This line is where all the probe points we wish to register are specified. This probe point specification applies to the action block that follows it. A script can contain more than one probe point specification (each with its accompanying action block), and a single probe point specification can name more than one probe point. Some providers allow wildcarding (the "*" here specifies that we want to look at ALL PIDs).


The probe point is defined by:


@@syscall:*:fork:exit   ("syscall") This specifies the syscall provider.

@@syscall:*:fork:exit   ("*") For the syscall provider, the PID of a process can be specified here.

@@syscall:*:fork:exit   ("fork") The specific syscall to probe. This may map to a slightly different syscall (find the actual name with get_function()).

@@syscall:*:fork:exit   ("exit") This can be entry or exit. fork() is more interesting to us on exit, as we can then determine the parent-child relationship.