Question 1

How to trace sudo commands with tracexec?

Accepted Answer

Use 'sudo tracexec --user $(whoami) tui -t -- sudo ls' to trace setuid binaries. This requires root privileges and enables interactive TUI mode with pseudo-terminal for viewing nested executions and environment changes.

Question 2

tracexec vs strace for process execution debugging?

Accepted Answer

tracexec focuses solely on execve and execveat calls with cleaner output, Perfetto export, and TUI, while strace provides comprehensive system call tracing but with more verbose output. Choose tracexec for targeted exec analysis and visualization.

Question 3

Can tracexec trace all exec calls system-wide?

Accepted Answer

Yes, in experimental eBPF mode, use 'sudo -E tracexec ebpf tui' for system-wide exec tracing. However, this requires kernel 5.17+ and has limitations in detail capture, as noted in the known issues.

Question 4

How to export traces to Perfetto UI?

Accepted Answer

Run 'tracexec collect --format=perfetto -o out.pftrace -- cmd' to collect traces. Then, upload out.pftrace to perfetto.ui.dev to visualize the execution tree, identify bottlenecks, and analyze process parallelism.

Question 5

Is tracexec ready for production debugging?

Accepted Answer

Due to experimental features, output instability, and known issues like lossy string conversion, tracexec is better suited for development, analysis, and debugging in non-critical environments rather than production systems.

Question 6

What kernel version is needed for eBPF mode?

Accepted Answer

eBPF mode requires a minimum kernel version of 5.17. Check with 'uname -r' and ensure compatibility; older kernels will default to less performant tracing methods, especially for setuid binaries.

tracexec

What is tracexec?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Open Source Alternative To

Frequently Asked Questions