Modes of emission

Updated: October 26, 2022

Apart from applying the various filters to control the event stream, you can also specify one of two modes the kernel can use to emit events:

fast mode
    Emits only the most pertinent information (e.g., only two kernel call arguments) about an event.
wide mode
    Generates more information (e.g., all kernel call arguments) for the same event.

The trade-off here is one of speed vs knowledge: fast mode delivers less data, while wide mode packs much more information for each event. Either way, you can easily tune your system, because these modes work on a per-event basis.

As an example of the difference between the fast and wide emission modes, let's look at the kinds of information we might see for a MsgSendv() call entry:

Fast mode data          Number of bytes for the event
Connection ID           4 bytes
Message data            4 bytes (the first 4 bytes usually comprise the header)
Total emitted:          8 bytes

Wide mode data          Number of bytes for the event
Connection ID           4 bytes
# of parts to send      4 bytes
# of parts to receive   4 bytes
Message data            4 bytes (the first 4 bytes usually comprise the header)
Message data            4 bytes
Message data            4 bytes
Total emitted:          24 bytes
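The following added example (not part of the original page) shows one way to apply the per-event tuning described above: everything defaults to fast mode and only MsgSendv() entry is widened. It assumes the QNX TraceEvent() commands _NTO_TRACE_SETALLCLASSESFAST and _NTO_TRACE_SETEVENTWIDE, the _NTO_TRACE_KERCALLENTER class and the __KER_MSG_SENDV event; set_emission_modes() is a hypothetical helper, and the non-QNX branch is a constructed stub with made-up constant values so the call sequence can be checked off-target.

```c
#include <stdarg.h>
#include <stdio.h>

#ifdef __QNXNTO__
#include <sys/neutrino.h>   /* TraceEvent() */
#include <sys/trace.h>      /* _NTO_TRACE_* commands and classes */
#include <sys/kercalls.h>   /* __KER_MSG_SENDV */
#else
/* Host-only stand-ins so the call sequence can be checked off-target.
 * The numeric values are constructed, NOT the real QNX constants. */
enum { _NTO_TRACE_SETALLCLASSESFAST = 1, _NTO_TRACE_SETEVENTWIDE,
       _NTO_TRACE_KERCALLENTER, __KER_MSG_SENDV };
static int stub_log[4][3];  /* {command, class, event} per call */
static int stub_calls;
static int TraceEvent(int cmd, ...) {
    va_list ap;
    int *rec;
    if (stub_calls >= 4) return -1;
    rec = stub_log[stub_calls++];
    rec[0] = cmd; rec[1] = rec[2] = -1;
    if (cmd == _NTO_TRACE_SETEVENTWIDE) {   /* takes (class, event) */
        va_start(ap, cmd);
        rec[1] = va_arg(ap, int);
        rec[2] = va_arg(ap, int);
        va_end(ap);
    }
    return 0;
}
#endif

/* Default every event to fast mode, then widen only MsgSendv() entry,
 * so just that one event carries the larger payload. Returns 0 on
 * success, -1 if either TraceEvent() call fails. */
int set_emission_modes(void) {
    if (TraceEvent(_NTO_TRACE_SETALLCLASSESFAST) == -1)
        return -1;
    if (TraceEvent(_NTO_TRACE_SETEVENTWIDE,
                   _NTO_TRACE_KERCALLENTER, __KER_MSG_SENDV) == -1)
        return -1;
    return 0;
}

int main(void) {
    if (set_emission_modes() == -1) {
        perror("TraceEvent");
        return 1;
    }
    puts("fast mode everywhere; wide mode for MsgSendv() entry");
    return 0;
}
```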