Hello!
Tracee container version is 0.24.1. Everything that was mentioned here and here was done. Detailed behaviour tab looks like this every time:
Any file, malware, etc. - just column names and nothing more. Generic or bash analysis package, detect automatically - no difference. What am I doing wrong?
Guest OS details:
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
kernel and headers:
linux ubuntu2004 5.4.0-216-generic #236-Ubuntu SMP Fri Apr 11 19:53:21 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
linux-headers-5.4.0-216-generic is already the newest version (5.4.0-216.236).
aquasec/tracee:0.24.1 container logs (--tail 20):
; if (bpf_probe_read(
9083: (55) if r0 != 0x0 goto pc-246
R0_w=inv0 R6=inv(id=0) R7_w=inv0 R8=inv(id=0) R9_w=invP(id=0,umax_value=27899,var_off=(0x0; 0x7fff)) R10=fp0 fp-8=???????m fp-16=mmmmmmmm fp-24=mmmmmmmm fp-32=mmmmmmmm fp-40=mmmmmmmm fp-48=mmmmmmmm fp-56=mmmmmmmm fp-64=mmmmmmmm fp-72=mmmmmmmm fp-80=mmmm???? fp-88_w=mmmmmmmm fp-96=mmmmmmmm fp-104=inv32481138822115181 fp-112=mmmm???? fp-120=map_value fp-128=mmmmmmmm fp-136=map_value fp-144=map_value fp-152=map_value fp-160=ctx fp-168=map_value fp-176=map_value fp-184=map_value fp-192=map_value fp-200=map_value fp-208=map_value fp-216=inv44 fp-224_w=mmmmmmmm fp-232=mmmmmmmm
; ENSURE_ARGS_BUFFER_SPACE(buf, max_size);
9084: (79) r1 = *(u64 *)(r10 -120)
9085: (69) r3 = *(u16 *)(r1 +0)
R0_w=inv0 R1_w=map_value(id=0,off=32146,ks=4,vs=32528,imm=0) R6=inv(id=0) R7_w=inv0 R8=inv(id=0) R9_w=invP(id=0,umax_value=27899,var_off=(0x0; 0x7fff)) R10=fp0 fp-8=???????m fp-16=mmmmmmmm fp-24=mmmmmmmm fp-32=mmmmmmmm fp-40=mmmmmmmm fp-48=mmmmmmmm fp-56=mmmmmmmm fp-64=mmmmmmmm fp-72=mmmmmmmm fp-80=mmmm???? fp-88_w=mmmmmmmm fp-96=mmmmmmmm fp-104=inv32481138822115181 fp-112=mmmm???? fp-120=map_value fp-128=mmmmmmmm fp-136=map_value fp-144=map_value fp-152=map_value fp-160=ctx fp-168=map_value fp-176=map_value fp-184=map_value fp-192=map_value fp-200=map_value fp-208=map_value fp-216=inv44 fp-224_w=mmmmmmmm fp-232=mmmmmmmm
; ENSURE_ARGS_BUFFER_SPACE(buf, max_size);
9086: (25) if r3 > 0x6cfb goto pc-249
R0_w=inv0 R1_w=map_value(id=0,off=32146,ks=4,vs=32528,imm=0) R3_w=inv(id=0,umax_value=27899,var_off=(0x0; 0x7fff)) R6=inv(id=0) R7_w=inv0 R8=inv(id=0) R9_w=invP(id=0,umax_value=27899,var_off=(0x0; 0x7fff)) R10=fp0 fp-8=???????m fp-16=mmmmmmmm fp-24=mmmmmmmm fp-32=mmmmmmmm fp-40=mmmmmmmm fp-48=mmmmmmmm fp-56=mmmmmmmm fp-64=mmmmmmmm fp-72=mmmmmmmm fp-80=mmmm???? fp-88_w=mmmmmmmm fp-96=mmmmmmmm fp-104=inv32481138822115181 fp-112=mmmm???? fp-120=map_value fp-128=mmmmmmmm fp-136=map_value fp-144=map_value fp-152=map_value fp-160=ctx fp-168=map_value fp-176=map_value fp-184=map_value fp-192=map_value fp-200=map_value fp-208=map_value fp-216=inv44 fp-224_w=mmmmmmmm fp-232=mmmmmmmm
; if (rsize >= max_size) {
9087: (61) r2 = *(u32 *)(r10 -72)
; if (rsize >= max_size) {
9088: (25) if r2 > 0xfff goto pc-251
The sequence of 8193 jumps is too complex.
processed 167315 insns (limit 1000000) max_states_per_insn 4 total_states 3525 peak_states 3525 mark_read 853
-- END PROG LOAD LOG --
{"level":"warn","ts":1777234022.7653298,"msg":"libbpf: prog 'lkm_seeker_proc_tail': failed to load: -14"}
{"level":"warn","ts":1777234022.7867274,"msg":"libbpf: failed to load object ''"}
{"level":"fatal","ts":1777234023.1592283,"msg":"Tracee runner failed","error":"cmd.Runner.Run: error initializing Tracee: ebpf.(*Tracee).Init: ebpf.(*Tracee).initBPF: failed to load BPF object: bad address"}
dmesg:
[ 29.588220] bpfilter: Loaded bpfilter_umh pid 526
[ 29.588220] Started bpfilter