The situation where syscall events are lost when tracing programs with frequent system calls.

[ChrisLiCheng]

I captured system call events of a container using sysdig and saved the events to a file. In my subsequent analysis, I noticed that some events were missing. I'm wondering if this might be due to sysdig not being configured with an appropriate ring buffer size when it was started, resulting in event loss. Can sysdig be configured to modify the ring buffer size?

[therealbobo]

Hey @ChrisLiCheng! At the moment this feature is not supported but it could be great to have it! I don't think it's particularly difficult to implement but I don't know if we can make it for the 0.35.0. If you would like to help out, I can provide some guidance! 😄

[ChrisLiCheng]

Hey @therealbobo! Thank you for your offer and willingness to provide guidance. I am happy to help and contribute to this project. Please let me know what needs to be done and how I should get started. Looking forward to your further instructions.

[therealbobo]

Hey @ChrisLiCheng! Sorry for the delay! You could start taking a look at how it's done in falco userspace/falco/app/actions/helpers_inspector.cpp. At the end is just matter of changing the buffer size on the open of the engine (

sysdig/userspace/sysdig/utils/sinsp_opener.cpp

Line 109 in 73c07b9

inspector->open_kmod(DEFAULT_DRIVER_BUFFER_BYTES_DIM, sc_of_interest);

) but we should consider also the page size (as is done in falco). Please ping me if you need anything more :)