search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "TODO epan/dissectors/asn1/kerberos/packet-kerberos-template.c new GSS flags"
[wireshark-sm.git] / epan / dissectors / packet-sysdig-event.c
blob7fe60d2611b8260b65b48fdf0779c004fe616827
1 /* EDIT WITH CARE.
2 * Many sections of this file were automatically generated.
3 */
4
5 /* packet-sysdig-event.c
6 * Routines for Sysdig event dissection
7 * http://www.sysdig.org/
8 * Copyright 2015, Gerald Combs <gerald@wireshark.org>
9 *
10 * Wireshark - Network traffic analyzer
11 * By Gerald Combs <gerald@wireshark.org>
12 * Copyright 1998 Gerald Combs
13 *
14 * SPDX-License-Identifier: GPL-2.0-or-later
15 */
16
17 /*
18 * Sysdig is a tool that captures and analyzes system state.
19 * This dissects pcapng Sysdig Event Blocks (0x00000204), which contains
20 * a system call entry or exit along with its associated parameters.
21 */
22
23 /*
24 * To do:
25 * - Event with flags (0x00000208).
26 * - Enter/exit delay.
27 * - Most of this could be automatically generated from the Sysdig sources.
28 * - Alternatively we could modify Sysdig to dump its internal tables and
29 * generate a dissector from that output.
30 * - Generate the column info table.
31 * - Pull metainformation (processes, users, etc) into hash tables.
32 */
33
34 #include <config.h>
35
36 #include <epan/exceptions.h>
37 #include <epan/packet.h>
38 #include <epan/strutil.h>
39
40 #include <packet-sysdig-event.h>
41
42 #include <wiretap/wtap.h>
43 #include <wiretap/pcapng_module.h>
44 /* #include <epan/expert.h> */
45 /* #include <epan/prefs.h> */
46
47 #define SYSDIG_PARAM_SIZE 2
48 #define SYSDIG_PARAM_SIZE_V2 2
49 #define SYSDIG_PARAM_SIZE_V2_LARGE 4
50
51 /* Prototypes */
52 void proto_reg_handoff_sysdig_event(void);
53 void proto_register_sysdig_event(void);
54
55 static dissector_handle_t sysdig_event_handle;
56
57 /* Initialize the protocol and registered fields */
58 static int proto_sysdig_event;
59 /* Add byte order? */
60 static int hf_se_cpu_id;
61 static int hf_se_thread_id;
62 static int hf_se_event_length;
63 static int hf_se_nparams;
64 static int hf_se_event_type;
65 static int hf_se_event_name;
66
67 static int hf_se_param_lens;
68 static int hf_se_param_len;
69
70 /* Name+type */
71 /* Header fields. Automatically generated by tools/generate-sysdig-event.py */
72 static int hf_param_ID_uint16;
73 static int hf_param_action_uint32;
74 static int hf_param_addr_bytes;
75 static int hf_param_addr_uint64;
76 static int hf_param_arg2_int_int64;
77 static int hf_param_arg2_str_string;
78 static int hf_param_arg_uint64;
79 static int hf_param_args_string;
80 static int hf_param_argument_uint64;
81 static int hf_param_aux_int32;
82 static int hf_param_backlog_int32;
83 static int hf_param_cap_effective_uint64;
84 static int hf_param_cap_inheritable_uint64;
85 static int hf_param_cap_permitted_uint64;
86 static int hf_param_cgroups_bytes;
87 static int hf_param_clockid_uint8;
88 static int hf_param_cmd_bytes;
89 static int hf_param_cmd_int16;
90 static int hf_param_cmd_int64;
91 static int hf_param_comm_string;
92 static int hf_param_container_id_string;
93 static int hf_param_core_uint8;
94 static int hf_param_cpu_sys_uint64;
95 static int hf_param_cpu_uint32;
96 static int hf_param_cpu_usr_uint64;
97 static int hf_param_cq_entries_uint32;
98 static int hf_param_cur_int64;
99 static int hf_param_cwd_string;
100 static int hf_param_data_bytes;
101 static int hf_param_desc_string;
102 static int hf_param_description_string;
103 static int hf_param_dev_string;
104 static int hf_param_dev_uint32;
105 static int hf_param_dir_string;
106 static int hf_param_dirfd_int64;
107 static int hf_param_domain_bytes;
108 static int hf_param_dpid_int64;
109 static int hf_param_dqb_bhardlimit_uint64;
110 static int hf_param_dqb_bsoftlimit_uint64;
111 static int hf_param_dqb_btime_bytes;
112 static int hf_param_dqb_curspace_uint64;
113 static int hf_param_dqb_ihardlimit_uint64;
114 static int hf_param_dqb_isoftlimit_uint64;
115 static int hf_param_dqb_itime_bytes;
116 static int hf_param_dqi_bgrace_bytes;
117 static int hf_param_dqi_flags_int8;
118 static int hf_param_dqi_igrace_bytes;
119 static int hf_param_egid_int32;
120 static int hf_param_entries_uint32;
121 static int hf_param_env_string;
122 static int hf_param_error_int32;
123 static int hf_param_euid_int32;
124 static int hf_param_event_data_bytes;
125 static int hf_param_event_data_uint64;
126 static int hf_param_event_type_uint32;
127 static int hf_param_exe_ino_ctime_bytes;
128 static int hf_param_exe_ino_mtime_bytes;
129 static int hf_param_exe_ino_uint64;
130 static int hf_param_exe_string;
131 static int hf_param_fd1_int64;
132 static int hf_param_fd2_int64;
133 static int hf_param_fd_in_int64;
134 static int hf_param_fd_int64;
135 static int hf_param_fd_out_int64;
136 static int hf_param_fdin_int64;
137 static int hf_param_fdlimit_int64;
138 static int hf_param_fdlimit_uint64;
139 static int hf_param_fdout_int64;
140 static int hf_param_fds_bytes;
141 static int hf_param_features_int32;
142 static int hf_param_filename_string;
143 static int hf_param_flags_int16;
144 static int hf_param_flags_int32;
145 static int hf_param_flags_uint32;
146 static int hf_param_flags_uint64;
147 static int hf_param_flags_uint8;
148 static int hf_param_gid_int32;
149 static int hf_param_gid_uint32;
150 static int hf_param_home_string;
151 static int hf_param_how_bytes;
152 static int hf_param_id_int64;
153 static int hf_param_id_string;
154 static int hf_param_id_uint32;
155 static int hf_param_image_string;
156 static int hf_param_img_bytes;
157 static int hf_param_in_fd_int64;
158 static int hf_param_initval_uint64;
159 static int hf_param_ino_uint64;
160 static int hf_param_interval_bytes;
161 static int hf_param_ip_uint64;
162 static int hf_param_json_string;
163 static int hf_param_key_int32;
164 static int hf_param_key_string;
165 static int hf_param_len_uint64;
166 static int hf_param_length_uint64;
167 static int hf_param_level_bytes;
168 static int hf_param_linkdirfd_int64;
169 static int hf_param_linkpath_string;
170 static int hf_param_loginuid_int32;
171 static int hf_param_mask_uint32;
172 static int hf_param_max_int64;
173 static int hf_param_maxevents_int64;
174 static int hf_param_min_complete_uint32;
175 static int hf_param_mode_int32;
176 static int hf_param_mode_uint32;
177 static int hf_param_mountfd_int64;
178 static int hf_param_msgcontrol_bytes;
179 static int hf_param_name_string;
180 static int hf_param_nativeID_uint16;
181 static int hf_param_newcur_int64;
182 static int hf_param_newdir_int64;
183 static int hf_param_newdirfd_int64;
184 static int hf_param_newfd_int64;
185 static int hf_param_newmax_int64;
186 static int hf_param_newpath_string;
187 static int hf_param_next_int64;
188 static int hf_param_nr_args_uint32;
189 static int hf_param_nsems_int32;
190 static int hf_param_nsops_uint32;
191 static int hf_param_nstype_int32;
192 static int hf_param_offin_uint64;
193 static int hf_param_offout_uint64;
194 static int hf_param_offset_uint64;
195 static int hf_param_oldcur_int64;
196 static int hf_param_olddir_int64;
197 static int hf_param_olddirfd_int64;
198 static int hf_param_oldfd_int64;
199 static int hf_param_oldmax_int64;
200 static int hf_param_oldpath_string;
201 static int hf_param_op_bytes;
202 static int hf_param_op_uint64;
203 static int hf_param_opcode_bytes;
204 static int hf_param_operation_int32;
205 static int hf_param_option_bytes;
206 static int hf_param_optlen_uint32;
207 static int hf_param_optname_bytes;
208 static int hf_param_out_fd_int64;
209 static int hf_param_path_string;
210 static int hf_param_pathname_string;
211 static int hf_param_peer_uint64;
212 static int hf_param_pgft_maj_uint64;
213 static int hf_param_pgft_min_uint64;
214 static int hf_param_pgid_int64;
215 static int hf_param_pgoffset_uint64;
216 static int hf_param_pid_fd_int64;
217 static int hf_param_pid_int64;
218 static int hf_param_pidns_init_start_ts_uint64;
219 static int hf_param_plugin_id_uint32;
220 static int hf_param_pos_uint64;
221 static int hf_param_prot_int32;
222 static int hf_param_proto_uint32;
223 static int hf_param_ptid_int64;
224 static int hf_param_queuelen_uint32;
225 static int hf_param_queuemax_uint32;
226 static int hf_param_queuepct_uint8;
227 static int hf_param_quota_fmt_int8;
228 static int hf_param_quota_fmt_out_int8;
229 static int hf_param_quotafilepath_string;
230 static int hf_param_ratio_uint32;
231 static int hf_param_reaper_tid_int64;
232 static int hf_param_request_bytes;
233 static int hf_param_request_uint64;
234 static int hf_param_res_int64;
235 static int hf_param_res_or_fd_bytes;
236 static int hf_param_res_uint64;
237 static int hf_param_resolve_int32;
238 static int hf_param_resource_bytes;
239 static int hf_param_ret_int64;
240 static int hf_param_rgid_int32;
241 static int hf_param_ruid_int32;
242 static int hf_param_scope_string;
243 static int hf_param_sem_flg_0_int16;
244 static int hf_param_sem_flg_1_int16;
245 static int hf_param_sem_num_0_uint16;
246 static int hf_param_sem_num_1_uint16;
247 static int hf_param_sem_op_0_int16;
248 static int hf_param_sem_op_1_int16;
249 static int hf_param_semflg_int32;
250 static int hf_param_semid_int32;
251 static int hf_param_semnum_int32;
252 static int hf_param_sgid_int32;
253 static int hf_param_shell_string;
254 static int hf_param_sig_bytes;
255 static int hf_param_sigmask_bytes;
256 static int hf_param_size_int32;
257 static int hf_param_size_uint32;
258 static int hf_param_size_uint64;
259 static int hf_param_source_string;
260 static int hf_param_source_uint64;
261 static int hf_param_special_string;
262 static int hf_param_spid_int64;
263 static int hf_param_sq_entries_uint32;
264 static int hf_param_sq_thread_cpu_uint32;
265 static int hf_param_sq_thread_idle_uint32;
266 static int hf_param_status_int64;
267 static int hf_param_suid_int32;
268 static int hf_param_tags_bytes;
269 static int hf_param_target_fd_int64;
270 static int hf_param_target_string;
271 static int hf_param_tid_int64;
272 static int hf_param_timeout_bytes;
273 static int hf_param_timeout_int64;
274 static int hf_param_to_submit_uint32;
275 static int hf_param_trusted_exepath_string;
276 static int hf_param_tty_int32;
277 static int hf_param_tty_uint32;
278 static int hf_param_tuple_bytes;
279 static int hf_param_type_int8;
280 static int hf_param_type_string;
281 static int hf_param_type_uint32;
282 static int hf_param_uargs_string;
283 static int hf_param_uid_int32;
284 static int hf_param_uid_uint32;
285 static int hf_param_val_bytes;
286 static int hf_param_val_int32;
287 static int hf_param_val_uint64;
288 static int hf_param_value_bytebuf_bytes;
289 static int hf_param_value_charbuf_string;
290 static int hf_param_vm_rss_uint32;
291 static int hf_param_vm_size_uint32;
292 static int hf_param_vm_swap_uint32;
293 static int hf_param_vpid_int64;
294 static int hf_param_vtid_int64;
295 static int hf_param_whence_bytes;
296
297 /* Initialize the subtree pointers */
298 static int ett_sysdig_event;
299 static int ett_sysdig_parm_lens;
300 static int ett_sysdig_syscall;
301
302 /* Initialize the pointer to the child plugin dissector */
303 static dissector_handle_t sinsp_dissector_handle;
304 static dissector_handle_t elf_dissector_handle;
305
306 #define SYSDIG_EVENT_MIN_LENGTH 8 /* XXX Fix */
307
308
309 /* Event names. Automatically generated by tools/generate-sysdig-event.py */
310 #define EVT_STR_NA "NA"
311 #define EVT_STR_ACCEPT "accept"
312 #define EVT_STR_ACCEPT4 "accept4"
313 #define EVT_STR_ACCESS "access"
314 #define EVT_STR_ASYNCEVENT "asyncevent"
315 #define EVT_STR_BIND "bind"
316 #define EVT_STR_BPF "bpf"
317 #define EVT_STR_BRK "brk"
318 #define EVT_STR_CAPSET "capset"
319 #define EVT_STR_CHDIR "chdir"
320 #define EVT_STR_CHMOD "chmod"
321 #define EVT_STR_CHOWN "chown"
322 #define EVT_STR_CHROOT "chroot"
323 #define EVT_STR_CLONE "clone"
324 #define EVT_STR_CLONE3 "clone3"
325 #define EVT_STR_CLOSE "close"
326 #define EVT_STR_CONNECT "connect"
327 #define EVT_STR_CONTAINER "container"
328 #define EVT_STR_COPY_FILE_RANGE "copy_file_range"
329 #define EVT_STR_CPU_HOTPLUG "cpu_hotplug"
330 #define EVT_STR_CREAT "creat"
331 #define EVT_STR_DELETE_MODULE "delete_module"
332 #define EVT_STR_DROP "drop"
333 #define EVT_STR_DUP "dup"
334 #define EVT_STR_DUP2 "dup2"
335 #define EVT_STR_DUP3 "dup3"
336 #define EVT_STR_EPOLL_CREATE "epoll_create"
337 #define EVT_STR_EPOLL_CREATE1 "epoll_create1"
338 #define EVT_STR_EPOLL_WAIT "epoll_wait"
339 #define EVT_STR_EVENTFD "eventfd"
340 #define EVT_STR_EVENTFD2 "eventfd2"
341 #define EVT_STR_EXECVE "execve"
342 #define EVT_STR_EXECVEAT "execveat"
343 #define EVT_STR_FCHDIR "fchdir"
344 #define EVT_STR_FCHMOD "fchmod"
345 #define EVT_STR_FCHMODAT "fchmodat"
346 #define EVT_STR_FCHOWN "fchown"
347 #define EVT_STR_FCHOWNAT "fchownat"
348 #define EVT_STR_FCNTL "fcntl"
349 #define EVT_STR_FINIT_MODULE "finit_module"
350 #define EVT_STR_FLOCK "flock"
351 #define EVT_STR_FORK "fork"
352 #define EVT_STR_FSCONFIG "fsconfig"
353 #define EVT_STR_FSTAT "fstat"
354 #define EVT_STR_FSTAT64 "fstat64"
355 #define EVT_STR_FUTEX "futex"
356 #define EVT_STR_GETCWD "getcwd"
357 #define EVT_STR_GETDENTS "getdents"
358 #define EVT_STR_GETDENTS64 "getdents64"
359 #define EVT_STR_GETEGID "getegid"
360 #define EVT_STR_GETEUID "geteuid"
361 #define EVT_STR_GETGID "getgid"
362 #define EVT_STR_GETPEERNAME "getpeername"
363 #define EVT_STR_GETRESGID "getresgid"
364 #define EVT_STR_GETRESUID "getresuid"
365 #define EVT_STR_GETRLIMIT "getrlimit"
366 #define EVT_STR_GETSOCKNAME "getsockname"
367 #define EVT_STR_GETSOCKOPT "getsockopt"
368 #define EVT_STR_GETUID "getuid"
369 #define EVT_STR_GROUPADDED "groupadded"
370 #define EVT_STR_GROUPDELETED "groupdeleted"
371 #define EVT_STR_INFRA "infra"
372 #define EVT_STR_INIT_MODULE "init_module"
373 #define EVT_STR_INOTIFY_INIT "inotify_init"
374 #define EVT_STR_INOTIFY_INIT1 "inotify_init1"
375 #define EVT_STR_IO_URING_ENTER "io_uring_enter"
376 #define EVT_STR_IO_URING_REGISTER "io_uring_register"
377 #define EVT_STR_IO_URING_SETUP "io_uring_setup"
378 #define EVT_STR_IOCTL "ioctl"
379 #define EVT_STR_K8S "k8s"
380 #define EVT_STR_KILL "kill"
381 #define EVT_STR_LCHOWN "lchown"
382 #define EVT_STR_LINK "link"
383 #define EVT_STR_LINKAT "linkat"
384 #define EVT_STR_LISTEN "listen"
385 #define EVT_STR_LLSEEK "llseek"
386 #define EVT_STR_LSEEK "lseek"
387 #define EVT_STR_LSTAT "lstat"
388 #define EVT_STR_LSTAT64 "lstat64"
389 #define EVT_STR_MEMFD_CREATE "memfd_create"
390 #define EVT_STR_MESOS "mesos"
391 #define EVT_STR_MKDIR "mkdir"
392 #define EVT_STR_MKDIRAT "mkdirat"
393 #define EVT_STR_MKNOD "mknod"
394 #define EVT_STR_MKNODAT "mknodat"
395 #define EVT_STR_MLOCK "mlock"
396 #define EVT_STR_MLOCK2 "mlock2"
397 #define EVT_STR_MLOCKALL "mlockall"
398 #define EVT_STR_MMAP "mmap"
399 #define EVT_STR_MMAP2 "mmap2"
400 #define EVT_STR_MOUNT "mount"
401 #define EVT_STR_MPROTECT "mprotect"
402 #define EVT_STR_MUNLOCK "munlock"
403 #define EVT_STR_MUNLOCKALL "munlockall"
404 #define EVT_STR_MUNMAP "munmap"
405 #define EVT_STR_NANOSLEEP "nanosleep"
406 #define EVT_STR_NEWFSTATAT "newfstatat"
407 #define EVT_STR_NOTIFICATION "notification"
408 #define EVT_STR_OPEN "open"
409 #define EVT_STR_OPEN_BY_HANDLE_AT "open_by_handle_at"
410 #define EVT_STR_OPENAT "openat"
411 #define EVT_STR_OPENAT2 "openat2"
412 #define EVT_STR_PAGE_FAULT "page_fault"
413 #define EVT_STR_PIDFD_GETFD "pidfd_getfd"
414 #define EVT_STR_PIDFD_OPEN "pidfd_open"
415 #define EVT_STR_PIPE "pipe"
416 #define EVT_STR_PIPE2 "pipe2"
417 #define EVT_STR_PLUGINEVENT "pluginevent"
418 #define EVT_STR_POLL "poll"
419 #define EVT_STR_PPOLL "ppoll"
420 #define EVT_STR_PRCTL "prctl"
421 #define EVT_STR_PREAD "pread"
422 #define EVT_STR_PREADV "preadv"
423 #define EVT_STR_PRLIMIT "prlimit"
424 #define EVT_STR_PROCESS_VM_READV "process_vm_readv"
425 #define EVT_STR_PROCESS_VM_WRITEV "process_vm_writev"
426 #define EVT_STR_PROCEXIT "procexit"
427 #define EVT_STR_PROCINFO "procinfo"
428 #define EVT_STR_PTRACE "ptrace"
429 #define EVT_STR_PWRITE "pwrite"
430 #define EVT_STR_PWRITEV "pwritev"
431 #define EVT_STR_QUOTACTL "quotactl"
432 #define EVT_STR_READ "read"
433 #define EVT_STR_READV "readv"
434 #define EVT_STR_RECV "recv"
435 #define EVT_STR_RECVFROM "recvfrom"
436 #define EVT_STR_RECVMMSG "recvmmsg"
437 #define EVT_STR_RECVMSG "recvmsg"
438 #define EVT_STR_RENAME "rename"
439 #define EVT_STR_RENAMEAT "renameat"
440 #define EVT_STR_RENAMEAT2 "renameat2"
441 #define EVT_STR_RMDIR "rmdir"
442 #define EVT_STR_SCAPEVENT "scapevent"
443 #define EVT_STR_SECCOMP "seccomp"
444 #define EVT_STR_SELECT "select"
445 #define EVT_STR_SEMCTL "semctl"
446 #define EVT_STR_SEMGET "semget"
447 #define EVT_STR_SEMOP "semop"
448 #define EVT_STR_SEND "send"
449 #define EVT_STR_SENDFILE "sendfile"
450 #define EVT_STR_SENDMMSG "sendmmsg"
451 #define EVT_STR_SENDMSG "sendmsg"
452 #define EVT_STR_SENDTO "sendto"
453 #define EVT_STR_SETGID "setgid"
454 #define EVT_STR_SETNS "setns"
455 #define EVT_STR_SETPGID "setpgid"
456 #define EVT_STR_SETREGID "setregid"
457 #define EVT_STR_SETRESGID "setresgid"
458 #define EVT_STR_SETRESUID "setresuid"
459 #define EVT_STR_SETREUID "setreuid"
460 #define EVT_STR_SETRLIMIT "setrlimit"
461 #define EVT_STR_SETSID "setsid"
462 #define EVT_STR_SETSOCKOPT "setsockopt"
463 #define EVT_STR_SETUID "setuid"
464 #define EVT_STR_SHUTDOWN "shutdown"
465 #define EVT_STR_SIGNALDELIVER "signaldeliver"
466 #define EVT_STR_SIGNALFD "signalfd"
467 #define EVT_STR_SIGNALFD4 "signalfd4"
468 #define EVT_STR_SOCKET "socket"
469 #define EVT_STR_SOCKETPAIR "socketpair"
470 #define EVT_STR_SPLICE "splice"
471 #define EVT_STR_STAT "stat"
472 #define EVT_STR_STAT64 "stat64"
473 #define EVT_STR_SWITCH "switch"
474 #define EVT_STR_SYMLINK "symlink"
475 #define EVT_STR_SYMLINKAT "symlinkat"
476 #define EVT_STR_SYSCALL "syscall"
477 #define EVT_STR_TGKILL "tgkill"
478 #define EVT_STR_TIMERFD_CREATE "timerfd_create"
479 #define EVT_STR_TKILL "tkill"
480 #define EVT_STR_TRACER "tracer"
481 #define EVT_STR_UMOUNT "umount"
482 #define EVT_STR_UMOUNT2 "umount2"
483 #define EVT_STR_UNLINK "unlink"
484 #define EVT_STR_UNLINKAT "unlinkat"
485 #define EVT_STR_UNSHARE "unshare"
486 #define EVT_STR_USERADDED "useradded"
487 #define EVT_STR_USERDELETED "userdeleted"
488 #define EVT_STR_USERFAULTFD "userfaultfd"
489 #define EVT_STR_VFORK "vfork"
490 #define EVT_STR_WRITE "write"
491 #define EVT_STR_WRITEV "writev"
492
493 /* EVT_... = PPME_... */
494 /* Event definitions. Automatically generated by tools/generate-sysdig-event.py */
