{"id":15056978,"url":"https://github.com/tarsal-oss/kflowd","last_synced_at":"2025-04-10T05:06:56.286Z","repository":{"id":239980632,"uuid":"785723704","full_name":"tarsal-oss/kflowd","owner":"tarsal-oss","description":"Kernel-based Process Monitoring on Linux Endpoints for File System, TCP and UDP Networking Events and optionally DNS, HTTP and SYSLOG Application Messages via eBPF Subsystem","archived":false,"fork":false,"pushed_at":"2025-04-10T02:01:09.000Z","size":3690,"stargazers_count":60,"open_issues_count":1,"forks_count":3,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-04-10T05:06:34.921Z","etag":null,"topics":["co-re","detection","dlp","dns","dpi","ebpf","edr","filesystem","http","monitoring","netflow","siem","syslog","tcp","udp","virus","vulnerability","xdr"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tarsal-oss.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-04-12T13:41:34.000Z","updated_at":"2025-03-31T20:41:59.000Z","dependencies_parsed_at":"2024-07-22T11:37:03.356Z","dependency_job_id":"c99c738a-00f9-429c-8e1b-9dcc970d990f","html_url":"https://github.com/tarsal-oss/kflowd","commit_stats":null,"previous_names":["tarsal-oss/kflowd"],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tarsal-oss%2Fkflowd","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tarsal-oss%2Fkflowd/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hos
ts/GitHub/repositories/tarsal-oss%2Fkflowd/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tarsal-oss%2Fkflowd/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tarsal-oss","download_url":"https://codeload.github.com/tarsal-oss/kflowd/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248161274,"owners_count":21057555,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["co-re","detection","dlp","dns","dpi","ebpf","edr","filesystem","http","monitoring","netflow","siem","syslog","tcp","udp","virus","vulnerability","xdr"],"created_at":"2024-09-24T21:59:43.747Z","updated_at":"2025-04-10T05:06:56.256Z","avatar_url":"https://github.com/tarsal-oss.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"right\"\u003e\n\u003ca href=\"#\" target=\"_blank\"\u003e\u003cimg src=\"https://img.shields.io/endpoint?url=https://tarsal-oss.github.io/kflowd/gh-stats-version.json\"/\u003e\u003c/a\u003e\n\u003ca href=\"https://github.com/tarsal-oss/kflowd/actions/workflows/kflowd-ci.yml\" target=\"_blank\"\u003e\u003cimg src=\"https://github.com/tarsal-oss/kflowd/actions/workflows/kflowd-ci.yml/badge.svg\"/\u003e\u003c/a\u003e\n\u003ca href=\"#license\" target=\"_blank\"\u003e\u003cimg src=\"https://img.shields.io/badge/License-GPL_v2-lightgrey.svg\"/\u003e\u003c/a\u003e\n\u003c/div\u003e\n\n\u003cpicture\u003e\n\u003csource media=\"(prefers-color-scheme: dark)\" 
srcset=\"https://github.com/tarsal-oss/kflowd/assets/108887718/d2d59b0d-947a-4f76-ac7e-db121974fc58\" width=\"240px\"/\u003e\n\u003cimg src=\"https://github.com/tarsal-oss/kflowd/assets/108887718/fdf5f7de-9c9f-43e0-8f39-068f9b71a9f1\" width=\"240px\"/\u003e\n\u003c/picture\u003e\n\n## Kernel-based Process Monitoring on Linux Endpoints via eBPF\n\n### kflowd runs as an agent on Linux endpoints to monitor processes via the eBPF kernel subsystem for filesystem and TCP and UDP networking events, enabling immediate threat and anomaly detection on suspicious activities.\n#### Advanced non-eBPF features such as DNS, HTTP and SYSLOG application message decoding, checksum calculation for virus detection, process and file versioning for vulnerability detection and file device, network interface and user-group identification for files and processes can be enabled via open-binary plugin modules.\u003cbr\u003ePre-built kflowd and kflowd-plugins packages can be downloaded for quick installation from the [Releases](https://github.com/tarsal-oss/kflowd/releases) section.\n\nIf you would like to join our community Slack channel, please send an email to [devs@tarsal.co](mailto:devs@tarsal.co) to receive an invitation. You can also contact us directly at [kflow@tarsal.co](mailto:kflow@tarsal.co) for any questions.\n\nkflowd contains an eBPF program running in kernel context and its control application running in userspace.\u003cbr\u003e\nThe eBPF program traces kernel functions to monitor processes based on file system and networking events. Events are aggregated into records and submitted into a ringbuffer where they are polled by the userspace control application. 
