pwru is an eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities.

Overview

pwru (packet, where are you?)

logo

pwru is an eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities. It allows fine-grained introspection of kernel state to facilitate debugging network connectivity issues.

The following example shows where the packets of a curl request are dropped after installing an iptables rule:

demo

Running

Requirements

pwru requires a kernel >= 5.3 to run. --output-skb requires a kernel >= 5.9.

The following kernel configuration options are required.

Option                    Note
CONFIG_DEBUG_INFO_BTF=y   Available since >= 5.3
CONFIG_KPROBES=y
CONFIG_PERF_EVENTS=y
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y

You can run zgrep $OPTION /proc/config.gz to check whether an option is enabled. /proc/config.gz only exists when the kernel was built with CONFIG_IKCONFIG_PROC=y; otherwise check the distribution's /boot/config-$(uname -r) file.
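The checks above as a script, added here as an example and not part of pwru. It reads /proc/config.gz when present and otherwise the distribution's /boot/config-$(uname -r), treats options built as modules (=m) as missing, and parses major.minor out of uname -r for the 5.3 and 5.9 thresholds. The variable PWRU_REQUIRED_OPTIONS and the functions missing_options, kernel_at_least and check_pwru_kernel are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of pwru: check that the running kernel satisfies
# the requirements listed above. The option list, the function names and the
# fallback to /boot/config-$(uname -r) are this example's own choices.

# CONFIG_BPF_SYSCALL is the kernel's spelling of the option.
PWRU_REQUIRED_OPTIONS="CONFIG_DEBUG_INFO_BTF CONFIG_KPROBES CONFIG_PERF_EVENTS CONFIG_BPF CONFIG_BPF_SYSCALL"

# kernel_config_text: print the running kernel's config. /proc/config.gz only
# exists when the kernel was built with CONFIG_IKCONFIG_PROC=y, so fall back
# to the distribution's /boot/config-<release> file.
kernel_config_text() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# missing_options CONFIG_TEXT: print the required options that are not '=y'
# in CONFIG_TEXT, space separated. '=m' counts as missing: BTF for vmlinux and
# the BPF syscall have to be built in, not loaded as modules.
missing_options() {
    text=$1
    missing=""
    for opt in $PWRU_REQUIRED_OPTIONS; do
        # Anchor both ends so CONFIG_CGROUP_BPF=y does not satisfy CONFIG_BPF.
        if ! printf '%s\n' "$text" | grep -q "^${opt}=y\$"; then
            missing="$missing $opt"
        fi
    done
    printf '%s' "${missing# }"
}

# kernel_at_least MAJOR MINOR [RELEASE]: succeed if RELEASE (uname -r style,
# e.g. 5.4.0-1-amd64; defaults to the running kernel) is >= MAJOR.MINOR.
kernel_at_least() {
    want_major=$1
    want_minor=$2
    rel=${3:-$(uname -r)}
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -gt "$want_major" ] ||
        { [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ]; }
}

# check_pwru_kernel: run the version and config checks against the live system.
check_pwru_kernel() {
    if ! kernel_at_least 5 3; then
        echo "kernel $(uname -r) is older than 5.3" >&2
        return 1
    fi
    cfg=$(kernel_config_text) || {
        echo "no kernel config found; need CONFIG_IKCONFIG_PROC=y or /boot/config-$(uname -r)" >&2
        return 2
    }
    m=$(missing_options "$cfg")
    if [ -n "$m" ]; then
        echo "missing or not built in: $m" >&2
        return 1
    fi
    if ! kernel_at_least 5 9; then
        echo "note: --output-skb needs a kernel >= 5.9" >&2
    fi
    echo "kernel $(uname -r) satisfies pwru's requirements"
}

# Invoke as: sh check-pwru-kernel.sh run
if [ "${1:-}" = run ]; then
    check_pwru_kernel
fi
```

Without the `run` argument the file only defines the functions, so it can be sourced and missing_options fed a config file from another machine, e.g. one copied out of a node you cannot log in to interactively.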

Downloading

You can download a statically linked executable for the x86_64 architecture, which embeds the eBPF bytecode, from the release page.

Usage

Usage of ./pwru:
  -filter-dst-ip string
        filter destination IP addr
  -filter-dst-port string
        filter destination port
  -filter-mark int
        filter skb mark
  -filter-proto string
        filter L4 protocol (tcp, udp, icmp)
  -filter-src-ip string
        filter source IP addr
  -filter-src-port string
        filter source port
  -output-meta
        print skb metadata
  -output-relative-timestamp
        print relative timestamp per skb
  -output-skb
        print skb
  -output-tuple
        print L4 tuple

If multiple filters are specified, all of them have to match in order for a packet to be traced.

Developing

Dependencies

  • Go >= 1.16
  • LLVM/clang >= 12

Building

go generate .
go build .

Alternatively, you can build and run it in a Docker container:

docker build -t pwru .
docker run --privileged -it pwru [filter1] [filtern]

Contributing

pwru is an open source project licensed under GPLv2. Everybody is welcome to contribute. Contributors are required to follow the Contributor Covenant Code of Conduct and must adhere to the Developer Certificate of Origin by adding a Signed-off-by line to their commit messages.

Logo Credits

The detective gopher is based on the Go gopher designed by Renee French.

Comments
  • Wrap `BPF_CORE_*` helper calls with kernel version checks

    Wrap `BPF_CORE_*` helper calls with kernel version checks

    Hi,

    I am trying to use pwru to troubleshoot issue https://github.com/cilium/cilium/issues/17528. This is on a 5.4 kernel; I got this error:

    [root@centos-dev pwru]# ./pwru --filter-dst-ip=10.169.72.236 --filter-dst-port=8472 --filter-proto=udp --output-stack

    2021/10/20 13:24:35 Loading objects: field KprobeSkb1: program kprobe_skb_1: load program: invalid argument: ; int kprobe_skb_1(struct pt_regs *ctx) {
    0: (bf) r6 = r1
    ; struct sk_buff *skb = (struct sk_buff *) PT_REGS_PARM1(ctx);
    1: (79) r9 = *(u64 *)(r6 +112)
    2: (b7) r1 = 0
    ; struct event_t event = {};
    3: (7b) *(u64 *)(r10 -56) = r1
    last_idx 3 first_idx 0
    regs=2 stack=0 before 2: (b7) r1 = 0
    4: (7b) *(u64 *)(r10 -64) = r1
    5: (7b) *(u64 *)(r10 -72) = r1
    6: (7b) *(u64 *)(r10 -80) = r1
    7: (7b) *(u64 *)(r10 -88) = r1
    8: (7b) *(u64 *)(r10 -96) = r1
    9: (7b) *(u64 *)(r10 -104) = r1
    10: (7b) *(u64 *)(r10 -112) = r1
    11: (7b) *(u64 *)(r10 -120) = r1
    12: (7b) *(u64 *)(r10 -128) = r1
    13: (7b) *(u64 *)(r10 -136) = r1
    ; u32 index = 0;
    14: (63) *(u32 *)(r10 -140) = r1
    15: (bf) r2 = r10
    ; 
    16: (07) r2 += -140
    ; struct config *cfg = bpf_map_lookup_elem(&cfg_map, &index);
    17: (18) r1 = 0xffff9c67d9e55400
    19: (85) call bpf_map_lookup_elem#1
    20: (bf) r7 = r0
    ; if (cfg) {
    21: (15) if r7 == 0x0 goto pc+430
     R0_w=map_value(id=0,off=0,ks=4,vs=48,imm=0) R6_w=ctx(id=0,off=0,imm=0) R7_w=map_value(id=0,off=0,ks=4,vs=48,imm=0) R9_w=inv(id=0) R10=fp0 fp-56_w=00000000 fp-64_w=00000000 fp-72_w=00000000 fp-80_w=00000000 fp-88_w=00000000 fp-96_w=00000000 fp-104_w=00000000 fp-112_w=00000000 fp-120_w=00000000 fp-128_w=00000000 fp-136_w=00000000 fp-144=mmmm????
    ; if (cfg->mark) {
    22: (71) r1 = *(u8 *)(r7 +1)
     R0_w=map_value(id=0,off=0,ks=4,vs=48,imm=0) R6_w=ctx(id=0,off=0,imm=0) R7_w=map_value(id=0,off=0,ks=4,vs=48,imm=0) R9_w=inv(id=0) R10=fp0 fp-56_w=00000000 fp-64_w=00000000 fp-72_w=00000000 fp-80_w=00000000 fp-88_w=00000000 fp-96_w=00000000 fp-104_w=00000000 fp-112_w=00000000 fp-120_w=00000000 fp-128_w=00000000 fp-136_w=00000000 fp-144=mmmm????
    23: (67) r1 <<= 8
    24: (71) r2 = *(u8 *)(r7 +0)
     R0_w=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0,umax_value=65280,var_off=(0x0; 0xff00)) R6_w=ctx(id=0,off=0,imm=0) R7_w=map_value(id=0,off=0,ks=4,vs=48,imm=0) R9_w=inv(id=0) R10=fp0 fp-56_w=00000000 fp-64_w=00000000 fp-72_w=00000000 fp-80_w=00000000 fp-88_w=00000000 fp-96_w=00000000 fp-104_w=00000000 fp-112_w=00000000 fp-120_w=00000000 fp-128_w=00000000 fp-136_w=00000000 fp-144=mmmm????
    25: (4f) r1 |= r2
    26: (71) r2 = *(u8 *)(r7 +2)
     R0_w=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R2_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R6_w=ctx(id=0,off=0,imm=0) R7_w=map_value(id=0,off=0,ks=4,vs=48,imm=0) R9_w=inv(id=0) R10=fp0 fp-56_w=00000000 fp-64_w=00000000 fp-72_w=00000000 fp-80_w=00000000 fp-88_w=00000000 fp-96_w=00000000 fp-104_w=00000000 fp-112_w=00000000 fp-120_w=00000000 fp-128_w=00000000 fp-136_w=00000000 fp-144=mmmm????
    27: (71) r3 = *(u8 *)(r7 +3)
     R0_w=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R2_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R6_w=ctx(id=0,off=0,imm=0) R7_w=map_value(id=0,off=0,ks=4,vs=48,imm=0) R9_w=inv(id=0) R10=fp0 fp-56_w=00000000 fp-64_w=00000000 fp-72_w=00000000 fp-80_w=00000000 fp-88_w=00000000 fp-96_w=00000000 fp-104_w=00000000 fp-112_w=00000000 fp-120_w=00000000 fp-128_w=00000000 fp-136_w=00000000 fp-144=mmmm????
    28: (67) r3 <<= 8
    29: (4f) r3 |= r2
    30: (67) r3 <<= 16
    31: (4f) r3 |= r1
    ; if (cfg->mark) {
    32: (15) if r3 == 0x0 goto pc+19
     R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1=inv(id=0) R2=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R3=inv(id=0) R6=ctx(id=0,off=0,imm=0) R7=map_value(id=0,off=0,ks=4,vs=48,imm=0) R9=inv(id=0) R10=fp0 fp-56=00000000 fp-64=00000000 fp-72=00000000 fp-80=00000000 fp-88=00000000 fp-96=00000000 fp-104=00000000 fp-112=00000000 fp-120=00000000 fp-128=00000000 fp-136=00000000 fp-144=mmmm????
    33: (b7) r1 = 164
    34: (bf) r3 = r9
    35: (0f) r3 += r1
    36: (bf) r1 = r10
    ; 
    37: (07) r1 += -24
    ; mark = BPF_CORE_READ(skb, mark);
    38: (b7) r2 = 4
    39: (85) call unknown#113
    invalid func unknown#113
    processed 39 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
    enhancement help wanted 
    opened by vincentmli 19
  • Perf event ring buffer full, dropped 16 samples

    Perf event ring buffer full, dropped 16 samples

    root@bpf2:~# ./pwru --filter-proto icmp  --output-tuple
    2022/01/21 04:44:15 Attaching kprobes...
    577 / 577 [---------------------------------------------------------------------------------------------------------------------------------] 100.00% 34 p/s
    2022/01/21 04:44:32 Attached (ignored 13)
    2022/01/21 04:44:32 Listening for events..
                   SKB         PROCESS                     FUNC        TIMESTAMP
    0xffff96f353734300          [ping]           __ip_local_out   52052971636335 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]                ip_output   52052971655120 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]             nf_hook_slow   52052971658827 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping] __cgroup_bpf_run_filter_skb   52052971662013 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]     neigh_resolve_output   52052971666902 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]       __neigh_event_send   52052971669217 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]               eth_header   52052971673094 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]                 skb_push   52052971676681 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]           dev_queue_xmit   52052971678785 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]      netdev_core_pick_tx   52052971681881 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]       netif_skb_features   52052971684686 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]  passthru_features_check   52052971686700 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]     skb_network_protocol   52052971689855 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]       validate_xmit_xfrm   52052971693733 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]      dev_hard_start_xmit   52052971695646 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]   skb_clone_tx_timestamp   52052971699343 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]        __dev_forward_skb   52052971701788 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]         skb_scrub_packet   52052971704002 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]           eth_type_trans   52052971706256 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]                 netif_rx   52052971708560 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]     tcf_classify_ingress   52052971727115 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]      skb_ensure_writable   52052971788730 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]      skb_ensure_writable   52052971790414 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]      skb_ensure_writable   52052971791676 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]      skb_ensure_writable   52052971792948 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]          skb_do_redirect   52052971820830 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]                   ip_rcv   52052971825740 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]               sock_wfree   52052971829246 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]     ip_route_input_noref   52052971832592 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]       ip_route_input_rcu   52052971834256 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]      fib_validate_source   52052971839766 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]         ip_local_deliver   52052971843844 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]  ip_protocol_deliver_rcu   52052971846338 10.0.1.30:0->10.0.1.23:0(icmp)
    0xffff96f353734300          [ping]        raw_local_deliver   52052971848362 10.0.1.30:0->10.0.1.23:0(icmp)
    2022/01/21 04:44:35 Perf event ring buffer full, dropped 3 samples
    0xffff96f353734300          [ping]     fib_compute_spec_dst   52052971858761 10.0.1.30:0->10.0.1.23:0(icmp)
    2022/01/21 04:44:35 Perf event ring buffer full, dropped 5 samples
    0xffff96f353734b00          [ping]     neigh_resolve_output   52052971871024 10.0.1.23:0->10.0.1.30:0(icmp)
    2022/01/21 04:44:35 Perf event ring buffer full, dropped 16 samples
    0xffff96f353734300       [<empty>]   skb_release_head_state   52052971885111 10.0.1.30:0->10.0.1.23:0(icmp)
    2022/01/21 04:44:35 Perf event ring buffer full, dropped 1 samples
    0xffff96f353734b00       [<empty>]      skb_ensure_writable   52052971919565 10.0.1.23:0->10.0.1.30:0(icmp)
    0xffff96f353734b00       [<empty>]      skb_ensure_writable   52052971921188 10.0.1.23:0->10.0.1.30:0(icmp)
    2022/01/21 04:44:35 Perf event ring buffer full, dropped 2 samples
    0xffff96f353734b00       [<empty>]          skb_do_redirect   52052971938721 10.0.1.23:0->10.0.1.30:0(icmp)
    2022/01/21 04:44:35 Perf event ring buffer full, dropped 13 samples
    0xffff96f353734300       [<empty>]       sk_filter_trim_cap   52052971953108 10.0.1.23:0->10.0.1.30:0(icmp)
    2022/01/21 04:44:35 Perf event ring buffer full, dropped 9 samples
    0xffff96f353734300       [<empty>]        skb_free_datagram   52052971971122 10.0.1.23:0->10.0.1.30:0(icmp)
    ^C2022/01/21 04:44:43 Received signal, exiting program..
    root@bpf2:~#
    
    
    root@bpf1:~# kubectl get pods -o wide
    NAME        READY   STATUS    RESTARTS   AGE   IP           NODE   NOMINATED NODE   READINESS GATES
    cni-bpz2q   1/1     Running   0          14h   10.0.1.23    bpf2   <none>           <none>
    cni-hx8gz   1/1     Running   0          14h   10.0.0.159   bpf1   <none>           <none>
    same        1/1     Running   0          79s   10.0.1.30    bpf2   <none>           <none>
    root@bpf1:~# kubectl exec -it same -- ping -c 1 10.0.1.23
    PING 10.0.1.23 (10.0.1.23): 56 data bytes
    64 bytes from 10.0.1.23: seq=0 ttl=63 time=0.269 ms
    
    --- 10.0.1.23 ping statistics ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 0.269/0.269/0.269 ms
    

    How about the issue when monitoring two pods communicating with each other on the same node:

    2022/01/21 04:44:35 Perf event ring buffer full, dropped 3 samples

    Does it mean that the ring buffer is full? ENV:

    root@bpf2:~# uname -a
    Linux bpf2 5.10.0-051000-generic #202012132330 SMP Sun Dec 13 23:33:36 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
    root@bpf2:~#
    
    opened by BurlyLuo 14
  • Update cilium/ebpf library to 0.9.2

    Update cilium/ebpf library to 0.9.2

    cilium/ebpf 0.9.2 has the link.K(ret)probeMulti() API added by @mmat11, bringing blazingly fast bulk kprobe attachments to kernels 5.18 and newer.

    This API should speed up pwru's bulk skb function kprobe attachment.

    Signed-off-by: Vincent Li [email protected]

    opened by vincentmli 10
  • failed to `--output-skb`

    failed to `--output-skb`

    # ./pwru --output-skb
    2021/11/25 16:47:00 Loading objects: field KprobeSkb1: program kprobe_skb_1: load program: invalid argument: BPF_STX uses reserved fields
    processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
    

    The running OS:

    # lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description:    Ubuntu 21.04
    Release:        21.04
    Codename:       hirsute
    
    # uname -a
    Linux pagani 5.11.0-31-generic #33-Ubuntu SMP Wed Aug 11 13:19:04 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
    

    bpf:

    # cat /boot/config-$(uname -r) | grep BPF
    CONFIG_CGROUP_BPF=y
    CONFIG_BPF=y
    CONFIG_BPF_LSM=y
    CONFIG_BPF_SYSCALL=y
    CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
    CONFIG_BPF_JIT_ALWAYS_ON=y
    CONFIG_BPF_JIT_DEFAULT_ON=y
    # CONFIG_BPF_PRELOAD is not set
    CONFIG_IPV6_SEG6_BPF=y
    CONFIG_NETFILTER_XT_MATCH_BPF=m
    CONFIG_BPFILTER=y
    CONFIG_BPFILTER_UMH=m
    CONFIG_NET_CLS_BPF=m
    CONFIG_NET_ACT_BPF=m
    CONFIG_BPF_JIT=y
    CONFIG_BPF_STREAM_PARSER=y
    CONFIG_LWTUNNEL_BPF=y
    CONFIG_HAVE_EBPF_JIT=y
    CONFIG_BPF_EVENTS=y
    CONFIG_BPF_KPROBE_OVERRIDE=y
    CONFIG_TEST_BPF=m
    
    # cat /boot/config-$(uname -r) | grep BTF
    CONFIG_VIDEO_SONY_BTF_MPX=m
    CONFIG_DEBUG_INFO_BTF=y
    CONFIG_PAHOLE_HAS_SPLIT_BTF=y
    CONFIG_DEBUG_INFO_BTF_MODULES=y
    

    llvm:

    # llc --version
    LLVM (http://llvm.org/):
      LLVM version 12.0.0
    
      Optimized build.
      Default target: x86_64-pc-linux-gnu
      Host CPU: skylake
    
      Registered Targets:
        bpf        - BPF (host endian)
        bpfeb      - BPF (big endian)
        bpfel      - BPF (little endian)
    

    How the error happens

    I run Ubuntu 21.04 as a VirtualBox VM. After go generate, go build and ./pwru --output-skb, the error comes.

    What I tried

    I checked kprobe_pwru.c:

    static __always_inline void
    set_skb_btf(struct sk_buff *skb, typeof(print_skb_id) *event_id) {
    #ifdef OUTPUT_SKB
    	static struct btf_ptr p = {};
    	typeof(print_skb_id) id;
    	char *str;
    
    	p.type_id = bpf_core_type_id_kernel(struct sk_buff);
    	p.ptr = skb;
    	id = __sync_fetch_and_add(&print_skb_id, 1) % 256;
    
    	str = bpf_map_lookup_elem(&print_skb_map, (u32 *) &id);
    	if (!str)
    		return;
    
    	if (bpf_snprintf_btf(str, PRINT_SKB_STR_SIZE, &p, sizeof(p), 0) < 0)
    		return;
    
    	*event_id = id;
    #endif
    }
    

    I checked the kernel's bpf verifier.c:

    		if (BPF_CLASS(insn->code) == BPF_STX &&
    		    ((BPF_MODE(insn->code) != BPF_MEM &&
    		      BPF_MODE(insn->code) != BPF_XADD) || insn->imm != 0)) {
    			verbose(env, "BPF_STX uses reserved fields\n");
    			return -EINVAL;
    		}
    

    and read the BPF and XDP Reference Guide:

    BPF_ST, BPF_STX: Both classes are for store operations. Similar to BPF_LDX the BPF_STX is the store counterpart and is used to store the data from a register into memory, which, again, can be stack memory, map value, packet data, etc. BPF_STX also holds special instructions for performing word and double-word based atomic add operations, which can be used for counters, for example. The BPF_ST class is similar to BPF_STX by providing instructions for storing data into memory only that the source operand is an immediate value.
    

    I also checked its assembly code:

    # clang -I./bpf/headers -O2 -target bpf -c bpf/kprobe_pwru.c -o kprobe_pwru.elf -g -DOUTPUT_SKB
    # llvm-objdump -S ./kprobe_pwru.elf > kprobe_pwru.elf.txt
    

    But at the end, I don't know how to fix it.

    bug 
    opened by Asphaltt 8
  • Not able to run pwru with --filter-dst-port option due to OOM

    Not able to run pwru with --filter-dst-port option due to OOM

    [vagrant@fedora ~]$ sudo ./pwru --filter-dst-port=11211
    2022/01/07 03:50:20 Attaching kprobes...
    473 / 1333 [-----------------------------------------------   35.48% 17 p/s
    Killed
    

    I am able to run pwru with just sudo ./pwru but not able to apply any filters.

    bug 
    opened by achilles-git 7
  • Build static binaries by default, various other improvements

    Build static binaries by default, various other improvements

    Make sure statically linked binaries are built for the release. Also drop the dependency on github.com/cilium/cilium to avoid pulling in lots of transitive dependencies.

    See individual commit messages for details.

    opened by tklauser 6
  • Can only probe kfree_skb?

    Can only probe kfree_skb?

    The kernel calls kfree_skb when the packet is finally dropped, and most of the time this is the first thing we look at, so we can print out the kernel stack and get a general idea of the problem. However, the current default is to probe all functions that contain skb, which is a bit time consuming.

    enhancement 
    opened by duanjiong 6
  • Allow pod names/labels as filters

    Allow pod names/labels as filters

    Currently, users are required to specify source/destination pod IP addresses as filters. Allow users to pass pod identifiers such as name or label along with the namespace as filters. The mapping from pod identifiers to their IPs can potentially be retrieved from Hubble.

    enhancement 
    opened by aditighag 5
  • build failure

    build failure

    [Sun Oct 17 21:42:38][#94# ] (master)$go build main.go

    command-line-arguments

    ./main.go:68:15: undefined: signal.NotifyContext
    ./main.go:85:11: undefined: KProbePWRUObjects
    ./main.go:86:13: undefined: LoadKProbePWRUObjects
    ./main.go:99:11: undefined: KProbePWRUWithoutOutputSKBObjects
    ./main.go:100:13: undefined: LoadKProbePWRUWithoutOutputSKBObjects
    note: module requires Go 1.17

    opened by zhangbo1882 5
  • pwru fails to start on kernel 6.0.8

    pwru fails to start on kernel 6.0.8

    Hi :wave:

    On ArchLinux running Kernel 6.0.8 I'm running into the following problem:

    $ sudo pwru
    2022/11/18 10:46:19 Failed to load BTF spec: can't read types: type id 2036: unknown kind: Unknown (19)
    

    I've verified that I meet all the requirements from the README.md.

    opened by shaneutt 4
  • Update docker/Kubernetes deployment instructions in README

    Update docker/Kubernetes deployment instructions in README

    Using the current "Running pwru with Docker" command throws the following error on Ubuntu 22.04/22.10:

    $> docker run --privileged --rm -t --pid=host -v /sys/kernel/debug/tracing:/sys/kernel/debug/tracing cilium/pwru --filter-dst-ip=1.1.1.1
        docker: Error response from daemon: error while creating mount source path '/sys/kernel/debug/tracing': mkdir /sys/kernel/debug/tracing: no such file or directory.
    

    This is similar to the issue reported here: https://forums.docker.com/t/mount-subpath-of-debugfs/123525

    One way to resolve this would be to mount the entire /sys/kernel/debug to the pwru container.

    A similar error is surfaced when applying the Kubernetes spec mentioned in the README. I could get pwru running on a Kubernetes node only after creating and attaching a volume.

    Signed-off-by: Anubhab Majumdar [email protected]

    opened by anubhabMajumdar 4
  • Bump actions/cache from 3.2.0 to 3.2.2

    Bump actions/cache from 3.2.0 to 3.2.2

    Bumps actions/cache from 3.2.0 to 3.2.2.

    enhancement 
    opened by dependabot[bot] 0
  • Package pwru for major distros

    Package pwru for major distros

    Each pwru release published in https://github.com/cilium/pwru/releases is statically linked, and it doesn't have any runtime dependencies. So, it should be trivial to package for major distros (Archlinux, Ubuntu, Debian, Fedora, etc).

    good first issue help wanted 
    opened by brb 3
  • support --filter-ip and --filter-port

    support --filter-ip and --filter-port

    Right now pwru only supports:

          --filter-dst-ip string        filter destination IP addr
          --filter-dst-port uint16      filter destination port
    [...]
          --filter-src-ip string        filter source IP addr
          --filter-src-port uint16      filter source port
    

    But when tracing packets through the stack, they can get DNAT'ed or SNAT'ed or both.

    Maybe a libpcap-like expression could even be used here and converted to eBPF insns (e.g. an inline asm blob), at least basic primitives to define an expression with IPs and ports combined with logical and/or.

    opened by borkmann 2
  • track skb pointer

    track skb pointer

    Would be great to track the pointer itself after the initial pkt classification match, and then keep following based on pointer value. Example was filtering on specific port:

    [...]
    0xffff8882262bf600    [ksoftirqd/1]             tcf_classify    4840296765444
    0xffff8882262bf600    [ksoftirqd/1]      skb_ensure_writable    4840296788712
    0xffff8882262bf600    [ksoftirqd/1] inet_proto_csum_replace4    4840296792231
    0xffff8882262bf600    [ksoftirqd/1]      skb_ensure_writable    4840296794062         <--- last occurrence before out of sight
    0xffff8882262bf900        [<empty>]             ip_local_out    4856424668947
    0xffff8882262bf900        [<empty>]           __ip_local_out    4856424679151
    0xffff8882262bf900        [<empty>]             nf_hook_slow    4856424682172
    [...]
    

    As can be seen, we lost track of pointer 0xffff8882262bf600 after skb_ensure_writable because the tc BPF program NAT'ed the packet.

    good first issue help wanted 
    opened by borkmann 3
  • Print packet drop reason collected from `kfree_skb_reason`

    Print packet drop reason collected from `kfree_skb_reason`

    Details are in the lwn article - https://lwn.net/Articles/885729/.

    This information is not actually useful to the kernel, but it has been added to the existing kfree_skb tracepoint, making it available to any program that connects to that tracepoint.

    It looks like the drop reasons are available with the existing trace point.

    enhancement 
    opened by aditighag 1
Releases (v0.0.7)
  • v0.0.7 (Dec 14, 2022)

    We are pleased to release the 0.0.7 version of pwru.

    The major changes include:

    • Blazingly fast load time thanks to the multi-link kprobes #99.
    • Continuous integration tests #111.
    • Fix of the IPv6 filtering #121.

    • 12fcaef - make: Use git safe.directory instead of mangling uid/gid (@brb)
    • 120e969 - Add IPv6 test case (@brb)
    • 6b118cf - Fix ipv6 filtering (@brb)
    • fe62d2c - Small vars declaration cleanup (@brb)
    • ee7e5e7 - Add type shim for kprobes representation in Go (@brb)
    • 820fbb2 - Add multi-link kprobe support (@brb)
    • feba59a - Add HaveBPFLinkKprobeMulti (@brb)
    • 5bd118a - bpf: Add kprobe.multi (@brb)
    • 19ca0ed - bpf: Prepare for bpf_get_func_ip() (@brb)
    • 93cf26f - Bump actions/setup-go from 3.4.0 to 3.5.0 (dependabot)
    • f37867b - Bump KyleMayes/install-llvm-action from 1.6.0 to 1.6.1 (dependabot)
    • f4bb669 - Bump actions/setup-go from 3.3.1 to 3.4.0 (dependabot)
    • 32cf9dd - Bump actions/upload-artifact from 3.1.0 to 3.1.1 (dependabot)
    • fbdd809 - Bump cilium/little-vm-helper (dependabot)
    • b8de3be - Bump cilium/little-vm-helper (dependabot)
    • 3d205fe - Add CI tests (@brb)
    • 0a23f88 - Add hidden --ready-file (@brb)
    • 0a62618 - Add --output-file to log traces (@brb)
    • 2692f2e - Update after renaming to main branch (@tklauser)

    Source code(tar.gz)
    Source code(zip)
    pwru-linux-amd64.tar.gz(1.63 MB)
    pwru-linux-amd64.tar.gz.sha256sum(90 bytes)
    pwru-linux-arm64.tar.gz(1.50 MB)
    pwru-linux-arm64.tar.gz.sha256sum(90 bytes)
  • v0.0.6 (Nov 22, 2022)

    We are pleased to release the 0.0.6 version of pwru.

    The major changes include:

    • Fix for a failure when running on the 6.0.8 kernel.

    • 286623e - Bump cilium/ebpf to latest (@brb)
    • 7afe5d8 - Simplify README wrt to debugfs mount (@brb)
    • 9b0acba - Add flag to attach to all available kernel modules (@varunkumare99)
    • ccdcad9 - Update docker/Kubernetes deployment instructions in README (@anubhabMajumdar)
    • d7e5de9 - Bump actions/setup-go from 3.3.0 to 3.3.1 (dependabot)
    • e35c400 - Bump KyleMayes/install-llvm-action from 1.5.5 to 1.6.0 (dependabot)
    • 4dca6ab - [StepSecurity] ci: Harden GitHub Actions (StepSecurity Bot)
    • 4451809 - Bump actions/cache from 3.0.10 to 3.0.11 (dependabot)
    • 43d5841 - Bump github.com/cilium/ebpf from 0.9.2 to 0.9.3 (dependabot)
    • 3a5c32e - Bump actions/cache from 3.0.9 to 3.0.10 (dependabot)
    • ff8c2d0 - Bump actions/cache from 3.0.8 to 3.0.9 (dependabot)
    • 63c5838 - Filter out non-available_filter_functions (@brb)
    • 4c42375 - Add example how to run on K8s (@brb)
    • e8ce718 - Update Dockerfile to use llvm 14 and Go 1.19.1 (@jauderho)
    • 5ded771 - Bump cilium/ebpf to v0.9.2 (@brb)
    • 634b700 - Bump KyleMayes/install-llvm-action from 1.5.4 to 1.5.5 (dependabot)
    • 84f82d5 - gh/workflows: Remove slack notification (@brb)

    Source code(tar.gz)
    Source code(zip)
    pwru-linux-amd64.tar.gz(1.57 MB)
    pwru-linux-amd64.tar.gz.sha256sum(90 bytes)
    pwru-linux-arm64.tar.gz(1.44 MB)
    pwru-linux-arm64.tar.gz.sha256sum(90 bytes)
  • v0.0.5 (Sep 22, 2022)

    We are pleased to release the 0.0.5 version of pwru.

    The major changes include:

    • pwru is published in a Docker image, and can be run with docker run --privileged --rm -t --pid=host cilium/pwru [args].
    • Changes to the output format (added CPU, made Timestamp optional).
    • Fix function offsets to handle endbr64 in the kernel code.

    • f9c08d7 - Update README.md (@brb)
    • 93fee0a - Make timestamp optional (@brb)
    • 5c28bfc - Add CPU ID to output (@brb)
    • f166870 - Try to fix endbr64 kprobe mess (@brb)
    • 73eaf6e - Bump 8398a7/action-slack from 3.13.1 to 3.13.2 (dependabot)
    • d01a490 - Bump actions/cache from 3.0.7 to 3.0.8 (dependabot)
    • fb370b6 - Bump 8398a7/action-slack from 3.13.0 to 3.13.1 (dependabot)
    • 8a36dc0 - add multi-stage builds to minimize docker image size (@voldemorte)
    • bb24e94 - Bump actions/cache from 3.0.6 to 3.0.7 (dependabot)
    • c4aea7d - Bump actions/cache from 3.0.5 to 3.0.6 (dependabot)

    Source code(tar.gz)
    Source code(zip)
    pwru-linux-amd64.tar.gz(1.53 MB)
    pwru-linux-amd64.tar.gz.sha256sum(90 bytes)
    pwru-linux-arm64.tar.gz(1.41 MB)
    pwru-linux-arm64.tar.gz.sha256sum(90 bytes)
  • v0.0.4(Jul 21, 2022)

    We are pleased to release the 0.0.4 version of pwru.

    The major changes include:

    • Kernel modules support #64 (@brb)
    • Support kernels w/o BTF #71 (@Asphaltt)

    Full changelog:

    • 2625e36 - Bump KyleMayes/install-llvm-action from 1.5.3 to 1.5.4 (dependabot)
    • 4a04b90 - Bump actions/cache from 3.0.4 to 3.0.5 (dependabot)
    • 61a3d0a - Bump github.com/cheggaaa/pb/v3 from 3.0.8 to 3.1.0 (dependabot)
    • 13ed259 - Update README.md (@brb)
    • bed215a - Add --kmods (@brb)
    • 3e2aa32 - Update cilium/ebpf (@brb)
    • c8620f9 - Run with specified kernel BTF file (@Asphaltt)
    • 4044993 - make: run release build as regular user (@tklauser)
    • 7396d9d - .gitignore: ignore release directory (@tklauser)
    • 3e7141c - Update Go to 1.18.3, alpine to 3.16 (@tklauser)
    • db7466b - Silence clang build warnings complaining address-of-packed-member (@chendotjs)
    • c18ec7b - Makefile: fix release target (@chendotjs)
    • 482c349 - Fix again min kernel vsn in README.md (@brb)
    • 4a066b0 - Bump actions/cache from 3.0.3 to 3.0.4 (dependabot)
    • c9fba89 - Bump actions/cache from 3.0.2 to 3.0.3 (dependabot)
    • ebaab02 - go.mod, vendor: update github.com/cilium/ebpf to v0.9.0 (@tklauser)
    • c8f45af - Bump KyleMayes/install-llvm-action from 1.4.1 to 1.5.3 (dependabot)
    • 91a539a - .github: un-ignore cilium/ebpf in dependabot config (@tklauser)
    • 8a2bb78 - go.mod: update to Go 1.18 (@tklauser)
    • 932cd15 - .github/workflows: build release with Go 1.18 (@tklauser)
    • f81d64e - Switch to gh/cilium/ebpf (@brb)
    • 20c3741 - Bump actions/checkout from 2 to 3 (dependabot)
    • 5ec925b - Bump actions/setup-go from 2 to 3 (dependabot)
    • 0abfd13 - .github: fix label for dependabot PRs (@tklauser)
    • e51fbd1 - Bump actions/cache from 2.1.6 to 3.0.2 (dependabot)
    • 1d42d3f - make: allow running git status during release build (@tklauser)
    • 17c6410 - Update Go to 1.18.2 (@tklauser)
    • 077fd49 - .github: add dependabot configuration (@tklauser)
    • 4c25bb1 - Better defaults for per-cpu-buffer (@dezmodue)
    • 0597bc4 - Add argument per-cpu-buffer and fix Vagrant setup (@dezmodue)
    • f9f48c0 - Bump cilium/bpf dependency (@brb)
    • fb02554 - doc: Add a known issue doc with OOM issue description (@YutaroHayakawa)
    • 45d5182 - install make to build binary inside VM (@Shikugawa)
    Source code(tar.gz)
    Source code(zip)
    pwru-linux-amd64.tar.gz(1.53 MB)
    pwru-linux-amd64.tar.gz.sha256sum(90 bytes)
    pwru-linux-arm64.tar.gz(1.41 MB)
    pwru-linux-arm64.tar.gz.sha256sum(90 bytes)
  • v0.0.3(Jan 25, 2022)

    We are pleased to release the 0.0.3 version of pwru.

    The major changes include:

    • ARM64 support (@tklauser)
    • Various improvements to output such as limiting output size (@Asphaltt)
    • Filtering network namespace (@Asphaltt)
    • Automating release process (@tklauser)

    Full changelog:

    • ad9a560 - Makefile: fix arm64 cross release build (@tklauser)
    • d3da8d9 - Dockerfile, README.md: consistently use make to build pwru (@tklauser)
    • 18e1063 - Makefile: set CGO_ENABLED=0 to build statically linked binaries (@tklauser)
    • a799086 - Drop dependency on github.com/cilium/cilium (@tklauser)
    • 722d306 - .github/workflows: check Go module vendoring (@tklauser)
    • d672722 - Revert "support output cpu" (@brb)
    • 8c3ac7f - Makefile: fix release target (@tklauser)
    • b59d564 - RELEASE.md: document release process (@tklauser)
    • cfce136 - .github/workflows: add release workflow (@tklauser)
    • eb02934 - README.md: use make in build instructions (@tklauser)
    • ce9cb04 - Add minimal Makefile (@tklauser)
    • 6ae255d - Add --version flag to report pwru version (@tklauser)
    • ea2dca0 - internal/pwru: Match entire string for --filter-func (@ypl-coffee)
    • ec75700 - internal/pwru: fix printing of function names on arm64 (@tklauser)
    • 9f9e33b - bpf/headers: add separate vmlinux.h for arm64 (@tklauser)
    • 303ea8d - Include bpf_tracing.h for PT_REGS_* macros (@tklauser)
    • d4006b5 - go.mod, vendor: update cilium to v1.11.0 (@tklauser)
    • 12b7ed8 - tools: add dummy package for bpf2go vendoring (@tklauser)
    • a992490 - bpf/headers: add script to update headers from libbpf (@tklauser)
    • 015a734 - support output cpu (@Asphaltt)
    • 35f8017 - add option --output-limit-lines (@Asphaltt)
    • 534118d - Update README.md (@szuecs)
    • e9dda50 - add option --filter-netns (@Asphaltt)
    Source code(tar.gz)
    Source code(zip)
    pwru-linux-amd64.tar.gz(1.91 MB)
    pwru-linux-amd64.tar.gz.sha256sum(90 bytes)
    pwru-linux-arm64.tar.gz(1.74 MB)
    pwru-linux-arm64.tar.gz.sha256sum(90 bytes)
  • v0.0.2(Oct 25, 2021)

    We are pleased to release the 0.0.2 version of pwru.

    The major changes include:

    • The new filter param --filter-func which selects to which functions pwru should attach the BPF tracing programs. It accepts regexp syntax (RE2). This can be used to drastically reduce the load time (@duanjiong).
    • IPv6 support both in filtering and outputting tuples (@duanjiong).
    • Optimize the configuration retrieval in the BPF programs (@duanjiong).
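    As an added illustration, not pwru's own code, the Go program below shows the user-space selection step that these notes and the later changelogs describe: the --filter-func RE2 expression is anchored so it must match the whole function name (the "Match entire string for --filter-func" fix in 0.0.3), the candidates are intersected with the kernel's tracefs available_filter_functions list so only probe-able symbols are attached ("Filter out non-available_filter_functions"), and functions tagged with a [module] are kept only when --kmods is requested (0.0.4). Attaching fewer kprobes is what makes the flag cut load time. The selectAttachTargets function, the candidate list and the sample available_filter_functions text are constructed for this example; on a real system the candidates come from BTF and the list from tracefs.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// selectAttachTargets picks the kernel functions a tracer would kprobe.
// candidates are function names that take an skb argument; available is the
// text of tracefs available_filter_functions, whose lines read "func_name" for
// vmlinux symbols and "func_name [module]" for functions in loaded modules.
// filterFunc is an RE2 expression anchored to the whole name ("" = no filter);
// module functions are included only when kmods is true.
func selectAttachTargets(candidates []string, available string, filterFunc string, kmods bool) ([]string, error) {
	var re *regexp.Regexp
	if filterFunc != "" {
		var err error
		// Anchor so "ip_rcv" does not also select ip_rcv_core, ip_rcv_finish, ...
		re, err = regexp.Compile("^(?:" + filterFunc + ")$")
		if err != nil {
			return nil, fmt.Errorf("--filter-func: %w", err)
		}
	}

	// Build the set of probe-able names, separating module functions.
	inVmlinux := map[string]bool{}
	inModule := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(available))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue
		}
		if len(fields) >= 2 && strings.HasPrefix(fields[1], "[") {
			inModule[fields[0]] = true
		} else {
			inVmlinux[fields[0]] = true
		}
	}

	var out []string
	for _, fn := range candidates {
		if re != nil && !re.MatchString(fn) {
			continue
		}
		if inVmlinux[fn] || (kmods && inModule[fn]) {
			out = append(out, fn)
		}
	}
	sort.Strings(out)
	return out, nil
}

// Constructed sample of available_filter_functions (not a real dump).
const sampleAvailable = `ip_rcv
ip_rcv_core
ip_rcv_finish
__netif_receive_skb_core
kfree_skb_reason
nf_hook_slow
nft_do_chain [nf_tables]
br_handle_frame [bridge]
`

// Constructed candidate list; the last entry stands for a symbol present in
// BTF but not probe-able, which must be dropped.
var sampleCandidates = []string{
	"ip_rcv", "ip_rcv_core", "ip_rcv_finish", "__netif_receive_skb_core",
	"kfree_skb_reason", "nf_hook_slow", "nft_do_chain", "br_handle_frame",
	"some_inlined_skb_func",
}

func main() {
	targets, err := selectAttachTargets(sampleCandidates, sampleAvailable, `ip_rcv.*|nft_.*`, true)
	if err != nil {
		panic(err)
	}
	fmt.Println(targets)
}
```

    With the anchoring in place, `--filter-func ip_rcv` attaches to exactly one function, while `ip_rcv.*` selects the whole family; without `--kmods` the nf_tables and bridge entries are never attached even if the pattern matches them.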

    The pwru asset includes the statically linked binary for x86_64 arch (amd64) which includes the eBPF bytecode.

    Contributors:

    • @brb
    • @duanjiong
    • @mfrw
    • @twpayne
    Source code(tar.gz)
    Source code(zip)
    pwru(6.68 MB)
  • v0.0.1(Oct 15, 2021)

    We are pleased to release the very first version of pwru.

    The first version includes the basic filtering based on the following filters:

    • --filter-mark (skb mark)
    • --filter-proto (L4 protocol; udp, tcp, icmp)
    • --filter-{src,dst}-ip (IPv4 addr)
    • --filter-{src,dst}-port (TCP/UDP port)
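    As an added example rather than pwru's own code, the Go program below models the rule these flags share: each flag given on the command line is one predicate, an omitted flag matches anything, and a packet is traced only when every predicate holds, so a single failing flag rejects it. It parses the same kinds of values (mark, tcp/udp/icmp, addresses, ports), accepts IPv6 addresses as the 0.0.2 notes above describe, and unmaps IPv4-mapped IPv6 addresses so "::ffff:10.0.0.2" and "10.0.0.2" compare equal. The Filter and Packet types, ParseFilter, and the sample packets in main are constructed for this example; in pwru the comparison happens inside the BPF program against the live skb.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// IP protocol numbers as carried in the IP header (values from <linux/in.h>).
const (
	ProtoICMP uint8 = 1
	ProtoTCP  uint8 = 6
	ProtoUDP  uint8 = 17
)

// Filter holds one predicate per CLI flag; a nil pointer or zero value means
// the flag was omitted and matches every packet.
type Filter struct {
	Mark             *uint32
	Proto            uint8
	Src, Dst         *netip.Addr
	SrcPort, DstPort uint16
}

// Packet is the subset of skb state the predicates inspect (constructed here,
// not read from a real skb). Ports are 0 for protocols without them (ICMP).
type Packet struct {
	Mark             uint32
	Proto            uint8
	Src, Dst         netip.Addr
	SrcPort, DstPort uint16
}

var protoByName = map[string]uint8{"tcp": ProtoTCP, "udp": ProtoUDP, "icmp": ProtoICMP}

// ParseFilter builds a Filter from flag values; empty strings mean "not given".
func ParseFilter(mark, proto, srcIP, dstIP, srcPort, dstPort string) (Filter, error) {
	var f Filter
	if mark != "" {
		m, err := strconv.ParseUint(mark, 0, 32) // base 0 also accepts hex such as 0x10
		if err != nil {
			return f, fmt.Errorf("mark %q: %w", mark, err)
		}
		v := uint32(m)
		f.Mark = &v
	}
	if proto != "" {
		p, ok := protoByName[strings.ToLower(proto)]
		if !ok {
			return f, fmt.Errorf("unsupported protocol %q (want tcp, udp or icmp)", proto)
		}
		f.Proto = p
	}
	for _, a := range []struct {
		s   string
		dst **netip.Addr
	}{{srcIP, &f.Src}, {dstIP, &f.Dst}} {
		if a.s == "" {
			continue
		}
		addr, err := netip.ParseAddr(a.s) // IPv4 or IPv6
		if err != nil {
			return f, err
		}
		addr = addr.Unmap() // "::ffff:10.0.0.2" and "10.0.0.2" must compare equal
		*a.dst = &addr
	}
	for _, p := range []struct {
		s   string
		dst *uint16
	}{{srcPort, &f.SrcPort}, {dstPort, &f.DstPort}} {
		if p.s == "" {
			continue
		}
		v, err := strconv.ParseUint(p.s, 10, 16) // rejects 70000 and negatives
		if err != nil {
			return f, fmt.Errorf("port %q: %w", p.s, err)
		}
		*p.dst = uint16(v)
	}
	return f, nil
}

// Matches applies every set predicate; all of them must hold for the packet
// to be traced.
func (f Filter) Matches(p Packet) bool {
	return (f.Mark == nil || *f.Mark == p.Mark) &&
		(f.Proto == 0 || f.Proto == p.Proto) &&
		(f.Src == nil || *f.Src == p.Src.Unmap()) &&
		(f.Dst == nil || *f.Dst == p.Dst.Unmap()) &&
		(f.SrcPort == 0 || f.SrcPort == p.SrcPort) &&
		(f.DstPort == 0 || f.DstPort == p.DstPort)
}

func main() {
	// Equivalent of: --filter-proto tcp --filter-dst-ip 10.0.0.2 --filter-dst-port 443
	f, err := ParseFilter("", "tcp", "", "10.0.0.2", "", "443")
	if err != nil {
		panic(err)
	}
	src, dst := netip.MustParseAddr("10.0.0.1"), netip.MustParseAddr("10.0.0.2")
	// Constructed packets: only the first satisfies every predicate.
	for i, p := range []Packet{
		{Proto: ProtoTCP, Src: src, Dst: dst, SrcPort: 40000, DstPort: 443},
		{Proto: ProtoTCP, Src: src, Dst: dst, SrcPort: 40000, DstPort: 80},
		{Proto: ProtoICMP, Src: src, Dst: dst},
	} {
		fmt.Printf("packet %d traced: %v\n", i, f.Matches(p))
	}
}
```

    One consequence of the conjunction worth remembering when debugging: adding `--filter-dst-port` to an ICMP trace silently matches nothing, because ICMP packets carry no port to compare.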

    The output can be enhanced by the following options:

    • --output-tuple (prints L3/L4 tuple)
    • --output-skb (prints skb with BTF)
    • --output-meta (prints some skb's metadata)
    • --output-relative-timestamp (prints relative timestamp; useful for identifying performance issues)

    The pwru asset includes the statically linked binary for x86_64 arch (amd64) which includes the eBPF bytecode.

    Contributors:

    • @aditighag
    • @brb
    • @gandro
    Source code(tar.gz)
    Source code(zip)
    pwru(6.59 MB)
Owner: Cilium (eBPF-based Networking, Security, and Observability)