{"id":13830122,"url":"https://github.com/ntop/libebpfflow","last_synced_at":"2025-04-06T07:12:44.370Z","repository":{"id":43043183,"uuid":"170587325","full_name":"ntop/libebpfflow","owner":"ntop","description":"Container traffic visibility library based on eBPF","archived":false,"fork":false,"pushed_at":"2022-05-17T07:16:11.000Z","size":309,"stargazers_count":375,"open_issues_count":2,"forks_count":40,"subscribers_count":9,"default_branch":"master","last_synced_at":"2025-03-30T06:07:36.156Z","etag":null,"topics":["containers","docker","ebpf","kubernetes","linux","netflow","traffic-monitoring"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ntop.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-02-13T22:11:01.000Z","updated_at":"2025-03-16T15:17:59.000Z","dependencies_parsed_at":"2022-09-26T19:11:04.936Z","dependency_job_id":null,"html_url":"https://github.com/ntop/libebpfflow","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ntop%2Flibebpfflow","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ntop%2Flibebpfflow/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ntop%2Flibebpfflow/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ntop%2Flibebpfflow/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ntop","download_url":"https://codeload.github.com/ntop/libebpfflow/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https:
//github.com","kind":"github","repositories_count":247445671,"owners_count":20939958,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["containers","docker","ebpf","kubernetes","linux","netflow","traffic-monitoring"],"created_at":"2024-08-04T10:00:55.995Z","updated_at":"2025-04-06T07:12:44.352Z","avatar_url":"https://github.com/ntop.png","language":"C","readme":"# libebpfflow\nTraffic visibility library based on eBPF\n\n### Introduction\nlibebpfflow is a traffic visibility library based on eBPF able to compute network flows. It can be used to:\n* enable network visibility\n* create a packet-less network probe\n* inspect host and container communications for different container runtimes\n\n### Main features\n* Ability to inspect TCP and UDP traffic\n* Container visibility\n* TCP latency computation\n* Process and user visibility\n\n### Supported Languages\n* Golang\n* C/C++\n \n### Requirements\nYou need a modern eBPF-enabled Linux distribution.\n\nOn Ubuntu 16.04/18.04/20.04 Server LTS you can install the prerequisites (we assume that the compiler is already installed) as follows:\n```sh\n$ sudo apt-get install build-essential autoconf automake autogen libjson-c-dev pkg-config libzmq3-dev libcurl4-openssl-dev libbpfcc-dev\n```\n\n### Build\nGenerate the makefile\n```sh\n$ ./autogen.sh\n```\n\nNow build everything\n```sh\n$ make\n```\nGo testing tool\n```sh\nmake go_ebpflowexport\n```\n\n### Testing\nThe library comes with two different tools: *ebpflowexport* and *go\\_ebpflowexport*. The _Build_ section explains how to build the tools. 
Although both tools were developed to show potential library usage and to provide guidance on how to use the library, *ebpflowexport* displays all the information provided by *libebpfflow* and provides some options for filtering flow events while *go\\_ebpflowexport* displays only basic information concerning events.\n```sh\n$ sudo ./ebpflowexport -h\nebpflowexport: Traffic visibility tool based on libebpfflow. By default all events will be shown \nUsage: ebpflow [ OPTIONS ] \n   -h, --help      display this message \n   -t, --tcp       TCP events \n   -u, --udp       UDP events \n   -i, --in        incoming events (i.e. TCP accept and UDP receive) \n   -o, --on        outgoing events (i.e. TCP connect and UDP send) \n   -r, --retr      retransmissions events \n   -c, --tcpclose  TCP close events \n   -d, --docker    gather additional information concerning containers (default: enabled)\n   -v, --verbose   vebose formatting (default: every event is shown) \nNote: please run as root \n```\nWhat follows is a demonstration of the execution of *ebpflowexport* in a system where both minikube with containerd as runtime and Docker containers are running at the same time.\n```sh\n$ sudo ./ebpflowexport -tio\nWelcome to ebpflowexport v.1.0.190407\n(C) 2018-19 ntop.org\nInitializing eBPF [Legacy API]...\neBPF initializated successfully\n1554803923.684786 [lo][Sent][IPv4/TCP][pid/tid: 1446/496 [/usr/bin/kubelet], uid/gid: 0/0][father pid/tid: 1/0 [/lib/systemd/systemd], uid/gid: 0/0][addr: 127.0.0.1:53790 \u003c-\u003e 127.0.0.1:10252][latency: 0.10 msec]\n1554803923.685139 [lo][Rcvd][IPv4/TCP][pid/tid: 2554/2329 [/usr/local/bin/kube-controller-manager], uid/gid: 0/0][father pid/tid: 2295/0 [/usr/local/bin/containerd-shim], uid/gid: 0/0][addr: 127.0.0.1:53790 \u003c-\u003e 127.0.0.1:10252][containerID: 275d71585e03][runtime: containerd][kube_pod: kube-controller-manager-minikube][kube_ns: kube-system][latency: 0.00 msec]\n1554803924.781354 [eth0][Sent][IPv4/TCP][pid/tid: 
30197/30197 [/usr/bin/curl], uid/gid: 0/0][father pid/tid: 26219/0 [/bin/bash], uid/gid: 0/0][addr: 172.17.0.2:54348 \u003c-\u003e 216.58.205.46:80][containerID: cbd2540ec5be][runtime: docker][docker_name: sleepy_haibt][latency: 0.22 msec]\n1554803929.257494 [enp0s3][Sent][IPv4/TCP][pid/tid: 30221/30221 [/usr/lib/apt/methods/http], uid/gid: 104/65534][father pid/tid: 30216/0 [/usr/bin/apt], uid/gid: 0/0][addr: 10.0.2.15:37140 \u003c-\u003e 91.189.88.162:80][latency: 0.17 msec]\n```\nA basic example of usage in C++ can be found in the directory */examples* whereas for the Go language the example provided is the one in */go/ebpf_flow.go*. More details on how to use the library can be found in the [ntopng](https://github.com/ntop/ntopng) code or by inspecting the code of the ebpflowexport tool.\n\n### Export eBPF Information to ntopng\nTo run both ebpflowexport and ntopng on the same host, start them as follows:\n\n- ntopng -i tcp://127.0.0.1:1234\n- ebpflowexport -z tcp://127.0.0.1:1234\n\n\n### Start as a Docker container\nTo use ebpflowexport as a Docker container first you have to build the tool. 
Once the tool has been built, build the docker image from the project root:\n```sh\n$ docker build -t ebpflowexport .\n```\nThe container can then be run\n```sh\n$ docker run -it --rm --privileged \\\n  -v /lib/modules:/lib/modules:ro \\\n  -v /usr/src:/usr/src:ro \\\n  -v /etc/localtime:/etc/localtime:ro \\\n  -v /sys/kernel/debug:/sys/kernel/debug \\\n  -v /var/run/docker.sock:/var/run/docker.sock \\\n  -v /snap/bin/microk8s.ctr:/snap/bin/microk8s.ctr \\\n  ebpflowexport\n```\n\n### Open Issues\nWhile the library is already usable in production, we plan to add some additional features including:\n* Implement periodic flow stats exports including bytes/packets/retransmissions\n\n","funding_links":[],"categories":["C"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fntop%2Flibebpfflow","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fntop%2Flibebpfflow","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fntop%2Flibebpfflow/lists"}