ebpf how to check the syscalls available

I am looking at an eBPF sample code it has this

SEC("kprobe/__x64_sys_tcp_connect") Now how does one know such a call exists?

I tried following

bpftrace -l & list all kprobes
list all events under this folder /sys/kernel/debug/tracing/events/syscalls
grep the kernel source code 4.look in /arch/x86/entry/syscalls/syscall_64.tbl

I do not see it In general how would one go about looking for such syscalls for use with eBPF

Solution

You can get the symbol names for the kprobe function via:

sudo bpftrace -l kprobe:*<keyword>*
sudo cat /proc/kallsyms | grep <keyword> |grep T

If you don't see it, it means you should use another name in the SEC or when attaching the kprobe function:

$ sudo bpftrace -l kprobe:*tcp_connect
kprobe:tcp_connect
$ sudo cat /proc/kallsyms | grep tcp_connect |grep T
ffffffff8e9e47f0 T tcp_connect


SEC("kprobe/tcp_connect")

How to retrieve a specific value from a structure in function arguments in an eBPF uprobe
Dynamically adding entries to an eBPF map of maps
eBPF trace at net:net_dev_queue not providing correct IP address
Libbpf: Find map pinned at a different location in Kernel Space
libbpf: Error loading .BTF into kernel: -22. Error: failed to open object file, vlen != 0
ebpf how to check the syscalls available
What is the performance impact added to eBPF via kprobe and uprobe
How eBPF stack works
How to bpf_prog_test_run_opts to a program that extends xdp_dispatcher
bpf_prog_test_run_opts error 524 when running an XDP program
Loading large BPF program fails with "Argument list too long" and "processed 0 insns"
Can an eBPF/XDP thread be preempted?
Testing XDP vs DPDK
BPF program is too large. Processed 1000001 insn
Why use BPF_F_LOCK if XDP map operations are thread safe
Reading from an eBPF map without paying for kernel-call
Could use memcpy or memset in ebpf prog ？
bpf_trace_printk format pointer
Use eBPF to change process's CPU affinity
eBPF XDP - Bad map relocation
How do you compute the performance impact of a eBPF probe?
Is there a way to safely update an eBPF map with a spin lock held in the ebpf program?
Is there a BPF_MAP_LOOKUP_AND_UPDATE_ELEM syscall similar to BPF_MAP_LOOKUP_AND_DELETE_ELEM?
where is the entry point in kernel for an eBPF msg_verdict program?
How to get payload data from tcp_probe tracepoint via ebpf?
ebpf bpf_map_lookup_elem use const char* as key type, can't get the value from bpf map
Is it possible to create and send a packet from a bpf program?
clang bpf: attribute always_inline does not working
bpf_probe_write_use() system overload
Using a program of type raw_tracepoint to trace sched_wakeup,bpf verifies that task_struct *p is empty