495 #define EVT_GENERIC_E 0
496 #define EVT_GENERIC_X 1
497 #define EVT_SYSCALL_OPEN_E 2
498 #define EVT_SYSCALL_OPEN_X 3
499 #define EVT_SYSCALL_CLOSE_E 4
500 #define EVT_SYSCALL_CLOSE_X 5
501 #define EVT_SYSCALL_READ_E 6
502 #define EVT_SYSCALL_READ_X 7
503 #define EVT_SYSCALL_WRITE_E 8
504 #define EVT_SYSCALL_WRITE_X 9
505 #define EVT_SYSCALL_BRK_1_E 10
506 #define EVT_SYSCALL_BRK_1_X 11
507 #define EVT_SYSCALL_EXECVE_8_E 12
508 #define EVT_SYSCALL_EXECVE_8_X 13
509 #define EVT_SYSCALL_CLONE_11_E 14
510 #define EVT_SYSCALL_CLONE_11_X 15
511 #define EVT_PROCEXIT_E 16
512 #define EVT_PROCEXIT_X 17
513 #define EVT_SOCKET_SOCKET_E 18
514 #define EVT_SOCKET_SOCKET_X 19
515 #define EVT_SOCKET_BIND_E 20
516 #define EVT_SOCKET_BIND_X 21
517 #define EVT_SOCKET_CONNECT_E 22
518 #define EVT_SOCKET_CONNECT_X 23
519 #define EVT_SOCKET_LISTEN_E 24
520 #define EVT_SOCKET_LISTEN_X 25
521 #define EVT_SOCKET_ACCEPT_E 26
522 #define EVT_SOCKET_ACCEPT_X 27
523 #define EVT_SOCKET_SEND_E 28
524 #define EVT_SOCKET_SEND_X 29
525 #define EVT_SOCKET_SENDTO_E 30
526 #define EVT_SOCKET_SENDTO_X 31
527 #define EVT_SOCKET_RECV_E 32
528 #define EVT_SOCKET_RECV_X 33
529 #define EVT_SOCKET_RECVFROM_E 34
530 #define EVT_SOCKET_RECVFROM_X 35
531 #define EVT_SOCKET_SHUTDOWN_E 36
532 #define EVT_SOCKET_SHUTDOWN_X 37
533 #define EVT_SOCKET_GETSOCKNAME_E 38
534 #define EVT_SOCKET_GETSOCKNAME_X 39
535 #define EVT_SOCKET_GETPEERNAME_E 40
536 #define EVT_SOCKET_GETPEERNAME_X 41
537 #define EVT_SOCKET_SOCKETPAIR_E 42
538 #define EVT_SOCKET_SOCKETPAIR_X 43
539 #define EVT_SOCKET_SETSOCKOPT_E 44
540 #define EVT_SOCKET_SETSOCKOPT_X 45
541 #define EVT_SOCKET_GETSOCKOPT_E 46
542 #define EVT_SOCKET_GETSOCKOPT_X 47
543 #define EVT_SOCKET_SENDMSG_E 48
544 #define EVT_SOCKET_SENDMSG_X 49
545 #define EVT_SOCKET_SENDMMSG_E 50
546 #define EVT_SOCKET_SENDMMSG_X 51
547 #define EVT_SOCKET_RECVMSG_E 52
548 #define EVT_SOCKET_RECVMSG_X 53
549 #define EVT_SOCKET_RECVMMSG_E 54
550 #define EVT_SOCKET_RECVMMSG_X 55
551 #define EVT_SOCKET_ACCEPT4_E 56
552 #define EVT_SOCKET_ACCEPT4_X 57
553 #define EVT_SYSCALL_CREAT_E 58
554 #define EVT_SYSCALL_CREAT_X 59
555 #define EVT_SYSCALL_PIPE_E 60
556 #define EVT_SYSCALL_PIPE_X 61
557 #define EVT_SYSCALL_EVENTFD_E 62
558 #define EVT_SYSCALL_EVENTFD_X 63
559 #define EVT_SYSCALL_FUTEX_E 64
560 #define EVT_SYSCALL_FUTEX_X 65
561 #define EVT_SYSCALL_STAT_E 66
562 #define EVT_SYSCALL_STAT_X 67
563 #define EVT_SYSCALL_LSTAT_E 68
564 #define EVT_SYSCALL_LSTAT_X 69
565 #define EVT_SYSCALL_FSTAT_E 70
566 #define EVT_SYSCALL_FSTAT_X 71
567 #define EVT_SYSCALL_STAT64_E 72
568 #define EVT_SYSCALL_STAT64_X 73
569 #define EVT_SYSCALL_LSTAT64_E 74
570 #define EVT_SYSCALL_LSTAT64_X 75
571 #define EVT_SYSCALL_FSTAT64_E 76
572 #define EVT_SYSCALL_FSTAT64_X 77
573 #define EVT_SYSCALL_EPOLLWAIT_E 78
574 #define EVT_SYSCALL_EPOLLWAIT_X 79
575 #define EVT_SYSCALL_POLL_E 80
576 #define EVT_SYSCALL_POLL_X 81
577 #define EVT_SYSCALL_SELECT_E 82
578 #define EVT_SYSCALL_SELECT_X 83
579 #define EVT_SYSCALL_NEWSELECT_E 84
580 #define EVT_SYSCALL_NEWSELECT_X 85
581 #define EVT_SYSCALL_LSEEK_E 86
582 #define EVT_SYSCALL_LSEEK_X 87
583 #define EVT_SYSCALL_LLSEEK_E 88
584 #define EVT_SYSCALL_LLSEEK_X 89
585 #define EVT_SYSCALL_IOCTL_2_E 90
586 #define EVT_SYSCALL_IOCTL_2_X 91
587 #define EVT_SYSCALL_GETCWD_E 92
588 #define EVT_SYSCALL_GETCWD_X 93
589 #define EVT_SYSCALL_CHDIR_E 94
590 #define EVT_SYSCALL_CHDIR_X 95
591 #define EVT_SYSCALL_FCHDIR_E 96
592 #define EVT_SYSCALL_FCHDIR_X 97
593 #define EVT_SYSCALL_MKDIR_E 98
594 #define EVT_SYSCALL_MKDIR_X 99
595 #define EVT_SYSCALL_RMDIR_E 100
596 #define EVT_SYSCALL_RMDIR_X 101
597 #define EVT_SYSCALL_OPENAT_E 102
598 #define EVT_SYSCALL_OPENAT_X 103
599 #define EVT_SYSCALL_LINK_E 104
600 #define EVT_SYSCALL_LINK_X 105
601 #define EVT_SYSCALL_LINKAT_E 106
602 #define EVT_SYSCALL_LINKAT_X 107
603 #define EVT_SYSCALL_UNLINK_E 108
604 #define EVT_SYSCALL_UNLINK_X 109
605 #define EVT_SYSCALL_UNLINKAT_E 110
606 #define EVT_SYSCALL_UNLINKAT_X 111
607 #define EVT_SYSCALL_PREAD_E 112
608 #define EVT_SYSCALL_PREAD_X 113
609 #define EVT_SYSCALL_PWRITE_E 114
610 #define EVT_SYSCALL_PWRITE_X 115
611 #define EVT_SYSCALL_READV_E 116
612 #define EVT_SYSCALL_READV_X 117
613 #define EVT_SYSCALL_WRITEV_E 118
614 #define EVT_SYSCALL_WRITEV_X 119
615 #define EVT_SYSCALL_PREADV_E 120
616 #define EVT_SYSCALL_PREADV_X 121
617 #define EVT_SYSCALL_PWRITEV_E 122
618 #define EVT_SYSCALL_PWRITEV_X 123
619 #define EVT_SYSCALL_DUP_E 124
620 #define EVT_SYSCALL_DUP_X 125
621 #define EVT_SYSCALL_SIGNALFD_E 126
622 #define EVT_SYSCALL_SIGNALFD_X 127
623 #define EVT_SYSCALL_KILL_E 128
624 #define EVT_SYSCALL_KILL_X 129
625 #define EVT_SYSCALL_TKILL_E 130
626 #define EVT_SYSCALL_TKILL_X 131
627 #define EVT_SYSCALL_TGKILL_E 132
628 #define EVT_SYSCALL_TGKILL_X 133
629 #define EVT_SYSCALL_NANOSLEEP_E 134
630 #define EVT_SYSCALL_NANOSLEEP_X 135
631 #define EVT_SYSCALL_TIMERFD_CREATE_E 136
632 #define EVT_SYSCALL_TIMERFD_CREATE_X 137
633 #define EVT_SYSCALL_INOTIFY_INIT_E 138
634 #define EVT_SYSCALL_INOTIFY_INIT_X 139
635 #define EVT_SYSCALL_GETRLIMIT_E 140
636 #define EVT_SYSCALL_GETRLIMIT_X 141
637 #define EVT_SYSCALL_SETRLIMIT_E 142
638 #define EVT_SYSCALL_SETRLIMIT_X 143
639 #define EVT_SYSCALL_PRLIMIT_E 144
640 #define EVT_SYSCALL_PRLIMIT_X 145
641 #define EVT_SCHEDSWITCH_1_E 146
642 #define EVT_SCHEDSWITCH_1_X 147
643 #define EVT_DROP_E 148
644 #define EVT_DROP_X 149
645 #define EVT_SYSCALL_FCNTL_E 150
646 #define EVT_SYSCALL_FCNTL_X 151
647 #define EVT_SCHEDSWITCH_6_E 152
648 #define EVT_SCHEDSWITCH_6_X 153
649 #define EVT_SYSCALL_EXECVE_13_E 154
650 #define EVT_SYSCALL_EXECVE_13_X 155
651 #define EVT_SYSCALL_CLONE_16_E 156
652 #define EVT_SYSCALL_CLONE_16_X 157
653 #define EVT_SYSCALL_BRK_4_E 158
654 #define EVT_SYSCALL_BRK_4_X 159
655 #define EVT_SYSCALL_MMAP_E 160
656 #define EVT_SYSCALL_MMAP_X 161
657 #define EVT_SYSCALL_MMAP2_E 162
658 #define EVT_SYSCALL_MMAP2_X 163
659 #define EVT_SYSCALL_MUNMAP_E 164
660 #define EVT_SYSCALL_MUNMAP_X 165
661 #define EVT_SYSCALL_SPLICE_E 166
662 #define EVT_SYSCALL_SPLICE_X 167
663 #define EVT_SYSCALL_PTRACE_E 168
664 #define EVT_SYSCALL_PTRACE_X 169
665 #define EVT_SYSCALL_IOCTL_3_E 170
666 #define EVT_SYSCALL_IOCTL_3_X 171
667 #define EVT_SYSCALL_EXECVE_14_E 172
668 #define EVT_SYSCALL_EXECVE_14_X 173
669 #define EVT_SYSCALL_RENAME_E 174
670 #define EVT_SYSCALL_RENAME_X 175
671 #define EVT_SYSCALL_RENAMEAT_E 176
672 #define EVT_SYSCALL_RENAMEAT_X 177
673 #define EVT_SYSCALL_SYMLINK_E 178
674 #define EVT_SYSCALL_SYMLINK_X 179
675 #define EVT_SYSCALL_SYMLINKAT_E 180
676 #define EVT_SYSCALL_SYMLINKAT_X 181
677 #define EVT_SYSCALL_FORK_E 182
678 #define EVT_SYSCALL_FORK_X 183
679 #define EVT_SYSCALL_VFORK_E 184
680 #define EVT_SYSCALL_VFORK_X 185
681 #define EVT_PROCEXIT_1_E 186
682 #define EVT_PROCEXIT_1_X 187
683 #define EVT_SYSCALL_SENDFILE_E 188
684 #define EVT_SYSCALL_SENDFILE_X 189
685 #define EVT_SYSCALL_QUOTACTL_E 190
686 #define EVT_SYSCALL_QUOTACTL_X 191
687 #define EVT_SYSCALL_SETRESUID_E 192
688 #define EVT_SYSCALL_SETRESUID_X 193
689 #define EVT_SYSCALL_SETRESGID_E 194
690 #define EVT_SYSCALL_SETRESGID_X 195
691 #define EVT_SCAPEVENT_E 196
692 #define EVT_SCAPEVENT_X 197
693 #define EVT_SYSCALL_SETUID_E 198
694 #define EVT_SYSCALL_SETUID_X 199
695 #define EVT_SYSCALL_SETGID_E 200
696 #define EVT_SYSCALL_SETGID_X 201
697 #define EVT_SYSCALL_GETUID_E 202
698 #define EVT_SYSCALL_GETUID_X 203
699 #define EVT_SYSCALL_GETEUID_E 204
700 #define EVT_SYSCALL_GETEUID_X 205
701 #define EVT_SYSCALL_GETGID_E 206
702 #define EVT_SYSCALL_GETGID_X 207
703 #define EVT_SYSCALL_GETEGID_E 208
704 #define EVT_SYSCALL_GETEGID_X 209
705 #define EVT_SYSCALL_GETRESUID_E 210
706 #define EVT_SYSCALL_GETRESUID_X 211
707 #define EVT_SYSCALL_GETRESGID_E 212
708 #define EVT_SYSCALL_GETRESGID_X 213
709 #define EVT_SYSCALL_EXECVE_15_E 214
710 #define EVT_SYSCALL_EXECVE_15_X 215
711 #define EVT_SYSCALL_CLONE_17_E 216
712 #define EVT_SYSCALL_CLONE_17_X 217
713 #define EVT_SYSCALL_FORK_17_E 218
714 #define EVT_SYSCALL_FORK_17_X 219
715 #define EVT_SYSCALL_VFORK_17_E 220
716 #define EVT_SYSCALL_VFORK_17_X 221
717 #define EVT_SYSCALL_CLONE_20_E 222
718 #define EVT_SYSCALL_CLONE_20_X 223
719 #define EVT_SYSCALL_FORK_20_E 224
720 #define EVT_SYSCALL_FORK_20_X 225
721 #define EVT_SYSCALL_VFORK_20_E 226
722 #define EVT_SYSCALL_VFORK_20_X 227
723 #define EVT_CONTAINER_E 228
724 #define EVT_CONTAINER_X 229
725 #define EVT_SYSCALL_EXECVE_16_E 230
726 #define EVT_SYSCALL_EXECVE_16_X 231
727 #define EVT_SIGNALDELIVER_E 232
728 #define EVT_SIGNALDELIVER_X 233
729 #define EVT_PROCINFO_E 234
730 #define EVT_PROCINFO_X 235
731 #define EVT_SYSCALL_GETDENTS_E 236
732 #define EVT_SYSCALL_GETDENTS_X 237
733 #define EVT_SYSCALL_GETDENTS64_E 238
734 #define EVT_SYSCALL_GETDENTS64_X 239
735 #define EVT_SYSCALL_SETNS_E 240
736 #define EVT_SYSCALL_SETNS_X 241
737 #define EVT_SYSCALL_FLOCK_E 242
738 #define EVT_SYSCALL_FLOCK_X 243
739 #define EVT_CPU_HOTPLUG_E 244
740 #define EVT_CPU_HOTPLUG_X 245
741 #define EVT_SOCKET_ACCEPT_5_E 246
742 #define EVT_SOCKET_ACCEPT_5_X 247
743 #define EVT_SOCKET_ACCEPT4_5_E 248
744 #define EVT_SOCKET_ACCEPT4_5_X 249
745 #define EVT_SYSCALL_SEMOP_E 250
746 #define EVT_SYSCALL_SEMOP_X 251
747 #define EVT_SYSCALL_SEMCTL_E 252
748 #define EVT_SYSCALL_SEMCTL_X 253
749 #define EVT_SYSCALL_PPOLL_E 254
750 #define EVT_SYSCALL_PPOLL_X 255
751 #define EVT_SYSCALL_MOUNT_E 256
752 #define EVT_SYSCALL_MOUNT_X 257
753 #define EVT_SYSCALL_UMOUNT_E 258
754 #define EVT_SYSCALL_UMOUNT_X 259
755 #define EVT_K8S_E 260
756 #define EVT_K8S_X 261
757 #define EVT_SYSCALL_SEMGET_E 262
758 #define EVT_SYSCALL_SEMGET_X 263
759 #define EVT_SYSCALL_ACCESS_E 264
760 #define EVT_SYSCALL_ACCESS_X 265
761 #define EVT_SYSCALL_CHROOT_E 266
762 #define EVT_SYSCALL_CHROOT_X 267
763 #define EVT_TRACER_E 268
764 #define EVT_TRACER_X 269
765 #define EVT_MESOS_E 270
766 #define EVT_MESOS_X 271
767 #define EVT_CONTAINER_JSON_E 272
768 #define EVT_CONTAINER_JSON_X 273
769 #define EVT_SYSCALL_SETSID_E 274
770 #define EVT_SYSCALL_SETSID_X 275
771 #define EVT_SYSCALL_MKDIR_2_E 276
772 #define EVT_SYSCALL_MKDIR_2_X 277
773 #define EVT_SYSCALL_RMDIR_2_E 278
774 #define EVT_SYSCALL_RMDIR_2_X 279
775 #define EVT_NOTIFICATION_E 280
776 #define EVT_NOTIFICATION_X 281
777 #define EVT_SYSCALL_EXECVE_17_E 282
778 #define EVT_SYSCALL_EXECVE_17_X 283
779 #define EVT_SYSCALL_UNSHARE_E 284
780 #define EVT_SYSCALL_UNSHARE_X 285
781 #define EVT_INFRASTRUCTURE_EVENT_E 286
782 #define EVT_INFRASTRUCTURE_EVENT_X 287
783 #define EVT_SYSCALL_EXECVE_18_E 288
784 #define EVT_SYSCALL_EXECVE_18_X 289
785 #define EVT_PAGE_FAULT_E 290
786 #define EVT_PAGE_FAULT_X 291
787 #define EVT_SYSCALL_EXECVE_19_E 292
788 #define EVT_SYSCALL_EXECVE_19_X 293
789 #define EVT_SYSCALL_SETPGID_E 294
790 #define EVT_SYSCALL_SETPGID_X 295
791 #define EVT_SYSCALL_BPF_E 296
792 #define EVT_SYSCALL_BPF_X 297
793 #define EVT_SYSCALL_SECCOMP_E 298
794 #define EVT_SYSCALL_SECCOMP_X 299
795 #define EVT_SYSCALL_UNLINK_2_E 300
796 #define EVT_SYSCALL_UNLINK_2_X 301
797 #define EVT_SYSCALL_UNLINKAT_2_E 302
798 #define EVT_SYSCALL_UNLINKAT_2_X 303
799 #define EVT_SYSCALL_MKDIRAT_E 304
800 #define EVT_SYSCALL_MKDIRAT_X 305
801 #define EVT_SYSCALL_OPENAT_2_E 306
802 #define EVT_SYSCALL_OPENAT_2_X 307
803 #define EVT_SYSCALL_LINK_2_E 308
804 #define EVT_SYSCALL_LINK_2_X 309
805 #define EVT_SYSCALL_LINKAT_2_E 310
806 #define EVT_SYSCALL_LINKAT_2_X 311
807 #define EVT_SYSCALL_FCHMODAT_E 312
808 #define EVT_SYSCALL_FCHMODAT_X 313
809 #define EVT_SYSCALL_CHMOD_E 314
810 #define EVT_SYSCALL_CHMOD_X 315
811 #define EVT_SYSCALL_FCHMOD_E 316
812 #define EVT_SYSCALL_FCHMOD_X 317
813 #define EVT_SYSCALL_RENAMEAT2_E 318
814 #define EVT_SYSCALL_RENAMEAT2_X 319
815 #define EVT_SYSCALL_USERFAULTFD_E 320
816 #define EVT_SYSCALL_USERFAULTFD_X 321
817 #define EVT_PLUGINEVENT_E 322
818 #define EVT_PLUGINEVENT_X 323
819 #define EVT_CONTAINER_JSON_2_E 324
820 #define EVT_CONTAINER_JSON_2_X 325
821 #define EVT_SYSCALL_OPENAT2_E 326
822 #define EVT_SYSCALL_OPENAT2_X 327
823 #define EVT_SYSCALL_MPROTECT_E 328
824 #define EVT_SYSCALL_MPROTECT_X 329
825 #define EVT_SYSCALL_EXECVEAT_E 330
826 #define EVT_SYSCALL_EXECVEAT_X 331
827 #define EVT_SYSCALL_COPY_FILE_RANGE_E 332
828 #define EVT_SYSCALL_COPY_FILE_RANGE_X 333
829 #define EVT_SYSCALL_CLONE3_E 334
830 #define EVT_SYSCALL_CLONE3_X 335
831 #define EVT_SYSCALL_OPEN_BY_HANDLE_AT_E 336
832 #define EVT_SYSCALL_OPEN_BY_HANDLE_AT_X 337
833 #define EVT_SYSCALL_IO_URING_SETUP_E 338
834 #define EVT_SYSCALL_IO_URING_SETUP_X 339
835 #define EVT_SYSCALL_IO_URING_ENTER_E 340
836 #define EVT_SYSCALL_IO_URING_ENTER_X 341
837 #define EVT_SYSCALL_IO_URING_REGISTER_E 342
838 #define EVT_SYSCALL_IO_URING_REGISTER_X 343
839 #define EVT_SYSCALL_MLOCK_E 344
840 #define EVT_SYSCALL_MLOCK_X 345
841 #define EVT_SYSCALL_MUNLOCK_E 346
842 #define EVT_SYSCALL_MUNLOCK_X 347
843 #define EVT_SYSCALL_MLOCKALL_E 348
844 #define EVT_SYSCALL_MLOCKALL_X 349
845 #define EVT_SYSCALL_MUNLOCKALL_E 350
846 #define EVT_SYSCALL_MUNLOCKALL_X 351
847 #define EVT_SYSCALL_CAPSET_E 352
848 #define EVT_SYSCALL_CAPSET_X 353
849 #define EVT_USER_ADDED_E 354
850 #define EVT_USER_ADDED_X 355
851 #define EVT_USER_DELETED_E 356
852 #define EVT_USER_DELETED_X 357
853 #define EVT_GROUP_ADDED_E 358
854 #define EVT_GROUP_ADDED_X 359
855 #define EVT_GROUP_DELETED_E 360
856 #define EVT_GROUP_DELETED_X 361
857 #define EVT_SYSCALL_DUP2_E 362
858 #define EVT_SYSCALL_DUP2_X 363
859 #define EVT_SYSCALL_DUP3_E 364
860 #define EVT_SYSCALL_DUP3_X 365
861 #define EVT_SYSCALL_DUP_1_E 366
862 #define EVT_SYSCALL_DUP_1_X 367
863 #define EVT_SYSCALL_BPF_2_E 368
864 #define EVT_SYSCALL_BPF_2_X 369
865 #define EVT_SYSCALL_MLOCK2_E 370
866 #define EVT_SYSCALL_MLOCK2_X 371
867 #define EVT_SYSCALL_FSCONFIG_E 372
868 #define EVT_SYSCALL_FSCONFIG_X 373
869 #define EVT_SYSCALL_EPOLL_CREATE_E 374
870 #define EVT_SYSCALL_EPOLL_CREATE_X 375
871 #define EVT_SYSCALL_EPOLL_CREATE1_E 376
872 #define EVT_SYSCALL_EPOLL_CREATE1_X 377
873 #define EVT_SYSCALL_CHOWN_E 378
874 #define EVT_SYSCALL_CHOWN_X 379
875 #define EVT_SYSCALL_LCHOWN_E 380
876 #define EVT_SYSCALL_LCHOWN_X 381
877 #define EVT_SYSCALL_FCHOWN_E 382
878 #define EVT_SYSCALL_FCHOWN_X 383
879 #define EVT_SYSCALL_FCHOWNAT_E 384
880 #define EVT_SYSCALL_FCHOWNAT_X 385
881 #define EVT_SYSCALL_UMOUNT_1_E 386
882 #define EVT_SYSCALL_UMOUNT_1_X 387
883 #define EVT_SOCKET_ACCEPT4_6_E 388
884 #define EVT_SOCKET_ACCEPT4_6_X 389
885 #define EVT_SYSCALL_UMOUNT2_E 390
886 #define EVT_SYSCALL_UMOUNT2_X 391
887 #define EVT_SYSCALL_PIPE2_E 392
888 #define EVT_SYSCALL_PIPE2_X 393
889 #define EVT_SYSCALL_INOTIFY_INIT1_E 394
890 #define EVT_SYSCALL_INOTIFY_INIT1_X 395
891 #define EVT_SYSCALL_EVENTFD2_E 396
892 #define EVT_SYSCALL_EVENTFD2_X 397
893 #define EVT_SYSCALL_SIGNALFD4_E 398
894 #define EVT_SYSCALL_SIGNALFD4_X 399
895 #define EVT_SYSCALL_PRCTL_E 400
896 #define EVT_SYSCALL_PRCTL_X 401
897 #define EVT_ASYNCEVENT_E 402
898 #define EVT_ASYNCEVENT_X 403
899 #define EVT_SYSCALL_MEMFD_CREATE_E 404
900 #define EVT_SYSCALL_MEMFD_CREATE_X 405
901 #define EVT_SYSCALL_PIDFD_GETFD_E 406
902 #define EVT_SYSCALL_PIDFD_GETFD_X 407
903 #define EVT_SYSCALL_PIDFD_OPEN_E 408
904 #define EVT_SYSCALL_PIDFD_OPEN_X 409
905 #define EVT_SYSCALL_INIT_MODULE_E 410
906 #define EVT_SYSCALL_INIT_MODULE_X 411
907 #define EVT_SYSCALL_FINIT_MODULE_E 412
908 #define EVT_SYSCALL_FINIT_MODULE_X 413
909 #define EVT_SYSCALL_MKNOD_E 414
910 #define EVT_SYSCALL_MKNOD_X 415
911 #define EVT_SYSCALL_MKNODAT_E 416
912 #define EVT_SYSCALL_MKNODAT_X 417
913 #define EVT_SYSCALL_NEWFSTATAT_E 418
914 #define EVT_SYSCALL_NEWFSTATAT_X 419
915 #define EVT_SYSCALL_PROCESS_VM_READV_E 420
916 #define EVT_SYSCALL_PROCESS_VM_READV_X 421
917 #define EVT_SYSCALL_PROCESS_VM_WRITEV_E 422
918 #define EVT_SYSCALL_PROCESS_VM_WRITEV_X 423
919 #define EVT_SYSCALL_DELETE_MODULE_E 424
920 #define EVT_SYSCALL_DELETE_MODULE_X 425
921 #define EVT_SYSCALL_SETREUID_E 426
922 #define EVT_SYSCALL_SETREUID_X 427
923 #define EVT_SYSCALL_SETREGID_E 428
924 #define EVT_SYSCALL_SETREGID_X 429
925
926 static const value_string event_type_vals[] = {
927 /* Value strings. Automatically generated by tools/generate-sysdig-event.py */
928 { EVT_GENERIC_E, EVT_STR_SYSCALL },
929 { EVT_GENERIC_X, EVT_STR_SYSCALL },
930 { EVT_SYSCALL_OPEN_E, EVT_STR_OPEN },
931 { EVT_SYSCALL_OPEN_X, EVT_STR_OPEN },
932 { EVT_SYSCALL_CLOSE_E, EVT_STR_CLOSE },
933 { EVT_SYSCALL_CLOSE_X, EVT_STR_CLOSE },
934 { EVT_SYSCALL_READ_E, EVT_STR_READ },
935 { EVT_SYSCALL_READ_X, EVT_STR_READ },
936 { EVT_SYSCALL_WRITE_E, EVT_STR_WRITE },
937 { EVT_SYSCALL_WRITE_X, EVT_STR_WRITE },
938 { EVT_SYSCALL_BRK_1_E, EVT_STR_BRK },
939 { EVT_SYSCALL_BRK_1_X, EVT_STR_BRK },
940 { EVT_SYSCALL_EXECVE_8_E, EVT_STR_EXECVE },
941 { EVT_SYSCALL_EXECVE_8_X, EVT_STR_EXECVE },
942 { EVT_SYSCALL_CLONE_11_E, EVT_STR_CLONE },
943 { EVT_SYSCALL_CLONE_11_X, EVT_STR_CLONE },
944 { EVT_PROCEXIT_E, EVT_STR_PROCEXIT },
945 { EVT_PROCEXIT_X, EVT_STR_NA },
946 { EVT_SOCKET_SOCKET_E, EVT_STR_SOCKET },
947 { EVT_SOCKET_SOCKET_X, EVT_STR_SOCKET },
948 { EVT_SOCKET_BIND_E, EVT_STR_BIND },
949 { EVT_SOCKET_BIND_X, EVT_STR_BIND },
950 { EVT_SOCKET_CONNECT_E, EVT_STR_CONNECT },
951 { EVT_SOCKET_CONNECT_X, EVT_STR_CONNECT },
952 { EVT_SOCKET_LISTEN_E, EVT_STR_LISTEN },
953 { EVT_SOCKET_LISTEN_X, EVT_STR_LISTEN },
954 { EVT_SOCKET_ACCEPT_E, EVT_STR_ACCEPT },
955 { EVT_SOCKET_ACCEPT_X, EVT_STR_ACCEPT },
956 { EVT_SOCKET_SEND_E, EVT_STR_SEND },
957 { EVT_SOCKET_SEND_X, EVT_STR_SEND },
958 { EVT_SOCKET_SENDTO_E, EVT_STR_SENDTO },
959 { EVT_SOCKET_SENDTO_X, EVT_STR_SENDTO },
960 { EVT_SOCKET_RECV_E, EVT_STR_RECV },
961 { EVT_SOCKET_RECV_X, EVT_STR_RECV },
962 { EVT_SOCKET_RECVFROM_E, EVT_STR_RECVFROM },
963 { EVT_SOCKET_RECVFROM_X, EVT_STR_RECVFROM },
964 { EVT_SOCKET_SHUTDOWN_E, EVT_STR_SHUTDOWN },
965 { EVT_SOCKET_SHUTDOWN_X, EVT_STR_SHUTDOWN },
966 { EVT_SOCKET_GETSOCKNAME_E, EVT_STR_GETSOCKNAME },
967 { EVT_SOCKET_GETSOCKNAME_X, EVT_STR_GETSOCKNAME },
968 { EVT_SOCKET_GETPEERNAME_E, EVT_STR_GETPEERNAME },
969 { EVT_SOCKET_GETPEERNAME_X, EVT_STR_GETPEERNAME },
970 { EVT_SOCKET_SOCKETPAIR_E, EVT_STR_SOCKETPAIR },
971 { EVT_SOCKET_SOCKETPAIR_X, EVT_STR_SOCKETPAIR },
972 { EVT_SOCKET_SETSOCKOPT_E, EVT_STR_SETSOCKOPT },
973 { EVT_SOCKET_SETSOCKOPT_X, EVT_STR_SETSOCKOPT },
974 { EVT_SOCKET_GETSOCKOPT_E, EVT_STR_GETSOCKOPT },
975 { EVT_SOCKET_GETSOCKOPT_X, EVT_STR_GETSOCKOPT },
976 { EVT_SOCKET_SENDMSG_E, EVT_STR_SENDMSG },
977 { EVT_SOCKET_SENDMSG_X, EVT_STR_SENDMSG },
