{"id":31465593,"url":"https://github.com/carlossanchess/observer","last_synced_at":"2026-04-17T12:34:49.034Z","repository":{"id":315659499,"uuid":"1059763275","full_name":"CarlosSanchess/Observer","owner":"CarlosSanchess","description":"Tracing system calls in Linux, using BCC toolkit leveraging eBPF technology.","archived":false,"fork":false,"pushed_at":"2025-09-19T21:31:18.000Z","size":286,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-09-20T00:06:01.419Z","etag":null,"topics":["bcc","ebpf","linux-kernel","systemcalls"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CarlosSanchess.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-18T23:06:10.000Z","updated_at":"2025-09-19T21:31:22.000Z","dependencies_parsed_at":"2025-09-20T15:01:42.190Z","dependency_job_id":null,"html_url":"https://github.com/CarlosSanchess/Observer","commit_stats":null,"previous_names":["carlossanchess/observer"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/CarlosSanchess/Observer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CarlosSanchess%2FObserver","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CarlosSanchess%2FObserver/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CarlosSanchess%2FObserver/r
eleases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CarlosSanchess%2FObserver/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CarlosSanchess","download_url":"https://codeload.github.com/CarlosSanchess/Observer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CarlosSanchess%2FObserver/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":277883736,"owners_count":25894167,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-01T02:00:09.286Z","response_time":88,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bcc","ebpf","linux-kernel","systemcalls"],"created_at":"2025-10-01T17:55:45.571Z","updated_at":"2025-10-01T17:55:47.443Z","avatar_url":"https://github.com/CarlosSanchess.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\n\u003cimg src=\"imgs/binoculars.jpg\" width=\"350\" height=\"330\" style=\"border-radius: 50%;\" /\u003e\n\n\u003c/div\u003e\n\n# Observer\n\nObserver is a system call tracer leveraging eBPF technology to execute programs within the kernel.\n\nThis project uses BCC as the toolkit, which provides a frontend to create valid BPF programs while maintaining flexibility, making development easier and more efficient.\n\nFor translating system call IDs 
to their designations, we use a syscall table for the x86_64 architecture. Ensure you use the correct syscall table for your system architecture.\n\n## Implemented Features\n\n- [x] Trace all system calls made by all processes.\n- [x] Trace all system calls made by a specific process.\n- [x] Trace a specific system call made by a specific process.\n- [x] Trace a specific system call made by all processes.\n- [ ] GUI interface for visualization.\n\n## eBPF (Extended Berkeley Packet Filter)\n\n\u003cdiv align=\"center\"\u003e\n\n\u003cimg src=\"imgs/eBPF.png\" width=\"500\" height=\"250\" style=\"align:center\" /\u003e\n\n\u003c/div\u003e\n\neBPF is an event-driven Linux kernel technology that allows running sandboxed programs in a privileged context, extending kernel capabilities without modifying kernel source code or loading kernel modules.\n\nIt enables efficient kernel-space code execution, bypassing system call overhead, and allows customization of kernel-space operations.\n\n### Kernel Capabilities\n\nIn this project, we leverage the eBPF virtual machine (VM) for Just-In-Time (JIT) compilation of eBPF bytecode into native machine code directly within the kernel.\n\nWe also utilize static tracepoints provided by the kernel to capture all system calls. When we want to capture a single syscall, we use dynamic hooks: kprobes (kernel probes).\n\nAdditionally, the project makes use of the eBPF verifier and eBPF maps for enhanced functionality and data handling.\n\n#### Maps\n\neBPF maps store and exchange information between kernel and user space. 
They can be accessed by eBPF programs and user-space applications via system calls.\n\nThis project uses:\n- **Ring Buffers**: For output.\n- **Arrays**: For input, storing configuration modes, and enabling the eBPF program to choose operation modes.\n\n### BCC (BPF Compiler Collection)\n\nBCC is a framework enabling Python programs with embedded eBPF programs.\n\n\u003cdiv align=\"center\"\u003e\n\n\u003cimg src=\"imgs/bcc.png\" width=\"700\" height=\"350\" style=\"align:center\" /\u003e\n\n\u003c/div\u003e\n\n## Installation\n\nEnsure the required dependencies are installed:\n\n```bash\nsudo apt update\nsudo apt install bpfcc-tools linux-headers-$(uname -r)\n```\n\nInstall Python:\n\n```bash\nsudo apt install python3 python3-pip\n```\n\nFor additional installation help, refer to the [BCC installation guide](https://github.com/iovisor/bcc/blob/master/INSTALL.md).\n\n## How to Run\n\nSpecify one or no process IDs (PIDs) to trace system calls. If no PID is provided, the script traces system calls for all processes. \n\nYou can also specify one or no syscall names to trace.\n\n```bash\npython3 observer.py -p \u003cPID1\u003e -s \u003csyscallName\u003e\n```\n\n## References\n\n- [eBPF Website](https://ebpf.io/)\n- [eBPF Documentation](https://docs.ebpf.io/linux/)\n- [BCC Documentation](https://github.com/iovisor/bcc/blob/master/docs/reference_guide.md)\n- [Syscall Table for x86_64](https://github.com/torvalds/linux/blob/v6.10/arch/x86/entry/syscalls/syscall_64.tbl#L11)\n- [IBM Article](https://www.ibm.com/think/topics/ebpf)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcarlossanchess%2Fobserver","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcarlossanchess%2Fobserver","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcarlossanchess%2Fobserver/lists"}