#general
Stefano Bonicatti

01/14/2022, 11:16 PM
@Tor Houghton I did not answer the second part of the question. The -1 value is there when the event is missing that information. To construct those rows we have to do some state tracking because not all data is available at each event. An event here is a syscall call among connect, bind, listen and accept; this is what BPF is tracing. It would be useful to see the syscall column too. So sometimes it's because we haven't seen the needed syscalls to have all the data; otherwise it could also be an issue that has been improved in osquery 5.1.0, if you're not already using that. Finally, it could just be a bug, but one would need to see the code in action.

Tor Houghton

01/17/2022, 8:06 AM
Thanks for taking the time to explain this. I will continue to look at it.