentrace by contributing issues and PRs, don't feel discouraged from filing issues or creating PRs. Reading the source is a great way to learn how linux works.

Feel free to file issues and open Pull Requests. Issues and PRs can contain and involve:

  • better wording.
  • suggestions for granularity.
  • suggestions for fixes.
  • etc.. there are no rules, feel free to contribute as you see fit.

Dependencies

~12–22MB
~339K SLoC