All records are enriched with process information and then converted into a message in JSON output format.\u003cbr\u003e\nFinal messages are printed to the stdout console and can be sent via UDP to specified hosts for ingestion in a security data pipeline.\n\nkflowd runs on Linux kernels 5.10+ and is built with the **libbpf+CO-RE** (Compile-Once-Run-Everywhere) eBPF development toolchain using **BTF** (BPF Type Format) to allow portability by avoiding dependencies on differences in kernel headers between kernel versions on deployment.\n\u003cdiv align=\"left\"\u003e\n\u003cpicture\u003e\n\u003cimg src=\"https://github.com/user-attachments/assets/7d2dd1cf-0b77-4049-91e3-41151d9f5ab4\" width=\"1000\"\u003e\n\u003c/picture\u003e\n\u003c/div\u003e\n\n### JSON Output\n\nkflowd outputs JSON messages generated for each record of aggregated file system and TCP, UDP networking events and optionally DNS, HTTP and SYSLOG application messages in the formats shown in the following examples:\n\n\u003cdetails open\u003e\n\u003csummary\u003e\u0026nbsp;Filesystem Record\u003c/summary\u003e\n\n```\n{\n  \"InfoSequenceNumber\": 1,\n  \"InfoTimestamp\": \"Thu, Apr 04 2024 15:34:35.643031330 UTC\",\n  \"InfoMonitor\": \"filesystem\",\n  \"InfoHostName\": \"dev.kflow.co\",\n  \"InfoHostIP\": \"38.110.1.24\",\n  \"InfoSystem\": \"Linux\",\n  \"InfoKernel\": \"6.1.0-10-amd64\",\n  \"InfoVersion\": \"kflowd-v0.9.1\",\n  \"InfoUptime\": 21.262713426,\n  \"ProcParent\": \"sshd\",\n  \"Proc\": \"sftp-server\",\n  \"ProcVersion\": \"1:9.2p1-2+deb12u1\",\n  \"ProcUser\": \"dirk\",\n  \"ProcGroup\": \"dirk\",\n  \"ProcPPID\": 183546,\n  \"ProcPID\": 183547,\n  \"ProcTID\": 183547,\n  \"ProcUID\": 1002,\n  \"ProcGID\": 1002,\n  \"ProcAge\": 2.408293862,\n  \"FilePath\": \"/home/dirk/\",\n  \"File\": \"malware\",\n  \"FileVersion\": \"0.9\",\n  \"FileMode\": \"regular\",\n  \"FileEventCount\": 4,\n  \"FileEvents\": {\n    \"OPEN\": 1,\n    \"MODIFY\": 2,\n    \"CLOSE_WRITE\": 1\n  },\n  
\"FileEventsDuration\": 0.811829334,\n  \"FileInode\": 19567988,\n  \"FileInodeLinkCount\": 1,\n  \"FileDevice\": \"902h:/dev/md2:/:ext4\",\n  \"FilePermissions\": \"0755/-rwxr-xr-x\",\n  \"FileUser\": \"dirk\",\n  \"FileGroup\": \"dirk\",\n  \"FileUID\": 1002,\n  \"FileGID\": 1002,\n  \"FileSize\": 41,\n  \"FileSizeChange\": 41,\n  \"FileAccessTime\": \"Thu, Apr 04 2024 15:12:01.435718956 UTC\",\n  \"FileStatusChangeTime\": \"Thu, Apr 04 2024 15:34:35.154106191 UTC\",\n  \"FileModificationTime\": \"Thu, Apr 04 2024 15:34:35.154106191 UTC\",\n  \"FileModificationTimeChange\": 0.327993681,\n  \"FileMD5\": \"96760f46bd29ba986279f22bed9839f5\",\n  \"FileSHA256\": \"72c58c2d02ae3a87f521594373433b7d05477c4994fc0ab4376827cadb29ba7e\"\n}\n```\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n\u003csummary\u003e\u0026nbsp;UDP + DNS Networking Record\u003c/summary\u003e\n\n```\n{\n  \"InfoSequenceNumber\": 2,\n  \"InfoTimestamp\": \"Thu, Apr 04 2024 15:39:11.463732866 UTC\",\n  \"InfoMonitor\": \"socket\",\n  \"InfoHostName\": \"dev.kflow.co\",\n  \"InfoHostIP\": \"38.110.1.24\",\n  \"InfoSystem\": \"Linux\",\n  \"InfoKernel\": \"6.1.0-10-amd64\",\n  \"InfoVersion\": \"kflowd-v0.9.1\",\n  \"InfoUptime\": 23.972984597,\n  \"ProcParent\": \"bash\",\n  \"Proc\": \"curl\",\n  \"ProcVersion\": \"7.45.2-3\",\n  \"ProcUser\": \"dirk\",\n  \"ProcGroup\": \"dirk\",\n  \"ProcPPID\": 199853,\n  \"ProcPID\": 199856,\n  \"ProcTID\": 199857,\n  \"ProcUID\": 1002,\n  \"ProcGID\": 1002,\n  \"ProcAge\": 0.044454620,\n  \"SockProtocol\": \"UDP\",\n  \"SockRole\": \"CLIENT\",\n  \"SockState\": \"UDP_ESTABLISHED\",\n  \"SockFamily\": \"AF_INET\",\n  \"SockLocalIP\": \"38.110.1.24\",\n  \"SockLocalPort\": 56664,\n  \"SockRemoteIP\": \"8.8.4.4\",\n  \"SockRemotePort\": 53,\n  \"SockTxInterface\": \"4:enp5s0:0c:c4:7a:88:84:c2\",\n  \"SockTxPackets\": 2,\n  \"SockTxDuration\": 0.000048490,\n  \"SockTxBytes\": 52,\n  \"SockTxInterface\": \"4:enp5s0:0c:c4:7a:88:84:c2\",\n  \"SockRxPackets\": 2,\n  
\"SockRxPacketsQueued\": 0,\n  \"SockRxPacketsDrop\": 0,\n  \"SockRxPacketsFrag\": 0,\n  \"SockRxDuration\": 22.475134750,\n  \"SockRxBytes\": 155,\n  \"SockRxTTL\": 125,\n  \"SockAge\": 0.043689149,\n  \"App\": \"DNS\",\n  \"AppTxDns\": [{\n    \"_Timestamp\": 0.000001177,\n    \"TransactionId\": 56864,\n    \"OpCode\": \"QUERY\",\n    \"Flags\": [\"RD\"],\n    \"ResourceRecords\": [\n      [\"A\", \"kflow.co\"]\n    ]\n  },\n  {\n    \"_Timestamp\": 0.000048627,\n    \"TransactionId\": 52515,\n    \"OpCode\": \"QUERY\",\n    \"Flags\": [\"RD\"],\n    \"ResourceRecords\": [\n      [\"AAAA\", \"kflow.co\"]\n    ]\n  }],\n  \"AppRxDns\": [{\n    \"_Timestamp\": 0.037965555,\n    \"TransactionId\": 52515,\n    \"ResponseCode\": \"NOERROR\",\n    \"Flags\": [\"QR\", \"RD\", \"RA\"],\n    \"AnswerCount\": 0,\n    \"ResourceRecords\": []\n  },\n  {\n    \"_Timestamp\": 0.043688644,\n    \"TransactionId\": 56864,\n    \"ResponseCode\": \"NOERROR\",\n    \"Flags\": [\"QR\", \"RD\", \"RA\"],\n    \"AnswerCount\": 2,\n    \"ResourceRecords\": [\n      [\"A\", \"kflow.co\", 600, \"IN\", \"15.197.142.173\"],\n      [\"A\", \"kflow.co\", 600, \"IN\", \"3.33.152.147\"]\n    ]\n  }]\n}\n```\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n\u003csummary\u003e\u0026nbsp;TCP + HTTP Networking Record\u003c/summary\u003e\n\n```\n{\n  \"InfoSequenceNumber\": 3,\n  \"InfoTimestamp\": \"Thu, Apr 04 2024 15:39:11.928989997 UTC\",\n  \"InfoMonitor\": \"socket\",\n  \"InfoHostName\": \"dev.kflow.co\",\n  \"InfoHostIP\": \"38.110.1.24\",\n  \"InfoSystem\": \"Linux\",\n  \"InfoKernel\": \"6.1.0-10-amd64\",\n  \"InfoVersion\": \"kflowd-v0.9.1\",\n  \"InfoUptime\": 24.873001288,\n  \"ProcParent\": \"bash\",\n  \"Proc\": \"curl\",\n  \"ProcVersion\": \"7.45.2-3\",\n  \"ProcUser\": \"dirk\",\n  \"ProcGroup\": \"dirk\",\n  \"ProcPPID\": 199853,\n  \"ProcPID\": 216998,\n  \"ProcTID\": 216998,\n  \"ProcUID\": 1002,\n  \"ProcGID\": 1002,\n  \"ProcAge\": 0.114196829,\n  \"SockProtocol\": \"TCP\",\n 