978 { EVT_SOCKET_SENDMMSG_E, EVT_STR_SENDMMSG },
979 { EVT_SOCKET_SENDMMSG_X, EVT_STR_SENDMMSG },
980 { EVT_SOCKET_RECVMSG_E, EVT_STR_RECVMSG },
981 { EVT_SOCKET_RECVMSG_X, EVT_STR_RECVMSG },
982 { EVT_SOCKET_RECVMMSG_E, EVT_STR_RECVMMSG },
983 { EVT_SOCKET_RECVMMSG_X, EVT_STR_RECVMMSG },
984 { EVT_SOCKET_ACCEPT4_E, EVT_STR_ACCEPT },
985 { EVT_SOCKET_ACCEPT4_X, EVT_STR_ACCEPT },
986 { EVT_SYSCALL_CREAT_E, EVT_STR_CREAT },
987 { EVT_SYSCALL_CREAT_X, EVT_STR_CREAT },
988 { EVT_SYSCALL_PIPE_E, EVT_STR_PIPE },
989 { EVT_SYSCALL_PIPE_X, EVT_STR_PIPE },
990 { EVT_SYSCALL_EVENTFD_E, EVT_STR_EVENTFD },
991 { EVT_SYSCALL_EVENTFD_X, EVT_STR_EVENTFD },
992 { EVT_SYSCALL_FUTEX_E, EVT_STR_FUTEX },
993 { EVT_SYSCALL_FUTEX_X, EVT_STR_FUTEX },
994 { EVT_SYSCALL_STAT_E, EVT_STR_STAT },
995 { EVT_SYSCALL_STAT_X, EVT_STR_STAT },
996 { EVT_SYSCALL_LSTAT_E, EVT_STR_LSTAT },
997 { EVT_SYSCALL_LSTAT_X, EVT_STR_LSTAT },
998 { EVT_SYSCALL_FSTAT_E, EVT_STR_FSTAT },
999 { EVT_SYSCALL_FSTAT_X, EVT_STR_FSTAT },
1000 { EVT_SYSCALL_STAT64_E, EVT_STR_STAT64 },
1001 { EVT_SYSCALL_STAT64_X, EVT_STR_STAT64 },
1002 { EVT_SYSCALL_LSTAT64_E, EVT_STR_LSTAT64 },
1003 { EVT_SYSCALL_LSTAT64_X, EVT_STR_LSTAT64 },
1004 { EVT_SYSCALL_FSTAT64_E, EVT_STR_FSTAT64 },
1005 { EVT_SYSCALL_FSTAT64_X, EVT_STR_FSTAT64 },
1006 { EVT_SYSCALL_EPOLLWAIT_E, EVT_STR_EPOLL_WAIT },
1007 { EVT_SYSCALL_EPOLLWAIT_X, EVT_STR_EPOLL_WAIT },
1008 { EVT_SYSCALL_POLL_E, EVT_STR_POLL },
1009 { EVT_SYSCALL_POLL_X, EVT_STR_POLL },
1010 { EVT_SYSCALL_SELECT_E, EVT_STR_SELECT },
1011 { EVT_SYSCALL_SELECT_X, EVT_STR_SELECT },
1012 { EVT_SYSCALL_NEWSELECT_E, EVT_STR_SELECT },
1013 { EVT_SYSCALL_NEWSELECT_X, EVT_STR_SELECT },
1014 { EVT_SYSCALL_LSEEK_E, EVT_STR_LSEEK },
1015 { EVT_SYSCALL_LSEEK_X, EVT_STR_LSEEK },
1016 { EVT_SYSCALL_LLSEEK_E, EVT_STR_LLSEEK },
1017 { EVT_SYSCALL_LLSEEK_X, EVT_STR_LLSEEK },
1018 { EVT_SYSCALL_IOCTL_2_E, EVT_STR_IOCTL },
1019 { EVT_SYSCALL_IOCTL_2_X, EVT_STR_IOCTL },
1020 { EVT_SYSCALL_GETCWD_E, EVT_STR_GETCWD },
1021 { EVT_SYSCALL_GETCWD_X, EVT_STR_GETCWD },
1022 { EVT_SYSCALL_CHDIR_E, EVT_STR_CHDIR },
1023 { EVT_SYSCALL_CHDIR_X, EVT_STR_CHDIR },
1024 { EVT_SYSCALL_FCHDIR_E, EVT_STR_FCHDIR },
1025 { EVT_SYSCALL_FCHDIR_X, EVT_STR_FCHDIR },
1026 { EVT_SYSCALL_MKDIR_E, EVT_STR_MKDIR },
1027 { EVT_SYSCALL_MKDIR_X, EVT_STR_MKDIR },
1028 { EVT_SYSCALL_RMDIR_E, EVT_STR_RMDIR },
1029 { EVT_SYSCALL_RMDIR_X, EVT_STR_RMDIR },
1030 { EVT_SYSCALL_OPENAT_E, EVT_STR_OPENAT },
1031 { EVT_SYSCALL_OPENAT_X, EVT_STR_OPENAT },
1032 { EVT_SYSCALL_LINK_E, EVT_STR_LINK },
1033 { EVT_SYSCALL_LINK_X, EVT_STR_LINK },
1034 { EVT_SYSCALL_LINKAT_E, EVT_STR_LINKAT },
1035 { EVT_SYSCALL_LINKAT_X, EVT_STR_LINKAT },
1036 { EVT_SYSCALL_UNLINK_E, EVT_STR_UNLINK },
1037 { EVT_SYSCALL_UNLINK_X, EVT_STR_UNLINK },
1038 { EVT_SYSCALL_UNLINKAT_E, EVT_STR_UNLINKAT },
1039 { EVT_SYSCALL_UNLINKAT_X, EVT_STR_UNLINKAT },
1040 { EVT_SYSCALL_PREAD_E, EVT_STR_PREAD },
1041 { EVT_SYSCALL_PREAD_X, EVT_STR_PREAD },
1042 { EVT_SYSCALL_PWRITE_E, EVT_STR_PWRITE },
1043 { EVT_SYSCALL_PWRITE_X, EVT_STR_PWRITE },
1044 { EVT_SYSCALL_READV_E, EVT_STR_READV },
1045 { EVT_SYSCALL_READV_X, EVT_STR_READV },
1046 { EVT_SYSCALL_WRITEV_E, EVT_STR_WRITEV },
1047 { EVT_SYSCALL_WRITEV_X, EVT_STR_WRITEV },
1048 { EVT_SYSCALL_PREADV_E, EVT_STR_PREADV },
1049 { EVT_SYSCALL_PREADV_X, EVT_STR_PREADV },
1050 { EVT_SYSCALL_PWRITEV_E, EVT_STR_PWRITEV },
1051 { EVT_SYSCALL_PWRITEV_X, EVT_STR_PWRITEV },
1052 { EVT_SYSCALL_DUP_E, EVT_STR_DUP },
1053 { EVT_SYSCALL_DUP_X, EVT_STR_DUP },
1054 { EVT_SYSCALL_SIGNALFD_E, EVT_STR_SIGNALFD },
1055 { EVT_SYSCALL_SIGNALFD_X, EVT_STR_SIGNALFD },
1056 { EVT_SYSCALL_KILL_E, EVT_STR_KILL },
1057 { EVT_SYSCALL_KILL_X, EVT_STR_KILL },
1058 { EVT_SYSCALL_TKILL_E, EVT_STR_TKILL },
1059 { EVT_SYSCALL_TKILL_X, EVT_STR_TKILL },
1060 { EVT_SYSCALL_TGKILL_E, EVT_STR_TGKILL },
1061 { EVT_SYSCALL_TGKILL_X, EVT_STR_TGKILL },
1062 { EVT_SYSCALL_NANOSLEEP_E, EVT_STR_NANOSLEEP },
1063 { EVT_SYSCALL_NANOSLEEP_X, EVT_STR_NANOSLEEP },
1064 { EVT_SYSCALL_TIMERFD_CREATE_E, EVT_STR_TIMERFD_CREATE },
1065 { EVT_SYSCALL_TIMERFD_CREATE_X, EVT_STR_TIMERFD_CREATE },
1066 { EVT_SYSCALL_INOTIFY_INIT_E, EVT_STR_INOTIFY_INIT },
1067 { EVT_SYSCALL_INOTIFY_INIT_X, EVT_STR_INOTIFY_INIT },
1068 { EVT_SYSCALL_GETRLIMIT_E, EVT_STR_GETRLIMIT },
1069 { EVT_SYSCALL_GETRLIMIT_X, EVT_STR_GETRLIMIT },
1070 { EVT_SYSCALL_SETRLIMIT_E, EVT_STR_SETRLIMIT },
1071 { EVT_SYSCALL_SETRLIMIT_X, EVT_STR_SETRLIMIT },
1072 { EVT_SYSCALL_PRLIMIT_E, EVT_STR_PRLIMIT },
1073 { EVT_SYSCALL_PRLIMIT_X, EVT_STR_PRLIMIT },
1074 { EVT_SCHEDSWITCH_1_E, EVT_STR_SWITCH },
1075 { EVT_SCHEDSWITCH_1_X, EVT_STR_NA },
1076 { EVT_DROP_E, EVT_STR_DROP },
1077 { EVT_DROP_X, EVT_STR_DROP },
1078 { EVT_SYSCALL_FCNTL_E, EVT_STR_FCNTL },
1079 { EVT_SYSCALL_FCNTL_X, EVT_STR_FCNTL },
1080 { EVT_SCHEDSWITCH_6_E, EVT_STR_SWITCH },
1081 { EVT_SCHEDSWITCH_6_X, EVT_STR_NA },
1082 { EVT_SYSCALL_EXECVE_13_E, EVT_STR_EXECVE },
1083 { EVT_SYSCALL_EXECVE_13_X, EVT_STR_EXECVE },
1084 { EVT_SYSCALL_CLONE_16_E, EVT_STR_CLONE },
1085 { EVT_SYSCALL_CLONE_16_X, EVT_STR_CLONE },
1086 { EVT_SYSCALL_BRK_4_E, EVT_STR_BRK },
1087 { EVT_SYSCALL_BRK_4_X, EVT_STR_BRK },
1088 { EVT_SYSCALL_MMAP_E, EVT_STR_MMAP },
1089 { EVT_SYSCALL_MMAP_X, EVT_STR_MMAP },
1090 { EVT_SYSCALL_MMAP2_E, EVT_STR_MMAP2 },
1091 { EVT_SYSCALL_MMAP2_X, EVT_STR_MMAP2 },
1092 { EVT_SYSCALL_MUNMAP_E, EVT_STR_MUNMAP },
1093 { EVT_SYSCALL_MUNMAP_X, EVT_STR_MUNMAP },
1094 { EVT_SYSCALL_SPLICE_E, EVT_STR_SPLICE },
1095 { EVT_SYSCALL_SPLICE_X, EVT_STR_SPLICE },
1096 { EVT_SYSCALL_PTRACE_E, EVT_STR_PTRACE },
1097 { EVT_SYSCALL_PTRACE_X, EVT_STR_PTRACE },
1098 { EVT_SYSCALL_IOCTL_3_E, EVT_STR_IOCTL },
1099 { EVT_SYSCALL_IOCTL_3_X, EVT_STR_IOCTL },
1100 { EVT_SYSCALL_EXECVE_14_E, EVT_STR_EXECVE },
1101 { EVT_SYSCALL_EXECVE_14_X, EVT_STR_EXECVE },
1102 { EVT_SYSCALL_RENAME_E, EVT_STR_RENAME },
1103 { EVT_SYSCALL_RENAME_X, EVT_STR_RENAME },
1104 { EVT_SYSCALL_RENAMEAT_E, EVT_STR_RENAMEAT },
1105 { EVT_SYSCALL_RENAMEAT_X, EVT_STR_RENAMEAT },
1106 { EVT_SYSCALL_SYMLINK_E, EVT_STR_SYMLINK },
1107 { EVT_SYSCALL_SYMLINK_X, EVT_STR_SYMLINK },
1108 { EVT_SYSCALL_SYMLINKAT_E, EVT_STR_SYMLINKAT },
1109 { EVT_SYSCALL_SYMLINKAT_X, EVT_STR_SYMLINKAT },
1110 { EVT_SYSCALL_FORK_E, EVT_STR_FORK },
1111 { EVT_SYSCALL_FORK_X, EVT_STR_FORK },
1112 { EVT_SYSCALL_VFORK_E, EVT_STR_VFORK },
1113 { EVT_SYSCALL_VFORK_X, EVT_STR_VFORK },
1114 { EVT_PROCEXIT_1_E, EVT_STR_PROCEXIT },
1115 { EVT_PROCEXIT_1_X, EVT_STR_NA },
1116 { EVT_SYSCALL_SENDFILE_E, EVT_STR_SENDFILE },
1117 { EVT_SYSCALL_SENDFILE_X, EVT_STR_SENDFILE },
1118 { EVT_SYSCALL_QUOTACTL_E, EVT_STR_QUOTACTL },
1119 { EVT_SYSCALL_QUOTACTL_X, EVT_STR_QUOTACTL },
1120 { EVT_SYSCALL_SETRESUID_E, EVT_STR_SETRESUID },
1121 { EVT_SYSCALL_SETRESUID_X, EVT_STR_SETRESUID },
1122 { EVT_SYSCALL_SETRESGID_E, EVT_STR_SETRESGID },
1123 { EVT_SYSCALL_SETRESGID_X, EVT_STR_SETRESGID },
1124 { EVT_SCAPEVENT_E, EVT_STR_SCAPEVENT },
1125 { EVT_SCAPEVENT_X, EVT_STR_SCAPEVENT },
1126 { EVT_SYSCALL_SETUID_E, EVT_STR_SETUID },
1127 { EVT_SYSCALL_SETUID_X, EVT_STR_SETUID },
1128 { EVT_SYSCALL_SETGID_E, EVT_STR_SETGID },
1129 { EVT_SYSCALL_SETGID_X, EVT_STR_SETGID },
1130 { EVT_SYSCALL_GETUID_E, EVT_STR_GETUID },
1131 { EVT_SYSCALL_GETUID_X, EVT_STR_GETUID },
1132 { EVT_SYSCALL_GETEUID_E, EVT_STR_GETEUID },
1133 { EVT_SYSCALL_GETEUID_X, EVT_STR_GETEUID },
1134 { EVT_SYSCALL_GETGID_E, EVT_STR_GETGID },
1135 { EVT_SYSCALL_GETGID_X, EVT_STR_GETGID },
1136 { EVT_SYSCALL_GETEGID_E, EVT_STR_GETEGID },
1137 { EVT_SYSCALL_GETEGID_X, EVT_STR_GETEGID },
1138 { EVT_SYSCALL_GETRESUID_E, EVT_STR_GETRESUID },
1139 { EVT_SYSCALL_GETRESUID_X, EVT_STR_GETRESUID },
1140 { EVT_SYSCALL_GETRESGID_E, EVT_STR_GETRESGID },
1141 { EVT_SYSCALL_GETRESGID_X, EVT_STR_GETRESGID },
1142 { EVT_SYSCALL_EXECVE_15_E, EVT_STR_EXECVE },
1143 { EVT_SYSCALL_EXECVE_15_X, EVT_STR_EXECVE },
1144 { EVT_SYSCALL_CLONE_17_E, EVT_STR_CLONE },
1145 { EVT_SYSCALL_CLONE_17_X, EVT_STR_CLONE },
1146 { EVT_SYSCALL_FORK_17_E, EVT_STR_FORK },
1147 { EVT_SYSCALL_FORK_17_X, EVT_STR_FORK },
1148 { EVT_SYSCALL_VFORK_17_E, EVT_STR_VFORK },
1149 { EVT_SYSCALL_VFORK_17_X, EVT_STR_VFORK },
1150 { EVT_SYSCALL_CLONE_20_E, EVT_STR_CLONE },
1151 { EVT_SYSCALL_CLONE_20_X, EVT_STR_CLONE },
1152 { EVT_SYSCALL_FORK_20_E, EVT_STR_FORK },
1153 { EVT_SYSCALL_FORK_20_X, EVT_STR_FORK },
1154 { EVT_SYSCALL_VFORK_20_E, EVT_STR_VFORK },
1155 { EVT_SYSCALL_VFORK_20_X, EVT_STR_VFORK },
1156 { EVT_CONTAINER_E, EVT_STR_CONTAINER },
1157 { EVT_CONTAINER_X, EVT_STR_NA },
1158 { EVT_SYSCALL_EXECVE_16_E, EVT_STR_EXECVE },
1159 { EVT_SYSCALL_EXECVE_16_X, EVT_STR_EXECVE },
1160 { EVT_SIGNALDELIVER_E, EVT_STR_SIGNALDELIVER },
1161 { EVT_SIGNALDELIVER_X, EVT_STR_NA },
1162 { EVT_PROCINFO_E, EVT_STR_PROCINFO },
1163 { EVT_PROCINFO_X, EVT_STR_NA },
1164 { EVT_SYSCALL_GETDENTS_E, EVT_STR_GETDENTS },
1165 { EVT_SYSCALL_GETDENTS_X, EVT_STR_GETDENTS },
1166 { EVT_SYSCALL_GETDENTS64_E, EVT_STR_GETDENTS64 },
1167 { EVT_SYSCALL_GETDENTS64_X, EVT_STR_GETDENTS64 },
1168 { EVT_SYSCALL_SETNS_E, EVT_STR_SETNS },
1169 { EVT_SYSCALL_SETNS_X, EVT_STR_SETNS },
1170 { EVT_SYSCALL_FLOCK_E, EVT_STR_FLOCK },
1171 { EVT_SYSCALL_FLOCK_X, EVT_STR_FLOCK },
1172 { EVT_CPU_HOTPLUG_E, EVT_STR_CPU_HOTPLUG },
1173 { EVT_CPU_HOTPLUG_X, EVT_STR_NA },
1174 { EVT_SOCKET_ACCEPT_5_E, EVT_STR_ACCEPT },
1175 { EVT_SOCKET_ACCEPT_5_X, EVT_STR_ACCEPT },
1176 { EVT_SOCKET_ACCEPT4_5_E, EVT_STR_ACCEPT },
1177 { EVT_SOCKET_ACCEPT4_5_X, EVT_STR_ACCEPT },
1178 { EVT_SYSCALL_SEMOP_E, EVT_STR_SEMOP },
1179 { EVT_SYSCALL_SEMOP_X, EVT_STR_SEMOP },
1180 { EVT_SYSCALL_SEMCTL_E, EVT_STR_SEMCTL },
1181 { EVT_SYSCALL_SEMCTL_X, EVT_STR_SEMCTL },
1182 { EVT_SYSCALL_PPOLL_E, EVT_STR_PPOLL },
1183 { EVT_SYSCALL_PPOLL_X, EVT_STR_PPOLL },
1184 { EVT_SYSCALL_MOUNT_E, EVT_STR_MOUNT },
1185 { EVT_SYSCALL_MOUNT_X, EVT_STR_MOUNT },
1186 { EVT_SYSCALL_UMOUNT_E, EVT_STR_UMOUNT },
1187 { EVT_SYSCALL_UMOUNT_X, EVT_STR_UMOUNT },
1188 { EVT_K8S_E, EVT_STR_K8S },
1189 { EVT_K8S_X, EVT_STR_NA },
1190 { EVT_SYSCALL_SEMGET_E, EVT_STR_SEMGET },
1191 { EVT_SYSCALL_SEMGET_X, EVT_STR_SEMGET },
1192 { EVT_SYSCALL_ACCESS_E, EVT_STR_ACCESS },
1193 { EVT_SYSCALL_ACCESS_X, EVT_STR_ACCESS },
1194 { EVT_SYSCALL_CHROOT_E, EVT_STR_CHROOT },
1195 { EVT_SYSCALL_CHROOT_X, EVT_STR_CHROOT },
1196 { EVT_TRACER_E, EVT_STR_TRACER },
1197 { EVT_TRACER_X, EVT_STR_TRACER },
1198 { EVT_MESOS_E, EVT_STR_MESOS },
1199 { EVT_MESOS_X, EVT_STR_NA },
1200 { EVT_CONTAINER_JSON_E, EVT_STR_CONTAINER },
1201 { EVT_CONTAINER_JSON_X, EVT_STR_NA },
1202 { EVT_SYSCALL_SETSID_E, EVT_STR_SETSID },
1203 { EVT_SYSCALL_SETSID_X, EVT_STR_SETSID },
1204 { EVT_SYSCALL_MKDIR_2_E, EVT_STR_MKDIR },
1205 { EVT_SYSCALL_MKDIR_2_X, EVT_STR_MKDIR },
1206 { EVT_SYSCALL_RMDIR_2_E, EVT_STR_RMDIR },
1207 { EVT_SYSCALL_RMDIR_2_X, EVT_STR_RMDIR },
1208 { EVT_NOTIFICATION_E, EVT_STR_NOTIFICATION },
1209 { EVT_NOTIFICATION_X, EVT_STR_NA },
1210 { EVT_SYSCALL_EXECVE_17_E, EVT_STR_EXECVE },
1211 { EVT_SYSCALL_EXECVE_17_X, EVT_STR_EXECVE },
1212 { EVT_SYSCALL_UNSHARE_E, EVT_STR_UNSHARE },
1213 { EVT_SYSCALL_UNSHARE_X, EVT_STR_UNSHARE },
1214 { EVT_INFRASTRUCTURE_EVENT_E, EVT_STR_INFRA },
1215 { EVT_INFRASTRUCTURE_EVENT_X, EVT_STR_NA },
1216 { EVT_SYSCALL_EXECVE_18_E, EVT_STR_EXECVE },
1217 { EVT_SYSCALL_EXECVE_18_X, EVT_STR_EXECVE },
1218 { EVT_PAGE_FAULT_E, EVT_STR_PAGE_FAULT },
1219 { EVT_PAGE_FAULT_X, EVT_STR_NA },
1220 { EVT_SYSCALL_EXECVE_19_E, EVT_STR_EXECVE },
1221 { EVT_SYSCALL_EXECVE_19_X, EVT_STR_EXECVE },
1222 { EVT_SYSCALL_SETPGID_E, EVT_STR_SETPGID },
1223 { EVT_SYSCALL_SETPGID_X, EVT_STR_SETPGID },
1224 { EVT_SYSCALL_BPF_E, EVT_STR_BPF },
1225 { EVT_SYSCALL_BPF_X, EVT_STR_BPF },
1226 { EVT_SYSCALL_SECCOMP_E, EVT_STR_SECCOMP },
1227 { EVT_SYSCALL_SECCOMP_X, EVT_STR_SECCOMP },
1228 { EVT_SYSCALL_UNLINK_2_E, EVT_STR_UNLINK },
1229 { EVT_SYSCALL_UNLINK_2_X, EVT_STR_UNLINK },
1230 { EVT_SYSCALL_UNLINKAT_2_E, EVT_STR_UNLINKAT },
1231 { EVT_SYSCALL_UNLINKAT_2_X, EVT_STR_UNLINKAT },
1232 { EVT_SYSCALL_MKDIRAT_E, EVT_STR_MKDIRAT },
1233 { EVT_SYSCALL_MKDIRAT_X, EVT_STR_MKDIRAT },
1234 { EVT_SYSCALL_OPENAT_2_E, EVT_STR_OPENAT },
1235 { EVT_SYSCALL_OPENAT_2_X, EVT_STR_OPENAT },
1236 { EVT_SYSCALL_LINK_2_E, EVT_STR_LINK },
1237 { EVT_SYSCALL_LINK_2_X, EVT_STR_LINK },
1238 { EVT_SYSCALL_LINKAT_2_E, EVT_STR_LINKAT },
1239 { EVT_SYSCALL_LINKAT_2_X, EVT_STR_LINKAT },
1240 { EVT_SYSCALL_FCHMODAT_E, EVT_STR_FCHMODAT },
1241 { EVT_SYSCALL_FCHMODAT_X, EVT_STR_FCHMODAT },
1242 { EVT_SYSCALL_CHMOD_E, EVT_STR_CHMOD },
1243 { EVT_SYSCALL_CHMOD_X, EVT_STR_CHMOD },
1244 { EVT_SYSCALL_FCHMOD_E, EVT_STR_FCHMOD },
1245 { EVT_SYSCALL_FCHMOD_X, EVT_STR_FCHMOD },
1246 { EVT_SYSCALL_RENAMEAT2_E, EVT_STR_RENAMEAT2 },
1247 { EVT_SYSCALL_RENAMEAT2_X, EVT_STR_RENAMEAT2 },
1248 { EVT_SYSCALL_USERFAULTFD_E, EVT_STR_USERFAULTFD },
1249 { EVT_SYSCALL_USERFAULTFD_X, EVT_STR_USERFAULTFD },
1250 { EVT_PLUGINEVENT_E, EVT_STR_PLUGINEVENT },
1251 { EVT_PLUGINEVENT_X, EVT_STR_NA },
1252 { EVT_CONTAINER_JSON_2_E, EVT_STR_CONTAINER },
1253 { EVT_CONTAINER_JSON_2_X, EVT_STR_NA },
1254 { EVT_SYSCALL_OPENAT2_E, EVT_STR_OPENAT2 },
1255 { EVT_SYSCALL_OPENAT2_X, EVT_STR_OPENAT2 },
1256 { EVT_SYSCALL_MPROTECT_E, EVT_STR_MPROTECT },
1257 { EVT_SYSCALL_MPROTECT_X, EVT_STR_MPROTECT },
1258 { EVT_SYSCALL_EXECVEAT_E, EVT_STR_EXECVEAT },
1259 { EVT_SYSCALL_EXECVEAT_X, EVT_STR_EXECVEAT },
1260 { EVT_SYSCALL_COPY_FILE_RANGE_E, EVT_STR_COPY_FILE_RANGE },
1261 { EVT_SYSCALL_COPY_FILE_RANGE_X, EVT_STR_COPY_FILE_RANGE },
1262 { EVT_SYSCALL_CLONE3_E, EVT_STR_CLONE3 },
1263 { EVT_SYSCALL_CLONE3_X, EVT_STR_CLONE3 },
1264 { EVT_SYSCALL_OPEN_BY_HANDLE_AT_E, EVT_STR_OPEN_BY_HANDLE_AT },
1265 { EVT_SYSCALL_OPEN_BY_HANDLE_AT_X, EVT_STR_OPEN_BY_HANDLE_AT },
1266 { EVT_SYSCALL_IO_URING_SETUP_E, EVT_STR_IO_URING_SETUP },
1267 { EVT_SYSCALL_IO_URING_SETUP_X, EVT_STR_IO_URING_SETUP },
1268 { EVT_SYSCALL_IO_URING_ENTER_E, EVT_STR_IO_URING_ENTER },
1269 { EVT_SYSCALL_IO_URING_ENTER_X, EVT_STR_IO_URING_ENTER },
1270 { EVT_SYSCALL_IO_URING_REGISTER_E, EVT_STR_IO_URING_REGISTER },
1271 { EVT_SYSCALL_IO_URING_REGISTER_X, EVT_STR_IO_URING_REGISTER },
1272 { EVT_SYSCALL_MLOCK_E, EVT_STR_MLOCK },
1273 { EVT_SYSCALL_MLOCK_X, EVT_STR_MLOCK },
1274 { EVT_SYSCALL_MUNLOCK_E, EVT_STR_MUNLOCK },
1275 { EVT_SYSCALL_MUNLOCK_X, EVT_STR_MUNLOCK },
1276 { EVT_SYSCALL_MLOCKALL_E, EVT_STR_MLOCKALL },
1277 { EVT_SYSCALL_MLOCKALL_X, EVT_STR_MLOCKALL },
1278 { EVT_SYSCALL_MUNLOCKALL_E, EVT_STR_MUNLOCKALL },
1279 { EVT_SYSCALL_MUNLOCKALL_X, EVT_STR_MUNLOCKALL },
1280 { EVT_SYSCALL_CAPSET_E, EVT_STR_CAPSET },
1281 { EVT_SYSCALL_CAPSET_X, EVT_STR_CAPSET },
1282 { EVT_USER_ADDED_E, EVT_STR_USERADDED },
1283 { EVT_USER_ADDED_X, EVT_STR_NA },
1284 { EVT_USER_DELETED_E, EVT_STR_USERDELETED },
1285 { EVT_USER_DELETED_X, EVT_STR_NA },
1286 { EVT_GROUP_ADDED_E, EVT_STR_GROUPADDED },
1287 { EVT_GROUP_ADDED_X, EVT_STR_NA },
1288 { EVT_GROUP_DELETED_E, EVT_STR_GROUPDELETED },
1289 { EVT_GROUP_DELETED_X, EVT_STR_NA },
1290 { EVT_SYSCALL_DUP2_E, EVT_STR_DUP2 },
1291 { EVT_SYSCALL_DUP2_X, EVT_STR_DUP2 },
1292 { EVT_SYSCALL_DUP3_E, EVT_STR_DUP3 },
1293 { EVT_SYSCALL_DUP3_X, EVT_STR_DUP3 },
1294 { EVT_SYSCALL_DUP_1_E, EVT_STR_DUP },
1295 { EVT_SYSCALL_DUP_1_X, EVT_STR_DUP },
1296 { EVT_SYSCALL_BPF_2_E, EVT_STR_BPF },
1297 { EVT_SYSCALL_BPF_2_X, EVT_STR_BPF },
1298 { EVT_SYSCALL_MLOCK2_E, EVT_STR_MLOCK2 },
1299 { EVT_SYSCALL_MLOCK2_X, EVT_STR_MLOCK2 },
1300 { EVT_SYSCALL_FSCONFIG_E, EVT_STR_FSCONFIG },
1301 { EVT_SYSCALL_FSCONFIG_X, EVT_STR_FSCONFIG },
1302 { EVT_SYSCALL_EPOLL_CREATE_E, EVT_STR_EPOLL_CREATE },
1303 { EVT_SYSCALL_EPOLL_CREATE_X, EVT_STR_EPOLL_CREATE },
1304 { EVT_SYSCALL_EPOLL_CREATE1_E, EVT_STR_EPOLL_CREATE1 },
1305 { EVT_SYSCALL_EPOLL_CREATE1_X, EVT_STR_EPOLL_CREATE1 },
1306 { EVT_SYSCALL_CHOWN_E, EVT_STR_CHOWN },
1307 { EVT_SYSCALL_CHOWN_X, EVT_STR_CHOWN },
1308 { EVT_SYSCALL_LCHOWN_E, EVT_STR_LCHOWN },
1309 { EVT_SYSCALL_LCHOWN_X, EVT_STR_LCHOWN },
1310 { EVT_SYSCALL_FCHOWN_E, EVT_STR_FCHOWN },
1311 { EVT_SYSCALL_FCHOWN_X, EVT_STR_FCHOWN },
1312 { EVT_SYSCALL_FCHOWNAT_E, EVT_STR_FCHOWNAT },
1313 { EVT_SYSCALL_FCHOWNAT_X, EVT_STR_FCHOWNAT },
1314 { EVT_SYSCALL_UMOUNT_1_E, EVT_STR_UMOUNT },
1315 { EVT_SYSCALL_UMOUNT_1_X, EVT_STR_UMOUNT },
1316 { EVT_SOCKET_ACCEPT4_6_E, EVT_STR_ACCEPT4 },
1317 { EVT_SOCKET_ACCEPT4_6_X, EVT_STR_ACCEPT4 },
1318 { EVT_SYSCALL_UMOUNT2_E, EVT_STR_UMOUNT2 },
1319 { EVT_SYSCALL_UMOUNT2_X, EVT_STR_UMOUNT2 },
1320 { EVT_SYSCALL_PIPE2_E, EVT_STR_PIPE2 },
1321 { EVT_SYSCALL_PIPE2_X, EVT_STR_PIPE2 },
1322 { EVT_SYSCALL_INOTIFY_INIT1_E, EVT_STR_INOTIFY_INIT1 },
1323 { EVT_SYSCALL_INOTIFY_INIT1_X, EVT_STR_INOTIFY_INIT1 },
1324 { EVT_SYSCALL_EVENTFD2_E, EVT_STR_EVENTFD2 },
1325 { EVT_SYSCALL_EVENTFD2_X, EVT_STR_EVENTFD2 },
1326 { EVT_SYSCALL_SIGNALFD4_E, EVT_STR_SIGNALFD4 },
1327 { EVT_SYSCALL_SIGNALFD4_X, EVT_STR_SIGNALFD4 },
1328 { EVT_SYSCALL_PRCTL_E, EVT_STR_PRCTL },
1329 { EVT_SYSCALL_PRCTL_X, EVT_STR_PRCTL },
1330 { EVT_ASYNCEVENT_E, EVT_STR_ASYNCEVENT },
1331 { EVT_ASYNCEVENT_X, EVT_STR_NA },
1332 { EVT_SYSCALL_MEMFD_CREATE_E, EVT_STR_MEMFD_CREATE },
1333 { EVT_SYSCALL_MEMFD_CREATE_X, EVT_STR_MEMFD_CREATE },
1334 { EVT_SYSCALL_PIDFD_GETFD_E, EVT_STR_PIDFD_GETFD },
1335 { EVT_SYSCALL_PIDFD_GETFD_X, EVT_STR_PIDFD_GETFD },
1336 { EVT_SYSCALL_PIDFD_OPEN_E, EVT_STR_PIDFD_OPEN },
1337 { EVT_SYSCALL_PIDFD_OPEN_X, EVT_STR_PIDFD_OPEN },
1338 { EVT_SYSCALL_INIT_MODULE_E, EVT_STR_INIT_MODULE },
1339 { EVT_SYSCALL_INIT_MODULE_X, EVT_STR_INIT_MODULE },
1340 { EVT_SYSCALL_FINIT_MODULE_E, EVT_STR_FINIT_MODULE },
1341 { EVT_SYSCALL_FINIT_MODULE_X, EVT_STR_FINIT_MODULE },
1342 { EVT_SYSCALL_MKNOD_E, EVT_STR_MKNOD },
1343 { EVT_SYSCALL_MKNOD_X, EVT_STR_MKNOD },
1344 { EVT_SYSCALL_MKNODAT_E, EVT_STR_MKNODAT },
1345 { EVT_SYSCALL_MKNODAT_X, EVT_STR_MKNODAT },
1346 { EVT_SYSCALL_NEWFSTATAT_E, EVT_STR_NEWFSTATAT },
1347 { EVT_SYSCALL_NEWFSTATAT_X, EVT_STR_NEWFSTATAT },
1348 { EVT_SYSCALL_PROCESS_VM_READV_E, EVT_STR_PROCESS_VM_READV },
1349 { EVT_SYSCALL_PROCESS_VM_READV_X, EVT_STR_PROCESS_VM_READV },
1350 { EVT_SYSCALL_PROCESS_VM_WRITEV_E, EVT_STR_PROCESS_VM_WRITEV },
1351 { EVT_SYSCALL_PROCESS_VM_WRITEV_X, EVT_STR_PROCESS_VM_WRITEV },
1352 { EVT_SYSCALL_DELETE_MODULE_E, EVT_STR_DELETE_MODULE },
1353 { EVT_SYSCALL_DELETE_MODULE_X, EVT_STR_DELETE_MODULE },
1354 { EVT_SYSCALL_SETREUID_E, EVT_STR_SETREUID },
1355 { EVT_SYSCALL_SETREUID_X, EVT_STR_SETREUID },
1356 { EVT_SYSCALL_SETREGID_E, EVT_STR_SETREGID },
1357 { EVT_SYSCALL_SETREGID_X, EVT_STR_SETREGID },
1358
1359 {0, NULL }
1360 };
1361
1362 /*
1363 * "Interesting" parameters, which are appended to COL_INFO.
1364 * Manually generated for now.
