Cannot trace 32 bit apps running on 64 bit host with BPF

[golovach]

Hello

I am facing a problem of tracking 32 bit applications on 64 bit Ubuntu host when using BPF probe. Steps to reproduce:

1. On Ubuntu 64 with gcc, install gcc-multilib package
2. compile some simple app: gcc -m32 -static test_app.c -o test_app_32
3. Run the app while sysdig is watching the the system using BPF probe (sysdig -B)

Here is an example of such an application:

#include <stdio.h>

int main(int argc, char* argv[])
{
    printf("Hello from test app. Sizeof(void*)=%u\n", sizeof(void*));
    printf("Process id: %u\n", getpid());
    return 0;
}

I can not see write and getpid sycalls. I will appreciate any comment on this

[FedeDP]

Hi! This is unfortunately a well known limitation of our eBPF probe: https://github.com/falcosecurity/libs/issues/279 I have yet to find the spare time to work on that :) Can't promise any ETA, sorry!

[therealbobo]

Hey @golovach! This feature is coming in the next sysdig release (0.35.0) :)