<@UE86SU9UP> Welcome! You might need to install `l...
# ebpf
@Tal Kapon Welcome! You might need to install
so that the header is available
@Stefano Bonicatti thanks, that indeed helped. Maybe you can hint me on the next questions: 1. osquery throws those messages to logs: E0510 094401.856688 3171 bpfeventpublisher.cpp:435] BPFEventPublisher has encountered 1 malformed events 2. In the actual results from bpf_socket_event, in most cases the remote/local address/port are empty or 0. I was expecting that when the familt is 1, I would see real values
for 1: we used to miss some events to a kernel bug with the execve/execveat tracepoints
for 2: we won't get all the ports unless we also see the process calling the bind() system call
thanks a lot. Much appreciate your helpful responses.