Hi, I am currently doing a massive rewrite of lurk (@JakWai01 has been graciously merging my PRs). I think all three of us can join forces on these efforts, especially since @jasonwhite has created an awesome lib of all syscalls for lots of platforms.

Ideally we could either work under @JakWai01's repo, or set up a new org for this (takes a few min) -- this would ensure rapid iterations on the project. What do you think?

What to do with mmap?

At the mmap syscall, the analysis essentially ends. There is no more information to be gained, because there are no follow up syscalls because mmap is not implemented in terms of read / write but the kernel actually does the rest, which we can't look into with strace.

• Should we just ignore mmap?
• Should we print to STDERR that file has been mmaped?

export $PATH="$PWD/target/universal/stage/bin:$PATH" should have the $ removed from $PATH on the left hand side.

• flat memory curve instead of huge blob
• use e.g. fs2

observed case: star -c -f data.tar data:

star.strace.97073:1532348050.103783 open("data-star.tar", O_RDWR|O_CREAT, 0666) = 7 <0.000976>
star.strace.97073:1532348050.105748 clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f6089f3ea70) = 97074 <0.000213>
star.strace.97074:1532348050.204140 write(7, "data/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 10240)             = 10240 <0.000452>

• -y and -yy for filename and port:ip resolution - does this work across different log files?
• -P path to limit to path in advance
• modify suggestion / recommendation in README / man page accordingly

In some cases it might make sense to accumulate the syscalls over multiple log files. The following is sort of a dummy example to showcase this:

$ strace -T -ttt -ff -o /tmp/strace-dd.log dd if=/dev/zero of=/dev/null count=1024 bs=1M
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB, 1.0 GiB) copied, 0.322192 s, 3.3 GB/s

$ strace -T -ttt -ff -o /tmp/strace-dd.log dd if=/dev/zero of=/dev/null count=1024 bs=1M
1024+0 records in
1024+0 records out
1073741824 bytes (1.1 GB, 1.0 GiB) copied, 0.365162 s, 2.9 GB/s

$ ls -lh /tmp/strace-dd.log.*
-rw-r--r-- 1 wookietreiber users 261K Mar 26 11:08 /tmp/strace-dd.log.23687
-rw-r--r-- 1 wookietreiber users 261K Mar 26 11:08 /tmp/strace-dd.log.23694

$ strace-analyzer write /tmp/strace-dd.log.* | column -t 
write  1G   in  27.621  ms  (~  36G   /  s)  with  1024  ops  (~  1M  /  op,  ~  1M  request  size)  /dev/null
write  101  in  229     us  (~  431K  /  s)  with  3     ops  (~  34  /  op,  ~  34  request  size)  STDERR
write  1G   in  27.885  ms  (~  36G   /  s)  with  1024  ops  (~  1M  /  op,  ~  1M  request  size)  /dev/null
write  101  in  4.667   ms  (~  21K   /  s)  with  3     ops  (~  34  /  op,  ~  34  request  size)  STDERR

Also, if the stats are not accumulated over multiple files, the output should include from which log file they are.

https://docs.google.com/document/d/1CvAClvFfyA5R-PhYUmn5OOQtYMH4h6I0nSsKchNAySU/preview# describes the format, there are very nice inspection tools like the chrome://tracing/ UI.

An alternative would be to export the strace parser from your crate to allow other folk to write the converter (and then there are three things - a parser, a tool for summarising, and a tool for converting to trace event format).

It shows how to call strace-analyzer, but does not show or explain what do I get from it.

By the way, does it work well for non-file things, like NETLINK sockets or tricky ioctls? README should also clarify what the tool can and what cannot do.