Skip to content



splice - combines two file descriptors into a single file


The splice() system call first appeared in Linux 2.6.17; it moves data between two file descriptors without copying between kernel address space and user address space. It can relate any two file objects that support the splice file operation.

It is an ideal operation if an application needs to move data directly from one file descriptor to another, for example to write data directly to disk or to read data directly from disk within a single process.


  • fd_in:int[K] - an input file descriptor from which data is read.
  • off_in:off_t*[K] - a pointer to an offset into fd_in.
  • fd_out:int[K] - an output file descriptor to which data is written.
  • off_out:off_t*[K] - a pointer to an offset into fd_out.
  • len:size_t[K] - the number of bytes to copy between file descriptors.
  • flags:unsigned int[K] - one or more of the SPLICE_F_MOVE, SPLICE_F_NONBLOCK, SPLICE_F_MORE, and/or SPLICE_F_GIFT options can be specified in flags.

Available Tags

  • K - Originated from kernel-space.






Detect when a splice is executed, regardless of parameters.

Example Use Case

An application that writes data directly to a file from another file in the same process can use the splice() system call.


On Linux systems with SELinux, the splice() system call can fail due to SELinux policies restricting access to certain resources, such as network sockets.

  • writev
  • readv

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.