 \"SockRole\": \"CLIENT\",\n  \"SockState\": \"TCP_CLOSE\",\n  \"SockFamily\": \"AF_INET\",\n  \"SockLocalIP\": \"38.110.1.24\",\n  \"SockLocalPort\": 43302,\n  \"SockRemoteIP\": \"15.197.142.173\",\n  \"SockRemotePort\": 80,\n  \"SockTxInterface\": \"4:enp5s0:0c:c4:7a:88:84:c2\",\n  \"SockTxDataPackets\": 1,\n  \"SockTxPackets\": 6,\n  \"SockTxPacketsRetrans\": 0,\n  \"SockTxPacketsDups\": 0,\n  \"SockTxFlags\": {\n    \"SYN\": 1,\n    \"ACK\": 3,\n    \"PSH-ACK\": 1,\n    \"FIN-ACK\": 1\n  },\n  \"SockTxDuration\": 0.057274799,\n  \"SockTxBytes\": 72,\n  \"SockTxBytesAcked\": 74,\n  \"SockTxBytesRetrans\": 0,\n  \"SockTxRTO\": 51,\n  \"SockTxInterface\": \"4:enp5s0:0c:c4:7a:88:84:c2\",\n  \"SockRxDataPackets\": 1,\n  \"SockRxPackets\": 4,\n  \"SockRxPacketsQueued\": 0,\n  \"SockRxPacketsDrop\": 0,\n  \"SockRxPacketsReorder\": 0,\n  \"SockRxPacketsFrag\": 0,\n  \"SockRxFlags\": {\n    \"SYN-ACK\": 1,\n    \"ACK\": 1,\n    \"PSH-ACK\": 1,\n    \"FIN-ACK\": 1\n  },\n  \"SockRxDuration\": 0.057197399,\n  \"SockRxBytes\": 342,\n  \"SockRxTTL\": 185,\n  \"SockRTT\": 0.000450625,\n  \"SockAge\": 0.057344028,\n  \"App\": \"HTTP\",\n  \"AppTxHttp\": [{\n    \"_Timestamp\": 0.000876589,\n    \"_Method\": \"GET\",\n    \"_Url\": \"/\",\n    \"_Version\": \"HTTP/1.1\",\n    \"Host\": \"kflow.co\",\n    \"User-Agent\": \"curl/7.88.1\",\n    \"Accept\": \"*/*\"\n  }],\n  \"AppRxHttp\": [{\n    \"_Timestamp\": 0.056237469,\n    \"_Version\": \"HTTP/1.1\",\n    \"_Status\": 301,\n    \"_Reason\": \"Moved Permanently\",\n    \"Date\": \"Thu, 04 Apr 2024 15:49:12 GMT\",\n    \"Content-Type\": \"text/html; charset=utf-8\",\n    \"Content-Length\": \"59\",\n    \"Connection\": \"keep-alive\",\n    \"Location\": \"https://kflowd.github.io\",\n    \"Server\": \"ip-10-123-123-119.ec2.internal\",\n    \"X-Request-Id\": \"5c331cbe-fbe1-40ea-ba2b-989691e687a0\",\n    \"_Body\": \"\u003ca href=\\\"https://kflowd.github.io\\\"\u003eMoved Permanently\u003c/a\u003e.\"\n  
}]\n}\n```\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n\u003csummary\u003e\u0026nbsp;UNIX Socket + SYSLOG Record\u003c/summary\u003e\n\n```\n{\n  \"InfoSequenceNumber\": 4,\n  \"InfoTimestamp\": \"Mon, Sep 16 2024 14:30:19.409100980 UTC\",\n  \"InfoMonitor\": \"socket\",\n  \"InfoHostName\": \"dev.kflow.co\",\n  \"InfoHostIP\": \"38.110.1.24\",\n  \"InfoSystem\": \"Linux\",\n  \"InfoKernel\": \"6.1.0-10-amd64\",\n  \"InfoVersion\": \"kflowd-v0.9.11\",\n  \"ProcParent\": \"cron\",\n  \"Proc\": \"cron\",\n  \"ProcVersion\": \"3.0pl1-137\",\n  \"ProcUser\": \"root\",\n  \"ProcGroup\": \"root\",\n  \"ProcPPID\": 990,\n  \"ProcPID\": 2122368,\n  \"ProcTID\": 2122368,\n  \"ProcUID\": 0,\n  \"ProcGID\": 0,\n  \"ProcAge\": 18.100170007,\n  \"SockRole\": \"CLIENT\",\n  \"SockAddress\": \"/run/systemd/journal/dev-log\",\n  \"SockFamily\": \"AF_UNIX\",\n  \"SockTxBytes\": 192,\n  \"SockAge\": 18.095146325,\n  \"App\": \"SYSLOG\",\n  \"AppTxSyslog\": [{\n    \"Facility\": \"Security/Authorization\",\n    \"Severity\": \"Notice (5)\",\n    \"Priority\": 85,\n    \"Version\": 0,\n    \"Timestamp\": \"Sep 16 14:30:01\",\n    \"Appname\": \"CRON\",\n    \"ProcId\": \"2122368\",\n    \"Message\": \"pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)\"\n  },\n  {\n    \"Facility\": \"Security/Authorization\",\n    \"Severity\": \"Informational (6)\",\n    \"Priority\": 86,\n    \"Version\": 0,\n    \"Timestamp\": \"Sep 16 14:30:01\",\n    \"Appname\": \"CRON\",\n    \"ProcId\": \"2122368\",\n    \"Message\": \"pam_unix(cron:session): session closed for user root\"\n  }]\n}\n```\n\u003c/details\u003e\n\n### Runtime Requirements\nKernel 5.10+ compiled with:\n- CONFIG_BPF=y\n- CONFIG_KPROBES=y\n- CONFIG_KRETPROBES=y\n- CONFIG_DEBUG_INFO_BTF=y\n- Maps (since 4.1+) to perform filesystem event aggregation in hash tables\n- Ringbuffer (since 5.8+) to share data between kernel eBPF program and user-space application\n- Global variables (since 5.5) for 
parameterization of application behavior\n- vmlinux.h file in binary form at /sys/kernel/btf/vmlinux\n- Libraries libelf and libz installed\n\n### Runtime Performance Recommendations\nKernel 5.10+ compiled with Just-In-Time eBPF compiler (JIT):\n- CONFIG_BPF_JIT=y\n\nJIT system control settings enabled:\n- net.core.bpf_jit_enable=1\n\nThe following link provides an overview of Linux distributions with eBPF CO-RE \u0026 BTF enabled by default:\u003cbr\u003e\n**[Linux Distributions w/ eBPF CO-RE \u0026 BTF](https://github.com/libbpf/libbpf#bpf-co-re-compile-once--run-everywhere)**\n\nFor high performance UDP output the following kernel network settings are recommended:\n- sysctl -w net.core.rmem_max=134217728\n- sysctl -w net.core.wmem_max=134217728\n\n### Runtime Options\n```\nUsage:\n  kflowd [-m file,socket] [-t IDLE,ACTIVE] [-e EVENTS] [-o json|json-min|table] [-v] [-c]\n         [-p dns|http|syslog=PROTO/PORT,...] [-u IP:PORT] [-q] [-d] [-V] [-T TOKEN] [-P PATH]\n         [-D PROCESS], [-l] [--legend], [-h] [--help], [--version]\n  -m file,socket           Monitor only specified kernel subsystem (filesystem or sockets)\n                             (default: all, option omitted!)\n  -t IDLE,ACTIVE           Timeout in seconds for idle or active network sockets until export\n                             (default: idle '15' seconds, active '1800' seconds)\n  -e EVENTS                Max number of filesystem events per aggregated record until export\n                             (default: disabled, '1': no aggregation)\n  -o json                  Json output with formatting (default)\n     json-min              Json output with minimal formatting\n     table                 Tabular output with limited keys and no UDP output\n  -v                       Version of executable files identified by installed package\n                             (supported only for rpm- and deb-based package management)\n  -c                       Checksum hashes of MD5 and SHA256 
