{"id":15056923,"url":"https://github.com/lumbrjx/ebpf-nta","last_synced_at":"2025-10-26T01:06:59.028Z","repository":{"id":254016870,"uuid":"845088120","full_name":"lumbrjx/ebpf-NTA","owner":"lumbrjx","description":"A simple, portable eBPF C program for analyzing and filtering network traffic on Linux. With a self-cleaning Go-based user-space program including easy setup and cleanup using a Makefile.","archived":false,"fork":false,"pushed_at":"2024-08-25T16:17:31.000Z","size":5510,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-24T06:11:27.594Z","etag":null,"topics":["c","ebpf","filtering","golang","kernel-space","linux","monitoring","networking","observability","packet","tcp","traffic-control","user-space"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lumbrjx.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-08-20T14:57:51.000Z","updated_at":"2024-10-17T23:36:15.000Z","dependencies_parsed_at":"2025-02-16T14:38:09.292Z","dependency_job_id":"8740695f-a27b-45eb-b90f-a38d27b8db84","html_url":"https://github.com/lumbrjx/ebpf-NTA","commit_stats":null,"previous_names":["lumbrjx/ebpf-nta"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lumbrjx%2Febpf-NTA","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lumbrjx%2Febpf-NTA/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lumbrjx%2Febpf-NTA/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lumbrjx%2Febpf-NTA/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lumbrjx","download_url":"https://codeload.github.com/lumbrjx/ebpf-NTA/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248161257,"owners_count":21057554,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["c","ebpf","filtering","golang","kernel-space","linux","monitoring","networking","observability","packet","tcp","traffic-control","user-space"],"created_at":"2024-09-24T21:58:32.892Z","updated_at":"2025-10-12T17:07:36.886Z","avatar_url":"https://github.com/lumbrjx.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# eBPF Network Traffic Analyzer\n\n### This repository contains an eBPF program designed to analyze network traffic on a Linux system. The program is compiled with Clang and loaded into the Linux kernel using the tc (Traffic Control) command. It attaches to both the ingress and egress paths of a specified network interface, allowing real-time inspection and filtering of packets.\n\n## Features\n\n- Packet Inspection: Analyze incoming and outgoing packets on a specific network interface.\n- Real-Time Logging: Use bpf_printk to log packet details directly from the kernel.\n- User-Space Control with Go: A Go program is provided for interacting with the eBPF program in user space, offering an easy and flexible way to control and retrieve data from the eBPF program.\n- Easy Setup: Automated setup and cleanup using a Makefile.\n\n## Getting Started\n\nClone the repository and run make all to compile and load the eBPF program.\n\n```bash\n\ngit clone https://github.com/lumbrjx/ebpf-NTA.git\ncd ebpf-NTA\nmake all\n```\n### Requirements\n\nBefore using the Makefile, ensure you have the following installed on your system:\n\n- Linux with eBPF support\n- Clang/LLVM\n- Kernel headers\n- Go (for user-space control)\n- libelf-dev: A library to handle ELF files (used by the eBPF program).\n\n### Targets:\n\nThe Makefile contains the following targets:\n1. install-deps\n\nDescription: Installs the necessary dependencies for building and running the eBPF and user-space programs.\n\nUsage:\n\n```bash\n\nmake install-deps\n```\n2. $(TARGET)\n\nDescription: Compiles the eBPF program (tc.c) into a binary object file (tc.o).\n\nUsage:\n\n```bash\n\nmake tc.o\n```\n3. load\n\nDescription: Loads the compiled eBPF program into the kernel using the tc command. This sets up a classifier-action (clsact) qdisc and attaches the eBPF program to the ingress and egress filters on the specified network interface.\n\nUsage:\n\n```bash\n\nmake load\n```\n4. view *Deprecated*\n\nDescription: Views the output of bpf_printk in the kernel trace pipe.\n\nUsage:\n\n```bash\n\nmake view \n```\n5. view-tcp *Deprecated*\n\nDescription: Filters the trace_pipe output to show only TCP-related logs.\n\nUsage:\n\n```bash\n\nmake view-tcp\n```\n6. view-udp *Deprecated*\n\nDescription: Filters the trace_pipe output to show only UDP-related logs.\n\nUsage:\n\n```bash\n\nmake view-udp\n```\n7. build-US\n\nDescription: Compiles the Go user-space program (tc.go) located in the user_space directory.\n\nUsage:\n\n```bash\n\nmake build-US\n```\n8. start-US\n\nDescription: Starts the compiled user-space program (tc_US).\n\nUsage:\n\n```bash\n\nmake start-US\n```\n9. clean\n\nDescription: Cleans up the environment by removing the compiled eBPF object file, the user-space binary, and detaching the eBPF program from the network interface.\n\nUsage:\n\n```bash\n\nmake clean\n```\n10. all\n\nDescription: Executes all the steps in sequence: installs dependencies, compiles the eBPF program, builds the user-space program, and starts the user-space program.\n\nUsage:\n\n```bash\n\nmake all\n```\n### Notes\n\nThe default network interface used in this Makefile is enp1s0. If your network interface is different, modify the INTERFACE variable in the Makefile.\nEnsure you have root privileges to execute some of these commands as they interact with the network interface and kernel tracing features.\n\n# License\n\nThis project is licensed under the MIT License.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flumbrjx%2Febpf-nta","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flumbrjx%2Febpf-nta","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flumbrjx%2Febpf-nta/lists"}