Display Filter Reference: Sysdig System Call

Protocol field name: sysdig

Versions: 2.0.0 to 2.6.1

| Field name | Description | Type | Versions |
|---|---|---|---|
| sysdig.cpu_id | CPU ID | Unsigned integer, 2 bytes | 2.0.0 to 2.6.1 |
| sysdig.event_len | Event length | Unsigned integer, 4 bytes | 2.0.0 to 2.6.1 |
| sysdig.event_type | Event type | Unsigned integer, 2 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.accept.fd | fd | Signed integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.accept.flags | flags | Unsigned integer, 4 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.accept.queuelen | queuelen | Unsigned integer, 4 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.accept.queuemax | queuemax | Unsigned integer, 4 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.accept.queuepct | Accept queue per connection | Unsigned integer, 1 byte | 2.0.0 to 2.6.1 |
| sysdig.param.accept.tuple | tuple | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.container.id | id | Character string | 2.0.0 to 2.6.1 |
| sysdig.param.container.image | image | Character string | 2.0.0 to 2.6.1 |
| sysdig.param.container.type | type | Unsigned integer, 4 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.cpu_hotplug.action | action | Unsigned integer, 4 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.cpu_hotplug.cpu | cpu | Unsigned integer, 4 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.drop.ratio | ratio | Unsigned integer, 4 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.epoll_wait.maxevents | maxevents | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.eventfd.initval | initval | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.execve.args | Program arguments | Character string | 2.0.0 to 2.6.1 |
| sysdig.param.execve.cgroups | cgroups | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.execve.comm | Command | Character string | 2.0.0 to 2.6.1 |
| sysdig.param.execve.cwd | Current working directory | Character string | 2.0.0 to 2.6.1 |
| sysdig.param.execve.env | env | Character string | 2.0.0 to 2.6.1 |
| sysdig.param.execve.exe | exe | Character string | 2.0.0 to 2.6.1 |
| sysdig.param.execve.fdlimit | fdlimit | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.execve.pgft_maj | pgft_maj | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.execve.pgft_min | pgft_min | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.execve.pid | pid | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.execve.ptid | ptid | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.execve.tid | tid | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.execve.vm_rss | vm_rss | Unsigned integer, 4 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.execve.vm_size | vm_size | Unsigned integer, 4 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.execve.vm_swap | vm_swap | Unsigned integer, 4 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.fcntl.res | res | Signed integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.flock.operation | operation | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.futex.op | op | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.futex.val | val | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.getgid.gid | gid | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.getresgid.egid | egid | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.getresgid.rgid | rgid | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.getresgid.sgid | sgid | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.getresuid.euid | euid | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.getresuid.ruid | ruid | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.getresuid.suid | suid | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.getuid.uid | uid | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.ioctl.argument | I/O control: argument | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.ioctl.request | I/O control: request | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.len | Parameter length | Unsigned integer, 2 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.lens | Parameter lengths | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.linkat.newdir | newdir | Signed integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.linkat.olddir | olddir | Signed integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.listen.backlog | backlog | Unsigned integer, 4 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.llseek.whence | whence | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.mmap2.pgoffset | pgoffset | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.mmap2.prot | prot | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.mmap2.res | res | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.mount.dev | dev | Character string | 2.0.0 to 2.6.1 |
| sysdig.param.mount.dir | dir | Character string | 2.0.0 to 2.6.1 |
| sysdig.param.mount.type | type | Character string | 2.0.0 to 2.6.1 |
| sysdig.param.munmap.addr | addr | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.munmap.length | length | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.nanosleep.interval | interval | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.openat.mode | mode | Unsigned integer, 4 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.pipe.fd1 | fd1 | Signed integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.pipe.fd2 | fd2 | Signed integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.pipe.ino | ino | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.poll.timeout | timeout | Signed integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.ppoll.fds | fds | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.ppoll.sigmask | sigmask | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.ppoll.timeout | timeout | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.prlimit.newcur | newcur | Signed integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.prlimit.newmax | newmax | Signed integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.prlimit.oldcur | oldcur | Signed integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.prlimit.oldmax | oldmax | Signed integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.prlimit.resource | resource | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.procexit.status | status | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.procinfo.cpu_sys | cpu_sys | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.procinfo.cpu_usr | cpu_usr | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.ptrace.addr | addr | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.ptrace.data | data | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.ptrace.request | request | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.pwritev.pos | pos | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.pwritev.size | size | Unsigned integer, 4 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.quotactl.dqb_bhardlimit | dqb_bhardlimit | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.quotactl.dqb_bsoftlimit | dqb_bsoftlimit | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.quotactl.dqb_btime | dqb_btime | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.quotactl.dqb_curspace | dqb_curspace | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.quotactl.dqb_ihardlimit | dqb_ihardlimit | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.quotactl.dqb_isoftlimit | dqb_isoftlimit | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.quotactl.dqb_itime | dqb_itime | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.quotactl.dqi_bgrace | dqi_bgrace | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.quotactl.dqi_flags | dqi_flags | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.quotactl.dqi_igrace | dqi_igrace | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.quotactl.id | id | Unsigned integer, 4 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.quotactl.quota_fmt | quota_fmt | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.quotactl.quota_fmt_out | quota_fmt_out | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.quotactl.quotafilepath | quotafilepath | Character string | 2.0.0 to 2.6.1 |
| sysdig.param.quotactl.special | special | Character string | 2.0.0 to 2.6.1 |
| sysdig.param.quotactl.type | type | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.renameat.newdirfd | newdirfd | Signed integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.renameat.newpath | newpath | Character string | 2.0.0 to 2.6.1 |
| sysdig.param.renameat.olddirfd | olddirfd | Signed integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.renameat.oldpath | oldpath | Character string | 2.0.0 to 2.6.1 |
| sysdig.param.semctl.cmd | cmd | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.semctl.semid | semid | Signed integer, 4 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.semctl.semnum | semnum | Signed integer, 4 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.semctl.val | val | Signed integer, 4 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.semop.nsops | nsops | Unsigned integer, 4 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.semop.sem_flg_0 | sem_flg_0 | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.semop.sem_flg_1 | sem_flg_1 | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.semop.sem_num_0 | sem_num_0 | Unsigned integer, 2 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.semop.sem_num_1 | sem_num_1 | Unsigned integer, 2 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.semop.sem_op_0 | sem_op_0 | Signed integer, 2 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.semop.sem_op_1 | sem_op_1 | Signed integer, 2 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.sendfile.in_fd | in_fd | Signed integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.sendfile.offset | offset | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.sendfile.out_fd | out_fd | Signed integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.sendfile.size | size | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.setns.nstype | nstype | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.setrlimit.cur | cur | Signed integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.setrlimit.max | max | Signed integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.shutdown.how | how | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.signaldeliver.dpid | dpid | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.signaldeliver.sig | sig | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.signaldeliver.spid | spid | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.signalfd.mask | mask | Unsigned integer, 4 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.socketpair.domain | domain | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.socketpair.peer | peer | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.socketpair.proto | proto | Unsigned integer, 4 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.socketpair.source | source | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.splice.fd_in | fd_in | Signed integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.splice.fd_out | fd_out | Signed integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.switch.next | next | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.symlinkat.linkdirfd | linkdirfd | Signed integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.symlinkat.linkpath | linkpath | Character string | 2.0.0 to 2.6.1 |
| sysdig.param.symlinkat.target | target | Character string | 2.0.0 to 2.6.1 |
| sysdig.param.syscall.ID | ID | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.syscall.nativeID | nativeID | Unsigned integer, 2 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.sysdigevent.event_data | event_data | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.sysdigevent.event_type | event_type | Unsigned integer, 4 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.timerfd_create.clockid | clockid | Unsigned integer, 1 byte | 2.0.0 to 2.6.1 |
| sysdig.param.umount.flags | flags | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.umount.name | name | Character string | 2.0.0 to 2.6.1 |
| sysdig.param.umount.res | res | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.unlink.path | path | Character string | 2.0.0 to 2.6.1 |
| sysdig.param.unlinkat.dirfd | dirfd | Signed integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.vfork.fdlimit | fdlimit | Signed integer, 8 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.vfork.gid | gid | Unsigned integer, 4 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.vfork.uid | uid | Unsigned integer, 4 bytes | 2.0.0 to 2.6.1 |
| sysdig.param.vfork.vpid | vpid | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.param.vfork.vtid | vtid | Sequence of bytes | 2.0.0 to 2.6.1 |
| sysdig.thread_id | Thread ID | Unsigned integer, 8 bytes | 2.0.0 to 2.6.1 |