I have this code, which is largely inspired by the syscount.py tool present in BCC:
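```
BPF_HASH(data, u32, u64);

TRACEPOINT_PROBE(raw_syscalls, sys_exit) {
    u64 pid_tgid = bpf_get_current_pid_tgid();
    u32 key = pid_tgid >> 32;   // upper 32 bits: process ID (TGID)
    u32 tid = (u32)pid_tgid;    // lower 32 bits: thread ID
    u64 *val, zero = 0;

    val = data.lookup_or_try_init(&key, &zero);
    if (val) {
        lock_xadd(val, 1);      // atomically bump this process's counter
    }
    return 0;
}
```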
This counts the system calls performed by each process.
How can I get the name, or the ID of the system call being handled, so that I can create an array of the system calls used?
As far as I know, there is no lookup table of functions in Linux itself; there are a number of places where people made translation tables, such as:
The hassle is that the numbers can vary quite a bit between architectures. The most complete lists that I know of exist in the Golang source code https://cs.opensource.google/go/go/+/refs/tags/go1.20.1:src/syscall/zsysnum_linux_arm.go which defines most of them for most architectures.
You can use these resources to construct your own lookup table.
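Building the lookup table the answer describes, as an added example that is not part of the original posts: it parses constants in the layout of Go's `zsysnum_linux_*.go` files and names per-process syscall counts. The Go excerpt and the counts are constructed, and it assumes the BPF map is re-keyed by (PID, syscall number), with the number read from `args->id` in the `raw_syscalls:sys_exit` tracepoint.

```python
import re

# Constructed excerpt in the layout of Go's zsysnum_linux_arm.go (ARM numbers).
# A real run would read the full file for the architecture being traced.
GO_ZSYSNUM_ARM = """
package syscall

const (
	SYS_RESTART_SYSCALL = 0
	SYS_EXIT            = 1
	SYS_FORK            = 2
	SYS_READ            = 3
	SYS_WRITE           = 4
	SYS_OPEN            = 5
	SYS_CLOSE           = 6
	SYS_EXECVE          = 11
	SYS_PTRACE          = 26 // trailing comments are tolerated
)
"""

_CONST = re.compile(r"^\s*SYS_([A-Z0-9_]+)\s*=\s*(\d+)\b")

def parse_zsysnum(text):
    """Return {syscall_number: lowercase_name} from SYS_* constant lines."""
    table = {}
    for line in text.splitlines():
        m = _CONST.match(line)
        if m:
            # Keep the first name seen for a number so aliases do not overwrite it.
            table.setdefault(int(m.group(2)), m.group(1).lower())
    return table

def summarize(counts, table):
    """counts: {(pid, syscall_nr): hits} -> {pid: [(name, hits), ...]}, busiest first."""
    per_pid = {}
    for (pid, nr), hits in counts.items():
        # Numbers missing from the table stay visible instead of being dropped.
        name = table.get(nr, "unknown_%d" % nr)
        per_pid.setdefault(pid, []).append((name, hits))
    return {pid: sorted(v, key=lambda e: (-e[1], e[0])) for pid, v in per_pid.items()}

# Constructed sample of what a map keyed by (pid, syscall id) could hold.
SAMPLE_COUNTS = {(1234, 3): 40, (1234, 4): 12, (1234, 999): 1,
                 (5678, 11): 2, (5678, 26): 1}

if __name__ == "__main__":
    table = parse_zsysnum(GO_ZSYSNUM_ARM)
    for pid, calls in sorted(summarize(SAMPLE_COUNTS, table).items()):
        print(pid, calls)
```

The table must come from the file matching the traced machine's architecture, since the same number maps to different calls elsewhere.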