Full buffers and the high-water mark

Updated: April 19, 2023

As each buffer becomes full, the instrumented kernel raises an _NTO_HOOK_TRACE synthetic interrupt to notify the data-capturing program to save the buffer. Because the buffer size is fixed, the kernel sends only the buffer index; the length is constant.

The instrumented kernel can't flush a buffer or change buffers within an interrupt. If the interrupt wasn't handled before the buffer became 100% full, some of the events may be lost. To ensure this never happens, the instrumented kernel requests a buffer flush at the high-water mark.

The high-water mark is set at an efficient, yet conservative, level:

Most interrupt routines require fewer than 300 event buffer slots (approximately 30% of 1024 event buffer slots), so there's virtually no chance that any events will be lost. (The few routines that use extremely long interrupts should include a manual buffer-flush request in their code.)

Therefore, in a normal system, the kernel logs about 715 events of the fixed maximum of 1024 events before notifying the capture program.
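The following C simulation is an added illustration, not QNX code: it models the page's numbers (1024-slot buffers, a flush request at event 715, no flush possible inside an interrupt) to show how much headroom a routine that logs events from interrupt context actually has, and why an extremely long one must request a flush itself. The `struct tracebuf` bookkeeping and the `manual_flush` routine are assumptions of the model, not kernel APIs.

```c
#include <stdbool.h>

#define BUF_SLOTS  1024  /* fixed event slots per trace buffer (from the page) */
#define HIGH_WATER 715   /* kernel requests a flush after about 715 events (from the page) */

/* Constructed model of the instrumented kernel's active trace buffer; not QNX code. */
struct tracebuf {
    int  fill;           /* events in the active buffer */
    bool in_interrupt;   /* an interrupt routine is running */
    bool flush_pending;  /* _NTO_HOOK_TRACE raised, not yet serviced */
    int  dropped;        /* events lost because the buffer was 100% full */
};

/* The capture program saves and recycles the buffer; impossible inside an interrupt. */
static void service_flush(struct tracebuf *tb)
{
    if (tb->flush_pending && !tb->in_interrupt) {
        tb->fill = 0;
        tb->flush_pending = false;
    }
}

/* Hypothetical explicit flush request from a long interrupt routine (the page's
 * "manual buffer-flush request"); assumed to hand the kernel a fresh buffer at once. */
static void manual_flush(struct tracebuf *tb) { tb->fill = 0; tb->flush_pending = false; }

/* Kernel logs one event: reaching the high-water mark raises the flush request,
 * and an event arriving at a 100% full buffer is lost. */
static void log_event(struct tracebuf *tb)
{
    if (tb->fill == BUF_SLOTS) { tb->dropped++; return; }
    if (++tb->fill >= HIGH_WATER) tb->flush_pending = true;
    service_flush(tb);   /* serviced immediately unless we are inside an interrupt */
}

/* Worst case: the buffer is one event below the mark when an interrupt routine
 * starts and then logs n_events; every manual_flush_every events it requests a
 * flush itself (0 = never). Returns how many events were lost. */
static int run_interrupt(int n_events, int manual_flush_every)
{
    struct tracebuf tb = { .fill = HIGH_WATER - 1, .in_interrupt = true };
    for (int i = 1; i <= n_events; i++) {
        log_event(&tb);
        if (manual_flush_every > 0 && i % manual_flush_every == 0) manual_flush(&tb);
    }
    tb.in_interrupt = false;
    service_flush(&tb);  /* the deferred _NTO_HOOK_TRACE is serviced only now */
    return tb.dropped;
}
```

With these numbers a routine has 310 slots of headroom past the mark, so the page's typical 300-event interrupt loses nothing, while a 400-event one loses 90 events unless it flushes part-way through.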