1365 */
1366 struct _event_col_info_param {
1367 const int param_num;
1368 const char *param_name;
1369 enum ftenum param_ftype;
1370 };
1371
1372 static const struct _event_col_info_param open_x_params[] = {
1373 { 0, "fd", FT_UINT64 },
1374 { 1, "name", FT_STRING },
1375 { 0, NULL, FT_NONE }
1376 };
1377
1378 static const struct _event_col_info_param close_e_params[] = {
1379 { 0, "fd", FT_UINT64 },
1380 { 0, NULL, FT_NONE }
1381 };
1382
1383 static const struct _event_col_info_param read_e_params[] = {
1384 { 0, "fd", FT_UINT64 },
1385 { 0, NULL, FT_NONE }
1386 };
1387
1388 static const struct _event_col_info_param write_e_params[] = {
1389 { 0, "fd", FT_UINT64 },
1390 { 0, NULL, FT_NONE }
1391 };
1392
1393 static const struct _event_col_info_param execve_15_x_params[] = {
1394 { 1, "exe", FT_STRING },
1395 { 2, "args", FT_STRING },
1396 { 0, NULL, FT_NONE }
1397 };
1398
1399 struct _event_col_info {
1400 const unsigned event_type;
1401 const int num_len_fields;
1402 const struct _event_col_info_param *params;
1403 };
1404
1405 /* Info column parameters */
1406 static const struct _event_col_info event_col_info[] = {
1407 { EVT_SYSCALL_OPEN_X, 4, open_x_params },
1408 { EVT_SYSCALL_CLOSE_E, 1, close_e_params },
1409 { EVT_SYSCALL_READ_E, 2, read_e_params },
1410 { EVT_SYSCALL_WRITE_E, 2, write_e_params },
1411 { EVT_SYSCALL_EXECVE_15_X, 15, execve_15_x_params },
1412 { 0, 0, NULL }
1413 };
1414
1415 struct _event_tree_info {
1416 const unsigned event_type;
1417 /* int num_params; */
1418 int * const *hf_indexes;
1419 };
1420
1421 static int * const no_indexes[] = { NULL };
1422
1423 /* Parameter indexes. Automatically generated by tools/generate-sysdig-event.py */
1424 static int * const generic_e_indexes[] = { &hf_param_ID_uint16, &hf_param_nativeID_uint16, NULL };
1425 static int * const generic_x_indexes[] = { &hf_param_ID_uint16, NULL };
1426 static int * const syscall_open_e_indexes[] = { &hf_param_name_string, &hf_param_flags_int32, &hf_param_mode_uint32, NULL };
1427 static int * const syscall_open_x_indexes[] = { &hf_param_fd_int64, &hf_param_name_string, &hf_param_flags_int32, &hf_param_mode_uint32, &hf_param_dev_uint32, &hf_param_ino_uint64, NULL };
1428 static int * const syscall_close_e_indexes[] = { &hf_param_fd_int64, NULL };
1429 static int * const syscall_close_x_indexes[] = { &hf_param_res_int64, NULL };
1430 static int * const syscall_read_e_indexes[] = { &hf_param_fd_int64, &hf_param_size_uint32, NULL };
1431 static int * const syscall_read_x_indexes[] = { &hf_param_res_int64, &hf_param_data_bytes, NULL };
1432 #define syscall_write_e_indexes syscall_read_e_indexes
1433 #define syscall_write_x_indexes syscall_read_x_indexes
1434 static int * const syscall_brk_1_e_indexes[] = { &hf_param_size_uint32, NULL };
1435 static int * const syscall_brk_1_x_indexes[] = { &hf_param_res_uint64, NULL };
1436 #define syscall_execve_8_e_indexes no_indexes
1437 static int * const syscall_execve_8_x_indexes[] = { &hf_param_res_int64, &hf_param_exe_string, &hf_param_args_string, &hf_param_tid_int64, &hf_param_pid_int64, &hf_param_ptid_int64, &hf_param_cwd_string, &hf_param_fdlimit_uint64, NULL };
1438 #define syscall_clone_11_e_indexes no_indexes
1439 static int * const syscall_clone_11_x_indexes[] = { &hf_param_res_int64, &hf_param_exe_string, &hf_param_args_string, &hf_param_tid_int64, &hf_param_pid_int64, &hf_param_ptid_int64, &hf_param_cwd_string, &hf_param_fdlimit_int64, &hf_param_flags_int32, &hf_param_uid_uint32, &hf_param_gid_uint32, NULL };
1440 #define procexit_e_indexes no_indexes
1441 #define procexit_x_indexes no_indexes
1442 static int * const socket_socket_e_indexes[] = { &hf_param_domain_bytes, &hf_param_type_uint32, &hf_param_proto_uint32, NULL };
1443 #define socket_socket_x_indexes syscall_close_e_indexes
1444 #define socket_bind_e_indexes syscall_close_e_indexes
1445 static int * const socket_bind_x_indexes[] = { &hf_param_res_int64, &hf_param_addr_bytes, NULL };
1446 static int * const socket_connect_e_indexes[] = { &hf_param_fd_int64, &hf_param_addr_bytes, NULL };
1447 static int * const socket_connect_x_indexes[] = { &hf_param_res_int64, &hf_param_tuple_bytes, &hf_param_fd_int64, NULL };
1448 static int * const socket_listen_e_indexes[] = { &hf_param_fd_int64, &hf_param_backlog_int32, NULL };
1449 #define socket_listen_x_indexes syscall_close_x_indexes
1450 #define socket_accept_e_indexes no_indexes
1451 static int * const socket_accept_x_indexes[] = { &hf_param_fd_int64, &hf_param_tuple_bytes, &hf_param_queuepct_uint8, NULL };
1452 #define socket_send_e_indexes syscall_read_e_indexes
1453 #define socket_send_x_indexes syscall_read_x_indexes
1454 static int * const socket_sendto_e_indexes[] = { &hf_param_fd_int64, &hf_param_size_uint32, &hf_param_tuple_bytes, NULL };
1455 #define socket_sendto_x_indexes syscall_read_x_indexes
1456 #define socket_recv_e_indexes syscall_read_e_indexes
1457 #define socket_recv_x_indexes syscall_read_x_indexes
1458 #define socket_recvfrom_e_indexes syscall_read_e_indexes
1459 static int * const socket_recvfrom_x_indexes[] = { &hf_param_res_int64, &hf_param_data_bytes, &hf_param_tuple_bytes, NULL };
1460 static int * const socket_shutdown_e_indexes[] = { &hf_param_fd_int64, &hf_param_how_bytes, NULL };
1461 #define socket_shutdown_x_indexes syscall_close_x_indexes
1462 #define socket_getsockname_e_indexes no_indexes
1463 #define socket_getsockname_x_indexes no_indexes
1464 #define socket_getpeername_e_indexes no_indexes
1465 #define socket_getpeername_x_indexes no_indexes
1466 #define socket_socketpair_e_indexes socket_socket_e_indexes
1467 static int * const socket_socketpair_x_indexes[] = { &hf_param_res_int64, &hf_param_fd1_int64, &hf_param_fd2_int64, &hf_param_source_uint64, &hf_param_peer_uint64, NULL };
1468 #define socket_setsockopt_e_indexes no_indexes
1469 static int * const socket_setsockopt_x_indexes[] = { &hf_param_res_int64, &hf_param_fd_int64, &hf_param_level_bytes, &hf_param_optname_bytes, &hf_param_val_bytes, &hf_param_optlen_uint32, NULL };
1470 #define socket_getsockopt_e_indexes no_indexes
1471 #define socket_getsockopt_x_indexes socket_setsockopt_x_indexes
1472 #define socket_sendmsg_e_indexes socket_sendto_e_indexes
1473 #define socket_sendmsg_x_indexes syscall_read_x_indexes
1474 #define socket_sendmmsg_e_indexes no_indexes
1475 #define socket_sendmmsg_x_indexes no_indexes
1476 #define socket_recvmsg_e_indexes syscall_close_e_indexes
1477 static int * const socket_recvmsg_x_indexes[] = { &hf_param_res_int64, &hf_param_size_uint32, &hf_param_data_bytes, &hf_param_tuple_bytes, &hf_param_msgcontrol_bytes, NULL };
1478 #define socket_recvmmsg_e_indexes no_indexes
1479 #define socket_recvmmsg_x_indexes no_indexes
1480 static int * const socket_accept4_e_indexes[] = { &hf_param_flags_uint32, NULL };
1481 #define socket_accept4_x_indexes socket_accept_x_indexes
1482 static int * const syscall_creat_e_indexes[] = { &hf_param_name_string, &hf_param_mode_uint32, NULL };
1483 static int * const syscall_creat_x_indexes[] = { &hf_param_fd_int64, &hf_param_name_string, &hf_param_mode_uint32, &hf_param_dev_uint32, &hf_param_ino_uint64, NULL };
1484 #define syscall_pipe_e_indexes no_indexes
1485 static int * const syscall_pipe_x_indexes[] = { &hf_param_res_int64, &hf_param_fd1_int64, &hf_param_fd2_int64, &hf_param_ino_uint64, NULL };
1486 static int * const syscall_eventfd_e_indexes[] = { &hf_param_initval_uint64, &hf_param_flags_uint32, NULL };
1487 #define syscall_eventfd_x_indexes syscall_close_x_indexes
1488 static int * const syscall_futex_e_indexes[] = { &hf_param_addr_uint64, &hf_param_op_bytes, &hf_param_val_uint64, NULL };
1489 #define syscall_futex_x_indexes syscall_close_x_indexes
1490 #define syscall_stat_e_indexes no_indexes
1491 static int * const syscall_stat_x_indexes[] = { &hf_param_res_int64, &hf_param_path_string, NULL };
1492 #define syscall_lstat_e_indexes no_indexes
1493 #define syscall_lstat_x_indexes syscall_stat_x_indexes
1494 #define syscall_fstat_e_indexes syscall_close_e_indexes
1495 #define syscall_fstat_x_indexes syscall_close_x_indexes
1496 #define syscall_stat64_e_indexes no_indexes
1497 #define syscall_stat64_x_indexes syscall_stat_x_indexes
1498 #define syscall_lstat64_e_indexes no_indexes
1499 #define syscall_lstat64_x_indexes syscall_stat_x_indexes
1500 #define syscall_fstat64_e_indexes syscall_close_e_indexes
1501 #define syscall_fstat64_x_indexes syscall_close_x_indexes
1502 static int * const syscall_epollwait_e_indexes[] = { &hf_param_maxevents_int64, NULL };
1503 #define syscall_epollwait_x_indexes syscall_close_x_indexes
1504 static int * const syscall_poll_e_indexes[] = { &hf_param_fds_bytes, &hf_param_timeout_int64, NULL };
1505 static int * const syscall_poll_x_indexes[] = { &hf_param_res_int64, &hf_param_fds_bytes, NULL };
1506 #define syscall_select_e_indexes no_indexes
1507 #define syscall_select_x_indexes syscall_close_x_indexes
1508 #define syscall_newselect_e_indexes no_indexes
1509 #define syscall_newselect_x_indexes syscall_close_x_indexes
1510 static int * const syscall_lseek_e_indexes[] = { &hf_param_fd_int64, &hf_param_offset_uint64, &hf_param_whence_bytes, NULL };
1511 #define syscall_lseek_x_indexes syscall_close_x_indexes
1512 #define syscall_llseek_e_indexes syscall_lseek_e_indexes
1513 #define syscall_llseek_x_indexes syscall_close_x_indexes
1514 static int * const syscall_ioctl_2_e_indexes[] = { &hf_param_fd_int64, &hf_param_request_uint64, NULL };
1515 #define syscall_ioctl_2_x_indexes syscall_close_x_indexes
1516 #define syscall_getcwd_e_indexes no_indexes
1517 #define syscall_getcwd_x_indexes syscall_stat_x_indexes
1518 #define syscall_chdir_e_indexes no_indexes
1519 #define syscall_chdir_x_indexes syscall_stat_x_indexes
1520 #define syscall_fchdir_e_indexes syscall_close_e_indexes
1521 #define syscall_fchdir_x_indexes syscall_close_x_indexes
1522 static int * const syscall_mkdir_e_indexes[] = { &hf_param_path_string, &hf_param_mode_uint32, NULL };
1523 #define syscall_mkdir_x_indexes syscall_close_x_indexes
1524 static int * const syscall_rmdir_e_indexes[] = { &hf_param_path_string, NULL };
1525 #define syscall_rmdir_x_indexes syscall_close_x_indexes
1526 static int * const syscall_openat_e_indexes[] = { &hf_param_dirfd_int64, &hf_param_name_string, &hf_param_flags_int32, &hf_param_mode_uint32, NULL };
1527 #define syscall_openat_x_indexes syscall_close_e_indexes
1528 static int * const syscall_link_e_indexes[] = { &hf_param_oldpath_string, &hf_param_newpath_string, NULL };
1529 #define syscall_link_x_indexes syscall_close_x_indexes
1530 static int * const syscall_linkat_e_indexes[] = { &hf_param_olddir_int64, &hf_param_oldpath_string, &hf_param_newdir_int64, &hf_param_newpath_string, NULL };
1531 #define syscall_linkat_x_indexes syscall_close_x_indexes
1532 #define syscall_unlink_e_indexes syscall_rmdir_e_indexes
1533 #define syscall_unlink_x_indexes syscall_close_x_indexes
1534 static int * const syscall_unlinkat_e_indexes[] = { &hf_param_dirfd_int64, &hf_param_name_string, NULL };
1535 #define syscall_unlinkat_x_indexes syscall_close_x_indexes
1536 static int * const syscall_pread_e_indexes[] = { &hf_param_fd_int64, &hf_param_size_uint32, &hf_param_pos_uint64, NULL };
1537 #define syscall_pread_x_indexes syscall_read_x_indexes
1538 #define syscall_pwrite_e_indexes syscall_pread_e_indexes
1539 #define syscall_pwrite_x_indexes syscall_read_x_indexes
1540 #define syscall_readv_e_indexes syscall_close_e_indexes
1541 static int * const syscall_readv_x_indexes[] = { &hf_param_res_int64, &hf_param_size_uint32, &hf_param_data_bytes, NULL };
1542 #define syscall_writev_e_indexes syscall_read_e_indexes
1543 #define syscall_writev_x_indexes syscall_read_x_indexes
1544 static int * const syscall_preadv_e_indexes[] = { &hf_param_fd_int64, &hf_param_pos_uint64, NULL };
1545 #define syscall_preadv_x_indexes syscall_readv_x_indexes
1546 #define syscall_pwritev_e_indexes syscall_pread_e_indexes
1547 #define syscall_pwritev_x_indexes syscall_read_x_indexes
1548 #define syscall_dup_e_indexes syscall_close_e_indexes
1549 #define syscall_dup_x_indexes syscall_close_x_indexes
1550 static int * const syscall_signalfd_e_indexes[] = { &hf_param_fd_int64, &hf_param_mask_uint32, &hf_param_flags_uint8, NULL };
1551 #define syscall_signalfd_x_indexes syscall_close_x_indexes
1552 static int * const syscall_kill_e_indexes[] = { &hf_param_pid_int64, &hf_param_sig_bytes, NULL };
1553 #define syscall_kill_x_indexes syscall_close_x_indexes
1554 static int * const syscall_tkill_e_indexes[] = { &hf_param_tid_int64, &hf_param_sig_bytes, NULL };
1555 #define syscall_tkill_x_indexes syscall_close_x_indexes
1556 static int * const syscall_tgkill_e_indexes[] = { &hf_param_pid_int64, &hf_param_tid_int64, &hf_param_sig_bytes, NULL };
1557 #define syscall_tgkill_x_indexes syscall_close_x_indexes
1558 static int * const syscall_nanosleep_e_indexes[] = { &hf_param_interval_bytes, NULL };
1559 #define syscall_nanosleep_x_indexes syscall_close_x_indexes
1560 static int * const syscall_timerfd_create_e_indexes[] = { &hf_param_clockid_uint8, &hf_param_flags_uint8, NULL };
1561 #define syscall_timerfd_create_x_indexes syscall_close_x_indexes
1562 static int * const syscall_inotify_init_e_indexes[] = { &hf_param_flags_uint8, NULL };
1563 #define syscall_inotify_init_x_indexes syscall_close_x_indexes
1564 static int * const syscall_getrlimit_e_indexes[] = { &hf_param_resource_bytes, NULL };
1565 static int * const syscall_getrlimit_x_indexes[] = { &hf_param_res_int64, &hf_param_cur_int64, &hf_param_max_int64, NULL };
1566 #define syscall_setrlimit_e_indexes syscall_getrlimit_e_indexes
1567 static int * const syscall_setrlimit_x_indexes[] = { &hf_param_res_int64, &hf_param_cur_int64, &hf_param_max_int64, &hf_param_resource_bytes, NULL };
1568 static int * const syscall_prlimit_e_indexes[] = { &hf_param_pid_int64, &hf_param_resource_bytes, NULL };
1569 static int * const syscall_prlimit_x_indexes[] = { &hf_param_res_int64, &hf_param_newcur_int64, &hf_param_newmax_int64, &hf_param_oldcur_int64, &hf_param_oldmax_int64, &hf_param_pid_int64, &hf_param_resource_bytes, NULL };
1570 static int * const schedswitch_1_e_indexes[] = { &hf_param_next_int64, NULL };
1571 #define schedswitch_1_x_indexes no_indexes
1572 static int * const drop_e_indexes[] = { &hf_param_ratio_uint32, NULL };
1573 #define drop_x_indexes drop_e_indexes
1574 static int * const syscall_fcntl_e_indexes[] = { &hf_param_fd_int64, &hf_param_cmd_bytes, NULL };
1575 static int * const syscall_fcntl_x_indexes[] = { &hf_param_res_int64, &hf_param_fd_int64, &hf_param_cmd_bytes, NULL };
1576 static int * const schedswitch_6_e_indexes[] = { &hf_param_next_int64, &hf_param_pgft_maj_uint64, &hf_param_pgft_min_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, NULL };
1577 #define schedswitch_6_x_indexes no_indexes
1578 #define syscall_execve_13_e_indexes no_indexes
1579 static int * const syscall_execve_13_x_indexes[] = { &hf_param_res_int64, &hf_param_exe_string, &hf_param_args_string, &hf_param_tid_int64, &hf_param_pid_int64, &hf_param_ptid_int64, &hf_param_cwd_string, &hf_param_fdlimit_uint64, &hf_param_pgft_maj_uint64, &hf_param_pgft_min_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, NULL };
1580 #define syscall_clone_16_e_indexes no_indexes
1581 static int * const syscall_clone_16_x_indexes[] = { &hf_param_res_int64, &hf_param_exe_string, &hf_param_args_string, &hf_param_tid_int64, &hf_param_pid_int64, &hf_param_ptid_int64, &hf_param_cwd_string, &hf_param_fdlimit_int64, &hf_param_pgft_maj_uint64, &hf_param_pgft_min_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, &hf_param_flags_int32, &hf_param_uid_uint32, &hf_param_gid_uint32, NULL };
1582 static int * const syscall_brk_4_e_indexes[] = { &hf_param_addr_uint64, NULL };
1583 static int * const syscall_brk_4_x_indexes[] = { &hf_param_res_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, NULL };
1584 static int * const syscall_mmap_e_indexes[] = { &hf_param_addr_uint64, &hf_param_length_uint64, &hf_param_prot_int32, &hf_param_flags_int32, &hf_param_fd_int64, &hf_param_offset_uint64, NULL };
1585 static int * const syscall_mmap_x_indexes[] = { &hf_param_res_int64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, NULL };
1586 static int * const syscall_mmap2_e_indexes[] = { &hf_param_addr_uint64, &hf_param_length_uint64, &hf_param_prot_int32, &hf_param_flags_int32, &hf_param_fd_int64, &hf_param_pgoffset_uint64, NULL };
1587 #define syscall_mmap2_x_indexes syscall_mmap_x_indexes
1588 static int * const syscall_munmap_e_indexes[] = { &hf_param_addr_uint64, &hf_param_length_uint64, NULL };
1589 #define syscall_munmap_x_indexes syscall_mmap_x_indexes
1590 static int * const syscall_splice_e_indexes[] = { &hf_param_fd_in_int64, &hf_param_fd_out_int64, &hf_param_size_uint64, &hf_param_flags_int32, NULL };
1591 #define syscall_splice_x_indexes syscall_close_x_indexes
1592 static int * const syscall_ptrace_e_indexes[] = { &hf_param_request_bytes, &hf_param_pid_int64, NULL };
1593 static int * const syscall_ptrace_x_indexes[] = { &hf_param_res_int64, &hf_param_addr_bytes, &hf_param_data_bytes, NULL };
1594 static int * const syscall_ioctl_3_e_indexes[] = { &hf_param_fd_int64, &hf_param_request_uint64, &hf_param_argument_uint64, NULL };
1595 #define syscall_ioctl_3_x_indexes syscall_close_x_indexes
1596 #define syscall_execve_14_e_indexes no_indexes
1597 static int * const syscall_execve_14_x_indexes[] = { &hf_param_res_int64, &hf_param_exe_string, &hf_param_args_string, &hf_param_tid_int64, &hf_param_pid_int64, &hf_param_ptid_int64, &hf_param_cwd_string, &hf_param_fdlimit_uint64, &hf_param_pgft_maj_uint64, &hf_param_pgft_min_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, &hf_param_env_string, NULL };
1598 #define syscall_rename_e_indexes no_indexes
1599 static int * const syscall_rename_x_indexes[] = { &hf_param_res_int64, &hf_param_oldpath_string, &hf_param_newpath_string, NULL };
1600 #define syscall_renameat_e_indexes no_indexes
1601 static int * const syscall_renameat_x_indexes[] = { &hf_param_res_int64, &hf_param_olddirfd_int64, &hf_param_oldpath_string, &hf_param_newdirfd_int64, &hf_param_newpath_string, NULL };
1602 #define syscall_symlink_e_indexes no_indexes
1603 static int * const syscall_symlink_x_indexes[] = { &hf_param_res_int64, &hf_param_target_string, &hf_param_linkpath_string, NULL };
1604 #define syscall_symlinkat_e_indexes no_indexes
1605 static int * const syscall_symlinkat_x_indexes[] = { &hf_param_res_int64, &hf_param_target_string, &hf_param_linkdirfd_int64, &hf_param_linkpath_string, NULL };
1606 #define syscall_fork_e_indexes no_indexes
1607 #define syscall_fork_x_indexes syscall_clone_16_x_indexes
1608 #define syscall_vfork_e_indexes no_indexes
1609 #define syscall_vfork_x_indexes syscall_clone_16_x_indexes
1610 static int * const procexit_1_e_indexes[] = { &hf_param_status_int64, &hf_param_ret_int64, &hf_param_sig_bytes, &hf_param_core_uint8, &hf_param_reaper_tid_int64, NULL };
1611 #define procexit_1_x_indexes no_indexes
1612 static int * const syscall_sendfile_e_indexes[] = { &hf_param_out_fd_int64, &hf_param_in_fd_int64, &hf_param_offset_uint64, &hf_param_size_uint64, NULL };
1613 static int * const syscall_sendfile_x_indexes[] = { &hf_param_res_int64, &hf_param_offset_uint64, NULL };
1614 static int * const syscall_quotactl_e_indexes[] = { &hf_param_cmd_int16, &hf_param_type_int8, &hf_param_id_uint32, &hf_param_quota_fmt_int8, NULL };
1615 static int * const syscall_quotactl_x_indexes[] = { &hf_param_res_int64, &hf_param_special_string, &hf_param_quotafilepath_string, &hf_param_dqb_bhardlimit_uint64, &hf_param_dqb_bsoftlimit_uint64, &hf_param_dqb_curspace_uint64, &hf_param_dqb_ihardlimit_uint64, &hf_param_dqb_isoftlimit_uint64, &hf_param_dqb_btime_bytes, &hf_param_dqb_itime_bytes, &hf_param_dqi_bgrace_bytes, &hf_param_dqi_igrace_bytes, &hf_param_dqi_flags_int8, &hf_param_quota_fmt_out_int8, NULL };
1616 static int * const syscall_setresuid_e_indexes[] = { &hf_param_ruid_int32, &hf_param_euid_int32, &hf_param_suid_int32, NULL };
1617 #define syscall_setresuid_x_indexes syscall_close_x_indexes
1618 static int * const syscall_setresgid_e_indexes[] = { &hf_param_rgid_int32, &hf_param_egid_int32, &hf_param_sgid_int32, NULL };
1619 #define syscall_setresgid_x_indexes syscall_close_x_indexes
1620 static int * const scapevent_e_indexes[] = { &hf_param_event_type_uint32, &hf_param_event_data_uint64, NULL };
1621 #define scapevent_x_indexes no_indexes
1622 static int * const syscall_setuid_e_indexes[] = { &hf_param_uid_int32, NULL };
1623 #define syscall_setuid_x_indexes syscall_close_x_indexes
1624 static int * const syscall_setgid_e_indexes[] = { &hf_param_gid_int32, NULL };
1625 #define syscall_setgid_x_indexes syscall_close_x_indexes
1626 #define syscall_getuid_e_indexes no_indexes
1627 #define syscall_getuid_x_indexes syscall_setuid_e_indexes
1628 #define syscall_geteuid_e_indexes no_indexes
1629 static int * const syscall_geteuid_x_indexes[] = { &hf_param_euid_int32, NULL };
1630 #define syscall_getgid_e_indexes no_indexes
1631 #define syscall_getgid_x_indexes syscall_setgid_e_indexes
1632 #define syscall_getegid_e_indexes no_indexes
1633 static int * const syscall_getegid_x_indexes[] = { &hf_param_egid_int32, NULL };
1634 #define syscall_getresuid_e_indexes no_indexes
1635 static int * const syscall_getresuid_x_indexes[] = { &hf_param_res_int64, &hf_param_ruid_int32, &hf_param_euid_int32, &hf_param_suid_int32, NULL };
1636 #define syscall_getresgid_e_indexes no_indexes
1637 static int * const syscall_getresgid_x_indexes[] = { &hf_param_res_int64, &hf_param_rgid_int32, &hf_param_egid_int32, &hf_param_sgid_int32, NULL };
1638 #define syscall_execve_15_e_indexes no_indexes
1639 static int * const syscall_execve_15_x_indexes[] = { &hf_param_res_int64, &hf_param_exe_string, &hf_param_args_string, &hf_param_tid_int64, &hf_param_pid_int64, &hf_param_ptid_int64, &hf_param_cwd_string, &hf_param_fdlimit_uint64, &hf_param_pgft_maj_uint64, &hf_param_pgft_min_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, &hf_param_comm_string, &hf_param_env_string, NULL };
1640 #define syscall_clone_17_e_indexes no_indexes
1641 static int * const syscall_clone_17_x_indexes[] = { &hf_param_res_int64, &hf_param_exe_string, &hf_param_args_string, &hf_param_tid_int64, &hf_param_pid_int64, &hf_param_ptid_int64, &hf_param_cwd_string, &hf_param_fdlimit_int64, &hf_param_pgft_maj_uint64, &hf_param_pgft_min_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, &hf_param_comm_string, &hf_param_flags_int32, &hf_param_uid_uint32, &hf_param_gid_uint32, NULL };
1642 #define syscall_fork_17_e_indexes no_indexes
1643 #define syscall_fork_17_x_indexes syscall_clone_17_x_indexes
1644 #define syscall_vfork_17_e_indexes no_indexes
1645 #define syscall_vfork_17_x_indexes syscall_clone_17_x_indexes
1646 #define syscall_clone_20_e_indexes no_indexes
1647 static int * const syscall_clone_20_x_indexes[] = { &hf_param_res_int64, &hf_param_exe_string, &hf_param_args_string, &hf_param_tid_int64, &hf_param_pid_int64, &hf_param_ptid_int64, &hf_param_cwd_string, &hf_param_fdlimit_int64, &hf_param_pgft_maj_uint64, &hf_param_pgft_min_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, &hf_param_comm_string, &hf_param_cgroups_bytes, &hf_param_flags_int32, &hf_param_uid_uint32, &hf_param_gid_uint32, &hf_param_vtid_int64, &hf_param_vpid_int64, &hf_param_pidns_init_start_ts_uint64, NULL };
1648 #define syscall_fork_20_e_indexes no_indexes
1649 #define syscall_fork_20_x_indexes syscall_clone_20_x_indexes
1650 #define syscall_vfork_20_e_indexes no_indexes
1651 #define syscall_vfork_20_x_indexes syscall_clone_20_x_indexes
1652 static int * const container_e_indexes[] = { &hf_param_id_string, &hf_param_type_uint32, &hf_param_name_string, &hf_param_image_string, NULL };
1653 #define container_x_indexes no_indexes
1654 #define syscall_execve_16_e_indexes no_indexes
1655 static int * const syscall_execve_16_x_indexes[] = { &hf_param_res_int64, &hf_param_exe_string, &hf_param_args_string, &hf_param_tid_int64, &hf_param_pid_int64, &hf_param_ptid_int64, &hf_param_cwd_string, &hf_param_fdlimit_uint64, &hf_param_pgft_maj_uint64, &hf_param_pgft_min_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, &hf_param_comm_string, &hf_param_cgroups_bytes, &hf_param_env_string, NULL };
1656 static int * const signaldeliver_e_indexes[] = { &hf_param_spid_int64, &hf_param_dpid_int64, &hf_param_sig_bytes, NULL };