calculated for executables\n  -p dns=PROTO/PORT,...    Port(s) examined for decoding of DNS application protocol\n                             (default: 'dns=udp/53,tcp/53', disabled: 'dns=off')\n  -p http=PROTO/PORT,...   Port(s) examined for decoding of HTTP application protocol\n                             (default: 'http=tcp/80', disabled: 'http=off')\n  -p syslog=PROTO/PORT,... Port(s) examined for decoding of SYSLOG application protocol\n                             (default: 'syslog=udp/514,tcp/514,unix', disabled: 'syslog=off')\n  -u IP:PORT,...           UDP server(s) IPv4 or IPv6 address to send json output to.\n                           Output also printed to stdout console unless quiet option -q or\n                             daemon mode -d specified\n  -q                       Quiet mode to suppress output to stdout console\n  -d                       Daemonize program to run in background\n  -V                       Verbose output\n                             Print eBPF load and co-re messages on start of eBPF program\n                             to stderr console\n  -T TOKEN                 Token specified on host to be included in json output\n  -P PATH                  Path to search for kflowd plugin modules (default: '../lib/')\n  -l, --legend             Show legend\n  -h, --help               Show help\n      --version            Show version\n  -D PROCESS               Debug\n                             Print ebpf kernel log messages of process or expiration queue to\n                             kernel trace pipe (any process: '*', with quotes!, queue: 'q')\n                             Use command:\n                               'sudo cat /sys/kernel/debug/tracing/trace_pipe'\n\nExamples:\n  sudo ./kflowd                                                           # terminal mode\n  sudo ./kflowd -m file,socket -v -c -u 1.2.3.4:2056,127.0.0.1:2057 -d    # daemon mode\n  sudo ./kflowd -m socket -v -c -u 1.2.3.4:2056 -V -D '*'            
     # debug mode\n  sudo ./kflowd --legend                                                  # show legend\n  sudo ./kflowd --version                                                 # show version\n```\n\n### Build Requirements\n- Kernel version 5.10+ compiled with BTF for CO-RE:\n  ```\n  uname -a\n  cat /boot/config-* | grep CONFIG_DEBUG_INFO_BTF\n  ```\n- BPF enabled in file /etc/sysctl.conf:\n  ```\n  ...\n  kernel.bpf_stats_enabled=1\n  kernel.unprivileged_bpf_disabled=0\n  ```\n\n### Build Prerequisites\n- Debian-based (Ubuntu, Mint)\n\n    - Install libraries:\n      ```\n      sudo apt install libz-dev\n      sudo apt install libelf-dev\n      sudo apt install libcap-dev\n      sudo apt install libbfd-dev\n      sudo apt install libc6-dev-i386\n      ```\n    - Install Clang 16+ toolchain:\n      ```\n      sudo apt install build-essential\n      sudo apt install pkg-config\n      sudo apt install clang-16*\n      sudo apt install llvm-16*\n      sudo ln -s /usr/bin/clang-16 /usr/bin/clang\n      sudo ln -s /usr/bin/llvm-strip-16 /usr/bin/llvm-strip\n      ```\n    - Install nfpm Linux packager:\n      ```\n      echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/\n            /' | sudo tee /etc/apt/sources.list.d/goreleaser.list\n      sudo apt update\n      sudo apt install nfpm\n      ```\n\n- Redhat-based (Amazon Linux, Fedora)\n\n    - Install