{"id":15056976,"url":"https://github.com/asphaltt/vista","last_synced_at":"2025-04-10T05:06:44.203Z","repository":{"id":239448876,"uuid":"799516595","full_name":"Asphaltt/vista","owner":"Asphaltt","description":"An eBPF enhanced Linux kernel skb and socket tracing tool.","archived":false,"fork":false,"pushed_at":"2025-03-13T13:39:38.000Z","size":6003,"stargazers_count":20,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-10T05:06:31.971Z","etag":null,"topics":["ebpf","gopacket-pcap","linux","skb-tracing","socket-tracing","tcpdump","vista"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Asphaltt.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-05-12T11:43:03.000Z","updated_at":"2025-03-13T13:39:38.000Z","dependencies_parsed_at":"2025-01-28T14:28:26.113Z","dependency_job_id":"8141d791-98dd-45ea-884a-5105924abf4d","html_url":"https://github.com/Asphaltt/vista","commit_stats":null,"previous_names":["asphaltt/vista"],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Asphaltt%2Fvista","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Asphaltt%2Fvista/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Asphaltt%2Fvista/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Asphaltt%2Fvista/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/
GitHub/owners/Asphaltt","download_url":"https://codeload.github.com/Asphaltt/vista/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248161274,"owners_count":21057555,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ebpf","gopacket-pcap","linux","skb-tracing","socket-tracing","tcpdump","vista"],"created_at":"2024-09-24T21:59:42.309Z","updated_at":"2025-04-10T05:06:44.170Z","avatar_url":"https://github.com/Asphaltt.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# vista: skb and socket tracing tool\n\n`vista` is a `bpf-(2)` based tool for tracing network skbs and sockets.\n\n## Running\n\n### Requirements\n\n`vista` requires \u003e= 5.3 kernel to run. For `--output-skb` \u003e= 5.9 kernel is required. For `--backend=kprobe-multi` \u003e= 5.18 kernel is required.\n\n`debugfs` has to be mounted in `/sys/kernel/debug`. 
If the folder is empty, it can be mounted with:\n\n```bash\nmount -t debugfs none /sys/kernel/debug\n```\n\nThe following kernel configuration is required.\n\n|           Option         | Backend      |                   Note                               |\n| ------------------------ | -------------|----------------------------------------------------- |\n| CONFIG_DEBUG_INFO_BTF=y  | both         | available since \u003e= 5.3                               |\n| CONFIG_KPROBES=y         | both         |                                                      |\n| CONFIG_PERF_EVENTS=y     | both         |                                                      |\n| CONFIG_BPF=y             | both         |                                                      |\n| CONFIG_BPF_SYSCALL=y     | both         |                                                      |\n| CONFIG_FUNCTION_TRACER=y | kprobe-multi | /sys/kernel/debug/tracing/available_filter_functions |\n| CONFIG_FPROBE=y          | kprobe-multi | available since \u003e= 5.18                              |\n\nYou can use `zgrep $OPTION /proc/config.gz` to check whether an option is enabled.\n\n### Usage\n\n```bash\n$ ./vista --help\nUsage: ./vista [options] [pcap-filter]\n    Available pcap-filter: see \"man 7 pcap-filter\"\n    Available options:\n      --all-kmods                      attach to all available kernel modules\n      --filter-addr string             filter IP address\n      --filter-ifname string           filter skb ifname in --filter-netns (if not specified, use current netns)\n      --filter-kprobe-batch uint       batch size for kprobe attaching/detaching (default 10)\n      --filter-netns string            filter netns (\"/proc/\u003cpid\u003e/ns/net\", \"inode:\u003cinode\u003e\")\n      --filter-port uint16             filter port\n      --filter-protocol string         filter protocol, tcp, udp, icmp, empty for any\n      --filter-sk-func string          filter kernel sk functions to be 
probed by name (exact match, supports RE2 regular expression)\n      --filter-sk-mark uint32          filter sk mark\n      --filter-skb-drop-stack          trace kfree_skb and print skb drop stack\n      --filter-skb-func string         filter kernel skb functions to be probed by name (exact match, supports RE2 regular expression)\n      --filter-skb-mark uint32         filter skb mark\n      --filter-tcp-lifetime duration   filter TCP lifetime greater than or equal to the given duration (e.g., 100ms, 1s, 1m)\n      --filter-trace-iptables          trace iptables\n      --filter-trace-sk                trace sock\n      --filter-trace-skb               trace skb\n      --filter-trace-tc                trace TC bpf progs\n      --filter-trace-tcp               trace tcp socket lifetime\n      --filter-trace-xdp               trace XDP bpf progs\n      --filter-track-skb               trace a packet even if it does not match given filters (e.g., after NAT or tunnel decapsulation)\n  -h, --help                           display this message and exit\n      --kernel-btf string              specify kernel BTF file\n      --kmods strings                  list of kernel modules names to attach to\n      --kprobe-backend string          Tracing backend('kprobe', 'kprobe-multi'). 
