Hi,

1) To have a less cryptic output you may add one function to your
program.
It is composed of an automatically built part from header (on my
system /usr/include/asm/unistd_32.h) sc.h file and
a C source file that includes the former.

a) Building the sc.h by :
awk 'NR==1 { printf("#include <%s>\n",FILENAME); } $1 == "#define" && $2
~ /__NR_.*/ { printf("{ %s, \"%s\"},\n",$3,substr($2,6)); } END
{ printf("{0,(char*)0}\n"); }' /usr/include/asm/unistd_32.h > sc.h

b) The sc.c file is :

        #include	<stdio.h>
        
        static struct {
        	int	syscall_no;
        	char	*syscall_name;
        } scor[] = {
        #include "sc.h"
        };
        
        char	*
        getcorr(int syscall_no)
        {
        static	char	noname[32];
        	int	i,maxi = sizeof(scor) / sizeof(scor[0]);
        
        	for(i=0;i<maxi;++i) {
        		if( syscall_no == scor[i].syscall_no ) {
        			return scor[i].syscall_name;
        		}
        	}
        	snprintf(noname,sizeof(noname),"?%d",syscall_no);
        	return noname;
        }
        
        #ifdef	Test_MAIN
        #include	<stdlib.h>
        
        int
        main(int argc,char *argv[]) {
        	int	i,no;
        
        	for(i=1;i<argc;++i) {
        		no = atoi(argv[i]);	// Hoping this will be a number !
        		printf("Syscall %d is \"%s\"\n",no,getcorr(no));
        	}
        	exit(0);
        }
        #endif

2) Some syscall use more than 2 arguments.
    It could be nice to have more than 2 arguments displayed.

3) I find strange this futex(addr,FUTEX_WAKE,...) on line 2.
    Could you find what is at the address -1210085564(0xffb7df8f44) (in
your name list and/or maps).

-Rogers


> Thanks for your quick answers!
> After poking a zero, I performed a little loop to get the system call number (orig_eax) and the next two arguments (ebx, ecx) of the next 20 system calls. This is how it looks:
> 
> syscall=240 (1st_arg=-1210085564 2nd_arg=0)
> syscall=240 (1st_arg=-1210085564 2nd_arg=1)
> syscall=240 (1st_arg=-1210085564 2nd_arg=1)
> syscall=13 (1st_arg=-1075451152 2nd_arg=135199597)
> syscall=13 (1st_arg=-1075451152 2nd_arg=135199597)
> syscall=102 (1st_arg=1 2nd_arg=-1075451340)
> syscall=102 (1st_arg=1 2nd_arg=-1075451340)
> syscall=221 (1st_arg=11 2nd_arg=2)
> syscall=221 (1st_arg=11 2nd_arg=2)
> syscall=102 (1st_arg=3 2nd_arg=-1075451340)
> syscall=102 (1st_arg=3 2nd_arg=-1075451340)
> syscall=102 (1st_arg=9 2nd_arg=-1075451304)
> syscall=102 (1st_arg=9 2nd_arg=-1075451304)
> syscall=6 (1st_arg=11 2nd_arg=1)
> syscall=6 (1st_arg=11 2nd_arg=1)
> syscall=174 (1st_arg=17 2nd_arg=0)
> syscall=174 (1st_arg=17 2nd_arg=0)
> syscall=4 (1st_arg=6 2nd_arg=134908385)
> syscall=4 (1st_arg=6 2nd_arg=134908385)
> syscall=13 (1st_arg=-1075451152 2nd_arg=135199597)
> syscall=13 (1st_arg=-1075451152 2nd_arg=135199597)
> syscall=102 (1st_arg=1 2nd_arg=-1075451340)
> syscall=102 (1st_arg=1 2nd_arg=-1075451340)
> syscall=221 (1st_arg=11 2nd_arg=2)
> syscall=221 (1st_arg=11 2nd_arg=2)
> syscall=102 (1st_arg=3 2nd_arg=-1075451340)
> syscall=102 (1st_arg=3 2nd_arg=-1075451340)
> syscall=102 (1st_arg=9 2nd_arg=-1075451304)
> syscall=102 (1st_arg=9 2nd_arg=-1075451304)
> syscall=6 (1st_arg=11 2nd_arg=1)
> syscall=6 (1st_arg=11 2nd_arg=1)
> syscall=119 (1st_arg=1 2nd_arg=-1210093580)
> syscall=-1 (1st_arg=1 2nd_arg=-1075448172)
> syscall=221 (1st_arg=9 2nd_arg=2)
> syscall=221 (1st_arg=9 2nd_arg=2)
> syscall=102 (1st_arg=3 2nd_arg=-1075448172)
> syscall=102 (1st_arg=3 2nd_arg=-1075448172)
> 
> This looks a little cryptic now, but you just need to have a look into
> /usr/include/asm-i486/unistd.h where all the numbers for the different
> system calls are defined. It seems each system call is represented by 2
> output lines. 240 stands for futex. 2nd arguent "0" means FUTEX_WAIT.
> "1" means FUTEX_WAKE. 119 stands for "sigreturn". This is where the
> signal handler is left and the process continues with the normal
> procedure. 221 is fcnt64 which is also part of the debug() call. 102 is
> socketcall which seems to be a synonym for "connect".
>