Trace System Calls With strace and BPF
Last update 2 weeks ago. Created on the 23rd of March 2026.

Every Abstraction Eventually Leaks

Your Nextcloud container is a Go binary compiled from source, running on a glibc runtime, making calls to a Linux kernel, on hardware with its own firmware. When something fails with a cryptic error message, the most reliable way to find the actual cause is to go to the boundary between userspace and kernel space — the system call interface — and watch what the process is asking the kernel to do. Every file read, every network connection, every memory allocation goes through a syscall. strace puts you at that boundary in real time.

"

Every abstraction eventually leaks — strace is how you see through it.

"
KaiRenner
KaiRenner
24th of March 2026

Understand What a System Call Is

User programs cannot directly access hardware, write to disk, or open network connections. The Linux kernel provides a stable interface — the system call ABI — through which programs request these privileged operations. On x86-64, a program places a sysca
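To see the boundary the text describes from the userspace side, here is an added example (not code from the original article) that makes two system calls by number through libc's syscall(2) wrapper instead of through the usual getpid()/open() wrappers. The syscall numbers are architecture-specific; the small table below is an assumption that covers x86-64 and aarch64 only, and the "nonexistent" path used at the bottom is constructed. The second call deliberately fails so you can see the same `-1 ENOENT` that strace prints for it.

```python
"""Added example: raw system calls from Python via libc's syscall(2).

On x86-64 the convention the kernel expects is: syscall number in rax,
arguments in rdi, rsi, rdx, r10, r8, r9, the `syscall` instruction, and the
result back in rax. A failure is returned as a negative errno; libc's
syscall() wrapper turns that into -1 plus errno, which is what we read back.
"""
import ctypes
import ctypes.util
import errno
import os
import platform

# (getpid, openat) numbers per architecture. Assumption: this matches the
# unistd.h of the kernel you run on; other architectures are refused.
_NUMBERS = {
    "x86_64": (39, 257),
    "aarch64": (172, 56),
}
AT_FDCWD = -100   # openat(2): resolve relative paths against the cwd
O_RDONLY = 0

_libc = ctypes.CDLL(ctypes.util.find_library("c") or "libc.so.6", use_errno=True)
_libc.syscall.restype = ctypes.c_long   # long syscall(long number, ...)


def _nr(which: int) -> int:
    """Pick the syscall number for this machine, or refuse loudly."""
    arch = platform.machine()
    if platform.system() != "Linux" or arch not in _NUMBERS:
        raise RuntimeError(f"no syscall table here for {platform.system()}/{arch}")
    return _NUMBERS[arch][which]


def raw_getpid() -> int:
    """getpid(2) with nothing but the number: no arguments at all."""
    return _libc.syscall(ctypes.c_long(_nr(0)))


def getpid_matches_libc() -> bool:
    """Sanity check: the raw call and the libc wrapper agree."""
    return raw_getpid() == os.getpid()


def raw_openat(path: str, flags: int = O_RDONLY) -> tuple:
    """openat(2) by number. Returns (fd, 0) on success, (-1, errno) on failure."""
    ret = _libc.syscall(ctypes.c_long(_nr(1)), ctypes.c_long(AT_FDCWD),
                        ctypes.c_char_p(path.encode()), ctypes.c_long(flags))
    if ret == -1:
        return -1, ctypes.get_errno()
    return ret, 0


def describe_openat(path: str) -> str:
    """Render the call the way strace would print it, then release the fd."""
    fd, err = raw_openat(path)
    if fd == -1:
        return f'openat(AT_FDCWD, "{path}", O_RDONLY) = -1 {errno.errorcode[err]}'
    os.close(fd)
    return f'openat(AT_FDCWD, "{path}", O_RDONLY) = {fd}'


if __name__ == "__main__":
    print("raw getpid:", raw_getpid(), " os.getpid:", os.getpid())
    print(describe_openat("/"))
    # constructed path that does not exist, to provoke ENOENT
    print(describe_openat("/nonexistent/constructed/path"))
```

Run it once plainly and once under `strace -e trace=openat python3 script.py`: the line strace prints for the failing call is the same string this script builds itself, which is the point of the exercise.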

Attach strace to a Running Process

Install strace: sudo apt install strace. Find the PID of the process you want to trace: ps aux | grep your-process-name. Attach strace to it: sudo strace -p 1234, where 1234 is the PID. strace will print each syscall the process makes as it happens: the s

Read strace Output for a Web Request

When you strace a process making an HTTP request, you see the full sequence: socket(AF_INET, SOCK_STREAM, 0) creates a TCP socket and returns a file descriptor number. connect(fd, {sa_family=AF_INET, sin_addr="93.184.216.34"}, 16) initiates the TCP connec

Understand Why strace Has an Overhead Problem

strace uses the ptrace kernel mechanism, which works by stopping the traced process before and after every syscall so the tracer can inspect it. This stop-and-start adds significant latency to every syscall — traced processes run five to ten times slower

Get Started with eBPF and bpftrace

eBPF is a kernel facility that lets you run small verified programs at specific hook points inside the kernel with near-zero overhead. Unlike ptrace, eBPF programs do not stop the traced process — they run asynchronously in a kernel buffer and collect dat

Debug a Docker Container That Fails to Start

A Docker container that exits immediately after starting is a common frustrating problem. The logs might show nothing useful. Use strace to find the actual cause: run docker run --rm your-image your-binary under strace with strace -f -e trace=file,process
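Reading a trace by eye works for a handful of lines; for the two questions raised above (what did the HTTP request actually do on the wire, and which call made a process bail out before it logged anything), a small parser helps. The following is an added example, not code from the article: it parses strace output of the `-f -o trace.log` shape (PID prefix, no timestamps), follows each socket file descriptor from socket() to close(), and reports the first failing call before the exit status. The log it runs on is constructed; the binary path, the config file name and the peer address are made up, the address being the one the article itself uses.

```python
"""Added example: parse strace output to answer two questions from the text:
which connection did a request use, and what failed before the exit."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed log, shaped like `strace -f -o trace.log /app/server` output.
LOG = """\
4711 execve("/app/server", ["/app/server"], 0x7ffe1c2d3e40 /* 8 vars */) = 0
4711 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4711 close(3)                           = 0
4711 openat(AT_FDCWD, "/app/config.yaml", O_RDONLY) = -1 ENOENT (No such file or directory)
4711 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
4711 connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("93.184.216.34")}, 16) = 0
4711 write(4, "GET / HTTP/1.1\\r\\nHost: example.com\\r\\n\\r\\n", 37) = 37
4711 read(4, "HTTP/1.1 200 OK\\r\\n"..., 4096) = 1256
4711 close(4)                           = 0
4711 exit_group(1)                      = ?
4711 +++ exited with 1 +++
"""

# name(args) = ret [ERRNO (text)]; the pid prefix is optional so plain
# `strace` output (no -f) parses too.
_CALL = re.compile(
    r"^(?:(?P<pid>\d+)\s+)?(?P<name>[a-z_0-9]+)\((?P<args>.*)\)\s*=\s*"
    r"(?P<ret>-?\d+|\?)(?:\s+(?P<err>E[A-Z0-9]+)\b.*)?$")
_EXIT = re.compile(r"^(?:(?P<pid>\d+)\s+)?\+\+\+ exited with (?P<status>\d+) \+\+\+$")
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


@dataclass
class Syscall:
    pid: int | None
    name: str
    args: str
    ret: int | None      # None for "?" (the call never returned, e.g. exit_group)
    err: str | None      # errno name such as ENOENT when ret == -1


def parse(log: str) -> tuple[list[Syscall], dict[int, int]]:
    """Syscalls in order, plus {pid: exit status}. Lines strace splits with
    <unfinished ...>/<... resumed> under -f, and signal lines, are skipped."""
    calls, exits = [], {}
    for line in log.splitlines():
        m = _EXIT.match(line)
        if m:
            exits[int(m["pid"] or 0)] = int(m["status"])
            continue
        m = _CALL.match(line)
        if not m:
            continue
        ret = None if m["ret"] == "?" else int(m["ret"])
        calls.append(Syscall(int(m["pid"]) if m["pid"] else None,
                             m["name"], m["args"], ret, m["err"]))
    return calls, exits


def failed(calls: list[Syscall]) -> list[Syscall]:
    return [c for c in calls if c.err]


def first_arg_path(c: Syscall) -> str | None:
    m = _QUOTED.search(c.args)
    return m.group(1) if m else None


def connections(calls: list[Syscall]) -> list[dict]:
    """Follow each socket fd from socket() to close(): peer and byte counts.
    Meant for a single PID's stream; fds are per process."""
    open_socks, done = {}, []
    for c in calls:
        if c.name == "socket" and c.ret is not None and c.ret >= 0:
            open_socks[c.ret] = {"fd": c.ret, "peer": None, "out": 0, "in": 0}
        fd = int(c.args.split(",", 1)[0]) if c.args[:1].isdigit() else None
        if fd not in open_socks:
            continue
        s = open_socks[fd]
        if c.name == "connect":
            ip = re.search(r'inet_addr\("([^"]+)"\)', c.args)
            port = re.search(r"htons\((\d+)\)", c.args)
            s["peer"] = f"{ip.group(1) if ip else '?'}:{port.group(1) if port else '?'}"
        elif c.name in ("write", "sendto", "sendmsg") and c.ret and c.ret > 0:
            s["out"] += c.ret
        elif c.name in ("read", "recvfrom", "recvmsg") and c.ret and c.ret > 0:
            s["in"] += c.ret
        elif c.name == "close":
            done.append(open_socks.pop(fd))
    return done + list(open_socks.values())


def diagnose(log: str) -> str:
    """The 'container exits immediately' question: what was exec'd, which
    call failed first, and with what exit status."""
    calls, exits = parse(log)
    execs = [c for c in calls if c.name == "execve" and c.ret == 0]
    binary = first_arg_path(execs[-1]) if execs else "<unknown>"
    status = next(iter(exits.values()), None)
    bad = failed(calls)
    if not bad:
        return f"{binary} made no failing syscalls; exit status {status}"
    f = bad[0]
    return (f"{binary}: first failure {f.name}({first_arg_path(f)!r}) -> {f.err}; "
            f"exit status {status}")


if __name__ == "__main__":
    calls, _ = parse(LOG)
    print(connections(calls))
    print(diagnose(LOG))
```

On the constructed log this reports one connection on fd 4 to 93.184.216.34:443 with 37 bytes out and 1256 in, and names the missing config file as the first failure before exit status 1. Feed it a real `strace -f -o` capture and the same two questions get answered for your binary; a failing call is not always the cause of an exit (programs probe optional files all the time), so treat the first failure as the place to start reading, not as the verdict.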

What Comes Next

System calls are the interface between your programs and the kernel — and the kernel itself is a massive piece of software with its own internal architecture. Processes, virtual memory, the scheduler, the VFS layer, the TCP stack — each is a subsystem worth understanding in its own right. The self-hosting rabbit hole goes all the way down.

Understand the Linux Kernel Architecture

A conceptual guide to how the Linux kernel is structured — the VFS, the scheduler, memory management, and how every system call you just traced eventually arrives here.