Skip to main content
The kernel section provides information about kernel-space probe points where events are captured.

Fields

symbol
string
required
Name of the kernel function or tracepoint where the event was captured.Examples: "kfree_skb_reason", "__netif_receive_skb_core", "tcp_v4_rcv"
probe_type
string
required
Type of kernel probe that generated this event.Possible values:
  • "kprobe" - Kernel probe (function entry)
  • "kretprobe" - Kernel return probe (function exit)
  • "raw_tracepoint" - Raw kernel tracepoint
stack_trace
array<string>
Kernel call stack at the probe point, when stack trace collection is enabled.Contains an ordered list of kernel function names from the innermost frame (current function) to outermost frame (entry point).

Display Format

The kernel section is displayed with a probe type abbreviation: 
[tp] skb:kfree_skb
[k] __netif_receive_skb_core  
[kr] tcp_v4_rcv
Abbreviations:
  • [tp] = raw_tracepoint
  • [k] = kprobe
  • [kr] = kretprobe

Stack Traces

When stack traces are enabled (via probe configuration), the stack_trace field contains the kernel call stack: 
kfree_skb_reason
tcp_validate_incoming
tcp_rcv_established  
tcp_v4_do_rcv
tcp_v4_rcv
ip_protocol_deliver_rcu
ip_local_deliver_finish
ip_local_deliver
Stack traces are displayed:
  • Multi-line format: Each function on a new line (indented)
  • Single-line format: Comma-separated list in brackets

Example JSON

Basic Kernel Probe

{
  "kernel": {
    "symbol": "__netif_receive_skb_core",
    "probe_type": "kprobe"
  }
}

Kretprobe

{
  "kernel": {
    "symbol": "tcp_v4_rcv",
    "probe_type": "kretprobe"
  }
}

With Stack Trace

{
  "kernel": {
    "symbol": "kfree_skb_reason",
    "probe_type": "kprobe",
    "stack_trace": [
      "kfree_skb_reason",
      "tcp_validate_incoming",
      "tcp_rcv_established",
      "tcp_v4_do_rcv",
      "tcp_v4_rcv",
      "ip_protocol_deliver_rcu",
      "ip_local_deliver_finish",
      "ip_local_deliver",
      "__netif_receive_skb_one_core",
      "process_backlog",
      "__napi_poll",
      "net_rx_action"
    ]
  }
}

Raw Tracepoint

{
  "kernel": {
    "symbol": "skb:kfree_skb",
    "probe_type": "raw_tracepoint"
  }
}

When This Section Appears

The kernel section is present when:
  • Events are captured from kernel probes (not userspace)
  • Retis attaches to kernel functions or tracepoints
  • Any kernel-based collector is enabled
This is mutually exclusive with the userspace section - an event will have either kernel or userspace, never both.
Stack traces must be explicitly enabled in probe configuration. They add overhead but provide valuable debugging context for understanding execution paths.

Build docs developers (and LLMs) love

Get started for freeTalk to us