1657 #define signaldeliver_x_indexes no_indexes
1658 static int * const procinfo_e_indexes[] = { &hf_param_cpu_usr_uint64, &hf_param_cpu_sys_uint64, NULL };
1659 #define procinfo_x_indexes no_indexes
1660 #define syscall_getdents_e_indexes syscall_close_e_indexes
1661 #define syscall_getdents_x_indexes syscall_close_x_indexes
1662 #define syscall_getdents64_e_indexes syscall_close_e_indexes
1663 #define syscall_getdents64_x_indexes syscall_close_x_indexes
1664 static int * const syscall_setns_e_indexes[] = { &hf_param_fd_int64, &hf_param_nstype_int32, NULL };
1665 #define syscall_setns_x_indexes syscall_close_x_indexes
1666 static int * const syscall_flock_e_indexes[] = { &hf_param_fd_int64, &hf_param_operation_int32, NULL };
1667 #define syscall_flock_x_indexes syscall_close_x_indexes
1668 static int * const cpu_hotplug_e_indexes[] = { &hf_param_cpu_uint32, &hf_param_action_uint32, NULL };
1669 #define cpu_hotplug_x_indexes no_indexes
1670 #define socket_accept_5_e_indexes no_indexes
1671 static int * const socket_accept_5_x_indexes[] = { &hf_param_fd_int64, &hf_param_tuple_bytes, &hf_param_queuepct_uint8, &hf_param_queuelen_uint32, &hf_param_queuemax_uint32, NULL };
1672 #define socket_accept4_5_e_indexes socket_accept4_e_indexes
1673 #define socket_accept4_5_x_indexes socket_accept_5_x_indexes
1674 static int * const syscall_semop_e_indexes[] = { &hf_param_semid_int32, NULL };
1675 static int * const syscall_semop_x_indexes[] = { &hf_param_res_int64, &hf_param_nsops_uint32, &hf_param_sem_num_0_uint16, &hf_param_sem_op_0_int16, &hf_param_sem_flg_0_int16, &hf_param_sem_num_1_uint16, &hf_param_sem_op_1_int16, &hf_param_sem_flg_1_int16, NULL };
1676 static int * const syscall_semctl_e_indexes[] = { &hf_param_semid_int32, &hf_param_semnum_int32, &hf_param_cmd_int16, &hf_param_val_int32, NULL };
1677 #define syscall_semctl_x_indexes syscall_close_x_indexes
1678 static int * const syscall_ppoll_e_indexes[] = { &hf_param_fds_bytes, &hf_param_timeout_bytes, &hf_param_sigmask_bytes, NULL };
1679 #define syscall_ppoll_x_indexes syscall_poll_x_indexes
1680 static int * const syscall_mount_e_indexes[] = { &hf_param_flags_int32, NULL };
1681 static int * const syscall_mount_x_indexes[] = { &hf_param_res_int64, &hf_param_dev_string, &hf_param_dir_string, &hf_param_type_string, NULL };
1682 #define syscall_umount_e_indexes syscall_mount_e_indexes
1683 static int * const syscall_umount_x_indexes[] = { &hf_param_res_int64, &hf_param_name_string, NULL };
1684 static int * const k8s_e_indexes[] = { &hf_param_json_string, NULL };
1685 #define k8s_x_indexes no_indexes
1686 static int * const syscall_semget_e_indexes[] = { &hf_param_key_int32, &hf_param_nsems_int32, &hf_param_semflg_int32, NULL };
1687 #define syscall_semget_x_indexes syscall_close_x_indexes
1688 static int * const syscall_access_e_indexes[] = { &hf_param_mode_int32, NULL };
1689 #define syscall_access_x_indexes syscall_umount_x_indexes
1690 #define syscall_chroot_e_indexes no_indexes
1691 #define syscall_chroot_x_indexes syscall_stat_x_indexes
1692 static int * const tracer_e_indexes[] = { &hf_param_id_int64, &hf_param_tags_bytes, &hf_param_args_string, NULL };
1693 #define tracer_x_indexes tracer_e_indexes
1694 #define mesos_e_indexes k8s_e_indexes
1695 #define mesos_x_indexes no_indexes
1696 #define container_json_e_indexes k8s_e_indexes
1697 #define container_json_x_indexes no_indexes
1698 #define syscall_setsid_e_indexes no_indexes
1699 #define syscall_setsid_x_indexes syscall_close_x_indexes
1700 static int * const syscall_mkdir_2_e_indexes[] = { &hf_param_mode_uint32, NULL };
1701 #define syscall_mkdir_2_x_indexes syscall_stat_x_indexes
1702 #define syscall_rmdir_2_e_indexes no_indexes
1703 #define syscall_rmdir_2_x_indexes syscall_stat_x_indexes
1704 static int * const notification_e_indexes[] = { &hf_param_id_string, &hf_param_desc_string, NULL };
1705 #define notification_x_indexes no_indexes
1706 #define syscall_execve_17_e_indexes no_indexes
1707 static int * const syscall_execve_17_x_indexes[] = { &hf_param_res_int64, &hf_param_exe_string, &hf_param_args_string, &hf_param_tid_int64, &hf_param_pid_int64, &hf_param_ptid_int64, &hf_param_cwd_string, &hf_param_fdlimit_uint64, &hf_param_pgft_maj_uint64, &hf_param_pgft_min_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, &hf_param_comm_string, &hf_param_cgroups_bytes, &hf_param_env_string, &hf_param_tty_int32, NULL };
1708 #define syscall_unshare_e_indexes syscall_mount_e_indexes
1709 #define syscall_unshare_x_indexes syscall_close_x_indexes
1710 static int * const infrastructure_event_e_indexes[] = { &hf_param_source_string, &hf_param_name_string, &hf_param_description_string, &hf_param_scope_string, NULL };
1711 #define infrastructure_event_x_indexes no_indexes
1712 static int * const syscall_execve_18_e_indexes[] = { &hf_param_filename_string, NULL };
1713 #define syscall_execve_18_x_indexes syscall_execve_17_x_indexes
1714 static int * const page_fault_e_indexes[] = { &hf_param_addr_uint64, &hf_param_ip_uint64, &hf_param_error_int32, NULL };
1715 #define page_fault_x_indexes no_indexes
1716 #define syscall_execve_19_e_indexes syscall_execve_18_e_indexes
1717 static int * const syscall_execve_19_x_indexes[] = { &hf_param_res_int64, &hf_param_exe_string, &hf_param_args_string, &hf_param_tid_int64, &hf_param_pid_int64, &hf_param_ptid_int64, &hf_param_cwd_string, &hf_param_fdlimit_uint64, &hf_param_pgft_maj_uint64, &hf_param_pgft_min_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, &hf_param_comm_string, &hf_param_cgroups_bytes, &hf_param_env_string, &hf_param_tty_uint32, &hf_param_pgid_int64, &hf_param_loginuid_int32, &hf_param_flags_int32, &hf_param_cap_inheritable_uint64, &hf_param_cap_permitted_uint64, &hf_param_cap_effective_uint64, &hf_param_exe_ino_uint64, &hf_param_exe_ino_ctime_bytes, &hf_param_exe_ino_mtime_bytes, &hf_param_uid_int32, &hf_param_trusted_exepath_string, NULL };
1718 static int * const syscall_setpgid_e_indexes[] = { &hf_param_pid_int64, &hf_param_pgid_int64, NULL };
1719 #define syscall_setpgid_x_indexes syscall_close_x_indexes
1720 static int * const syscall_bpf_e_indexes[] = { &hf_param_cmd_int64, NULL };
1721 static int * const syscall_bpf_x_indexes[] = { &hf_param_res_or_fd_bytes, NULL };
1722 static int * const syscall_seccomp_e_indexes[] = { &hf_param_op_uint64, &hf_param_flags_uint64, NULL };
1723 #define syscall_seccomp_x_indexes syscall_close_x_indexes
1724 #define syscall_unlink_2_e_indexes no_indexes
1725 #define syscall_unlink_2_x_indexes syscall_stat_x_indexes
1726 #define syscall_unlinkat_2_e_indexes no_indexes
1727 static int * const syscall_unlinkat_2_x_indexes[] = { &hf_param_res_int64, &hf_param_dirfd_int64, &hf_param_name_string, &hf_param_flags_int32, NULL };
1728 #define syscall_mkdirat_e_indexes no_indexes
1729 static int * const syscall_mkdirat_x_indexes[] = { &hf_param_res_int64, &hf_param_dirfd_int64, &hf_param_path_string, &hf_param_mode_uint32, NULL };
1730 #define syscall_openat_2_e_indexes syscall_openat_e_indexes
1731 static int * const syscall_openat_2_x_indexes[] = { &hf_param_fd_int64, &hf_param_dirfd_int64, &hf_param_name_string, &hf_param_flags_int32, &hf_param_mode_uint32, &hf_param_dev_uint32, &hf_param_ino_uint64, NULL };
1732 #define syscall_link_2_e_indexes no_indexes
1733 #define syscall_link_2_x_indexes syscall_rename_x_indexes
1734 #define syscall_linkat_2_e_indexes no_indexes
1735 static int * const syscall_linkat_2_x_indexes[] = { &hf_param_res_int64, &hf_param_olddir_int64, &hf_param_oldpath_string, &hf_param_newdir_int64, &hf_param_newpath_string, &hf_param_flags_int32, NULL };
1736 #define syscall_fchmodat_e_indexes no_indexes
1737 static int * const syscall_fchmodat_x_indexes[] = { &hf_param_res_int64, &hf_param_dirfd_int64, &hf_param_filename_string, &hf_param_mode_int32, NULL };
1738 #define syscall_chmod_e_indexes no_indexes
1739 static int * const syscall_chmod_x_indexes[] = { &hf_param_res_int64, &hf_param_filename_string, &hf_param_mode_int32, NULL };
1740 #define syscall_fchmod_e_indexes no_indexes
1741 static int * const syscall_fchmod_x_indexes[] = { &hf_param_res_int64, &hf_param_fd_int64, &hf_param_mode_int32, NULL };
1742 #define syscall_renameat2_e_indexes no_indexes
1743 static int * const syscall_renameat2_x_indexes[] = { &hf_param_res_int64, &hf_param_olddirfd_int64, &hf_param_oldpath_string, &hf_param_newdirfd_int64, &hf_param_newpath_string, &hf_param_flags_int32, NULL };
1744 #define syscall_userfaultfd_e_indexes no_indexes
1745 static int * const syscall_userfaultfd_x_indexes[] = { &hf_param_res_int64, &hf_param_flags_int32, NULL };
1746 static int * const pluginevent_e_indexes[] = { &hf_param_plugin_id_uint32, &hf_param_event_data_bytes, NULL };
1747 #define pluginevent_x_indexes no_indexes
1748 #define container_json_2_e_indexes k8s_e_indexes
1749 #define container_json_2_x_indexes no_indexes
1750 static int * const syscall_openat2_e_indexes[] = { &hf_param_dirfd_int64, &hf_param_name_string, &hf_param_flags_int32, &hf_param_mode_uint32, &hf_param_resolve_int32, NULL };
1751 static int * const syscall_openat2_x_indexes[] = { &hf_param_fd_int64, &hf_param_dirfd_int64, &hf_param_name_string, &hf_param_flags_int32, &hf_param_mode_uint32, &hf_param_resolve_int32, &hf_param_dev_uint32, &hf_param_ino_uint64, NULL };
1752 static int * const syscall_mprotect_e_indexes[] = { &hf_param_addr_uint64, &hf_param_length_uint64, &hf_param_prot_int32, NULL };
1753 #define syscall_mprotect_x_indexes syscall_close_x_indexes
1754 static int * const syscall_execveat_e_indexes[] = { &hf_param_dirfd_int64, &hf_param_pathname_string, &hf_param_flags_int32, NULL };
1755 #define syscall_execveat_x_indexes syscall_execve_19_x_indexes
1756 static int * const syscall_copy_file_range_e_indexes[] = { &hf_param_fdin_int64, &hf_param_offin_uint64, &hf_param_len_uint64, NULL };
1757 static int * const syscall_copy_file_range_x_indexes[] = { &hf_param_res_int64, &hf_param_fdout_int64, &hf_param_offout_uint64, NULL };
1758 #define syscall_clone3_e_indexes no_indexes
1759 #define syscall_clone3_x_indexes syscall_clone_20_x_indexes
1760 #define syscall_open_by_handle_at_e_indexes no_indexes
1761 static int * const syscall_open_by_handle_at_x_indexes[] = { &hf_param_fd_int64, &hf_param_mountfd_int64, &hf_param_flags_int32, &hf_param_path_string, &hf_param_dev_uint32, &hf_param_ino_uint64, NULL };
1762 #define syscall_io_uring_setup_e_indexes no_indexes
1763 static int * const syscall_io_uring_setup_x_indexes[] = { &hf_param_res_int64, &hf_param_entries_uint32, &hf_param_sq_entries_uint32, &hf_param_cq_entries_uint32, &hf_param_flags_int32, &hf_param_sq_thread_cpu_uint32, &hf_param_sq_thread_idle_uint32, &hf_param_features_int32, NULL };
1764 #define syscall_io_uring_enter_e_indexes no_indexes
1765 static int * const syscall_io_uring_enter_x_indexes[] = { &hf_param_res_int64, &hf_param_fd_int64, &hf_param_to_submit_uint32, &hf_param_min_complete_uint32, &hf_param_flags_int32, &hf_param_sig_bytes, NULL };
1766 #define syscall_io_uring_register_e_indexes no_indexes
1767 static int * const syscall_io_uring_register_x_indexes[] = { &hf_param_res_int64, &hf_param_fd_int64, &hf_param_opcode_bytes, &hf_param_arg_uint64, &hf_param_nr_args_uint32, NULL };
1768 #define syscall_mlock_e_indexes no_indexes
1769 static int * const syscall_mlock_x_indexes[] = { &hf_param_res_int64, &hf_param_addr_uint64, &hf_param_len_uint64, NULL };
1770 #define syscall_munlock_e_indexes no_indexes
1771 #define syscall_munlock_x_indexes syscall_mlock_x_indexes
1772 #define syscall_mlockall_e_indexes no_indexes
1773 #define syscall_mlockall_x_indexes syscall_userfaultfd_x_indexes
1774 #define syscall_munlockall_e_indexes no_indexes
1775 #define syscall_munlockall_x_indexes syscall_close_x_indexes
1776 #define syscall_capset_e_indexes no_indexes
1777 static int * const syscall_capset_x_indexes[] = { &hf_param_res_int64, &hf_param_cap_inheritable_uint64, &hf_param_cap_permitted_uint64, &hf_param_cap_effective_uint64, NULL };
1778 static int * const user_added_e_indexes[] = { &hf_param_uid_uint32, &hf_param_gid_uint32, &hf_param_name_string, &hf_param_home_string, &hf_param_shell_string, &hf_param_container_id_string, NULL };
1779 #define user_added_x_indexes no_indexes
1780 #define user_deleted_e_indexes user_added_e_indexes
1781 #define user_deleted_x_indexes no_indexes
1782 static int * const group_added_e_indexes[] = { &hf_param_gid_uint32, &hf_param_name_string, &hf_param_container_id_string, NULL };
1783 #define group_added_x_indexes no_indexes
1784 #define group_deleted_e_indexes group_added_e_indexes
1785 #define group_deleted_x_indexes no_indexes
1786 #define syscall_dup2_e_indexes syscall_close_e_indexes
1787 static int * const syscall_dup2_x_indexes[] = { &hf_param_res_int64, &hf_param_oldfd_int64, &hf_param_newfd_int64, NULL };
1788 #define syscall_dup3_e_indexes syscall_close_e_indexes
1789 static int * const syscall_dup3_x_indexes[] = { &hf_param_res_int64, &hf_param_oldfd_int64, &hf_param_newfd_int64, &hf_param_flags_int32, NULL };
1790 #define syscall_dup_1_e_indexes syscall_close_e_indexes
1791 static int * const syscall_dup_1_x_indexes[] = { &hf_param_res_int64, &hf_param_oldfd_int64, NULL };
1792 #define syscall_bpf_2_e_indexes syscall_bpf_e_indexes
1793 #define syscall_bpf_2_x_indexes syscall_fcntl_e_indexes
1794 #define syscall_mlock2_e_indexes no_indexes
1795 static int * const syscall_mlock2_x_indexes[] = { &hf_param_res_int64, &hf_param_addr_uint64, &hf_param_len_uint64, &hf_param_flags_int32, NULL };
1796 #define syscall_fsconfig_e_indexes no_indexes
1797 static int * const syscall_fsconfig_x_indexes[] = { &hf_param_res_int64, &hf_param_fd_int64, &hf_param_cmd_bytes, &hf_param_key_string, &hf_param_value_bytebuf_bytes, &hf_param_value_charbuf_string, &hf_param_aux_int32, NULL };
1798 static int * const syscall_epoll_create_e_indexes[] = { &hf_param_size_int32, NULL };
1799 #define syscall_epoll_create_x_indexes syscall_close_x_indexes
1800 #define syscall_epoll_create1_e_indexes syscall_mount_e_indexes
1801 #define syscall_epoll_create1_x_indexes syscall_close_x_indexes
1802 #define syscall_chown_e_indexes no_indexes
1803 static int * const syscall_chown_x_indexes[] = { &hf_param_res_int64, &hf_param_path_string, &hf_param_uid_uint32, &hf_param_gid_uint32, NULL };
1804 #define syscall_lchown_e_indexes no_indexes
1805 #define syscall_lchown_x_indexes syscall_chown_x_indexes
1806 #define syscall_fchown_e_indexes no_indexes
1807 static int * const syscall_fchown_x_indexes[] = { &hf_param_res_int64, &hf_param_fd_int64, &hf_param_uid_uint32, &hf_param_gid_uint32, NULL };
1808 #define syscall_fchownat_e_indexes no_indexes
1809 static int * const syscall_fchownat_x_indexes[] = { &hf_param_res_int64, &hf_param_dirfd_int64, &hf_param_pathname_string, &hf_param_uid_uint32, &hf_param_gid_uint32, &hf_param_flags_int32, NULL };
1810 #define syscall_umount_1_e_indexes no_indexes
1811 #define syscall_umount_1_x_indexes syscall_umount_x_indexes
1812 #define socket_accept4_6_e_indexes socket_accept4_e_indexes
1813 #define socket_accept4_6_x_indexes socket_accept_5_x_indexes
1814 #define syscall_umount2_e_indexes syscall_mount_e_indexes
1815 #define syscall_umount2_x_indexes syscall_umount_x_indexes
1816 #define syscall_pipe2_e_indexes no_indexes
1817 static int * const syscall_pipe2_x_indexes[] = { &hf_param_res_int64, &hf_param_fd1_int64, &hf_param_fd2_int64, &hf_param_ino_uint64, &hf_param_flags_int32, NULL };
1818 #define syscall_inotify_init1_e_indexes no_indexes
1819 static int * const syscall_inotify_init1_x_indexes[] = { &hf_param_res_int64, &hf_param_flags_int16, NULL };
1820 static int * const syscall_eventfd2_e_indexes[] = { &hf_param_initval_uint64, NULL };
1821 #define syscall_eventfd2_x_indexes syscall_inotify_init1_x_indexes
1822 static int * const syscall_signalfd4_e_indexes[] = { &hf_param_fd_int64, &hf_param_mask_uint32, NULL };
1823 #define syscall_signalfd4_x_indexes syscall_inotify_init1_x_indexes
1824 #define syscall_prctl_e_indexes no_indexes
1825 static int * const syscall_prctl_x_indexes[] = { &hf_param_res_int64, &hf_param_option_bytes, &hf_param_arg2_str_string, &hf_param_arg2_int_int64, NULL };
1826 static int * const asyncevent_e_indexes[] = { &hf_param_plugin_id_uint32, &hf_param_name_string, &hf_param_data_bytes, NULL };
1827 #define asyncevent_x_indexes no_indexes
1828 #define syscall_memfd_create_e_indexes no_indexes
1829 static int * const syscall_memfd_create_x_indexes[] = { &hf_param_fd_int64, &hf_param_name_string, &hf_param_flags_int32, NULL };
1830 #define syscall_pidfd_getfd_e_indexes no_indexes
1831 static int * const syscall_pidfd_getfd_x_indexes[] = { &hf_param_fd_int64, &hf_param_pid_fd_int64, &hf_param_target_fd_int64, &hf_param_flags_uint32, NULL };
1832 #define syscall_pidfd_open_e_indexes no_indexes
1833 static int * const syscall_pidfd_open_x_indexes[] = { &hf_param_fd_int64, &hf_param_pid_int64, &hf_param_flags_int32, NULL };
1834 #define syscall_init_module_e_indexes no_indexes
1835 static int * const syscall_init_module_x_indexes[] = { &hf_param_res_int64, &hf_param_img_bytes, &hf_param_length_uint64, &hf_param_uargs_string, NULL };
1836 #define syscall_finit_module_e_indexes no_indexes
1837 static int * const syscall_finit_module_x_indexes[] = { &hf_param_res_int64, &hf_param_fd_int64, &hf_param_uargs_string, &hf_param_flags_int32, NULL };
1838 #define syscall_mknod_e_indexes no_indexes
1839 static int * const syscall_mknod_x_indexes[] = { &hf_param_res_int64, &hf_param_path_string, &hf_param_mode_int32, &hf_param_dev_uint32, NULL };
1840 #define syscall_mknodat_e_indexes no_indexes
1841 static int * const syscall_mknodat_x_indexes[] = { &hf_param_res_int64, &hf_param_dirfd_int64, &hf_param_path_string, &hf_param_mode_int32, &hf_param_dev_uint32, NULL };
1842 #define syscall_newfstatat_e_indexes no_indexes
1843 static int * const syscall_newfstatat_x_indexes[] = { &hf_param_res_int64, &hf_param_dirfd_int64, &hf_param_path_string, &hf_param_flags_int32, NULL };
1844 #define syscall_process_vm_readv_e_indexes no_indexes
1845 static int * const syscall_process_vm_readv_x_indexes[] = { &hf_param_res_int64, &hf_param_pid_int64, &hf_param_data_bytes, NULL };
1846 #define syscall_process_vm_writev_e_indexes no_indexes
1847 #define syscall_process_vm_writev_x_indexes syscall_process_vm_readv_x_indexes
1848 #define syscall_delete_module_e_indexes no_indexes
1849 static int * const syscall_delete_module_x_indexes[] = { &hf_param_res_int64, &hf_param_name_string, &hf_param_flags_int32, NULL };
1850 #define syscall_setreuid_e_indexes no_indexes
1851 static int * const syscall_setreuid_x_indexes[] = { &hf_param_res_int64, &hf_param_ruid_int32, &hf_param_euid_int32, NULL };
1852 #define syscall_setregid_e_indexes no_indexes
1853 static int * const syscall_setregid_x_indexes[] = { &hf_param_res_int64, &hf_param_rgid_int32, &hf_param_egid_int32, NULL };
1854
1855 static const struct _event_tree_info event_tree_info[] = {
1856 /* Event tree. Automatically generated by tools/generate-sysdig-event.py */
1857 { EVT_GENERIC_E, generic_e_indexes },
1858 { EVT_GENERIC_X, generic_x_indexes },
1859 { EVT_SYSCALL_OPEN_E, syscall_open_e_indexes },
1860 { EVT_SYSCALL_OPEN_X, syscall_open_x_indexes },
1861 { EVT_SYSCALL_CLOSE_E, syscall_close_e_indexes },
1862 { EVT_SYSCALL_CLOSE_X, syscall_close_x_indexes },
1863 { EVT_SYSCALL_READ_E, syscall_read_e_indexes },
1864 { EVT_SYSCALL_READ_X, syscall_read_x_indexes },
1865 { EVT_SYSCALL_WRITE_E, syscall_write_e_indexes },
1866 { EVT_SYSCALL_WRITE_X, syscall_write_x_indexes },
1867 { EVT_SYSCALL_BRK_1_E, syscall_brk_1_e_indexes },
1868 { EVT_SYSCALL_BRK_1_X, syscall_brk_1_x_indexes },
1869 { EVT_SYSCALL_EXECVE_8_E, syscall_execve_8_e_indexes },
1870 { EVT_SYSCALL_EXECVE_8_X, syscall_execve_8_x_indexes },
1871 { EVT_SYSCALL_CLONE_11_E, syscall_clone_11_e_indexes },
1872 { EVT_SYSCALL_CLONE_11_X, syscall_clone_11_x_indexes },
1873 { EVT_PROCEXIT_E, procexit_e_indexes },
1874 { EVT_PROCEXIT_X, procexit_x_indexes },
1875 { EVT_SOCKET_SOCKET_E, socket_socket_e_indexes },
1876 { EVT_SOCKET_SOCKET_X, socket_socket_x_indexes },
1877 { EVT_SOCKET_BIND_E, socket_bind_e_indexes },
1878 { EVT_SOCKET_BIND_X, socket_bind_x_indexes },
1879 { EVT_SOCKET_CONNECT_E, socket_connect_e_indexes },
1880 { EVT_SOCKET_CONNECT_X, socket_connect_x_indexes },
1881 { EVT_SOCKET_LISTEN_E, socket_listen_e_indexes },
1882 { EVT_SOCKET_LISTEN_X, socket_listen_x_indexes },
1883 { EVT_SOCKET_ACCEPT_E, socket_accept_e_indexes },
1884 { EVT_SOCKET_ACCEPT_X, socket_accept_x_indexes },
1885 { EVT_SOCKET_SEND_E, socket_send_e_indexes },
1886 { EVT_SOCKET_SEND_X, socket_send_x_indexes },
1887 { EVT_SOCKET_SENDTO_E, socket_sendto_e_indexes },
1888 { EVT_SOCKET_SENDTO_X, socket_sendto_x_indexes },
1889 { EVT_SOCKET_RECV_E, socket_recv_e_indexes },
1890 { EVT_SOCKET_RECV_X, socket_recv_x_indexes },
1891 { EVT_SOCKET_RECVFROM_E, socket_recvfrom_e_indexes },
1892 { EVT_SOCKET_RECVFROM_X, socket_recvfrom_x_indexes },
1893 { EVT_SOCKET_SHUTDOWN_E, socket_shutdown_e_indexes },
1894 { EVT_SOCKET_SHUTDOWN_X, socket_shutdown_x_indexes },
1895 { EVT_SOCKET_GETSOCKNAME_E, socket_getsockname_e_indexes },
1896 { EVT_SOCKET_GETSOCKNAME_X, socket_getsockname_x_indexes },
1897 { EVT_SOCKET_GETPEERNAME_E, socket_getpeername_e_indexes },
1898 { EVT_SOCKET_GETPEERNAME_X, socket_getpeername_x_indexes },
1899 { EVT_SOCKET_SOCKETPAIR_E, socket_socketpair_e_indexes },
1900 { EVT_SOCKET_SOCKETPAIR_X, socket_socketpair_x_indexes },
1901 { EVT_SOCKET_SETSOCKOPT_E, socket_setsockopt_e_indexes },
1902 { EVT_SOCKET_SETSOCKOPT_X, socket_setsockopt_x_indexes },
1903 { EVT_SOCKET_GETSOCKOPT_E, socket_getsockopt_e_indexes },
1904 { EVT_SOCKET_GETSOCKOPT_X, socket_getsockopt_x_indexes },
1905 { EVT_SOCKET_SENDMSG_E, socket_sendmsg_e_indexes },
1906 { EVT_SOCKET_SENDMSG_X, socket_sendmsg_x_indexes },
1907 { EVT_SOCKET_SENDMMSG_E, socket_sendmmsg_e_indexes },
1908 { EVT_SOCKET_SENDMMSG_X, socket_sendmmsg_x_indexes },
1909 { EVT_SOCKET_RECVMSG_E, socket_recvmsg_e_indexes },
1910 { EVT_SOCKET_RECVMSG_X, socket_recvmsg_x_indexes },
1911 { EVT_SOCKET_RECVMMSG_E, socket_recvmmsg_e_indexes },
1912 { EVT_SOCKET_RECVMMSG_X, socket_recvmmsg_x_indexes },
1913 { EVT_SOCKET_ACCEPT4_E, socket_accept4_e_indexes },
1914 { EVT_SOCKET_ACCEPT4_X, socket_accept4_x_indexes },
1915 { EVT_SYSCALL_CREAT_E, syscall_creat_e_indexes },
1916 { EVT_SYSCALL_CREAT_X, syscall_creat_x_indexes },
1917 { EVT_SYSCALL_PIPE_E, syscall_pipe_e_indexes },
1918 { EVT_SYSCALL_PIPE_X, syscall_pipe_x_indexes },
1919 { EVT_SYSCALL_EVENTFD_E, syscall_eventfd_e_indexes },
1920 { EVT_SYSCALL_EVENTFD_X, syscall_eventfd_x_indexes },
1921 { EVT_SYSCALL_FUTEX_E, syscall_futex_e_indexes },
1922 { EVT_SYSCALL_FUTEX_X, syscall_futex_x_indexes },
1923 { EVT_SYSCALL_STAT_E, syscall_stat_e_indexes },
1924 { EVT_SYSCALL_STAT_X, syscall_stat_x_indexes },
1925 { EVT_SYSCALL_LSTAT_E, syscall_lstat_e_indexes },
1926 { EVT_SYSCALL_LSTAT_X, syscall_lstat_x_indexes },
1927 { EVT_SYSCALL_FSTAT_E, syscall_fstat_e_indexes },
1928 { EVT_SYSCALL_FSTAT_X, syscall_fstat_x_indexes },
1929 { EVT_SYSCALL_STAT64_E, syscall_stat64_e_indexes },
1930 { EVT_SYSCALL_STAT64_X, syscall_stat64_x_indexes },
1931 { EVT_SYSCALL_LSTAT64_E, syscall_lstat64_e_indexes },
1932 { EVT_SYSCALL_LSTAT64_X, syscall_lstat64_x_indexes },
1933 { EVT_SYSCALL_FSTAT64_E, syscall_fstat64_e_indexes },
1934 { EVT_SYSCALL_FSTAT64_X, syscall_fstat64_x_indexes },
1935 { EVT_SYSCALL_EPOLLWAIT_E, syscall_epollwait_e_indexes },
1936 { EVT_SYSCALL_EPOLLWAIT_X, syscall_epollwait_x_indexes },
1937 { EVT_SYSCALL_POLL_E, syscall_poll_e_indexes },
1938 { EVT_SYSCALL_POLL_X, syscall_poll_x_indexes },
1939 { EVT_SYSCALL_SELECT_E, syscall_select_e_indexes },
1940 { EVT_SYSCALL_SELECT_X, syscall_select_x_indexes },
1941 { EVT_SYSCALL_NEWSELECT_E, syscall_newselect_e_indexes },
1942 { EVT_SYSCALL_NEWSELECT_X, syscall_newselect_x_indexes },
1943 { EVT_SYSCALL_LSEEK_E, syscall_lseek_e_indexes },
1944 { EVT_SYSCALL_LSEEK_X, syscall_lseek_x_indexes },
1945 { EVT_SYSCALL_LLSEEK_E, syscall_llseek_e_indexes },
1946 { EVT_SYSCALL_LLSEEK_X, syscall_llseek_x_indexes },
1947 { EVT_SYSCALL_IOCTL_2_E, syscall_ioctl_2_e_indexes },
1948 { EVT_SYSCALL_IOCTL_2_X, syscall_ioctl_2_x_indexes },
1949 { EVT_SYSCALL_GETCWD_E, syscall_getcwd_e_indexes },
