search

draios / sysdig

Linux system exploration and troubleshooting tool with first class support for containers
http://www.sysdig.com/
Other
7.76k stars 728 forks source link

Cannot trace 32 bit apps running on 64 bit host with BPF #1937

Closed golovach closed 9 months ago

golovach commented 1 year ago

Hello

I am facing a problem of tracking 32 bit applications on 64 bit Ubuntu host when using BPF probe. Steps to reproduce:

  1. On Ubuntu 64 with gcc, install gcc-multilib package
  2. compile some simple app: gcc -m32 -static test_app.c -o test_app_32
  3. Run the app while sysdig is watching the the system using BPF probe (sysdig -B)

Here is an example of such an application:

#include <stdio.h>

int main(int argc, char* argv[])
{
    printf("Hello from test app. Sizeof(void*)=%u\n", sizeof(void*));
    printf("Process id: %u\n", getpid());
    return 0;
}

I can not see write and getpid sycalls. I will appreciate any comment on this

FedeDP commented 1 year ago

Hi! This is unfortunately a well known limitation of our eBPF probe: https://github.com/falcosecurity/libs/issues/279 I have yet to find the spare time to work on that :) Can't promise any ETA, sorry!

therealbobo commented 9 months ago

Hey @golovach! This feature is coming in the next sysdig release (0.35.0) :)