Will auto-detect if not specified.\n      --output-file string             write traces to file\n      --output-iptables                print iptables\n      --output-limit-lines int         exit the program after the number of events has been received/printed\n      --output-meta                    print skb metadata\n      --output-sk                      print sock\n      --output-skb                     print skb\n      --output-stack                   print stack\n      --output-tcp                     print TCP\n      --output-tuple                   print L4 tuple\n      --pcap-file string               write packets to pcap file, only work with --filter-trace-xdp/--filter-trace-tc\n      --pcap-mode strings              pcap mode, can be 'entry' and/or 'exit', only work with --pcap-file. Default is 'entry' and 'exit'. 'entry' is to capture packet before BPF prog, 'exit' is to capture packet after BPF prog.\n      --pcap-snaplen uint16            snapture length of packet for pcap (default 256)\n      --timestamp string               print timestamp per event (\"relative\", \"absolute\", \"none\") (default \"none\")\n      --version                        show vista version and exit\n```\n\nThe `--filter-skb-func` switch does an exact match on function names i.e.\n`--filter-skb-func=foo` only matches `foo()`; for a wildcarded match, try\n`--filter-skb-func=\".*foo.*\"` instead. 
The same applies to `--filter-sk-func`.\n\n### Examples\n\n#### Capture packets when --filter-trace-xdp and/or --filter-trace-tc is enabled\n\n```bash\n$ sudo ./vista --filter-trace-xdp --filter-trace-tc --output-meta --output-tuple --output-limit-lines 4 --pcap-file vista.pcapng icmp\n2024/05/25 13:08:37 Tracing tc progs..\n2024/05/25 13:08:37 Tracing xdp progs..\n2024/05/25 13:08:37 Listening for events..\n            SKB/SK    CPU          PROCESS                     FUNC\n0xffff990282314000      2     [\u003cempty\u003e(0)]               dummy(xdp) netns=4026531840 mark=0x0 iface=2(ens33) proto=0x0000 mtu=1500 len=98 pkt_type=HOST 192.168.241.1-\u003e192.168.241.133(icmp request id=23089 seq=0)\nSaving this packet to vista.pcapng..\n0xffff990282314000      2     [\u003cempty\u003e(0)]               dummy(xdp) netns=4026531840 mark=0x0 iface=2(ens33) proto=0x0000 mtu=1500 len=98 pkt_type=HOST 192.168.241.1-\u003e192.168.241.133(icmp request id=23089 seq=0)\nSaving this packet to vista.pcapng..\n0xffff990282314000      2     [\u003cempty\u003e(0)]                dummy(tc) netns=4026531840 mark=0x0 iface=2(ens33) proto=0x0800 mtu=1500 len=98 pkt_type=HOST 192.168.241.1-\u003e192.168.241.133(icmp request id=23089 seq=0)\nSaving this packet to vista.pcapng..\n0xffff990282314000      2     [\u003cempty\u003e(0)]                dummy(tc) netns=4026531840 mark=0x0 iface=2(ens33) proto=0x0800 mtu=1500 len=98 pkt_type=HOST 192.168.241.1-\u003e192.168.241.133(icmp request id=23089 seq=0)\nSaving this packet to vista.pcapng..\n2024/05/25 13:08:39 Printed 4 events, exiting program..\n```\n\nThere is enhanced packet information for each packet, like `comment`, `Interface queue` and `Verdict`.\n\n![vista.pcapng](./vista-pcapng.png)\n\n## Developing\n\n### Dependencies\n\n* Go \u003e= 1.16\n* LLVM/clang \u003e= 1.12\n* Bison\n* Lex/Flex \u003e= 2.5.31\n\n### Building\n\n```bash\nmake\n```\n\nAlternatively, you can build in the Docker container:\n\n```bash\nmake 
release\n```\n\n## Contributing\n\n`vista` is an open source project. The userspace code is licensed under\n[Apache-2.0](LICENSE), while the BPF code is licensed under [BSD 2-Clause](bpf/LICENSE.BSD-2-Clause)\nand [GPL-2.0](bpf/LICENSE.GPL-2.0). Everybody is welcome to contribute.\nContributors are required to follow the [Contributor Covenant Code of\nConduct](https://www.contributor-covenant.org/version/1/4/code-of-conduct/) and\nmust adhere to the [Developer Certificate of\nOrigin](https://developercertificate.org/) by adding a Signed-off-by line to\ntheir commit messages.\n\n## Credits\n\nThis repo is forked from [cilium/pwru](https://github.com/cilium/pwru) and\nextended to support iptables tracing and socket tracing.\n\nThanks for the original great work!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fasphaltt%2Fvista","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fasphaltt%2Fvista","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fasphaltt%2Fvista/lists"}