1950 { EVT_SYSCALL_GETCWD_X, syscall_getcwd_x_indexes },
1951 { EVT_SYSCALL_CHDIR_E, syscall_chdir_e_indexes },
1952 { EVT_SYSCALL_CHDIR_X, syscall_chdir_x_indexes },
1953 { EVT_SYSCALL_FCHDIR_E, syscall_fchdir_e_indexes },
1954 { EVT_SYSCALL_FCHDIR_X, syscall_fchdir_x_indexes },
1955 { EVT_SYSCALL_MKDIR_E, syscall_mkdir_e_indexes },
1956 { EVT_SYSCALL_MKDIR_X, syscall_mkdir_x_indexes },
1957 { EVT_SYSCALL_RMDIR_E, syscall_rmdir_e_indexes },
1958 { EVT_SYSCALL_RMDIR_X, syscall_rmdir_x_indexes },
1959 { EVT_SYSCALL_OPENAT_E, syscall_openat_e_indexes },
1960 { EVT_SYSCALL_OPENAT_X, syscall_openat_x_indexes },
1961 { EVT_SYSCALL_LINK_E, syscall_link_e_indexes },
1962 { EVT_SYSCALL_LINK_X, syscall_link_x_indexes },
1963 { EVT_SYSCALL_LINKAT_E, syscall_linkat_e_indexes },
1964 { EVT_SYSCALL_LINKAT_X, syscall_linkat_x_indexes },
1965 { EVT_SYSCALL_UNLINK_E, syscall_unlink_e_indexes },
1966 { EVT_SYSCALL_UNLINK_X, syscall_unlink_x_indexes },
1967 { EVT_SYSCALL_UNLINKAT_E, syscall_unlinkat_e_indexes },
1968 { EVT_SYSCALL_UNLINKAT_X, syscall_unlinkat_x_indexes },
1969 { EVT_SYSCALL_PREAD_E, syscall_pread_e_indexes },
1970 { EVT_SYSCALL_PREAD_X, syscall_pread_x_indexes },
1971 { EVT_SYSCALL_PWRITE_E, syscall_pwrite_e_indexes },
1972 { EVT_SYSCALL_PWRITE_X, syscall_pwrite_x_indexes },
1973 { EVT_SYSCALL_READV_E, syscall_readv_e_indexes },
1974 { EVT_SYSCALL_READV_X, syscall_readv_x_indexes },
1975 { EVT_SYSCALL_WRITEV_E, syscall_writev_e_indexes },
1976 { EVT_SYSCALL_WRITEV_X, syscall_writev_x_indexes },
1977 { EVT_SYSCALL_PREADV_E, syscall_preadv_e_indexes },
1978 { EVT_SYSCALL_PREADV_X, syscall_preadv_x_indexes },
1979 { EVT_SYSCALL_PWRITEV_E, syscall_pwritev_e_indexes },
1980 { EVT_SYSCALL_PWRITEV_X, syscall_pwritev_x_indexes },
1981 { EVT_SYSCALL_DUP_E, syscall_dup_e_indexes },
1982 { EVT_SYSCALL_DUP_X, syscall_dup_x_indexes },
1983 { EVT_SYSCALL_SIGNALFD_E, syscall_signalfd_e_indexes },
1984 { EVT_SYSCALL_SIGNALFD_X, syscall_signalfd_x_indexes },
1985 { EVT_SYSCALL_KILL_E, syscall_kill_e_indexes },
1986 { EVT_SYSCALL_KILL_X, syscall_kill_x_indexes },
1987 { EVT_SYSCALL_TKILL_E, syscall_tkill_e_indexes },
1988 { EVT_SYSCALL_TKILL_X, syscall_tkill_x_indexes },
1989 { EVT_SYSCALL_TGKILL_E, syscall_tgkill_e_indexes },
1990 { EVT_SYSCALL_TGKILL_X, syscall_tgkill_x_indexes },
1991 { EVT_SYSCALL_NANOSLEEP_E, syscall_nanosleep_e_indexes },
1992 { EVT_SYSCALL_NANOSLEEP_X, syscall_nanosleep_x_indexes },
1993 { EVT_SYSCALL_TIMERFD_CREATE_E, syscall_timerfd_create_e_indexes },
1994 { EVT_SYSCALL_TIMERFD_CREATE_X, syscall_timerfd_create_x_indexes },
1995 { EVT_SYSCALL_INOTIFY_INIT_E, syscall_inotify_init_e_indexes },
1996 { EVT_SYSCALL_INOTIFY_INIT_X, syscall_inotify_init_x_indexes },
1997 { EVT_SYSCALL_GETRLIMIT_E, syscall_getrlimit_e_indexes },
1998 { EVT_SYSCALL_GETRLIMIT_X, syscall_getrlimit_x_indexes },
1999 { EVT_SYSCALL_SETRLIMIT_E, syscall_setrlimit_e_indexes },
2000 { EVT_SYSCALL_SETRLIMIT_X, syscall_setrlimit_x_indexes },
2001 { EVT_SYSCALL_PRLIMIT_E, syscall_prlimit_e_indexes },
2002 { EVT_SYSCALL_PRLIMIT_X, syscall_prlimit_x_indexes },
2003 { EVT_SCHEDSWITCH_1_E, schedswitch_1_e_indexes },
2004 { EVT_SCHEDSWITCH_1_X, schedswitch_1_x_indexes },
2005 { EVT_DROP_E, drop_e_indexes },
2006 { EVT_DROP_X, drop_x_indexes },
2007 { EVT_SYSCALL_FCNTL_E, syscall_fcntl_e_indexes },
2008 { EVT_SYSCALL_FCNTL_X, syscall_fcntl_x_indexes },
2009 { EVT_SCHEDSWITCH_6_E, schedswitch_6_e_indexes },
2010 { EVT_SCHEDSWITCH_6_X, schedswitch_6_x_indexes },
2011 { EVT_SYSCALL_EXECVE_13_E, syscall_execve_13_e_indexes },
2012 { EVT_SYSCALL_EXECVE_13_X, syscall_execve_13_x_indexes },
2013 { EVT_SYSCALL_CLONE_16_E, syscall_clone_16_e_indexes },
2014 { EVT_SYSCALL_CLONE_16_X, syscall_clone_16_x_indexes },
2015 { EVT_SYSCALL_BRK_4_E, syscall_brk_4_e_indexes },
2016 { EVT_SYSCALL_BRK_4_X, syscall_brk_4_x_indexes },
2017 { EVT_SYSCALL_MMAP_E, syscall_mmap_e_indexes },
2018 { EVT_SYSCALL_MMAP_X, syscall_mmap_x_indexes },
2019 { EVT_SYSCALL_MMAP2_E, syscall_mmap2_e_indexes },
2020 { EVT_SYSCALL_MMAP2_X, syscall_mmap2_x_indexes },
2021 { EVT_SYSCALL_MUNMAP_E, syscall_munmap_e_indexes },
2022 { EVT_SYSCALL_MUNMAP_X, syscall_munmap_x_indexes },
2023 { EVT_SYSCALL_SPLICE_E, syscall_splice_e_indexes },
2024 { EVT_SYSCALL_SPLICE_X, syscall_splice_x_indexes },
2025 { EVT_SYSCALL_PTRACE_E, syscall_ptrace_e_indexes },
2026 { EVT_SYSCALL_PTRACE_X, syscall_ptrace_x_indexes },
2027 { EVT_SYSCALL_IOCTL_3_E, syscall_ioctl_3_e_indexes },
2028 { EVT_SYSCALL_IOCTL_3_X, syscall_ioctl_3_x_indexes },
2029 { EVT_SYSCALL_EXECVE_14_E, syscall_execve_14_e_indexes },
2030 { EVT_SYSCALL_EXECVE_14_X, syscall_execve_14_x_indexes },
2031 { EVT_SYSCALL_RENAME_E, syscall_rename_e_indexes },
2032 { EVT_SYSCALL_RENAME_X, syscall_rename_x_indexes },
2033 { EVT_SYSCALL_RENAMEAT_E, syscall_renameat_e_indexes },
2034 { EVT_SYSCALL_RENAMEAT_X, syscall_renameat_x_indexes },
2035 { EVT_SYSCALL_SYMLINK_E, syscall_symlink_e_indexes },
2036 { EVT_SYSCALL_SYMLINK_X, syscall_symlink_x_indexes },
2037 { EVT_SYSCALL_SYMLINKAT_E, syscall_symlinkat_e_indexes },
2038 { EVT_SYSCALL_SYMLINKAT_X, syscall_symlinkat_x_indexes },
2039 { EVT_SYSCALL_FORK_E, syscall_fork_e_indexes },
2040 { EVT_SYSCALL_FORK_X, syscall_fork_x_indexes },
2041 { EVT_SYSCALL_VFORK_E, syscall_vfork_e_indexes },
2042 { EVT_SYSCALL_VFORK_X, syscall_vfork_x_indexes },
2043 { EVT_PROCEXIT_1_E, procexit_1_e_indexes },
2044 { EVT_PROCEXIT_1_X, procexit_1_x_indexes },
2045 { EVT_SYSCALL_SENDFILE_E, syscall_sendfile_e_indexes },
2046 { EVT_SYSCALL_SENDFILE_X, syscall_sendfile_x_indexes },
2047 { EVT_SYSCALL_QUOTACTL_E, syscall_quotactl_e_indexes },
2048 { EVT_SYSCALL_QUOTACTL_X, syscall_quotactl_x_indexes },
2049 { EVT_SYSCALL_SETRESUID_E, syscall_setresuid_e_indexes },
2050 { EVT_SYSCALL_SETRESUID_X, syscall_setresuid_x_indexes },
2051 { EVT_SYSCALL_SETRESGID_E, syscall_setresgid_e_indexes },
2052 { EVT_SYSCALL_SETRESGID_X, syscall_setresgid_x_indexes },
2053 { EVT_SCAPEVENT_E, scapevent_e_indexes },
2054 { EVT_SCAPEVENT_X, scapevent_x_indexes },
2055 { EVT_SYSCALL_SETUID_E, syscall_setuid_e_indexes },
2056 { EVT_SYSCALL_SETUID_X, syscall_setuid_x_indexes },
2057 { EVT_SYSCALL_SETGID_E, syscall_setgid_e_indexes },
2058 { EVT_SYSCALL_SETGID_X, syscall_setgid_x_indexes },
2059 { EVT_SYSCALL_GETUID_E, syscall_getuid_e_indexes },
2060 { EVT_SYSCALL_GETUID_X, syscall_getuid_x_indexes },
2061 { EVT_SYSCALL_GETEUID_E, syscall_geteuid_e_indexes },
2062 { EVT_SYSCALL_GETEUID_X, syscall_geteuid_x_indexes },
2063 { EVT_SYSCALL_GETGID_E, syscall_getgid_e_indexes },
2064 { EVT_SYSCALL_GETGID_X, syscall_getgid_x_indexes },
2065 { EVT_SYSCALL_GETEGID_E, syscall_getegid_e_indexes },
2066 { EVT_SYSCALL_GETEGID_X, syscall_getegid_x_indexes },
2067 { EVT_SYSCALL_GETRESUID_E, syscall_getresuid_e_indexes },
2068 { EVT_SYSCALL_GETRESUID_X, syscall_getresuid_x_indexes },
2069 { EVT_SYSCALL_GETRESGID_E, syscall_getresgid_e_indexes },
2070 { EVT_SYSCALL_GETRESGID_X, syscall_getresgid_x_indexes },
2071 { EVT_SYSCALL_EXECVE_15_E, syscall_execve_15_e_indexes },
2072 { EVT_SYSCALL_EXECVE_15_X, syscall_execve_15_x_indexes },
2073 { EVT_SYSCALL_CLONE_17_E, syscall_clone_17_e_indexes },
2074 { EVT_SYSCALL_CLONE_17_X, syscall_clone_17_x_indexes },
2075 { EVT_SYSCALL_FORK_17_E, syscall_fork_17_e_indexes },
2076 { EVT_SYSCALL_FORK_17_X, syscall_fork_17_x_indexes },
2077 { EVT_SYSCALL_VFORK_17_E, syscall_vfork_17_e_indexes },
2078 { EVT_SYSCALL_VFORK_17_X, syscall_vfork_17_x_indexes },
2079 { EVT_SYSCALL_CLONE_20_E, syscall_clone_20_e_indexes },
2080 { EVT_SYSCALL_CLONE_20_X, syscall_clone_20_x_indexes },
2081 { EVT_SYSCALL_FORK_20_E, syscall_fork_20_e_indexes },
2082 { EVT_SYSCALL_FORK_20_X, syscall_fork_20_x_indexes },
2083 { EVT_SYSCALL_VFORK_20_E, syscall_vfork_20_e_indexes },
2084 { EVT_SYSCALL_VFORK_20_X, syscall_vfork_20_x_indexes },
2085 { EVT_CONTAINER_E, container_e_indexes },
2086 { EVT_CONTAINER_X, container_x_indexes },
2087 { EVT_SYSCALL_EXECVE_16_E, syscall_execve_16_e_indexes },
2088 { EVT_SYSCALL_EXECVE_16_X, syscall_execve_16_x_indexes },
2089 { EVT_SIGNALDELIVER_E, signaldeliver_e_indexes },
2090 { EVT_SIGNALDELIVER_X, signaldeliver_x_indexes },
2091 { EVT_PROCINFO_E, procinfo_e_indexes },
2092 { EVT_PROCINFO_X, procinfo_x_indexes },
2093 { EVT_SYSCALL_GETDENTS_E, syscall_getdents_e_indexes },
2094 { EVT_SYSCALL_GETDENTS_X, syscall_getdents_x_indexes },
2095 { EVT_SYSCALL_GETDENTS64_E, syscall_getdents64_e_indexes },
2096 { EVT_SYSCALL_GETDENTS64_X, syscall_getdents64_x_indexes },
2097 { EVT_SYSCALL_SETNS_E, syscall_setns_e_indexes },
2098 { EVT_SYSCALL_SETNS_X, syscall_setns_x_indexes },
2099 { EVT_SYSCALL_FLOCK_E, syscall_flock_e_indexes },
2100 { EVT_SYSCALL_FLOCK_X, syscall_flock_x_indexes },
2101 { EVT_CPU_HOTPLUG_E, cpu_hotplug_e_indexes },
2102 { EVT_CPU_HOTPLUG_X, cpu_hotplug_x_indexes },
2103 { EVT_SOCKET_ACCEPT_5_E, socket_accept_5_e_indexes },
2104 { EVT_SOCKET_ACCEPT_5_X, socket_accept_5_x_indexes },
2105 { EVT_SOCKET_ACCEPT4_5_E, socket_accept4_5_e_indexes },
2106 { EVT_SOCKET_ACCEPT4_5_X, socket_accept4_5_x_indexes },
2107 { EVT_SYSCALL_SEMOP_E, syscall_semop_e_indexes },
2108 { EVT_SYSCALL_SEMOP_X, syscall_semop_x_indexes },
2109 { EVT_SYSCALL_SEMCTL_E, syscall_semctl_e_indexes },
2110 { EVT_SYSCALL_SEMCTL_X, syscall_semctl_x_indexes },
2111 { EVT_SYSCALL_PPOLL_E, syscall_ppoll_e_indexes },
2112 { EVT_SYSCALL_PPOLL_X, syscall_ppoll_x_indexes },
2113 { EVT_SYSCALL_MOUNT_E, syscall_mount_e_indexes },
2114 { EVT_SYSCALL_MOUNT_X, syscall_mount_x_indexes },
2115 { EVT_SYSCALL_UMOUNT_E, syscall_umount_e_indexes },
2116 { EVT_SYSCALL_UMOUNT_X, syscall_umount_x_indexes },
2117 { EVT_K8S_E, k8s_e_indexes },
2118 { EVT_K8S_X, k8s_x_indexes },
2119 { EVT_SYSCALL_SEMGET_E, syscall_semget_e_indexes },
2120 { EVT_SYSCALL_SEMGET_X, syscall_semget_x_indexes },
2121 { EVT_SYSCALL_ACCESS_E, syscall_access_e_indexes },
2122 { EVT_SYSCALL_ACCESS_X, syscall_access_x_indexes },
2123 { EVT_SYSCALL_CHROOT_E, syscall_chroot_e_indexes },
2124 { EVT_SYSCALL_CHROOT_X, syscall_chroot_x_indexes },
2125 { EVT_TRACER_E, tracer_e_indexes },
2126 { EVT_TRACER_X, tracer_x_indexes },
2127 { EVT_MESOS_E, mesos_e_indexes },
2128 { EVT_MESOS_X, mesos_x_indexes },
2129 { EVT_CONTAINER_JSON_E, container_json_e_indexes },
2130 { EVT_CONTAINER_JSON_X, container_json_x_indexes },
2131 { EVT_SYSCALL_SETSID_E, syscall_setsid_e_indexes },
2132 { EVT_SYSCALL_SETSID_X, syscall_setsid_x_indexes },
2133 { EVT_SYSCALL_MKDIR_2_E, syscall_mkdir_2_e_indexes },
2134 { EVT_SYSCALL_MKDIR_2_X, syscall_mkdir_2_x_indexes },
2135 { EVT_SYSCALL_RMDIR_2_E, syscall_rmdir_2_e_indexes },
2136 { EVT_SYSCALL_RMDIR_2_X, syscall_rmdir_2_x_indexes },
2137 { EVT_NOTIFICATION_E, notification_e_indexes },
2138 { EVT_NOTIFICATION_X, notification_x_indexes },
2139 { EVT_SYSCALL_EXECVE_17_E, syscall_execve_17_e_indexes },
2140 { EVT_SYSCALL_EXECVE_17_X, syscall_execve_17_x_indexes },
2141 { EVT_SYSCALL_UNSHARE_E, syscall_unshare_e_indexes },
2142 { EVT_SYSCALL_UNSHARE_X, syscall_unshare_x_indexes },
2143 { EVT_INFRASTRUCTURE_EVENT_E, infrastructure_event_e_indexes },
2144 { EVT_INFRASTRUCTURE_EVENT_X, infrastructure_event_x_indexes },
2145 { EVT_SYSCALL_EXECVE_18_E, syscall_execve_18_e_indexes },
2146 { EVT_SYSCALL_EXECVE_18_X, syscall_execve_18_x_indexes },
2147 { EVT_PAGE_FAULT_E, page_fault_e_indexes },
2148 { EVT_PAGE_FAULT_X, page_fault_x_indexes },
2149 { EVT_SYSCALL_EXECVE_19_E, syscall_execve_19_e_indexes },
2150 { EVT_SYSCALL_EXECVE_19_X, syscall_execve_19_x_indexes },
2151 { EVT_SYSCALL_SETPGID_E, syscall_setpgid_e_indexes },
2152 { EVT_SYSCALL_SETPGID_X, syscall_setpgid_x_indexes },
2153 { EVT_SYSCALL_BPF_E, syscall_bpf_e_indexes },
2154 { EVT_SYSCALL_BPF_X, syscall_bpf_x_indexes },
2155 { EVT_SYSCALL_SECCOMP_E, syscall_seccomp_e_indexes },
2156 { EVT_SYSCALL_SECCOMP_X, syscall_seccomp_x_indexes },
2157 { EVT_SYSCALL_UNLINK_2_E, syscall_unlink_2_e_indexes },
2158 { EVT_SYSCALL_UNLINK_2_X, syscall_unlink_2_x_indexes },
2159 { EVT_SYSCALL_UNLINKAT_2_E, syscall_unlinkat_2_e_indexes },
2160 { EVT_SYSCALL_UNLINKAT_2_X, syscall_unlinkat_2_x_indexes },
2161 { EVT_SYSCALL_MKDIRAT_E, syscall_mkdirat_e_indexes },
2162 { EVT_SYSCALL_MKDIRAT_X, syscall_mkdirat_x_indexes },
2163 { EVT_SYSCALL_OPENAT_2_E, syscall_openat_2_e_indexes },
2164 { EVT_SYSCALL_OPENAT_2_X, syscall_openat_2_x_indexes },
2165 { EVT_SYSCALL_LINK_2_E, syscall_link_2_e_indexes },
2166 { EVT_SYSCALL_LINK_2_X, syscall_link_2_x_indexes },
2167 { EVT_SYSCALL_LINKAT_2_E, syscall_linkat_2_e_indexes },
2168 { EVT_SYSCALL_LINKAT_2_X, syscall_linkat_2_x_indexes },
2169 { EVT_SYSCALL_FCHMODAT_E, syscall_fchmodat_e_indexes },
2170 { EVT_SYSCALL_FCHMODAT_X, syscall_fchmodat_x_indexes },
2171 { EVT_SYSCALL_CHMOD_E, syscall_chmod_e_indexes },
2172 { EVT_SYSCALL_CHMOD_X, syscall_chmod_x_indexes },
2173 { EVT_SYSCALL_FCHMOD_E, syscall_fchmod_e_indexes },
2174 { EVT_SYSCALL_FCHMOD_X, syscall_fchmod_x_indexes },
2175 { EVT_SYSCALL_RENAMEAT2_E, syscall_renameat2_e_indexes },
2176 { EVT_SYSCALL_RENAMEAT2_X, syscall_renameat2_x_indexes },
2177 { EVT_SYSCALL_USERFAULTFD_E, syscall_userfaultfd_e_indexes },
2178 { EVT_SYSCALL_USERFAULTFD_X, syscall_userfaultfd_x_indexes },
2179 { EVT_PLUGINEVENT_E, pluginevent_e_indexes },
2180 { EVT_PLUGINEVENT_X, pluginevent_x_indexes },
2181 { EVT_CONTAINER_JSON_2_E, container_json_2_e_indexes },
2182 { EVT_CONTAINER_JSON_2_X, container_json_2_x_indexes },
2183 { EVT_SYSCALL_OPENAT2_E, syscall_openat2_e_indexes },
2184 { EVT_SYSCALL_OPENAT2_X, syscall_openat2_x_indexes },
2185 { EVT_SYSCALL_MPROTECT_E, syscall_mprotect_e_indexes },
2186 { EVT_SYSCALL_MPROTECT_X, syscall_mprotect_x_indexes },
2187 { EVT_SYSCALL_EXECVEAT_E, syscall_execveat_e_indexes },
2188 { EVT_SYSCALL_EXECVEAT_X, syscall_execveat_x_indexes },
2189 { EVT_SYSCALL_COPY_FILE_RANGE_E, syscall_copy_file_range_e_indexes },
2190 { EVT_SYSCALL_COPY_FILE_RANGE_X, syscall_copy_file_range_x_indexes },
2191 { EVT_SYSCALL_CLONE3_E, syscall_clone3_e_indexes },
2192 { EVT_SYSCALL_CLONE3_X, syscall_clone3_x_indexes },
2193 { EVT_SYSCALL_OPEN_BY_HANDLE_AT_E, syscall_open_by_handle_at_e_indexes },
2194 { EVT_SYSCALL_OPEN_BY_HANDLE_AT_X, syscall_open_by_handle_at_x_indexes },
2195 { EVT_SYSCALL_IO_URING_SETUP_E, syscall_io_uring_setup_e_indexes },
2196 { EVT_SYSCALL_IO_URING_SETUP_X, syscall_io_uring_setup_x_indexes },
2197 { EVT_SYSCALL_IO_URING_ENTER_E, syscall_io_uring_enter_e_indexes },
2198 { EVT_SYSCALL_IO_URING_ENTER_X, syscall_io_uring_enter_x_indexes },
2199 { EVT_SYSCALL_IO_URING_REGISTER_E, syscall_io_uring_register_e_indexes },
2200 { EVT_SYSCALL_IO_URING_REGISTER_X, syscall_io_uring_register_x_indexes },
2201 { EVT_SYSCALL_MLOCK_E, syscall_mlock_e_indexes },
2202 { EVT_SYSCALL_MLOCK_X, syscall_mlock_x_indexes },
2203 { EVT_SYSCALL_MUNLOCK_E, syscall_munlock_e_indexes },
2204 { EVT_SYSCALL_MUNLOCK_X, syscall_munlock_x_indexes },
2205 { EVT_SYSCALL_MLOCKALL_E, syscall_mlockall_e_indexes },
2206 { EVT_SYSCALL_MLOCKALL_X, syscall_mlockall_x_indexes },
2207 { EVT_SYSCALL_MUNLOCKALL_E, syscall_munlockall_e_indexes },
2208 { EVT_SYSCALL_MUNLOCKALL_X, syscall_munlockall_x_indexes },
2209 { EVT_SYSCALL_CAPSET_E, syscall_capset_e_indexes },
2210 { EVT_SYSCALL_CAPSET_X, syscall_capset_x_indexes },
2211 { EVT_USER_ADDED_E, user_added_e_indexes },
2212 { EVT_USER_ADDED_X, user_added_x_indexes },
2213 { EVT_USER_DELETED_E, user_deleted_e_indexes },
2214 { EVT_USER_DELETED_X, user_deleted_x_indexes },
2215 { EVT_GROUP_ADDED_E, group_added_e_indexes },
2216 { EVT_GROUP_ADDED_X, group_added_x_indexes },
2217 { EVT_GROUP_DELETED_E, group_deleted_e_indexes },
2218 { EVT_GROUP_DELETED_X, group_deleted_x_indexes },
2219 { EVT_SYSCALL_DUP2_E, syscall_dup2_e_indexes },
2220 { EVT_SYSCALL_DUP2_X, syscall_dup2_x_indexes },
2221 { EVT_SYSCALL_DUP3_E, syscall_dup3_e_indexes },
2222 { EVT_SYSCALL_DUP3_X, syscall_dup3_x_indexes },
2223 { EVT_SYSCALL_DUP_1_E, syscall_dup_1_e_indexes },
2224 { EVT_SYSCALL_DUP_1_X, syscall_dup_1_x_indexes },
2225 { EVT_SYSCALL_BPF_2_E, syscall_bpf_2_e_indexes },
2226 { EVT_SYSCALL_BPF_2_X, syscall_bpf_2_x_indexes },
2227 { EVT_SYSCALL_MLOCK2_E, syscall_mlock2_e_indexes },
2228 { EVT_SYSCALL_MLOCK2_X, syscall_mlock2_x_indexes },
2229 { EVT_SYSCALL_FSCONFIG_E, syscall_fsconfig_e_indexes },
2230 { EVT_SYSCALL_FSCONFIG_X, syscall_fsconfig_x_indexes },
2231 { EVT_SYSCALL_EPOLL_CREATE_E, syscall_epoll_create_e_indexes },
2232 { EVT_SYSCALL_EPOLL_CREATE_X, syscall_epoll_create_x_indexes },
2233 { EVT_SYSCALL_EPOLL_CREATE1_E, syscall_epoll_create1_e_indexes },
2234 { EVT_SYSCALL_EPOLL_CREATE1_X, syscall_epoll_create1_x_indexes },
2235 { EVT_SYSCALL_CHOWN_E, syscall_chown_e_indexes },
2236 { EVT_SYSCALL_CHOWN_X, syscall_chown_x_indexes },
2237 { EVT_SYSCALL_LCHOWN_E, syscall_lchown_e_indexes },
2238 { EVT_SYSCALL_LCHOWN_X, syscall_lchown_x_indexes },
2239 { EVT_SYSCALL_FCHOWN_E, syscall_fchown_e_indexes },
2240 { EVT_SYSCALL_FCHOWN_X, syscall_fchown_x_indexes },
2241 { EVT_SYSCALL_FCHOWNAT_E, syscall_fchownat_e_indexes },
2242 { EVT_SYSCALL_FCHOWNAT_X, syscall_fchownat_x_indexes },
2243 { EVT_SYSCALL_UMOUNT_1_E, syscall_umount_1_e_indexes },
2244 { EVT_SYSCALL_UMOUNT_1_X, syscall_umount_1_x_indexes },
2245 { EVT_SOCKET_ACCEPT4_6_E, socket_accept4_6_e_indexes },
2246 { EVT_SOCKET_ACCEPT4_6_X, socket_accept4_6_x_indexes },
2247 { EVT_SYSCALL_UMOUNT2_E, syscall_umount2_e_indexes },
2248 { EVT_SYSCALL_UMOUNT2_X, syscall_umount2_x_indexes },
2249 { EVT_SYSCALL_PIPE2_E, syscall_pipe2_e_indexes },
2250 { EVT_SYSCALL_PIPE2_X, syscall_pipe2_x_indexes },
2251 { EVT_SYSCALL_INOTIFY_INIT1_E, syscall_inotify_init1_e_indexes },
2252 { EVT_SYSCALL_INOTIFY_INIT1_X, syscall_inotify_init1_x_indexes },
2253 { EVT_SYSCALL_EVENTFD2_E, syscall_eventfd2_e_indexes },
2254 { EVT_SYSCALL_EVENTFD2_X, syscall_eventfd2_x_indexes },
2255 { EVT_SYSCALL_SIGNALFD4_E, syscall_signalfd4_e_indexes },
2256 { EVT_SYSCALL_SIGNALFD4_X, syscall_signalfd4_x_indexes },
2257 { EVT_SYSCALL_PRCTL_E, syscall_prctl_e_indexes },
2258 { EVT_SYSCALL_PRCTL_X, syscall_prctl_x_indexes },
2259 { EVT_ASYNCEVENT_E, asyncevent_e_indexes },
2260 { EVT_ASYNCEVENT_X, asyncevent_x_indexes },
2261 { EVT_SYSCALL_MEMFD_CREATE_E, syscall_memfd_create_e_indexes },
2262 { EVT_SYSCALL_MEMFD_CREATE_X, syscall_memfd_create_x_indexes },
2263 { EVT_SYSCALL_PIDFD_GETFD_E, syscall_pidfd_getfd_e_indexes },
2264 { EVT_SYSCALL_PIDFD_GETFD_X, syscall_pidfd_getfd_x_indexes },
2265 { EVT_SYSCALL_PIDFD_OPEN_E, syscall_pidfd_open_e_indexes },
2266 { EVT_SYSCALL_PIDFD_OPEN_X, syscall_pidfd_open_x_indexes },
2267 { EVT_SYSCALL_INIT_MODULE_E, syscall_init_module_e_indexes },
2268 { EVT_SYSCALL_INIT_MODULE_X, syscall_init_module_x_indexes },
2269 { EVT_SYSCALL_FINIT_MODULE_E, syscall_finit_module_e_indexes },
2270 { EVT_SYSCALL_FINIT_MODULE_X, syscall_finit_module_x_indexes },
2271 { EVT_SYSCALL_MKNOD_E, syscall_mknod_e_indexes },
2272 { EVT_SYSCALL_MKNOD_X, syscall_mknod_x_indexes },
2273 { EVT_SYSCALL_MKNODAT_E, syscall_mknodat_e_indexes },
2274 { EVT_SYSCALL_MKNODAT_X, syscall_mknodat_x_indexes },
2275 { EVT_SYSCALL_NEWFSTATAT_E, syscall_newfstatat_e_indexes },
2276 { EVT_SYSCALL_NEWFSTATAT_X, syscall_newfstatat_x_indexes },
2277 { EVT_SYSCALL_PROCESS_VM_READV_E, syscall_process_vm_readv_e_indexes },
2278 { EVT_SYSCALL_PROCESS_VM_READV_X, syscall_process_vm_readv_x_indexes },
2279 { EVT_SYSCALL_PROCESS_VM_WRITEV_E, syscall_process_vm_writev_e_indexes },
2280 { EVT_SYSCALL_PROCESS_VM_WRITEV_X, syscall_process_vm_writev_x_indexes },
2281 { EVT_SYSCALL_DELETE_MODULE_E, syscall_delete_module_e_indexes },
2282 { EVT_SYSCALL_DELETE_MODULE_X, syscall_delete_module_x_indexes },
2283 { EVT_SYSCALL_SETREUID_E, syscall_setreuid_e_indexes },
2284 { EVT_SYSCALL_SETREUID_X, syscall_setreuid_x_indexes },
2285 { EVT_SYSCALL_SETREGID_E, syscall_setregid_e_indexes },
2286 { EVT_SYSCALL_SETREGID_X, syscall_setregid_x_indexes },
2287
2288 { 0, NULL }
2289 };
2290
2291 /*
2292 * Value strings.
2293 * If the X_Y_vals has a matching hf_param_X_Y it will be added as a
2294 * VALS field conversion below.
2295 */
2296
2297 static const value_string ID_uint16_vals[] = {
2298 /* Syscall codes. Automatically generated by tools/generate-sysdig-event.py */
2299 { 0, "unknown" }, // PPM_SC_UNKNOWN
2300 { 1, "restart_syscall" }, // PPM_SC_RESTART_SYSCALL
2301 { 2, "exit" }, // PPM_SC_EXIT
2302 { 3, "read" }, // PPM_SC_READ
2303 { 4, "write" }, // PPM_SC_WRITE
2304 { 5, "open" }, // PPM_SC_OPEN
2305 { 6, "close" }, // PPM_SC_CLOSE
2306 { 7, "creat" }, // PPM_SC_CREAT
2307 { 8, "link" }, // PPM_SC_LINK
2308 { 9, "unlink" }, // PPM_SC_UNLINK
2309 { 10, "chdir" }, // PPM_SC_CHDIR
2310 { 11, "time" }, // PPM_SC_TIME
2311 { 12, "mknod" }, // PPM_SC_MKNOD
2312 { 13, "chmod" }, // PPM_SC_CHMOD
2313 { 14, "stat" }, // PPM_SC_STAT
2314 { 15, "lseek" }, // PPM_SC_LSEEK
2315 { 16, "getpid" }, // PPM_SC_GETPID
2316 { 17, "mount" }, // PPM_SC_MOUNT
2317 { 18, "ptrace" }, // PPM_SC_PTRACE
2318 { 19, "alarm" }, // PPM_SC_ALARM
2319 { 20, "fstat" }, // PPM_SC_FSTAT
2320 { 21, "pause" }, // PPM_SC_PAUSE
2321 { 22, "utime" }, // PPM_SC_UTIME
2322 { 23, "access" }, // PPM_SC_ACCESS
2323 { 24, "sync" }, // PPM_SC_SYNC
2324 { 25, "kill" }, // PPM_SC_KILL
2325 { 26, "rename" }, // PPM_SC_RENAME
2326 { 27, "mkdir" }, // PPM_SC_MKDIR
2327 { 28, "rmdir" }, // PPM_SC_RMDIR
2328 { 29, "dup" }, // PPM_SC_DUP
2329 { 30, "pipe" }, // PPM_SC_PIPE
2330 { 31, "times" }, // PPM_SC_TIMES
2331 { 32, "brk" }, // PPM_SC_BRK
2332 { 33, "acct" }, // PPM_SC_ACCT
2333 { 34, "ioctl" }, // PPM_SC_IOCTL
2334 { 35, "fcntl" }, // PPM_SC_FCNTL
2335 { 36, "setpgid" }, // PPM_SC_SETPGID
2336 { 37, "umask" }, // PPM_SC_UMASK
2337 { 38, "chroot" }, // PPM_SC_CHROOT
2338 { 39, "ustat" }, // PPM_SC_USTAT
2339 { 40, "dup2" }, // PPM_SC_DUP2
2340 { 41, "getppid" }, // PPM_SC_GETPPID
2341 { 42, "getpgrp" }, // PPM_SC_GETPGRP
2342 { 43, "setsid" }, // PPM_SC_SETSID
2343 { 44, "sethostname" }, // PPM_SC_SETHOSTNAME
2344 { 45, "setrlimit" }, // PPM_SC_SETRLIMIT
2345 { 46, "getrusage" }, // PPM_SC_GETRUSAGE
2346 { 47, "gettimeofday" }, // PPM_SC_GETTIMEOFDAY
2347 { 48, "settimeofday" }, // PPM_SC_SETTIMEOFDAY
2348 { 49, "symlink" }, // PPM_SC_SYMLINK
2349 { 50, "lstat" }, // PPM_SC_LSTAT
2350 { 51, "readlink" }, // PPM_SC_READLINK
2351 { 52, "uselib" }, // PPM_SC_USELIB
2352 { 53, "swapon" }, // PPM_SC_SWAPON
2353 { 54, "reboot" }, // PPM_SC_REBOOT
2354 { 55, "mmap" }, // PPM_SC_MMAP
2355 { 56, "munmap" }, // PPM_SC_MUNMAP
2356 { 57, "truncate" }, // PPM_SC_TRUNCATE
2357 { 58, "ftruncate" }, // PPM_SC_FTRUNCATE
2358 { 59, "fchmod" }, // PPM_SC_FCHMOD
2359 { 60, "getpriority" }, // PPM_SC_GETPRIORITY
2360 { 61, "setpriority" }, // PPM_SC_SETPRIORITY
2361 { 62, "statfs" }, // PPM_SC_STATFS
2362 { 63, "fstatfs" }, // PPM_SC_FSTATFS
2363 { 64, "syslog" }, // PPM_SC_SYSLOG
2364 { 65, "setitimer" }, // PPM_SC_SETITIMER
2365 { 66, "getitimer" }, // PPM_SC_GETITIMER
2366 { 67, "uname" }, // PPM_SC_UNAME
2367 { 68, "vhangup" }, // PPM_SC_VHANGUP
2368 { 69, "wait4" }, // PPM_SC_WAIT4
2369 { 70, "swapoff" }, // PPM_SC_SWAPOFF
2370 { 71, "sysinfo" }, // PPM_SC_SYSINFO
2371 { 72, "fsync" }, // PPM_SC_FSYNC
2372 { 73, "setdomainname" }, // PPM_SC_SETDOMAINNAME
2373 { 74, "adjtimex" }, // PPM_SC_ADJTIMEX
2374 { 75, "mprotect" }, // PPM_SC_MPROTECT
2375 { 76, "init_module" }, // PPM_SC_INIT_MODULE
2376 { 77, "delete_module" }, // PPM_SC_DELETE_MODULE
2377 { 78, "quotactl" }, // PPM_SC_QUOTACTL
2378 { 79, "getpgid" }, // PPM_SC_GETPGID
2379 { 80, "fchdir" }, // PPM_SC_FCHDIR
2380 { 81, "sysfs" }, // PPM_SC_SYSFS
2381 { 82, "personality" }, // PPM_SC_PERSONALITY
2382 { 83, "getdents" }, // PPM_SC_GETDENTS
2383 { 84, "select" }, // PPM_SC_SELECT
2384 { 85, "flock" }, // PPM_SC_FLOCK
2385 { 86, "msync" }, // PPM_SC_MSYNC
2386 { 87, "readv" }, // PPM_SC_READV
2387 { 88, "writev" }, // PPM_SC_WRITEV
2388 { 89, "getsid" }, // PPM_SC_GETSID
2389 { 90, "fdatasync" }, // PPM_SC_FDATASYNC
2390 { 91, "mlock" }, // PPM_SC_MLOCK
2391 { 92, "munlock" }, // PPM_SC_MUNLOCK
2392 { 93, "mlockall" }, // PPM_SC_MLOCKALL
2393 { 94, "munlockall" }, // PPM_SC_MUNLOCKALL
2394 { 95, "sched_setparam" }, // PPM_SC_SCHED_SETPARAM
2395 { 96, "sched_getparam" }, // PPM_SC_SCHED_GETPARAM
2396 { 97, "sched_setscheduler" }, // PPM_SC_SCHED_SETSCHEDULER
2397 { 98, "sched_getscheduler" }, // PPM_SC_SCHED_GETSCHEDULER
2398 { 99, "sched_yield" }, // PPM_SC_SCHED_YIELD
2399 { 100, "sched_get_priority_max" }, // PPM_SC_SCHED_GET_PRIORITY_MAX
