This is the syscall provider.
Field 1 is always "syscall" (there is also a syscallx version).
Field 2 can be wildcarded for this provider. Here it is set to the first parameter to the script. If the parameter is not passed or is invalid (the script does no explicit checking), the probes fail to register because the probe specification has an invalid format. So this value is checked "implicitly".
Field 3 is the syscall name. As noted elsewhere in this presentation, this cannot be wildcarded (the syscallx version supports a wildcard, *), and it is the kernel API, NOT the libc API.
Field 4 is the entry or exit point of the syscall. The return value is only available on the exit. The parameters are only available on the entry.