How to Trace System Calls with htop and strace?

Monitoring a running process in Linux often requires identifying the exact system calls it makes to the kernel. While strace is the standard command-line utility for this task, navigating process IDs (PIDs) manually can be cumbersome. The htop interactive process viewer solves this by allowing users to select any running process from a real-time visual list and immediately attach strace with a single keystroke. This article provides a quick guide on how to configure, initiate, and navigate system call tracing directly from within the htop interface.

Prerequisites and Permissions

Before using strace inside htop, you must ensure both utilities are installed and that your user account has the necessary permissions to attach to running processes.

• Installation: Most modern Linux distributions include htop by default, but strace might need to be installed manually via your package manager (e.g., sudo apt install strace or sudo dnf install strace).
• Privileges: Tracing system calls requires elevated privileges. You should either run htop as the root user (sudo htop) or configure your system’s security settings to allow non-root ptrace operations.
• Kernel Restrictions: On many modern Linux distributions, a security feature called Yama restricts the use of ptrace. If you cannot trace processes owned by your own user, you may need to temporarily adjust the ptrace_scope sysctl variable by running: sudo sysctl -w kernel.yama.ptrace_scope=0

Initiating strace from htop

Once the prerequisites are met, launching the trace takes only a few keystrokes.

1. Launch htop: Open your terminal and start the utility by typing sudo htop.
2. Locate the Target Process: Use the arrow keys to scroll through the process list, or press F3 (or /) to open the search bar and type the name of the process you want to monitor.
3. Trigger the Trace: Highlight the desired process and press s on your keyboard.

The htop interface will immediately pause and open a nested window displaying a live feed of the system calls, arguments, and return values generated by the selected process.

Navigating the strace Window

The embedded strace view inside htop provides basic controls to analyze the output in real time without cluttering your terminal history.

• Pausing the Output: System calls can generate text at an overwhelming speed. You can press the Spacebar at any time to freeze the output scroll, allowing you to read specific lines. Pressing the Spacebar again resumes the live feed.
• Clearing the Screen: If you want to wipe the current history to watch for a specific upcoming event or user action in the target application, press c.
• Exiting the Trace: When you are finished monitoring the system calls, press q or F10 to safely detach strace from the process and return to the main htop process monitoring screen.