https://github.com/osquery/osquery
#ebpf

Stefano Bonicatti

05/09/2021, 10:11 AM
@Tal Kapon Welcome! You might need to install
linux-libc-dev
so that the header is available

Tal Kapon

05/10/2021, 10:23 AM
@Stefano Bonicatti thanks, that indeed helped. Maybe you can give me a hint on the next questions:
1. osquery throws those messages into the logs: E0510 094401.856688 3171 bpfeventpublisher.cpp:435] BPFEventPublisher has encountered 1 malformed events
2. In the actual results from bpf_socket_event, in most cases the remote/local address/port are empty or 0. I was expecting that when the family is 1, I would see real values

alessandrogario

05/11/2021, 5:51 PM
for 1: we used to miss some events due to a kernel bug with the execve/execveat tracepoints
for 2: we won't get all the ports unless we also see the process calling the bind() system call

Tal Kapon

05/15/2021, 6:28 PM
thanks a lot. I much appreciate your helpful responses.