Essential Linux Tools for Binary Inspection, Debugging, and Performance Analysis
This guide introduces a set of Linux command-line utilities (nm, strings, strip, readelf, objdump, addr2line, gdb, ldd, strace, ltrace, time, gprof, oprofile, valgrind, mtrace) and the proc filesystem, which help developers inspect binary symbols, trace system calls, profile CPU usage, detect memory errors, and understand system logs during both compilation and runtime phases.
01 Overview
The article lists essential Linux tools for examining compiled binaries, tracing program execution, profiling performance, and inspecting system information.
Compilation Phase Tools
nm – displays symbol information (functions, variables) in a binary. Useful options: -C – demangle C++ symbols. -A – show the source file for each symbol. -a – list all symbols, including debugging symbols. -l – show source line numbers for defined symbols. -n – sort symbols by address. -u – list undefined symbols only.
strings – extracts printable string constants from a binary. Common options: -a – scan the entire file. -f – prefix each string with the file name. -n minlen – only print strings of at least minlen characters (default 4).
Example: strings <binary> | grep -E '^.{16}$' finds 16-character strings, useful for detecting leaked keys. (grep needs -E here; in basic regex syntax {16} is literal text, not a repeat count.)
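An added example (not from the original article) of the exact-length search above, run against a constructed sample file. It also runs the same pipeline without -E to show that the basic-regex form finds nothing. The function names and the embedded key are made up for the demonstration.

```shell
#!/bin/sh
# Added example: exact-length string search in a binary file.
# The sample file and the "key" inside it are constructed for this demo.

# Write a small fake binary: printable runs separated by NUL bytes.
make_sample() {
    printf 'hdr\0\0config=/etc/app/settings.conf\0CONSTRUCTEDKEY01\0short\0\001\002' > "$1"
}

# Print every printable run in file $1 that is exactly $2 characters long.
# strings -n drops shorter runs early; grep -E enforces the exact length.
fixed_len_strings() {
    strings -a -n "$2" "$1" | grep -E "^.{$2}\$" || true
}

# Same pipeline with basic-regex grep: "{16}" is matched as literal text,
# so no line qualifies and a real key would be missed.
fixed_len_strings_bre() {
    strings -a -n "$2" "$1" | grep "^.{$2}\$" || true
}

sample=$(mktemp)
make_sample "$sample"
echo "with -E:    $(fixed_len_strings "$sample" 16)"
echo "without -E: $(fixed_len_strings_bre "$sample" 16)"
rm -f "$sample"
```

The same check can be run in a build pipeline against release artifacts before they are published.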
strip – removes symbol tables from an executable to reduce size. Typically used after debugging is complete.
readelf – displays detailed ELF file information. Important options: -a – all ELF information. -h – ELF header. -l – program headers and segment layout. -S – section headers. -s – symbol table. -r – relocation entries. -d – dynamic section.
Usage: readelf <option> <elf_file>
objdump – attempts to disassemble binaries. Example to get source-level disassembly when compiled with -g: objdump -S <exe>
addr2line – maps an address to the corresponding source file and line number. Requires the binary to contain debugging symbols.
Example: addr2line -e <exe> <addr>
Useful when only a crash log with an address is available.
Runtime Phase Tools
gdb – powerful interactive debugger.
ldd – shows required shared libraries and the actual files loaded. Example output columns: needed library, actual file, load address.
strace – traces system calls of a running process. Common options: -p <pid> – attach to a process. -c – summary of call counts. -T – print call timestamps. -t/-tt/-ttt – control time format. -f/-F – follow forked children. -o <file> – write output to a file. -e <expr> – filter traced calls (e.g., -e open).
Example: strace -f -o ~/result.txt <program>
ltrace – similar to strace but traces library function calls. Options are analogous to strace.
time – measures real, user, and system CPU time of a command.
Example: time ps aux | grep hi
Note: time only measures the parent process; it does not follow forks.
gprof – profiles user‑mode function execution time. Requires compiling with -pg.
Steps:
Compile/link with -pg (e.g., gcc -pg -o exec exec.c).
Run the program to generate gmon.out.
Analyze with gprof exec gmon.out > profile.txt.
The program must exit normally; forced termination (e.g., kill) prevents profiling data.
oprofile – CPU profiling tool. Typical workflow:
Initialize: opcontrol --init (optionally --no-vmlinux to skip kernel stats).
Start collection: opcontrol --start.
Dump data: opcontrol --dump.
Reset: opcontrol --reset.
Report: opreport (overall) or opreport -l (per‑function).
valgrind – memory-error detector (memcheck). Usage example: valgrind --tool=memcheck --leak-check=full ./test
Works only for heap memory; it cannot detect stack or static object errors and may slow the program significantly.
mtrace – glibc utility that records malloc/free calls. Typical steps:
Add setenv("MALLOC_TRACE", "./memleak.log", 1); mtrace(); in the source (under a DEBUG guard).
Compile with debugging symbols (e.g., gcc -g -DDEBUG -o test1 test1.c).
Run the program; a memleak.log file is created.
Analyze with mtrace <program> memleak.log to see un‑freed allocations.
Other Useful Information
proc filesystem – a virtual filesystem exposing kernel and process information. Key entries include /proc/cpuinfo, /proc/meminfo, /proc/uptime, and per‑process directories /proc/<pid>/ (e.g., cmdline, environ, fd, status, exe).
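An added example (not from the original article) that reads the per-process entries named above (status, cmdline, fd, exe) to give a first-look summary of one process. The function names are hypothetical, and the script inspects its own shell so it runs without extra privileges.

```shell
#!/bin/sh
# Added example: first-look triage of one process from /proc/<pid>/.

# Print one field (Name, Pid, PPid, Uid, ...) from /proc/<pid>/status.
# Only the first value on the line is returned (for Uid: the real uid).
proc_status_field() {
    awk -v key="$2:" '$1 == key { print $2; exit }' "/proc/$1/status"
}

# cmdline is NUL-separated; turn the separators into spaces for display.
proc_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline" | sed 's/ $//'
}

# Count open descriptors (readable by the process owner or root only).
proc_fd_count() {
    ls "/proc/$1/fd" 2>/dev/null | wc -l | tr -d ' '
}

# exe is a symlink to the running binary. The kernel appends " (deleted)"
# when that file was unlinked after the process started, which is worth
# flagging when reviewing an unfamiliar process.
proc_exe_state() {
    target=$(readlink "/proc/$1/exe" 2>/dev/null) || { echo "unreadable"; return 0; }
    case $target in
        *" (deleted)") echo "deleted" ;;
        *)             echo "present" ;;
    esac
}

proc_summary() {
    printf 'pid=%s name=%s ppid=%s uid=%s\n' "$1" \
        "$(proc_status_field "$1" Name)" "$(proc_status_field "$1" PPid)" \
        "$(proc_status_field "$1" Uid)"
    printf 'exe=%s (%s)\n' "$(readlink "/proc/$1/exe" 2>/dev/null)" "$(proc_exe_state "$1")"
    printf 'cmdline=%s\n' "$(proc_cmdline "$1")"
    printf 'open_fds=%s\n' "$(proc_fd_count "$1")"
}

proc_summary "$$"
```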
System logs – located under /var/log/. Important files: /var/log/messages – general system messages, including kernel, mail, cron, daemon, auth. /var/log/auth.log – authentication events. /var/log/boot.log – boot‑time messages. /var/log/daemon.log – daemon‑specific logs. /var/log/cron – cron job execution logs. /var/log/wtmp / /var/log/utmp – login records. /var/log/faillog – failed login attempts.
Liangxu Linux