2400 { 101, "sched_get_priority_min" }, // PPM_SC_SCHED_GET_PRIORITY_MIN
2401 { 102, "sched_rr_get_interval" }, // PPM_SC_SCHED_RR_GET_INTERVAL
2402 { 103, "nanosleep" }, // PPM_SC_NANOSLEEP
2403 { 104, "mremap" }, // PPM_SC_MREMAP
2404 { 105, "poll" }, // PPM_SC_POLL
2405 { 106, "prctl" }, // PPM_SC_PRCTL
2406 { 107, "rt_sigaction" }, // PPM_SC_RT_SIGACTION
2407 { 108, "rt_sigprocmask" }, // PPM_SC_RT_SIGPROCMASK
2408 { 109, "rt_sigpending" }, // PPM_SC_RT_SIGPENDING
2409 { 110, "rt_sigtimedwait" }, // PPM_SC_RT_SIGTIMEDWAIT
2410 { 111, "rt_sigqueueinfo" }, // PPM_SC_RT_SIGQUEUEINFO
2411 { 112, "rt_sigsuspend" }, // PPM_SC_RT_SIGSUSPEND
2412 { 113, "getcwd" }, // PPM_SC_GETCWD
2413 { 114, "capget" }, // PPM_SC_CAPGET
2414 { 115, "capset" }, // PPM_SC_CAPSET
2415 { 116, "sendfile" }, // PPM_SC_SENDFILE
2416 { 117, "getrlimit" }, // PPM_SC_GETRLIMIT
2417 { 118, "lchown" }, // PPM_SC_LCHOWN
2418 { 119, "getuid" }, // PPM_SC_GETUID
2419 { 120, "getgid" }, // PPM_SC_GETGID
2420 { 121, "geteuid" }, // PPM_SC_GETEUID
2421 { 122, "getegid" }, // PPM_SC_GETEGID
2422 { 123, "setreuid" }, // PPM_SC_SETREUID
2423 { 124, "setregid" }, // PPM_SC_SETREGID
2424 { 125, "getgroups" }, // PPM_SC_GETGROUPS
2425 { 126, "setgroups" }, // PPM_SC_SETGROUPS
2426 { 127, "fchown" }, // PPM_SC_FCHOWN
2427 { 128, "setresuid" }, // PPM_SC_SETRESUID
2428 { 129, "getresuid" }, // PPM_SC_GETRESUID
2429 { 130, "setresgid" }, // PPM_SC_SETRESGID
2430 { 131, "getresgid" }, // PPM_SC_GETRESGID
2431 { 132, "chown" }, // PPM_SC_CHOWN
2432 { 133, "setuid" }, // PPM_SC_SETUID
2433 { 134, "setgid" }, // PPM_SC_SETGID
2434 { 135, "setfsuid" }, // PPM_SC_SETFSUID
2435 { 136, "setfsgid" }, // PPM_SC_SETFSGID
2436 { 137, "pivot_root" }, // PPM_SC_PIVOT_ROOT
2437 { 138, "mincore" }, // PPM_SC_MINCORE
2438 { 139, "madvise" }, // PPM_SC_MADVISE
2439 { 140, "gettid" }, // PPM_SC_GETTID
2440 { 141, "setxattr" }, // PPM_SC_SETXATTR
2441 { 142, "lsetxattr" }, // PPM_SC_LSETXATTR
2442 { 143, "fsetxattr" }, // PPM_SC_FSETXATTR
2443 { 144, "getxattr" }, // PPM_SC_GETXATTR
2444 { 145, "lgetxattr" }, // PPM_SC_LGETXATTR
2445 { 146, "fgetxattr" }, // PPM_SC_FGETXATTR
2446 { 147, "listxattr" }, // PPM_SC_LISTXATTR
2447 { 148, "llistxattr" }, // PPM_SC_LLISTXATTR
2448 { 149, "flistxattr" }, // PPM_SC_FLISTXATTR
2449 { 150, "removexattr" }, // PPM_SC_REMOVEXATTR
2450 { 151, "lremovexattr" }, // PPM_SC_LREMOVEXATTR
2451 { 152, "fremovexattr" }, // PPM_SC_FREMOVEXATTR
2452 { 153, "tkill" }, // PPM_SC_TKILL
2453 { 154, "futex" }, // PPM_SC_FUTEX
2454 { 155, "sched_setaffinity" }, // PPM_SC_SCHED_SETAFFINITY
2455 { 156, "sched_getaffinity" }, // PPM_SC_SCHED_GETAFFINITY
2456 { 157, "set_thread_area" }, // PPM_SC_SET_THREAD_AREA
2457 { 158, "get_thread_area" }, // PPM_SC_GET_THREAD_AREA
2458 { 159, "io_setup" }, // PPM_SC_IO_SETUP
2459 { 160, "io_destroy" }, // PPM_SC_IO_DESTROY
2460 { 161, "io_getevents" }, // PPM_SC_IO_GETEVENTS
2461 { 162, "io_submit" }, // PPM_SC_IO_SUBMIT
2462 { 163, "io_cancel" }, // PPM_SC_IO_CANCEL
2463 { 164, "exit_group" }, // PPM_SC_EXIT_GROUP
2464 { 165, "epoll_create" }, // PPM_SC_EPOLL_CREATE
2465 { 166, "epoll_ctl" }, // PPM_SC_EPOLL_CTL
2466 { 167, "epoll_wait" }, // PPM_SC_EPOLL_WAIT
2467 { 168, "remap_file_pages" }, // PPM_SC_REMAP_FILE_PAGES
2468 { 169, "set_tid_address" }, // PPM_SC_SET_TID_ADDRESS
2469 { 170, "timer_create" }, // PPM_SC_TIMER_CREATE
2470 { 171, "timer_settime" }, // PPM_SC_TIMER_SETTIME
2471 { 172, "timer_gettime" }, // PPM_SC_TIMER_GETTIME
2472 { 173, "timer_getoverrun" }, // PPM_SC_TIMER_GETOVERRUN
2473 { 174, "timer_delete" }, // PPM_SC_TIMER_DELETE
2474 { 175, "clock_settime" }, // PPM_SC_CLOCK_SETTIME
2475 { 176, "clock_gettime" }, // PPM_SC_CLOCK_GETTIME
2476 { 177, "clock_getres" }, // PPM_SC_CLOCK_GETRES
2477 { 178, "clock_nanosleep" }, // PPM_SC_CLOCK_NANOSLEEP
2478 { 179, "tgkill" }, // PPM_SC_TGKILL
2479 { 180, "utimes" }, // PPM_SC_UTIMES
2480 { 181, "mq_open" }, // PPM_SC_MQ_OPEN
2481 { 182, "mq_unlink" }, // PPM_SC_MQ_UNLINK
2482 { 183, "mq_timedsend" }, // PPM_SC_MQ_TIMEDSEND
2483 { 184, "mq_timedreceive" }, // PPM_SC_MQ_TIMEDRECEIVE
2484 { 185, "mq_notify" }, // PPM_SC_MQ_NOTIFY
2485 { 186, "mq_getsetattr" }, // PPM_SC_MQ_GETSETATTR
2486 { 187, "kexec_load" }, // PPM_SC_KEXEC_LOAD
2487 { 188, "waitid" }, // PPM_SC_WAITID
2488 { 189, "add_key" }, // PPM_SC_ADD_KEY
2489 { 190, "request_key" }, // PPM_SC_REQUEST_KEY
2490 { 191, "keyctl" }, // PPM_SC_KEYCTL
2491 { 192, "ioprio_set" }, // PPM_SC_IOPRIO_SET
2492 { 193, "ioprio_get" }, // PPM_SC_IOPRIO_GET
2493 { 194, "inotify_init" }, // PPM_SC_INOTIFY_INIT
2494 { 195, "inotify_add_watch" }, // PPM_SC_INOTIFY_ADD_WATCH
2495 { 196, "inotify_rm_watch" }, // PPM_SC_INOTIFY_RM_WATCH
2496 { 197, "openat" }, // PPM_SC_OPENAT
2497 { 198, "mkdirat" }, // PPM_SC_MKDIRAT
2498 { 199, "mknodat" }, // PPM_SC_MKNODAT
2499 { 200, "fchownat" }, // PPM_SC_FCHOWNAT
2500 { 201, "futimesat" }, // PPM_SC_FUTIMESAT
2501 { 202, "unlinkat" }, // PPM_SC_UNLINKAT
2502 { 203, "renameat" }, // PPM_SC_RENAMEAT
2503 { 204, "linkat" }, // PPM_SC_LINKAT
2504 { 205, "symlinkat" }, // PPM_SC_SYMLINKAT
2505 { 206, "readlinkat" }, // PPM_SC_READLINKAT
2506 { 207, "fchmodat" }, // PPM_SC_FCHMODAT
2507 { 208, "faccessat" }, // PPM_SC_FACCESSAT
2508 { 209, "pselect6" }, // PPM_SC_PSELECT6
2509 { 210, "ppoll" }, // PPM_SC_PPOLL
2510 { 211, "unshare" }, // PPM_SC_UNSHARE
2511 { 212, "set_robust_list" }, // PPM_SC_SET_ROBUST_LIST
2512 { 213, "get_robust_list" }, // PPM_SC_GET_ROBUST_LIST
2513 { 214, "splice" }, // PPM_SC_SPLICE
2514 { 215, "tee" }, // PPM_SC_TEE
2515 { 216, "vmsplice" }, // PPM_SC_VMSPLICE
2516 { 217, "getcpu" }, // PPM_SC_GETCPU
2517 { 218, "epoll_pwait" }, // PPM_SC_EPOLL_PWAIT
2518 { 219, "utimensat" }, // PPM_SC_UTIMENSAT
2519 { 220, "signalfd" }, // PPM_SC_SIGNALFD
2520 { 221, "timerfd_create" }, // PPM_SC_TIMERFD_CREATE
2521 { 222, "eventfd" }, // PPM_SC_EVENTFD
2522 { 223, "timerfd_settime" }, // PPM_SC_TIMERFD_SETTIME
2523 { 224, "timerfd_gettime" }, // PPM_SC_TIMERFD_GETTIME
2524 { 225, "signalfd4" }, // PPM_SC_SIGNALFD4
2525 { 226, "eventfd2" }, // PPM_SC_EVENTFD2
2526 { 227, "epoll_create1" }, // PPM_SC_EPOLL_CREATE1
2527 { 228, "dup3" }, // PPM_SC_DUP3
2528 { 229, "pipe2" }, // PPM_SC_PIPE2
2529 { 230, "inotify_init1" }, // PPM_SC_INOTIFY_INIT1
2530 { 231, "preadv" }, // PPM_SC_PREADV
2531 { 232, "pwritev" }, // PPM_SC_PWRITEV
2532 { 233, "rt_tgsigqueueinfo" }, // PPM_SC_RT_TGSIGQUEUEINFO
2533 { 234, "perf_event_open" }, // PPM_SC_PERF_EVENT_OPEN
2534 { 235, "fanotify_init" }, // PPM_SC_FANOTIFY_INIT
2535 { 236, "prlimit64" }, // PPM_SC_PRLIMIT64
2536 { 237, "clock_adjtime" }, // PPM_SC_CLOCK_ADJTIME
2537 { 238, "syncfs" }, // PPM_SC_SYNCFS
2538 { 239, "setns" }, // PPM_SC_SETNS
2539 { 240, "getdents64" }, // PPM_SC_GETDENTS64
2540 { 241, "socket" }, // PPM_SC_SOCKET
2541 { 242, "bind" }, // PPM_SC_BIND
2542 { 243, "connect" }, // PPM_SC_CONNECT
2543 { 244, "listen" }, // PPM_SC_LISTEN
2544 { 245, "accept" }, // PPM_SC_ACCEPT
2545 { 246, "getsockname" }, // PPM_SC_GETSOCKNAME
2546 { 247, "getpeername" }, // PPM_SC_GETPEERNAME
2547 { 248, "socketpair" }, // PPM_SC_SOCKETPAIR
2548 { 249, "sendto" }, // PPM_SC_SENDTO
2549 { 250, "recvfrom" }, // PPM_SC_RECVFROM
2550 { 251, "shutdown" }, // PPM_SC_SHUTDOWN
2551 { 252, "setsockopt" }, // PPM_SC_SETSOCKOPT
2552 { 253, "getsockopt" }, // PPM_SC_GETSOCKOPT
2553 { 254, "sendmsg" }, // PPM_SC_SENDMSG
2554 { 255, "sendmmsg" }, // PPM_SC_SENDMMSG
2555 { 256, "recvmsg" }, // PPM_SC_RECVMSG
2556 { 257, "recvmmsg" }, // PPM_SC_RECVMMSG
2557 { 258, "accept4" }, // PPM_SC_ACCEPT4
2558 { 259, "semop" }, // PPM_SC_SEMOP
2559 { 260, "semget" }, // PPM_SC_SEMGET
2560 { 261, "semctl" }, // PPM_SC_SEMCTL
2561 { 262, "msgsnd" }, // PPM_SC_MSGSND
2562 { 263, "msgrcv" }, // PPM_SC_MSGRCV
2563 { 264, "msgget" }, // PPM_SC_MSGGET
2564 { 265, "msgctl" }, // PPM_SC_MSGCTL
2565 { 266, "shmdt" }, // PPM_SC_SHMDT
2566 { 267, "shmget" }, // PPM_SC_SHMGET
2567 { 268, "shmctl" }, // PPM_SC_SHMCTL
2568 { 269, "statfs64" }, // PPM_SC_STATFS64
2569 { 270, "fstatfs64" }, // PPM_SC_FSTATFS64
2570 { 271, "fstatat64" }, // PPM_SC_FSTATAT64
2571 { 272, "sendfile64" }, // PPM_SC_SENDFILE64
2572 { 273, "ugetrlimit" }, // PPM_SC_UGETRLIMIT
2573 { 274, "bdflush" }, // PPM_SC_BDFLUSH
2574 { 275, "sigprocmask" }, // PPM_SC_SIGPROCMASK
2575 { 276, "ipc" }, // PPM_SC_IPC
2576 { 277, "socketcall" }, // PPM_SC_SOCKETCALL
2577 { 278, "stat64" }, // PPM_SC_STAT64
2578 { 279, "lstat64" }, // PPM_SC_LSTAT64
2579 { 280, "fstat64" }, // PPM_SC_FSTAT64
2580 { 281, "fcntl64" }, // PPM_SC_FCNTL64
2581 { 282, "mmap2" }, // PPM_SC_MMAP2
2582 { 283, "_newselect" }, // PPM_SC__NEWSELECT
2583 { 284, "sgetmask" }, // PPM_SC_SGETMASK
2584 { 285, "ssetmask" }, // PPM_SC_SSETMASK
2585 { 286, "sigpending" }, // PPM_SC_SIGPENDING
2586 { 287, "olduname" }, // PPM_SC_OLDUNAME
2587 { 288, "umount" }, // PPM_SC_UMOUNT
2588 { 289, "signal" }, // PPM_SC_SIGNAL
2589 { 290, "nice" }, // PPM_SC_NICE
2590 { 291, "stime" }, // PPM_SC_STIME
2591 { 292, "_llseek" }, // PPM_SC__LLSEEK
2592 { 293, "waitpid" }, // PPM_SC_WAITPID
2593 { 294, "pread64" }, // PPM_SC_PREAD64
2594 { 295, "pwrite64" }, // PPM_SC_PWRITE64
2595 { 296, "arch_prctl" }, // PPM_SC_ARCH_PRCTL
2596 { 297, "shmat" }, // PPM_SC_SHMAT
2597 { 298, "rt_sigreturn" }, // PPM_SC_RT_SIGRETURN
2598 { 299, "fallocate" }, // PPM_SC_FALLOCATE
2599 { 300, "newfstatat" }, // PPM_SC_NEWFSTATAT
2600 { 301, "process_vm_readv" }, // PPM_SC_PROCESS_VM_READV
2601 { 302, "process_vm_writev" }, // PPM_SC_PROCESS_VM_WRITEV
2602 { 303, "fork" }, // PPM_SC_FORK
2603 { 304, "vfork" }, // PPM_SC_VFORK
2604 { 305, "setuid32" }, // PPM_SC_SETUID32
2605 { 306, "getuid32" }, // PPM_SC_GETUID32
2606 { 307, "setgid32" }, // PPM_SC_SETGID32
2607 { 308, "geteuid32" }, // PPM_SC_GETEUID32
2608 { 309, "getgid32" }, // PPM_SC_GETGID32
2609 { 310, "setresuid32" }, // PPM_SC_SETRESUID32
2610 { 311, "setresgid32" }, // PPM_SC_SETRESGID32
2611 { 312, "getresuid32" }, // PPM_SC_GETRESUID32
2612 { 313, "getresgid32" }, // PPM_SC_GETRESGID32
2613 { 314, "finit_module" }, // PPM_SC_FINIT_MODULE
2614 { 315, "bpf" }, // PPM_SC_BPF
2615 { 316, "seccomp" }, // PPM_SC_SECCOMP
2616 { 317, "sigaltstack" }, // PPM_SC_SIGALTSTACK
2617 { 318, "getrandom" }, // PPM_SC_GETRANDOM
2618 { 319, "fadvise64" }, // PPM_SC_FADVISE64
2619 { 320, "renameat2" }, // PPM_SC_RENAMEAT2
2620 { 321, "userfaultfd" }, // PPM_SC_USERFAULTFD
2621 { 322, "openat2" }, // PPM_SC_OPENAT2
2622 { 323, "umount2" }, // PPM_SC_UMOUNT2
2623 { 324, "execve" }, // PPM_SC_EXECVE
2624 { 325, "execveat" }, // PPM_SC_EXECVEAT
2625 { 326, "copy_file_range" }, // PPM_SC_COPY_FILE_RANGE
2626 { 327, "clone" }, // PPM_SC_CLONE
2627 { 328, "clone3" }, // PPM_SC_CLONE3
2628 { 329, "open_by_handle_at" }, // PPM_SC_OPEN_BY_HANDLE_AT
2629 { 330, "io_uring_setup" }, // PPM_SC_IO_URING_SETUP
2630 { 331, "io_uring_enter" }, // PPM_SC_IO_URING_ENTER
2631 { 332, "io_uring_register" }, // PPM_SC_IO_URING_REGISTER
2632 { 333, "mlock2" }, // PPM_SC_MLOCK2
2633 { 334, "getegid32" }, // PPM_SC_GETEGID32
2634 { 335, "fsconfig" }, // PPM_SC_FSCONFIG
2635 { 336, "fspick" }, // PPM_SC_FSPICK
2636 { 337, "fsmount" }, // PPM_SC_FSMOUNT
2637 { 338, "fsopen" }, // PPM_SC_FSOPEN
2638 { 339, "open_tree" }, // PPM_SC_OPEN_TREE
2639 { 340, "move_mount" }, // PPM_SC_MOVE_MOUNT
2640 { 341, "mount_setattr" }, // PPM_SC_MOUNT_SETATTR
2641 { 342, "memfd_create" }, // PPM_SC_MEMFD_CREATE
2642 { 343, "memfd_secret" }, // PPM_SC_MEMFD_SECRET
2643 { 344, "ioperm" }, // PPM_SC_IOPERM
2644 { 345, "kexec_file_load" }, // PPM_SC_KEXEC_FILE_LOAD
2645 { 346, "pidfd_getfd" }, // PPM_SC_PIDFD_GETFD
2646 { 347, "pidfd_open" }, // PPM_SC_PIDFD_OPEN
2647 { 348, "pidfd_send_signal" }, // PPM_SC_PIDFD_SEND_SIGNAL
2648 { 349, "pkey_alloc" }, // PPM_SC_PKEY_ALLOC
2649 { 350, "pkey_mprotect" }, // PPM_SC_PKEY_MPROTECT
2650 { 351, "pkey_free" }, // PPM_SC_PKEY_FREE
2651 { 352, "landlock_create_ruleset" }, // PPM_SC_LANDLOCK_CREATE_RULESET
2652 { 353, "quotactl_fd" }, // PPM_SC_QUOTACTL_FD
2653 { 354, "landlock_restrict_self" }, // PPM_SC_LANDLOCK_RESTRICT_SELF
2654 { 355, "landlock_add_rule" }, // PPM_SC_LANDLOCK_ADD_RULE
2655 { 356, "epoll_pwait2" }, // PPM_SC_EPOLL_PWAIT2
2656 { 357, "migrate_pages" }, // PPM_SC_MIGRATE_PAGES
2657 { 358, "move_pages" }, // PPM_SC_MOVE_PAGES
2658 { 359, "preadv2" }, // PPM_SC_PREADV2
2659 { 360, "pwritev2" }, // PPM_SC_PWRITEV2
2660 { 361, "kcmp" }, // PPM_SC_KCMP
2661 { 362, "sched_setattr" }, // PPM_SC_SCHED_SETATTR
2662 { 363, "mbind" }, // PPM_SC_MBIND
2663 { 364, "epoll_ctl_old" }, // PPM_SC_EPOLL_CTL_OLD
2664 { 365, "lookup_dcookie" }, // PPM_SC_LOOKUP_DCOOKIE
2665 { 366, "modify_ldt" }, // PPM_SC_MODIFY_LDT
2666 { 367, "statx" }, // PPM_SC_STATX
2667 { 368, "set_mempolicy" }, // PPM_SC_SET_MEMPOLICY
2668 { 369, "io_pgetevents" }, // PPM_SC_IO_PGETEVENTS
2669 { 370, "set_mempolicy_home_node" }, // PPM_SC_SET_MEMPOLICY_HOME_NODE
2670 { 371, "semtimedop" }, // PPM_SC_SEMTIMEDOP
2671 { 372, "get_kernel_syms" }, // PPM_SC_GET_KERNEL_SYMS
2672 { 373, "readahead" }, // PPM_SC_READAHEAD
2673 { 374, "futex_waitv" }, // PPM_SC_FUTEX_WAITV
2674 { 375, "getpmsg" }, // PPM_SC_GETPMSG
2675 { 376, "name_to_handle_at" }, // PPM_SC_NAME_TO_HANDLE_AT
2676 { 377, "process_mrelease" }, // PPM_SC_PROCESS_MRELEASE
2677 { 378, "nfsservctl" }, // PPM_SC_NFSSERVCTL
2678 { 379, "epoll_wait_old" }, // PPM_SC_EPOLL_WAIT_OLD
2679 { 380, "rseq" }, // PPM_SC_RSEQ
2680 { 381, "create_module" }, // PPM_SC_CREATE_MODULE
2681 { 383, "sched_getattr" }, // PPM_SC_SCHED_GETATTR
2682 { 384, "faccessat2" }, // PPM_SC_FACCESSAT2
2683 { 385, "_sysctl" }, // PPM_SC__SYSCTL
2684 { 386, "query_module" }, // PPM_SC_QUERY_MODULE
2685 { 387, "get_mempolicy" }, // PPM_SC_GET_MEMPOLICY
2686 { 388, "sync_file_range" }, // PPM_SC_SYNC_FILE_RANGE
2687 { 389, "process_madvise" }, // PPM_SC_PROCESS_MADVISE
2688 { 390, "membarrier" }, // PPM_SC_MEMBARRIER
2689 { 391, "iopl" }, // PPM_SC_IOPL
2690 { 392, "close_range" }, // PPM_SC_CLOSE_RANGE
2691 { 393, "fanotify_mark" }, // PPM_SC_FANOTIFY_MARK
2692 { 394, "recv" }, // PPM_SC_RECV
2693 { 395, "send" }, // PPM_SC_SEND
2694 { 396, "sched_process_exit" }, // PPM_SC_SCHED_PROCESS_EXIT
2695 { 397, "sched_switch" }, // PPM_SC_SCHED_SWITCH
2696 { 398, "page_fault_user" }, // PPM_SC_PAGE_FAULT_USER
2697 { 399, "page_fault_kernel" }, // PPM_SC_PAGE_FAULT_KERNEL
2698 { 400, "signal_deliver" }, // PPM_SC_SIGNAL_DELIVER
2699 { 401, "timerfd" }, // PPM_SC_TIMERFD
2700 { 402, "s390_pci_mmio_read" }, // PPM_SC_S390_PCI_MMIO_READ
2701 { 403, "sigaction" }, // PPM_SC_SIGACTION
2702 { 404, "s390_pci_mmio_write" }, // PPM_SC_S390_PCI_MMIO_WRITE
2703 { 405, "readdir" }, // PPM_SC_READDIR
2704 { 406, "s390_sthyi" }, // PPM_SC_S390_STHYI
2705 { 407, "sigsuspend" }, // PPM_SC_SIGSUSPEND
2706 { 408, "idle" }, // PPM_SC_IDLE
2707 { 409, "s390_runtime_instr" }, // PPM_SC_S390_RUNTIME_INSTR
2708 { 410, "sigreturn" }, // PPM_SC_SIGRETURN
2709 { 411, "s390_guarded_storage" }, // PPM_SC_S390_GUARDED_STORAGE
2710 { 412, "cachestat" }, // PPM_SC_CACHESTAT
2711 { 413, "fchmodat2" }, // PPM_SC_FCHMODAT2
2712 { 414, "map_shadow_stack" }, // PPM_SC_MAP_SHADOW_STACK
2713 { 415, "riscv_flush_icache" }, // PPM_SC_RISCV_FLUSH_ICACHE
2714 { 416, "riscv_hwprobe" }, // PPM_SC_RISCV_HWPROBE
2715 { 417, "futex_wake" }, // PPM_SC_FUTEX_WAKE
2716 { 418, "futex_requeue" }, // PPM_SC_FUTEX_REQUEUE
2717 { 419, "futex_wait" }, // PPM_SC_FUTEX_WAIT
2718 { 420, "oldstat" }, // PPM_SC_OLDSTAT
2719 { 421, "switch_endian" }, // PPM_SC_SWITCH_ENDIAN
2720 { 422, "multiplexer" }, // PPM_SC_MULTIPLEXER
2721 { 423, "oldlstat" }, // PPM_SC_OLDLSTAT
2722 { 424, "spu_create" }, // PPM_SC_SPU_CREATE
2723 { 425, "sync_file_range2" }, // PPM_SC_SYNC_FILE_RANGE2
2724 { 426, "oldfstat" }, // PPM_SC_OLDFSTAT
2725 { 427, "spu_run" }, // PPM_SC_SPU_RUN
2726 { 428, "swapcontext" }, // PPM_SC_SWAPCONTEXT
2727 { 429, "pciconfig_write" }, // PPM_SC_PCICONFIG_WRITE
2728 { 430, "rtas" }, // PPM_SC_RTAS
2729 { 431, "pciconfig_read" }, // PPM_SC_PCICONFIG_READ
2730 { 432, "sys_debug_setcontext" }, // PPM_SC_SYS_DEBUG_SETCONTEXT
2731 { 433, "vm86" }, // PPM_SC_VM86
2732 { 434, "oldolduname" }, // PPM_SC_OLDOLDUNAME
2733 { 435, "subpage_prot" }, // PPM_SC_SUBPAGE_PROT
2734 { 436, "pciconfig_iobase" }, // PPM_SC_PCICONFIG_IOBASE
2735 { 437, "listmount" }, // PPM_SC_LISTMOUNT
2736 { 438, "statmount" }, // PPM_SC_STATMOUNT
2737 { 439, "lsm_get_self_attr" }, // PPM_SC_LSM_GET_SELF_ATTR
2738 { 440, "lsm_set_self_attr" }, // PPM_SC_LSM_SET_SELF_ATTR
2739 { 441, "lsm_list_modules" }, // PPM_SC_LSM_LIST_MODULES
2740 { 442, "mseal" }, // PPM_SC_MSEAL
2741
2742 { 0, NULL }
2743 };
2744
2745 /*
2746 static const value_string param_category_vals[] = {
2747 { 1, "Other"},
2748 { 2, "File"},
2749 { 3, "Network operation"},
2750 { 4, "IPC operation"},
2751 { 5, "Memory operation"},
2752 { 6, "Process operation"},
2753 { 7, "Plain sleep"},
2754 { 8, "System operation"},
2755 { 9, "Signal operation"},
2756 { 10, "User operation"},
2757 { 11, "Time"},
2758 { 12, "User-level processing"},
2759 { 32, "I/O read"},
2760 { 33, "I/O write"},
2761 { 34, "I/O other"},
2762 { 64, "General wait"},
2763 {128, "Scheduler event"},
2764 {256, "Internal event"},
2765 {0, NULL}
2766 };
2767 */
2768
2769 /*
2770 static const value_string param_flag_vals[] = {
2771 { 0, "None"},
2772 {1 << 0, "Creates FD"},
2773 {1 << 1, "Destroys FD"},
2774 {1 << 2, "Uses FD"},
2775 {1 << 3, "Reads from FD"},
2776 {1 << 4, "Writes to FD"},
2777 {1 << 5, "Modifies state"},
2778 {1 << 6, "Unused"},
2779 {1 << 7, "Waits"},
2780 {1 << 8, "Skip parse reset"},
2781 {1 << 9, "Old version"},
2782 {0, NULL}
2783 };
2784 */
2785
2786 /*
2787 static const value_string param_subcategory_vals[] = {
2788 { 0, "Unknown"},
2789 { 1, "None"},
2790 { 2, "Other"},
2791 { 3, "File"},
2792 { 4, "Net"},
2793 { 5, "IPC"},
2794 {0, NULL}
2795 };
2796 */
2797
2798 static inline const char *format_param_str(wmem_allocator_t *scope, tvbuff_t *tvb, int offset, int len) {
2799 char *param_str;
2800
2801 param_str = tvb_get_string_enc(scope, tvb, offset, len, ENC_UTF_8|ENC_NA);
2802
2803 if (len < 2) {
2804 return param_str;
2805 }
2806 return format_text_chr(scope, param_str, len - 1, ' '); /* Leave terminating NULLs alone. */
2807 }
2808
2809 /* Code to actually dissect the packets */
2810
2811 static int
2812 dissect_header_lens_v1(tvbuff_t *tvb, proto_tree *tree, unsigned encoding, int * const *hf_indexes)
2813 {
2814 int param_count;
2815 proto_item *ti;
2816 proto_tree *len_tree;
2817
2818 for (param_count = 0; hf_indexes[param_count]; param_count++);
2819
2820 ti = proto_tree_add_item(tree, hf_se_param_lens, tvb, 0, param_count * SYSDIG_PARAM_SIZE, ENC_NA);
2821 len_tree = proto_item_add_subtree(ti, ett_sysdig_parm_lens);
2822
2823 for (param_count = 0; hf_indexes[param_count]; param_count++) {
2824 proto_tree_add_item(len_tree, hf_se_param_len, tvb, param_count * SYSDIG_PARAM_SIZE, SYSDIG_PARAM_SIZE, encoding);
2825 }
2826
2827 proto_item_set_len(ti, param_count * SYSDIG_PARAM_SIZE);
2828 return param_count * SYSDIG_PARAM_SIZE;
2829 }
2830
2831 static int
2832 dissect_header_lens_v2(tvbuff_t *tvb, wtap_syscall_header* syscall_header, proto_tree *tree, unsigned encoding)
2833 {
2834 uint32_t param_count;
2835 proto_item *ti;
2836 proto_tree *len_tree;
2837
2838 ti = proto_tree_add_item(tree, hf_se_param_lens, tvb, 0, syscall_header->nparams * SYSDIG_PARAM_SIZE_V2, ENC_NA);
2839 len_tree = proto_item_add_subtree(ti, ett_sysdig_parm_lens);
2840
2841 for (param_count = 0; param_count < syscall_header->nparams; param_count++) {
2842 proto_tree_add_item(len_tree, hf_se_param_len, tvb, param_count * SYSDIG_PARAM_SIZE_V2, SYSDIG_PARAM_SIZE_V2, encoding);
2843 }
2844
2845 proto_item_set_len(ti, syscall_header->nparams * SYSDIG_PARAM_SIZE_V2);
2846 return syscall_header->nparams * SYSDIG_PARAM_SIZE_V2;
2847 }
2848
2849 static int
2850 dissect_header_lens_v2_large(tvbuff_t *tvb, wtap_syscall_header* syscall_header, proto_tree *tree, unsigned encoding)
2851 {
2852 uint32_t param_count;
2853 proto_item *ti;
2854 proto_tree *len_tree;
2855
2856 ti = proto_tree_add_item(tree, hf_se_param_lens, tvb, 0, syscall_header->nparams * SYSDIG_PARAM_SIZE_V2_LARGE, ENC_NA);
2857 len_tree = proto_item_add_subtree(ti, ett_sysdig_parm_lens);
2858
2859 for (param_count = 0; param_count < syscall_header->nparams; param_count++) {
2860 proto_tree_add_item(len_tree, hf_se_param_len, tvb, param_count * SYSDIG_PARAM_SIZE_V2_LARGE, SYSDIG_PARAM_SIZE_V2_LARGE, encoding);
2861 }
2862
2863 proto_item_set_len(ti, syscall_header->nparams * SYSDIG_PARAM_SIZE_V2_LARGE);
2864 return syscall_header->nparams * SYSDIG_PARAM_SIZE_V2_LARGE;
2865 }
2866
2867 /* Dissect events */
2868
2869 static int
2870 dissect_event_params(tvbuff_t *tvb, packet_info *pinfo, const char **event_name, wtap_syscall_header* syscall_header, proto_tree *tree, unsigned encoding, int * const *hf_indexes, sysdig_event_param_data *event_param_data)
2871 {
2872 int len_offset = 0;
2873 int param_offset;
2874 int len_size;
2875 uint32_t cur_param;
2876
2877 switch (syscall_header->record_type) {
2878 case BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE:
2879 param_offset = dissect_header_lens_v2_large(tvb, syscall_header, tree, encoding);
2880 len_size = SYSDIG_PARAM_SIZE_V2_LARGE;
2881 break;
2882 case BLOCK_TYPE_SYSDIG_EVENT_V2:
2883 param_offset = dissect_header_lens_v2(tvb, syscall_header, tree, encoding);
2884 len_size = SYSDIG_PARAM_SIZE_V2;
2885 break;
2886 default:
2887 param_offset = dissect_header_lens_v1(tvb, tree, encoding, hf_indexes);
2888 len_size = SYSDIG_PARAM_SIZE;
2889 break;
2890 }
2891
2892 for (cur_param = 0; cur_param < syscall_header->nparams; cur_param++) {
2893 if (!hf_indexes[cur_param]) {
2894 // This happens when new params are added to existent events in sysdig,
2895 // if the event is already mapped in wireshark with a lower number of params.
2896 // hf_indexes array size would be < than event being dissected, leading to SIGSEGV.
2897 break;
2898 }
2899
2900 uint32_t param_len;
2901 if (syscall_header->record_type == BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE) {
2902 param_len = tvb_get_uint32(tvb, len_offset, encoding);
2903 } else {
2904 param_len = tvb_get_uint16(tvb, len_offset, encoding);
2905 }
2906 const int hf_index = *hf_indexes[cur_param];
2907 if (proto_registrar_get_ftype(hf_index) == FT_STRING) {
2908 proto_tree_add_string(tree, hf_index, tvb, param_offset, param_len,
2909 format_param_str(pinfo->pool, tvb, param_offset, param_len));
2910 } else {
2911 proto_tree_add_item(tree, hf_index, tvb, param_offset, param_len, encoding);
2912 if (hf_index == hf_param_data_bytes) {
2913 event_param_data->data_bytes_offset = param_offset;
2914 event_param_data->data_bytes_length = param_len;
2915 }
2916 }
2917
2918 if (hf_index == hf_param_ID_uint16) {
2919 uint16_t id = tvb_get_uint16(tvb, param_offset, encoding);
2920 *event_name = val_to_str(id, ID_uint16_vals, "Unknown ID %u");
2921 col_add_str(pinfo->cinfo, COL_INFO, *event_name);
2922 }
2923 param_offset += param_len;
2924 len_offset += len_size;
2925 }
2926 return param_offset;
2927 }
2928
2929 static int
2930 dissect_sysdig_event(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
2931 void *data _U_)
2932 {
2933 proto_item *ti;
2934 proto_tree *se_tree, *syscall_tree;
2935 unsigned event_type = pinfo->rec->rec_header.syscall_header.event_type;
2936 unsigned encoding = pinfo->rec->rec_header.syscall_header.byte_order == G_BIG_ENDIAN ? ENC_BIG_ENDIAN : ENC_LITTLE_ENDIAN;
2937 const struct _event_col_info *cur_col_info;
2938 const struct _event_tree_info *cur_tree_info;
2939
2940 /*** HEURISTICS ***/
2941
2942 /* Check that the packet is long enough for it to belong to us. */
2943 if (tvb_reported_length(tvb) < SYSDIG_EVENT_MIN_LENGTH)
2944 return 0;
2945
2946 /*** COLUMN DATA ***/
2947
2948 /*
2949 * If this is a plugin event, handle it appropriately and return
2950 */
2951 if (event_type == EVT_PLUGINEVENT_E && sinsp_dissector_handle) {
2952 return call_dissector(sinsp_dissector_handle, tvb, pinfo, tree);
2953 }
2954
2955 const char *event_name = val_to_str(event_type, event_type_vals, "Unknown syscall %u");
2956 sysdig_event_param_data event_param_data = {0};
2957
2958 /*
2959 * Sysdig uses the term "event" internally. So far every event has been
2960 * a syscall.
