@Tal Kapon Welcome! You might need to install

linux-libc-dev

so that the header is available

@Stefano Bonicatti thanks, that indeed helped. Maybe you can hint me on the next questions: 1. osquery throws those messages to logs: E0510 09:44:01.856688 3171 bpfeventpublisher.cpp:435] BPFEventPublisher has encountered 1 malformed events 2. In the actual results from bpf_socket_event, in most cases the remote/local address/port are empty or 0. I was expecting that when the familt is 1, I would see real values

for 1: we used to miss some events to a kernel bug with the execve/execveat tracepoints

thanks a lot. Much appreciate your helpful responses.