Hello, We are using ebpf hooks to get the process and its arguments when it is calling exec. We are using ebpf execsnoop open source utility to track all exec. Most of the time it works correctly, but in certain cases (very less) it fails to get the argv[0] and argv[1]. E.g. in below case, we are opening a new session into existing tmux session which forks/exec a new process like this "/usr/lib/x86_64-linux-gnu/utempter/utempter add tmux(1852218).%8". However execsnopp is unable to get all the arguments which a userland utility is able to get based on the cmdline for thar process. We have used proc_connector as well to track all the processes which is able to get the command line properly. proc_connector process FORK:parent(pid,tgid)=1852218,1852218 child(pid,tgid)=1935154,1935154 [tmux ] FORK:parent(pid,tgid)=1852218,1852218 child(pid,tgid)=1935155,1935155 [tmux ] EXEC:pid=1935154,tgid=1935154 [Uid: 0 0 0 0] [-bash ] EXEC:pid=1935155,tgid=1935155 [Uid: 0 0 0 0] [/usr/lib/x86_64-linux-gnu/utempter/utempter add tmux(1852218).%8 ] /usr/sbin/execsnoop-bpfcc bash 1935154 1852218 0 /bin/bash utempter 1935155 1852218 0 tmux(1852218).%8 Upon debugging this further, we are suspecting if there is anything related to how the parent process is forking/execing and updating its arguments. As most of the times execsnoop is working perfectly fine but only for few processes it fails to get the argv[0] and argv[1]. We inspected the syscall__execve and found that argv[0], argv[1] is empty and argv[2] is having correct value as tmux(1852218).%8. We have seen this issue on kernel version on 5.15 on ubuntu20. Any pointer would be very helpful on this. Regards, Sunil