2961 */
2962 col_clear(pinfo->cinfo, COL_INFO);
2963 col_set_str(pinfo->cinfo, COL_PROTOCOL, "Sysdig Event");
2964 col_add_str(pinfo->cinfo, COL_INFO, event_name);
2965
2966 /*
2967 * XXX We can ditch this in favor of a simple index when event_col_info
2968 * is contiguous and in the correct order.
2969 */
2970 for (cur_col_info = event_col_info; cur_col_info->params; cur_col_info++) {
2971 if (cur_col_info->event_type == event_type) {
2972 const struct _event_col_info_param *cur_param = cur_col_info->params;
2973 int param_offset = cur_col_info->num_len_fields * 2;
2974
2975 /* Find the data offset */
2976 int cur_len_field;
2977 for (cur_len_field = 0;
2978 cur_len_field < cur_col_info->num_len_fields && cur_param->param_name;
2979 cur_len_field++) {
2980 unsigned param_len = tvb_get_uint16(tvb, cur_len_field * 2, encoding);
2981 if (cur_param->param_num == cur_len_field) {
2982 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s=", cur_param->param_name);
2983 switch (cur_param->param_ftype) {
2984 case FT_STRING:
2985 col_append_str(pinfo->cinfo, COL_INFO, format_param_str(pinfo->pool, tvb, param_offset, param_len));
2986 break;
2987 case FT_UINT64:
2988 col_append_fstr(pinfo->cinfo, COL_INFO, "%" PRIu64, tvb_get_uint64(tvb, param_offset, encoding));
2989 default:
2990 break;
2991 }
2992 cur_param++;
2993 }
2994 param_offset += param_len;
2995 }
2996 }
2997 }
2998
2999 /*** PROTOCOL TREE ***/
3000
3001 /* create display subtree for the protocol */
3002 ti = proto_tree_add_item(tree, proto_sysdig_event, tvb, 0, -1, ENC_NA);
3003
3004 se_tree = proto_item_add_subtree(ti, ett_sysdig_event);
3005
3006 proto_tree_add_uint(se_tree, hf_se_cpu_id, tvb, 0, 0, pinfo->rec->rec_header.syscall_header.cpu_id);
3007 proto_tree_add_uint64(se_tree, hf_se_thread_id, tvb, 0, 0, pinfo->rec->rec_header.syscall_header.thread_id);
3008 proto_tree_add_uint(se_tree, hf_se_event_length, tvb, 0, 0, pinfo->rec->rec_header.syscall_header.event_len);
3009 if (pinfo->rec->rec_header.syscall_header.nparams != 0) {
3010 proto_tree_add_uint(se_tree, hf_se_nparams, tvb, 0, 0, pinfo->rec->rec_header.syscall_header.nparams);
3011 }
3012 ti = proto_tree_add_uint(se_tree, hf_se_event_type, tvb, 0, 0, event_type);
3013
3014 syscall_tree = proto_item_add_subtree(ti, ett_sysdig_syscall);
3015
3016 if (pinfo->rec->rec_header.syscall_header.nparams > 0) {
3017 for (cur_tree_info = event_tree_info; cur_tree_info->hf_indexes; cur_tree_info++) {
3018 if (cur_tree_info->event_type == event_type) {
3019 dissect_event_params(tvb, pinfo, &event_name, &pinfo->rec->rec_header.syscall_header, syscall_tree, encoding, cur_tree_info->hf_indexes, &event_param_data);
3020 break;
3021 }
3022 }
3023 }
3024
3025 proto_tree_add_string(se_tree, hf_se_event_name, tvb, 0, 0, event_name);
3026
3027 if (!sinsp_dissector_handle) {
3028 return tvb_reported_length(tvb);
3029 }
3030
3031 int ret = call_dissector_with_data(sinsp_dissector_handle, tvb, pinfo, tree, &event_param_data);
3032
3033 if (event_param_data.data_bytes_offset > 0 && event_param_data.data_bytes_length > 0) {
3034 #define ELF_MAGIC 0x7f454c46 // 7f 'E' 'L' 'F'
3035 if (tvb_get_uint32(tvb, event_param_data.data_bytes_offset, ENC_BIG_ENDIAN) == ELF_MAGIC) {
3036 tvbuff_t *elf_tvb = tvb_new_subset_length(tvb, event_param_data.data_bytes_offset, event_param_data.data_bytes_length);
3037 TRY {
3038 call_dissector(elf_dissector_handle, elf_tvb, pinfo, tree);
3039 } CATCH_NONFATAL_ERRORS {
3040 // Partial dissection is OK.
3041 } ENDTRY;
3042 }
3043 }
3044
3045 return ret;
3046 }
3047
3048 /* Register the protocol with Wireshark.
3049 *
3050 * This format is required because a script is used to build the C function that
3051 * calls all the protocol registration.
3052 */
3053 void
3054 proto_register_sysdig_event(void)
3055 {
3056 /* XXX Match up with Sysdig's names. */
3057 static hf_register_info hf[] = {
3058 { &hf_se_cpu_id,
3059 { "CPU ID", "sysdig.cpu_id",
3060 FT_UINT16, BASE_DEC, NULL, 0, NULL, HFILL }
3061 },
3062 { &hf_se_thread_id,
3063 { "Thread ID", "sysdig.thread_id",
3064 FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL }
3065 },
3066 { &hf_se_event_length,
3067 { "Event length", "sysdig.event_len",
3068 FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }
3069 },
3070 { &hf_se_nparams,
3071 { "Number of parameters", "sysdig.nparams",
3072 FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }
3073 },
3074 { &hf_se_event_type,
3075 { "Event type", "sysdig.event_type",
3076 FT_UINT16, BASE_DEC, VALS(event_type_vals), 0, NULL, HFILL }
3077 },
3078 { &hf_se_event_name,
3079 { "Event name", "sysdig.event_name",
3080 FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }
3081 },
3082 { &hf_se_param_lens,
3083 { "Parameter lengths", "sysdig.param.lens",
3084 FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL }
3085 },
3086 { &hf_se_param_len,
3087 { "Parameter length", "sysdig.param.len",
3088 FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }
3089 },
3090
3091 /* Header field registration. Automatically generated by tools/generate-sysdig-event.py */
3092 { &hf_param_ID_uint16, { "ID", "sysdig.param.syscall.ID", FT_UINT16, BASE_DEC, VALS(ID_uint16_vals), 0, NULL, HFILL } },
3093 { &hf_param_action_uint32, { "action", "sysdig.param.cpu_hotplug.action", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3094 { &hf_param_addr_bytes, { "addr", "sysdig.param.ptrace.addr", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3095 { &hf_param_addr_uint64, { "addr", "sysdig.param.mlock2.addr", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } },
3096 { &hf_param_arg2_int_int64, { "arg2_int", "sysdig.param.prctl.arg2_int", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3097 { &hf_param_arg2_str_string, { "arg2_str", "sysdig.param.prctl.arg2_str", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3098 { &hf_param_arg_uint64, { "arg", "sysdig.param.io_uring_register.arg", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } },
3099 { &hf_param_args_string, { "args", "sysdig.param.clone3.args", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3100 { &hf_param_argument_uint64, { "I/O control: argument", "sysdig.param.ioctl.argument", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } },
3101 { &hf_param_aux_int32, { "aux", "sysdig.param.fsconfig.aux", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3102 { &hf_param_backlog_int32, { "backlog", "sysdig.param.listen.backlog", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3103 { &hf_param_cap_effective_uint64, { "cap_effective", "sysdig.param.capset.cap_effective", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } },
3104 { &hf_param_cap_inheritable_uint64, { "cap_inheritable", "sysdig.param.capset.cap_inheritable", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } },
3105 { &hf_param_cap_permitted_uint64, { "cap_permitted", "sysdig.param.capset.cap_permitted", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } },
3106 { &hf_param_cgroups_bytes, { "cgroups", "sysdig.param.clone3.cgroups", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3107 { &hf_param_clockid_uint8, { "clockid", "sysdig.param.timerfd_create.clockid", FT_UINT8, BASE_DEC, NULL, 0, NULL, HFILL } },
3108 { &hf_param_cmd_bytes, { "cmd", "sysdig.param.fsconfig.cmd", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3109 { &hf_param_cmd_int16, { "cmd", "sysdig.param.semctl.cmd", FT_INT16, BASE_DEC, NULL, 0, NULL, HFILL } },
3110 { &hf_param_cmd_int64, { "cmd", "sysdig.param.bpf.cmd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3111 { &hf_param_comm_string, { "comm", "sysdig.param.clone3.comm", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3112 { &hf_param_container_id_string, { "container_id", "sysdig.param.groupdeleted.container_id", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3113 { &hf_param_core_uint8, { "core", "sysdig.param.procexit.core", FT_UINT8, BASE_DEC, NULL, 0, NULL, HFILL } },
3114 { &hf_param_cpu_sys_uint64, { "cpu_sys", "sysdig.param.procinfo.cpu_sys", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3115 { &hf_param_cpu_uint32, { "cpu", "sysdig.param.cpu_hotplug.cpu", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3116 { &hf_param_cpu_usr_uint64, { "cpu_usr", "sysdig.param.procinfo.cpu_usr", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3117 { &hf_param_cq_entries_uint32, { "cq_entries", "sysdig.param.io_uring_setup.cq_entries", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3118 { &hf_param_cur_int64, { "cur", "sysdig.param.setrlimit.cur", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3119 { &hf_param_cwd_string, { "cwd", "sysdig.param.clone3.cwd", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3120 { &hf_param_data_bytes, { "data", "sysdig.param.process_vm_writev.data", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3121 { &hf_param_desc_string, { "desc", "sysdig.param.notification.desc", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3122 { &hf_param_description_string, { "description", "sysdig.param.infra.description", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3123 { &hf_param_dev_string, { "dev", "sysdig.param.mount.dev", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3124 { &hf_param_dev_uint32, { "dev", "sysdig.param.mknodat.dev", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3125 { &hf_param_dir_string, { "dir", "sysdig.param.mount.dir", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3126 { &hf_param_dirfd_int64, { "dirfd", "sysdig.param.newfstatat.dirfd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3127 { &hf_param_domain_bytes, { "domain", "sysdig.param.socketpair.domain", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3128 { &hf_param_dpid_int64, { "dpid", "sysdig.param.signaldeliver.dpid", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3129 { &hf_param_dqb_bhardlimit_uint64, { "dqb_bhardlimit", "sysdig.param.quotactl.dqb_bhardlimit", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3130 { &hf_param_dqb_bsoftlimit_uint64, { "dqb_bsoftlimit", "sysdig.param.quotactl.dqb_bsoftlimit", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3131 { &hf_param_dqb_btime_bytes, { "dqb_btime", "sysdig.param.quotactl.dqb_btime", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3132 { &hf_param_dqb_curspace_uint64, { "dqb_curspace", "sysdig.param.quotactl.dqb_curspace", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3133 { &hf_param_dqb_ihardlimit_uint64, { "dqb_ihardlimit", "sysdig.param.quotactl.dqb_ihardlimit", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3134 { &hf_param_dqb_isoftlimit_uint64, { "dqb_isoftlimit", "sysdig.param.quotactl.dqb_isoftlimit", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3135 { &hf_param_dqb_itime_bytes, { "dqb_itime", "sysdig.param.quotactl.dqb_itime", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3136 { &hf_param_dqi_bgrace_bytes, { "dqi_bgrace", "sysdig.param.quotactl.dqi_bgrace", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3137 { &hf_param_dqi_flags_int8, { "dqi_flags", "sysdig.param.quotactl.dqi_flags", FT_INT8, BASE_DEC, NULL, 0, NULL, HFILL } },
3138 { &hf_param_dqi_igrace_bytes, { "dqi_igrace", "sysdig.param.quotactl.dqi_igrace", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3139 { &hf_param_egid_int32, { "egid", "sysdig.param.setregid.egid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3140 { &hf_param_entries_uint32, { "entries", "sysdig.param.io_uring_setup.entries", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3141 { &hf_param_env_string, { "env", "sysdig.param.execveat.env", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3142 { &hf_param_error_int32, { "error", "sysdig.param.page_fault.error", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3143 { &hf_param_euid_int32, { "euid", "sysdig.param.setreuid.euid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3144 { &hf_param_event_data_bytes, { "event_data", "sysdig.param.pluginevent.event_data", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3145 { &hf_param_event_data_uint64, { "event_data", "sysdig.param.scapevent.event_data", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3146 { &hf_param_event_type_uint32, { "event_type", "sysdig.param.scapevent.event_type", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3147 { &hf_param_exe_ino_ctime_bytes, { "exe_ino_ctime", "sysdig.param.execveat.exe_ino_ctime", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3148 { &hf_param_exe_ino_mtime_bytes, { "exe_ino_mtime", "sysdig.param.execveat.exe_ino_mtime", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3149 { &hf_param_exe_ino_uint64, { "exe_ino", "sysdig.param.execveat.exe_ino", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3150 { &hf_param_exe_string, { "exe", "sysdig.param.clone3.exe", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3151 { &hf_param_fd1_int64, { "fd1", "sysdig.param.pipe2.fd1", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3152 { &hf_param_fd2_int64, { "fd2", "sysdig.param.pipe2.fd2", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3153 { &hf_param_fd_in_int64, { "fd_in", "sysdig.param.splice.fd_in", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3154 { &hf_param_fd_int64, { "fd", "sysdig.param.finit_module.fd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3155 { &hf_param_fd_out_int64, { "fd_out", "sysdig.param.splice.fd_out", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3156 { &hf_param_fdin_int64, { "fdin", "sysdig.param.copy_file_range.fdin", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3157 { &hf_param_fdlimit_int64, { "fdlimit", "sysdig.param.clone3.fdlimit", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3158 { &hf_param_fdlimit_uint64, { "fdlimit", "sysdig.param.execveat.fdlimit", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3159 { &hf_param_fdout_int64, { "fdout", "sysdig.param.copy_file_range.fdout", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3160 { &hf_param_fds_bytes, { "fds", "sysdig.param.ppoll.fds", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3161 { &hf_param_features_int32, { "features", "sysdig.param.io_uring_setup.features", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3162 { &hf_param_filename_string, { "filename", "sysdig.param.chmod.filename", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3163 { &hf_param_flags_int16, { "flags", "sysdig.param.signalfd4.flags", FT_INT16, BASE_DEC, NULL, 0, NULL, HFILL } },
3164 { &hf_param_flags_int32, { "flags", "sysdig.param.delete_module.flags", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3165 { &hf_param_flags_uint32, { "flags", "sysdig.param.pidfd_getfd.flags", FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL } },
3166 { &hf_param_flags_uint64, { "flags", "sysdig.param.seccomp.flags", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } },
3167 { &hf_param_flags_uint8, { "flags", "sysdig.param.inotify_init.flags", FT_UINT8, BASE_HEX, NULL, 0, NULL, HFILL } },
3168 { &hf_param_gid_int32, { "gid", "sysdig.param.getgid.gid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3169 { &hf_param_gid_uint32, { "gid", "sysdig.param.fchownat.gid", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3170 { &hf_param_home_string, { "home", "sysdig.param.userdeleted.home", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3171 { &hf_param_how_bytes, { "how", "sysdig.param.shutdown.how", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3172 { &hf_param_id_int64, { "id", "sysdig.param.tracer.id", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3173 { &hf_param_id_string, { "id", "sysdig.param.notification.id", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3174 { &hf_param_id_uint32, { "id", "sysdig.param.quotactl.id", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3175 { &hf_param_image_string, { "image", "sysdig.param.container.image", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3176 { &hf_param_img_bytes, { "img", "sysdig.param.init_module.img", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3177 { &hf_param_in_fd_int64, { "in_fd", "sysdig.param.sendfile.in_fd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3178 { &hf_param_initval_uint64, { "initval", "sysdig.param.eventfd2.initval", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3179 { &hf_param_ino_uint64, { "ino", "sysdig.param.pipe2.ino", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3180 { &hf_param_interval_bytes, { "interval", "sysdig.param.nanosleep.interval", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3181 { &hf_param_ip_uint64, { "ip", "sysdig.param.page_fault.ip", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } },
3182 { &hf_param_json_string, { "json", "sysdig.param.container.json", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3183 { &hf_param_key_int32, { "key", "sysdig.param.semget.key", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3184 { &hf_param_key_string, { "key", "sysdig.param.fsconfig.key", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3185 { &hf_param_len_uint64, { "len", "sysdig.param.mlock2.len", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3186 { &hf_param_length_uint64, { "length", "sysdig.param.init_module.length", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3187 { &hf_param_level_bytes, { "level", "sysdig.param.getsockopt.level", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3188 { &hf_param_linkdirfd_int64, { "linkdirfd", "sysdig.param.symlinkat.linkdirfd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3189 { &hf_param_linkpath_string, { "linkpath", "sysdig.param.symlinkat.linkpath", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3190 { &hf_param_loginuid_int32, { "loginuid", "sysdig.param.execveat.loginuid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3191 { &hf_param_mask_uint32, { "mask", "sysdig.param.signalfd4.mask", FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL } },
3192 { &hf_param_max_int64, { "max", "sysdig.param.setrlimit.max", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3193 { &hf_param_maxevents_int64, { "maxevents", "sysdig.param.epoll_wait.maxevents", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3194 { &hf_param_min_complete_uint32, { "min_complete", "sysdig.param.io_uring_enter.min_complete", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3195 { &hf_param_mode_int32, { "mode", "sysdig.param.mknodat.mode", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3196 { &hf_param_mode_uint32, { "mode", "sysdig.param.openat2.mode", FT_UINT32, BASE_OCT, NULL, 0, NULL, HFILL } },
3197 { &hf_param_mountfd_int64, { "mountfd", "sysdig.param.open_by_handle_at.mountfd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3198 { &hf_param_msgcontrol_bytes, { "msgcontrol", "sysdig.param.recvmsg.msgcontrol", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3199 { &hf_param_name_string, { "name", "sysdig.param.delete_module.name", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3200 { &hf_param_nativeID_uint16, { "nativeID", "sysdig.param.syscall.nativeID", FT_UINT16, BASE_DEC, NULL, 0, NULL, HFILL } },
3201 { &hf_param_newcur_int64, { "newcur", "sysdig.param.prlimit.newcur", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3202 { &hf_param_newdir_int64, { "newdir", "sysdig.param.linkat.newdir", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3203 { &hf_param_newdirfd_int64, { "newdirfd", "sysdig.param.renameat2.newdirfd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3204 { &hf_param_newfd_int64, { "newfd", "sysdig.param.dup3.newfd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3205 { &hf_param_newmax_int64, { "newmax", "sysdig.param.prlimit.newmax", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3206 { &hf_param_newpath_string, { "newpath", "sysdig.param.renameat2.newpath", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3207 { &hf_param_next_int64, { "next", "sysdig.param.switch.next", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3208 { &hf_param_nr_args_uint32, { "nr_args", "sysdig.param.io_uring_register.nr_args", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3209 { &hf_param_nsems_int32, { "nsems", "sysdig.param.semget.nsems", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3210 { &hf_param_nsops_uint32, { "nsops", "sysdig.param.semop.nsops", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3211 { &hf_param_nstype_int32, { "nstype", "sysdig.param.setns.nstype", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3212 { &hf_param_offin_uint64, { "offin", "sysdig.param.copy_file_range.offin", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3213 { &hf_param_offout_uint64, { "offout", "sysdig.param.copy_file_range.offout", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3214 { &hf_param_offset_uint64, { "offset", "sysdig.param.sendfile.offset", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3215 { &hf_param_oldcur_int64, { "oldcur", "sysdig.param.prlimit.oldcur", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3216 { &hf_param_olddir_int64, { "olddir", "sysdig.param.linkat.olddir", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3217 { &hf_param_olddirfd_int64, { "olddirfd", "sysdig.param.renameat2.olddirfd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3218 { &hf_param_oldfd_int64, { "oldfd", "sysdig.param.dup.oldfd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3219 { &hf_param_oldmax_int64, { "oldmax", "sysdig.param.prlimit.oldmax", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3220 { &hf_param_oldpath_string, { "oldpath", "sysdig.param.renameat2.oldpath", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3221 { &hf_param_op_bytes, { "op", "sysdig.param.futex.op", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3222 { &hf_param_op_uint64, { "op", "sysdig.param.seccomp.op", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3223 { &hf_param_opcode_bytes, { "opcode", "sysdig.param.io_uring_register.opcode", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3224 { &hf_param_operation_int32, { "operation", "sysdig.param.flock.operation", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3225 { &hf_param_option_bytes, { "option", "sysdig.param.prctl.option", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3226 { &hf_param_optlen_uint32, { "optlen", "sysdig.param.getsockopt.optlen", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3227 { &hf_param_optname_bytes, { "optname", "sysdig.param.getsockopt.optname", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3228 { &hf_param_out_fd_int64, { "out_fd", "sysdig.param.sendfile.out_fd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3229 { &hf_param_path_string, { "path", "sysdig.param.newfstatat.path", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3230 { &hf_param_pathname_string, { "pathname", "sysdig.param.fchownat.pathname", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3231 { &hf_param_peer_uint64, { "peer", "sysdig.param.socketpair.peer", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } },
3232 { &hf_param_pgft_maj_uint64, { "pgft_maj", "sysdig.param.clone3.pgft_maj", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3233 { &hf_param_pgft_min_uint64, { "pgft_min", "sysdig.param.clone3.pgft_min", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3234 { &hf_param_pgid_int64, { "pgid", "sysdig.param.execveat.pgid", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3235 { &hf_param_pgoffset_uint64, { "pgoffset", "sysdig.param.mmap2.pgoffset", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3236 { &hf_param_pid_fd_int64, { "pid_fd", "sysdig.param.pidfd_getfd.pid_fd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3237 { &hf_param_pid_int64, { "pid", "sysdig.param.process_vm_writev.pid", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3238 { &hf_param_pidns_init_start_ts_uint64, { "pidns_init_start_ts", "sysdig.param.clone3.pidns_init_start_ts", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3239 { &hf_param_plugin_id_uint32, { "plugin_id", "sysdig.param.asyncevent.plugin_id", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3240 { &hf_param_pos_uint64, { "pos", "sysdig.param.pwritev.pos", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3241 { &hf_param_prot_int32, { "prot", "sysdig.param.mprotect.prot", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3242 { &hf_param_proto_uint32, { "proto", "sysdig.param.socketpair.proto", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3243 { &hf_param_ptid_int64, { "ptid", "sysdig.param.clone3.ptid", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3244 { &hf_param_queuelen_uint32, { "queuelen", "sysdig.param.accept4.queuelen", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3245 { &hf_param_queuemax_uint32, { "queuemax", "sysdig.param.accept4.queuemax", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3246 { &hf_param_queuepct_uint8, { "queuepct", "sysdig.param.accept4.queuepct", FT_UINT8, BASE_DEC, NULL, 0, NULL, HFILL } },
3247 { &hf_param_quota_fmt_int8, { "quota_fmt", "sysdig.param.quotactl.quota_fmt", FT_INT8, BASE_DEC, NULL, 0, NULL, HFILL } },
3248 { &hf_param_quota_fmt_out_int8, { "quota_fmt_out", "sysdig.param.quotactl.quota_fmt_out", FT_INT8, BASE_DEC, NULL, 0, NULL, HFILL } },
3249 { &hf_param_quotafilepath_string, { "quotafilepath", "sysdig.param.quotactl.quotafilepath", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3250 { &hf_param_ratio_uint32, { "ratio", "sysdig.param.drop.ratio", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3251 { &hf_param_reaper_tid_int64, { "reaper_tid", "sysdig.param.procexit.reaper_tid", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3252 { &hf_param_request_bytes, { "request", "sysdig.param.ptrace.request", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3253 { &hf_param_request_uint64, { "I/O control: request", "sysdig.param.ioctl.request", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } },
3254 { &hf_param_res_int64, { "res", "sysdig.param.setregid.res", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3255 { &hf_param_res_or_fd_bytes, { "res_or_fd", "sysdig.param.bpf.res_or_fd", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3256 { &hf_param_res_uint64, { "res", "sysdig.param.brk.res", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } },
3257 { &hf_param_resolve_int32, { "resolve", "sysdig.param.openat2.resolve", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3258 { &hf_param_resource_bytes, { "resource", "sysdig.param.prlimit.resource", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3259 { &hf_param_ret_int64, { "ret", "sysdig.param.procexit.ret", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3260 { &hf_param_rgid_int32, { "rgid", "sysdig.param.setregid.rgid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3261 { &hf_param_ruid_int32, { "ruid", "sysdig.param.setreuid.ruid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3262 { &hf_param_scope_string, { "scope", "sysdig.param.infra.scope", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3263 { &hf_param_sem_flg_0_int16, { "sem_flg_0", "sysdig.param.semop.sem_flg_0", FT_INT16, BASE_DEC, NULL, 0, NULL, HFILL } },
3264 { &hf_param_sem_flg_1_int16, { "sem_flg_1", "sysdig.param.semop.sem_flg_1", FT_INT16, BASE_DEC, NULL, 0, NULL, HFILL } },
3265 { &hf_param_sem_num_0_uint16, { "sem_num_0", "sysdig.param.semop.sem_num_0", FT_UINT16, BASE_DEC, NULL, 0, NULL, HFILL } },
3266 { &hf_param_sem_num_1_uint16, { "sem_num_1", "sysdig.param.semop.sem_num_1", FT_UINT16, BASE_DEC, NULL, 0, NULL, HFILL } },
3267 { &hf_param_sem_op_0_int16, { "sem_op_0", "sysdig.param.semop.sem_op_0", FT_INT16, BASE_DEC, NULL, 0, NULL, HFILL } },
3268 { &hf_param_sem_op_1_int16, { "sem_op_1", "sysdig.param.semop.sem_op_1", FT_INT16, BASE_DEC, NULL, 0, NULL, HFILL } },
3269 { &hf_param_semflg_int32, { "semflg", "sysdig.param.semget.semflg", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3270 { &hf_param_semid_int32, { "semid", "sysdig.param.semctl.semid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3271 { &hf_param_semnum_int32, { "semnum", "sysdig.param.semctl.semnum", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3272 { &hf_param_sgid_int32, { "sgid", "sysdig.param.getresgid.sgid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3273 { &hf_param_shell_string, { "shell", "sysdig.param.userdeleted.shell", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3274 { &hf_param_sig_bytes, { "sig", "sysdig.param.io_uring_enter.sig", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3275 { &hf_param_sigmask_bytes, { "sigmask", "sysdig.param.ppoll.sigmask", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3276 { &hf_param_size_int32, { "size", "sysdig.param.epoll_create.size", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3277 { &hf_param_size_uint32, { "size", "sysdig.param.pwritev.size", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3278 { &hf_param_size_uint64, { "size", "sysdig.param.sendfile.size", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3279 { &hf_param_source_string, { "source", "sysdig.param.infra.source", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3280 { &hf_param_source_uint64, { "source", "sysdig.param.socketpair.source", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } },
3281 { &hf_param_special_string, { "special", "sysdig.param.quotactl.special", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3282 { &hf_param_spid_int64, { "spid", "sysdig.param.signaldeliver.spid", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3283 { &hf_param_sq_entries_uint32, { "sq_entries", "sysdig.param.io_uring_setup.sq_entries", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3284 { &hf_param_sq_thread_cpu_uint32, { "sq_thread_cpu", "sysdig.param.io_uring_setup.sq_thread_cpu", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3285 { &hf_param_sq_thread_idle_uint32, { "sq_thread_idle", "sysdig.param.io_uring_setup.sq_thread_idle", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3286 { &hf_param_status_int64, { "status", "sysdig.param.procexit.status", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3287 { &hf_param_suid_int32, { "suid", "sysdig.param.getresuid.suid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3288 { &hf_param_tags_bytes, { "tags", "sysdig.param.tracer.tags", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3289 { &hf_param_target_fd_int64, { "target_fd", "sysdig.param.pidfd_getfd.target_fd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3290 { &hf_param_target_string, { "target", "sysdig.param.symlinkat.target", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3291 { &hf_param_tid_int64, { "tid", "sysdig.param.clone3.tid", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3292 { &hf_param_timeout_bytes, { "timeout", "sysdig.param.ppoll.timeout", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3293 { &hf_param_timeout_int64, { "timeout", "sysdig.param.poll.timeout", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3294 { &hf_param_to_submit_uint32, { "to_submit", "sysdig.param.io_uring_enter.to_submit", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3295 { &hf_param_trusted_exepath_string, { "trusted_exepath", "sysdig.param.execveat.trusted_exepath", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3296 { &hf_param_tty_int32, { "tty", "sysdig.param.execve.tty", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3297 { &hf_param_tty_uint32, { "tty", "sysdig.param.execveat.tty", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3298 { &hf_param_tuple_bytes, { "tuple", "sysdig.param.accept4.tuple", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3299 { &hf_param_type_int8, { "type", "sysdig.param.quotactl.type", FT_INT8, BASE_DEC, NULL, 0, NULL, HFILL } },
3300 { &hf_param_type_string, { "type", "sysdig.param.mount.type", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3301 { &hf_param_type_uint32, { "type", "sysdig.param.container.type", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3302 { &hf_param_uargs_string, { "uargs", "sysdig.param.finit_module.uargs", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3303 { &hf_param_uid_int32, { "uid", "sysdig.param.execveat.uid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3304 { &hf_param_uid_uint32, { "uid", "sysdig.param.fchownat.uid", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3305 { &hf_param_val_bytes, { "val", "sysdig.param.getsockopt.val", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3306 { &hf_param_val_int32, { "val", "sysdig.param.semctl.val", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3307 { &hf_param_val_uint64, { "val", "sysdig.param.futex.val", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3308 { &hf_param_value_bytebuf_bytes, { "value_bytebuf", "sysdig.param.fsconfig.value_bytebuf", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3309 { &hf_param_value_charbuf_string, { "value_charbuf", "sysdig.param.fsconfig.value_charbuf", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
3310 { &hf_param_vm_rss_uint32, { "vm_rss", "sysdig.param.clone3.vm_rss", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3311 { &hf_param_vm_size_uint32, { "vm_size", "sysdig.param.clone3.vm_size", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3312 { &hf_param_vm_swap_uint32, { "vm_swap", "sysdig.param.clone3.vm_swap", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
3313 { &hf_param_vpid_int64, { "vpid", "sysdig.param.clone3.vpid", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3314 { &hf_param_vtid_int64, { "vtid", "sysdig.param.clone3.vtid", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
3315 { &hf_param_whence_bytes, { "whence", "sysdig.param.llseek.whence", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
3316 };
3317
3318 /* Setup protocol subtree array */
3319 static int *ett[] = {
3320 &ett_sysdig_event,
3321 &ett_sysdig_parm_lens,
3322 &ett_sysdig_syscall
3323 };
3324
3325 /* Register the protocol name and description */
3326 proto_sysdig_event = proto_register_protocol("Sysdig Event", "Sysdig Event", "sysdig");
3327
3328 /* Required function calls to register the header fields and subtrees */
3329 proto_register_field_array(proto_sysdig_event, hf, array_length(hf));
3330 proto_register_subtree_array(ett, array_length(ett));
3331
3332 sysdig_event_handle = register_dissector("sysdig", dissect_sysdig_event, proto_sysdig_event);
3333 }
3334
3335 void
3336 proto_reg_handoff_sysdig_event(void)
3337 {
3338 dissector_add_uint("pcapng.block_type", BLOCK_TYPE_SYSDIG_EVENT, sysdig_event_handle);
3339 dissector_add_uint("pcapng.block_type", BLOCK_TYPE_SYSDIG_EVENT_V2, sysdig_event_handle);
3340 dissector_add_uint("pcapng.block_type", BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE, sysdig_event_handle);
3341
3342 sinsp_dissector_handle = find_dissector("falcobridge");
3343 elf_dissector_handle = find_dissector("elf");
3344 }
3345
3346 /*
3347 * Editor modelines - https://www.wireshark.org/tools/modelines.html
3348 *
3349 * Local variables:
3350 * c-basic-offset: 4
3351 * tab-width: 8
3352 * indent-tabs-mode: nil
3353 * End:
3354 *
3355 * vi: set shiftwidth=4 tabstop=8 expandtab:
3356 * :indentSize=4:tabSize=8:noTabs=true:
3357 */
Metzes wireshark repo