Installing and Using Sysdig on Debian 12 or 11 Linux

Sysdig is an open-source tool that can installed on Debian 12 (bookworm), 11 (bullseye) and other Linux systems easily to capture, filter, and analyze the state of a system including its activities. The key purpose of creating this tool is to provide information about the performance and behavior of applications and security monitoring across physical, virtual, and containerized environments.

It is an alternative tool to top, iotop, iftop, strace, tcpdump, htop, iftop, lsof and transaction tracing. It provides a complete overview of the usage of CPU, Memory, IO, users, and more directly on the command terminal in a well-structured interface. Sysdig can be installed on almost all operating systems, even on Windows and OS X.

Installing Sysdig on Debian 12 or 11

1. Add Darios Repository for Sysdig

Well, we don’t need to add any additional repository on Debian 12 or 11 to install the Sysdig. However, the version of this monitoring platform through the system repos of Debian will not be the latest one.

Therefore, those who have any problem adding any external repository can use the APT command given below which will fetch the packages from the system repository to install Sysdig:

sudo apt install sysdig

However, for the latest version use the given commands:

On the GitHub page of Sysdig, the developers of this tool have given the repository called Darios to get the latest version of this system monitoring software.

Using the terminal, first add the required GPG key :

curl -s | gpg --dearmor | sudo tee /usr/share/keyrings/DRAIOS-GPG-KEY.gpg

After that, add the official Draios repository for Sysdig:

echo 'deb [signed-by=/usr/share/keyrings/DRAIOS-GPG-KEY.gpg] stable-$(ARCH)/' | sudo tee /etc/apt/sources.list.d//draios.list

2. Execute the Debian Update command

After adding the repositories mentioned in the previous step, run the system update command, so that our Debian system can recognize the packages available to install through the added repos:

sudo apt update && sudo apt upgrade -y

3. Installing Sysdig on Debian 12 or 11

Well, the command to install the Sysdig will be the same that we have discussed in Step 1, however, after adding its official repository the version available through it will be the latest one. In the given command, we are also installing the kernel modules required by Sysdig.

sudo apt install linux-headers-$(uname -r) sysdig

Note: (optional) To install some specific version of Sysdig you can mention that in the above command. For example– to install older version 29 of Sysdig, the command will be like this, just replace the – “version-number” text with the exact version you want to install:

sudo apt install linux-headers-$(uname -r) sysdig=version-number
Install SYSdig on Debian 12

Note: if  don’t use the “Linux-headers-$(uname -r) in the above command to install Sysdig then later you may get an error while running it as given below:

“Unable to load the driver error opening device /dev/scap0. Make sure you have root credentials and that the scap module is loaded: No such file or directory”

Whereas, to check the available versions we can use the following:

sudo apt-cache policy sysdig

4. To Check Version

By following the above-given commands you will have the Sysdig already installed on your Debian system, however, to confirm the same we can check its version.

sysdig -version

5. A few examples of using Sysdig Commands

Sysdig can perform a wide range of system monitoring tasks. Here are some common use cases:

Capturing System Events

To capture all system events and save it to a file for later analysis, use:

sudo sysdig -w file.scap

You can stop the capture by pressing Ctrl+C.

Capture all the events from the live system and print them to screen

sudo sysdig

Capture all the events from the live system and save them to disk

sudo sysdig -w dumpfile.scap

Read events from a file and print them to screen

sudo sysdig -r dumpfile.scap

Print all the open system calls invoked by cat

sudo sysdig and evt.type=open

Print the name of the files opened by cat

sudo sysdig -p"" and evt.type=open

Register any found plugin and use dummy as input source passing to it open params

sudo sysdig -I dummy:10'

Load and register dummy source plugin passing to it init config and open params

sudo sysdig -H dummy:'{"jitter":50}' -I dummy:10

Captured Data from some particular process

You can filter the data based on various criteria. For example, to show all system calls made by the mysql process:

sudo sysdig

Monitoring File I/O

To monitor all file I/O activities:

sudo sysdig -c echo_fds

Viewing Network Connections

To see all network connections, you can use:

sudo sysdig -c netstat

List all processes by CPU:

To see the top processes by CPU usage using Sysdig:

sudo sysdig -c topprocs_cpu
List process using Sysdig

6. Explore more Chisels

Find out more Chisels commands to use:

sudo sysdig -cl

7. How to update Sysdig on Debian

Now, as we have used the Sysdig repository to install, therefore whenever, we want to get the updated version of it, just need to run the system update and upgrade command i.e:

sudo apt update && sudo apt upgrade -y

8. Uninstallation

Perhaps, after some time you will not require Sysdig anymore or you want to move to some other tool for monitoring your systems in that case those who want to remove Sysdig as well as its Repository from Debian can use the given commands:

sudo apt remove sysdig --purge

To remove repository:

sudo rm /usr/share/keyrings/DRAIOS-GPG-KEY.gpg
sudo rm /etc/apt/sources.list.d//draios.list
Uninstall SYSdig from Debian Linux

Key Features and Capabilities

  • Rich System Visibility: Sysdig can inspect everything happening on a Linux system, including system calls made by processes, file I/O, network I/O, and much more. This visibility is crucial for deep system analysis, troubleshooting, and monitoring.
  • Container and Kubernetes Support: It offers support for container technologies such as Docker and container orchestration tools like Kubernetes. Not only this, Sysdig can understand and inspect containerized environments which makes it an important tool for modern cloud-native applications.
  • Filtering and Analysis: Admins can use it to filter the captured data based on various criteria (e.g., process names, file paths, network ports) and perform in-depth analysis.
  • Chisels: Sysdig comes with a set of scripts, known as chisels. This script allows admins to analyze the captured data in real time or from trace files.
  • Security Monitoring and Forensics: Apart from monitoring the system performance, using Sysdig we can security monitoring and forensic analysis. Using it to capture detailed system events users can detect unauthorized access, track user activities, and investigate security incidents.

How Sysdig Works

Sysdig hooks into the Linux kernel and captures system calls and other events that occur in the system. This data can then be saved into trace files for later analysis or monitored in real-time. The tool leverages a kernel module, sysdig-probe, which it installs to perform its monitoring activities without requiring changes to the applications or containers running on the system.

Sysdig vs. Traditional Tools

While traditional tools like top, ps, netstat, and lsof provide snapshots of system activity, Sysdig offers more comprehensive, in-depth, and granular visibility into system behavior. It can trace system calls, which are the fundamental interfaces between programs and the Linux kernel, offering insights that are not possible with most other tools. Furthermore, its support for modern infrastructure components like containers and Kubernetes distinguishes it from many traditional Linux monitoring tools.


Sysdig is quite a powerful tool for system administrators, security professionals, and developers, for system-level exploration, monitoring, and troubleshooting, especially in complete or dynamic environments. Although we have just given a glimpse of the commands used to operate Sysdig, you can check out more and how to use them by visiting its GitHub Manual Page. However, if you are facing any problem in installing the Sysdig on Linux or any other system the comment section is all yours.



Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.