How to get the name, or the ID, of the System Call that was detected with BCC/eBPF

Question

I have this code, which is largely inspired by the syscount.py tool present in BCC:

BPF_HASH(data, u32, u64);

TRACEPOINT_PROBE(raw_syscalls,sys_exit){
u64 pid_tgid = bpf_get_current_pid_tgid();
u32 key = pid_tgid >> 32;
u32 tid = (u32)pid_tgid;
u64 *val, zero = 0;
val = data.lookup_or_try_init(&key, &zero);
if(val){
    lock_xadd(val,1);
}

This counts the system calls performed by each process.

How can I get the name, or the ID of the system call being handled, so that I can create an array of the system calls used?

score 2 · Accepted Answer · answered Feb 15 '23 at 10:55

2

As far as I know there is no lookup table of function in linux itself, there are a number of places where people made translation tables such as:

The hassle is that the numbers can vary quite a bit between architectures. The most complete lists that I know of exist in the Golang source code https://cs.opensource.google/go/go/+/refs/tags/go1.20.1:src/syscall/zsysnum_linux_arm.go which defines most of them for most architectures.

You can use these resources to construct your own lookup table

answered Feb 15 '23 at 10:55

Dylan Reimerink

5,874
2
15
21

Thanks! But how would I get the system call ID? – Afonso Pinto Feb 15 '23 at 16:17
1

Located in the `args->id` field. https://github.com/iovisor/bcc/blob/master/tools/syscount.py#L120 – Dylan Reimerink Feb 16 '23 at 08:45

How to get the name, or the ID, of the System Call that was detected with BCC/eBPF

1 Answers1