I am looking at some eBPF sample code. It has this:
SEC("kprobe/__x64_sys_tcp_connect")
Now, how does one know such a call exists?
I tried the following:
1. bpftrace -l & list all kprobes
2. list all events under this folder: /sys/kernel/debug/tracing/events/syscalls
3. grep the kernel source code
4. look in /arch/x86/entry/syscalls/syscall_64.tbl
I do not see it. In general, how would one go about looking for such syscalls for use with eBPF?
You can get the symbol names for the kprobe function via:
sudo bpftrace -l kprobe:*<keyword>*
sudo cat /proc/kallsyms | grep <keyword> |grep T
If you don't see it, it means you should use another name in the SEC or when attaching the kprobe function:
$ sudo bpftrace -l kprobe:*tcp_connect
kprobe:tcp_connect
$ sudo cat /proc/kallsyms | grep tcp_connect |grep T
ffffffff8e9e47f0 T tcp_connect
SEC("kprobe/tcp_connect")
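As an added example (not part of the original answer and not bpftrace's own code), here is the lookup above as a small shell script. It filters kallsyms on the symbol-type column and, when a name such as __x64_sys_tcp_connect is missing, strips the syscall-wrapper prefix and lists candidates. The function names are hypothetical, and every sample line except tcp_connect is constructed.

```shell
#!/bin/sh
# Constructed sample in /proc/kallsyms format. Only the tcp_connect line is
# taken from the answer above; the other addresses are made up.
sample_kallsyms() {
cat <<'EOF'
ffffffff8e9e47f0 T tcp_connect
ffffffff8e9e4100 t tcp_connect_init
ffffffff8e9f1230 T tcp_v4_connect
ffffffff8e8c0a40 T __x64_sys_connect
ffffffff8fa00000 D tcp_hashinfo
EOF
}

# kprobe_candidates KEYWORD [FILE]: names of text symbols containing KEYWORD.
# Testing column 2 for T/t (global/file-local code) is stricter than "grep T",
# which matches a T anywhere on the line.
kprobe_candidates() {
    kw=$1; src=${2:-/proc/kallsyms}
    awk -v kw="$kw" '$2 ~ /^[Tt]$/ && index($3, kw) { print $3 }' "$src"
}

# sec_for_symbol NAME [FILE]: print the SEC() string when NAME is an exact
# text symbol; otherwise list near matches on stderr and return 1.
sec_for_symbol() {
    name=$1; src=${2:-/proc/kallsyms}
    if awk -v n="$name" '$2 ~ /^[Tt]$/ && $3 == n { ok = 1 } END { exit !ok }' "$src"
    then
        printf 'SEC("kprobe/%s")\n' "$name"
    else
        # __x64_sys_ is the x86-64 syscall wrapper prefix; a plain kernel
        # function such as tcp_connect never carries it, so retry without it.
        stem=${name#__x64_sys_}
        echo "no text symbol '$name'; text symbols containing '$stem':" >&2
        kprobe_candidates "$stem" "$src" >&2
        return 1
    fi
}

# Demo on the constructed sample (no root needed).
demo=$(mktemp) && sample_kallsyms > "$demo"
sec_for_symbol tcp_connect "$demo"
sec_for_symbol __x64_sys_tcp_connect "$demo" || true
rm -f "$demo"
```

On a live system, call the functions without the FILE argument to read /proc/kallsyms. A symbol listed there can still be refused at attach time if it is on the kprobe blacklist (/sys/kernel/debug/kprobes/blacklist).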