{"id":17644696,"url":"https://github.com/jschwinger233/skbdump","last_synced_at":"2025-05-05T21:16:40.711Z","repository":{"id":143571332,"uuid":"609561084","full_name":"jschwinger233/skbdump","owner":"jschwinger233","description":"ebpf-based tcpdump","archived":false,"fork":false,"pushed_at":"2024-01-08T09:34:04.000Z","size":5974,"stargazers_count":89,"open_issues_count":1,"forks_count":7,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-05-05T21:16:35.086Z","etag":null,"topics":["bpf","ebpf","network-sniffer","tcpdump"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jschwinger233.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-03-04T14:53:12.000Z","updated_at":"2025-04-30T01:33:05.000Z","dependencies_parsed_at":null,"dependency_job_id":"e7fd315d-c71e-48c6-8d61-a38542045e04","html_url":"https://github.com/jschwinger233/skbdump","commit_stats":null,"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jschwinger233%2Fskbdump","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jschwinger233%2Fskbdump/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jschwinger233%2Fskbdump/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jschwinger233%2Fskbdump/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jschwinger233","download_url":"https://codeload.gi
thub.com/jschwinger233/skbdump/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252577027,"owners_count":21770721,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bpf","ebpf","network-sniffer","tcpdump"],"created_at":"2024-10-23T10:39:38.824Z","updated_at":"2025-05-05T21:16:40.693Z","avatar_url":"https://github.com/jschwinger233.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# skbdump\n\nskbdump is tcpdump(8) implemented with eBPF.\n\nskbdump tries to solve the following tcpdump(8) issues without losing the flexibility of pcap-filter(7):\n\n1. tcpdump(8) is bypassed if a BPF program on a netdev redirects the skb to another netdev;\n2. tcpdump(8) `-i any` relies on Linux cooked-mode capture (SLL), so the link-layer header isn't available;\n3. tcpdump(8) can't capture skb metadata from `struct __sk_buff` / `struct sk_buff`;\n4. tcpdump(8) can't dump traffic at specific kernel functions, e.g. `ip_rcv`.\n\n# Installation\n\nDownload the latest binary from the [releases](https://github.com/jschwinger233/skbdump/releases) page.\n\n### Requirements\n\nThe Linux kernel version must be newer than 5.5.\n\n# Usage\n\n```\nUsage of skbdump:\n  -i, --interface string       interface to capture (default \"lo\")\n  -a, --kaddrs string          kernel addresses to trace, e.g. \"0xffffffffa0272110,0xffffffffa0272118\"\n  -f, --kfuncs string          kernel functions to trace, e.g. \"ip_rcv,icmp_rcv\"\n  -n, --netns string           netns specifier, e.g. 
\"pid:1234\", \"path:/var/run/netns/foo\"\n  -o, --output-fields string   output fields of skb, e.g. \"mark,cb\"\n  -w, --pcap-filename string   output pcap filename (default \"skbdump.pcap\")\n  -s, --skb-filename string    output skb filename (default \"skbdump.meta\")\n```\n\nThe trailing arguments are a pcap-filter(7) expression, as with tcpdump(8).\n\n### Example commands\n\n1. `skbdump -i eth0 port 80 and host 10.10.1.1`\n2. `skbdump -i eth0 udp or arp`\n3. `skbdump -i any icmp or icmp6`\n4. `skbdump -i any ip6 and dst host fd04::18ab`\n5. `skbdump -i veth 'tcp[((tcp[12:1] \u0026 0xf0) \u003e\u003e 2):4] = 0x47455420'` (TCP segments whose payload starts with `GET `; the data offset is read from the high nibble of TCP byte 12)\n6. `skbdump -i veth -f arp_rcv,arp_process 'arp and arp[7] = 1 and arp[24] = 169 and arp[25] = 254 and arp[26] = 0 and arp[27] = 1'` (ARP requests for 169.254.0.1, also traced at the `arp_rcv` and `arp_process` kernel functions)\n\n### Example output\n\n```\nstart tracing\n1 ffff9b30ec48ad00 in@15(zcv-peer) cb= Ethernet(a2:c4:a3:6b:6f:f8\u003eff:ff:ff:ff:ff:ff) | ARP(who-has 169.254.0.1 tell 192.168.0.1)\n2 ffff9b30ec48ad00 arp_rcv@15(zcv-peer) cb=[28,] Ethernet(a2:c4:a3:6b:6f:f8\u003eff:ff:ff:ff:ff:ff) | ARP(who-has 169.254.0.1 tell 192.168.0.1)\n3 ffff9b30ec48ad00 arp_rcv+r@15(zcv-peer) rv=0 cb= Ethernet(a2:c4:a3:6b:6f:f8\u003eff:ff:ff:ff:ff:ff) | ARP(who-has 169.254.0.1 tell 192.168.0.1)\n```\n\n# Known Issues\n\n1. L3 netdevs such as wireguard or tun are not supported.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjschwinger233%2Fskbdump","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjschwinger233%2Fskbdump","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjschwinger233%2Fskbdump/lists"}