{"id":22439400,"url":"https://github.com/junka/pycbpf","last_synced_at":"2026-04-14T07:34:01.103Z","repository":{"id":167834798,"uuid":"642886741","full_name":"junka/pycbpf","owner":"junka","description":"python script which compile cbpf to C code for BCC","archived":false,"fork":false,"pushed_at":"2024-05-27T11:41:05.000Z","size":59,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-10-27T22:40:31.388Z","etag":null,"topics":["bcc","cbpf","ebpf","packet-capture","tcpdump"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/junka.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-05-19T15:10:31.000Z","updated_at":"2024-05-27T11:41:08.000Z","dependencies_parsed_at":"2024-12-06T01:14:06.242Z","dependency_job_id":null,"html_url":"https://github.com/junka/pycbpf","commit_stats":null,"previous_names":["junka/pycbpf"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/junka/pycbpf","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/junka%2Fpycbpf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/junka%2Fpycbpf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/junka%2Fpycbpf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/junka%2Fpycbpf/manifests","owner_url":"https://
repos.ecosyste.ms/api/v1/hosts/GitHub/owners/junka","download_url":"https://codeload.github.com/junka/pycbpf/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/junka%2Fpycbpf/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31787050,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-14T02:24:21.117Z","status":"ssl_error","status_checked_at":"2026-04-14T02:24:20.627Z","response_time":153,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bcc","cbpf","ebpf","packet-capture","tcpdump"],"created_at":"2024-12-06T01:14:02.234Z","updated_at":"2026-04-14T07:34:01.085Z","avatar_url":"https://github.com/junka.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"### About pycbpf ![ci](https://github.com/junka/pycbpf/actions/workflows/pylint.yml/badge.svg) ![Coverage Badge](https://codecov.io/gh/junka/pycbpf/branch/main/graph/badge.svg)\n---\n\nInspired by [cbpfc](https://github.com/cloudflare/cbpfc).\n\npycbpf2c converts a tcpdump filter expression to C code that can be injected into a BCC script.\n\nThis aims to provide native Python support, so BCC can import it directly.\n\nIt also provides a BCC script for dumping filtered packets in pcap format.\n\n### Simple use case\n\nTo sniff packets from ```dev_queue_xmit``` and save them to a pcap file, run:\n```\npython3 -m 
pycbpf.c2ebpf -i eth0 -w file.pcap \u003ctcpdump expression\u003e\n```\n\nOr, with no pcap file specified, pipe the output to tcpdump:\n```\npython3 -m pycbpf.c2ebpf -i eth0 \u003ctcpdump expression\u003e | tcpdump -r - -nev\n```\n\n### Examples of usage\n\nYou can also generate a C program from a tcpdump expression and implement your own BCC script.\nThe command line below generates the C program, which can be used directly in BCC.\n```\npython3 -m pycbpf.cbpf2c \u003ctcpdump expression\u003e\n```\n\nSteps to use it in Python:\n\n1 - Install and import packages\n\n```\npip3 install pycbpf\n```\nThe Python version should be 3.7 or above.\n\n```\nfrom bcc import BPF\nfrom pycbpf import cbpf2c, filter2cbpf\n```\n2 - Generate cBPF, compile it to a C program, and enable BPF for tracing. Write your test_text with space reserved for the generated code. Use the inline function ```cbpf_filter_func``` in your trace program and handle its return value properly.\n```\ntest_text = \"\"\"\n\n/* reserve space for the generated code cbpf_filter_func */\n%s\n\nyour_func()\n{\n      u32 datalen = 0;\n      u32 ret = 0;\n      u8 *data;\n      ...\n\n      ret = cbpf_filter_func(data, data + datalen);\n      if (!ret) {\n            return 0;\n      }\n\n      filter_event.perf_submit(ctx, \u0026e, sizeof(e));\n}\n\n\"\"\"\n\nprog = filter2cbpf.CbpfProg([\"ip\"])\nprog_c = cbpf2c.CbpfC(prog)\ncfun = prog_c.compile_cbpf_to_c()\n# substitute the generated filter function into the reserved %s slot\ntest_text = test_text % cfun\nbpf_ctx = BPF(text=test_text, debug=0)\n```\n3 - Write the BCC perf event callback\n```\ndef filter_events_cb(_cpu, data, _size):\n      # print some data\n      # or write to pcap files\n      pass\n\nbpf_ctx['filter_event'].open_perf_buffer(filter_events_cb)\n```\n---\n### Further explanation\n\n\nAs for the code generated from cBPF: for example, a filter for ```ip``` packets generates this C program:\n```\nstatic inline u32\ncbpf_filter_func (const u8 *const data, const u8 *const data_end) {\n      __attribute__((unused)) u32 A, X, M[16];\n      __attribute__((unused)) const 
u8 *indirect;\n\n      if (data + 12 \u003e data_end) { return 0; }\n      A = bpf_ntohs(*((u16 *)(data + 12)));\n      if (A != 0x800) {goto label3;}\n      return 262144;\nlabel3:\n      return 0;\n}\n```\n\nIt follows what the cBPF code tells us to do:\n```\n(000) ldh      [12]\n(001) jeq      #0x800           jt 2\tjf 3\n(002) ret      #262144\n(003) ret      #0\n```\nA brief explanation of the cBPF code and cbpf_filter_func above:\n\nFirst, read 2 bytes at offset 12.\n\nTest the data read: if it equals 0x0800, jump to 002, otherwise jump to 003. Each jump target is named labelX, where X is the PC value.\n\nIf a label is right after the last instruction, it is ignored.\n002 and 003 return a value and exit the function.\n\n\nSee ```c2ebpf.py``` for an example of saving packets to pcap files.\n\n\n\n---\n### LICENSE\npycbpf is MIT licensed, as found in the LICENSE file\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjunka%2Fpycbpf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjunka%2Fpycbpf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjunka%2Fpycbpf/lists"}