libraries:\n      ```\n      sudo yum install zlib-devel\n      sudo yum install elfutils-libelf-devel\n      sudo yum install libcap-devel\n      sudo yum install binutils-devel\n      sudo yum install glibc-devel.i386 or .i686\n      ```\n    - Install Clang 16+ toolchain:\n      ```\n      sudo yum groupinstall 'Development Tools'\n      sudo yum install pkgconfig\n      sudo yum install clang*\n      sudo yum install llvm*\n      ```\n    - Install nfpm Linux packager:\n      ```\n      echo '[goreleaser]\n            name=GoReleaser\n            baseurl=https://repo.goreleaser.com/yum/\n            
enabled=1\n            gpgcheck=0' | sudo tee /etc/yum.repos.d/goreleaser.repo\n      sudo yum install nfpm\n      ```\n\n### Build Instructions\n```\ngit clone https://github.com/tarsal-oss/kflowd.git\ncd kflowd\ngit submodule update --init --recursive\ncd src\nmake\nmake rpm deb\n```\n\n### Installation Instructions\nPackages can be installed on Linux x86_64 and arm64 based platforms:\n- Debian\n```\nsudo apt install ./kflowd_x.x.x_amd64.deb\nsudo apt install ./kflowd_x.x.x_arm64.deb\n```\n- Redhat\n```\nsudo yum install ./kflowd-x.x.x.x86_64.rpm\nsudo yum install ./kflowd-x.x.x.aarch64.rpm\n```\nNote that build artifacts can be downloaded under GitHub Actions in the Artifacts section of the kflowd-ci workflow run with binaries and packages compatible for both x86_64 and arm64 platforms (glibc 2.31+):\\\n[Pre-built binaries, RPM and DEB packages (zipped)](https://github.com/tarsal-oss/kflowd/actions/workflows/kflowd-ci.yml)\n\n\u003cbr\u003e\n\n### License\nThis work is licensed under [GNU General Public License v2.0](https://github.com/tarsal-oss/kflowd/blob/master/LICENSE).\n```\nSPDX-License-Identifier: GPL-2.0\n```\n\n### Acknowledgements\n- **libbpf+CO-RE:** Andrii Nakryiko's Blog, **[BPF CO-RE Reference Guide](https://nakryiko.com/posts/bpf-core-reference-guide/)**\n- **eBPF Tracing:** Brendan Gregg, **[Linux Extended BPF (eBPF) Tracing Tools](https://www.brendangregg.com/ebpf.html)**\n- **SHA256:**       Cgminer (Bitcoin mining project), **[Fast SHA256 Implementation](https://github.com/fcicq/cgminer/)**\n- **MD5:**          RSA Data Security, **[MD5 Message-Digest Algorithm](https://github.com/Zunawe/md5-c/)**\n\n\u003cbr\u003e\n\u003cdiv align=\"right\"\u003e\n\u003ca href=\"https://github.com/tarsal-oss/kflowd/graphs/traffic\" target=\"_blank\"\u003e\u003cimg src=\"https://img.shields.io/endpoint?url=https://tarsal-oss.github.io/kflowd/gh-stats-clones.json\"/\u003e\u003c/a\u003e\n\u003ca href=\"https://github.com/tarsal-oss/kflowd/graphs/traffic\" 
target=\"_blank\"\u003e\u003cimg src=\"https://img.shields.io/endpoint?url=https://tarsal-oss.github.io/kflowd/gh-stats-clones-14d.json\"/\u003e\u003c/a\u003e\n\u003cbr\u003e\n\u003ca href=\"https://github.com/tarsal-oss/kflowd/graphs/traffic\" target=\"_blank\"\u003e\u003cimg src=\"https://img.shields.io/endpoint?url=https://tarsal-oss.github.io/kflowd/gh-stats-views.json\"/\u003e\u003c/a\u003e\n\u003ca href=\"https://github.com/tarsal-oss/kflowd/graphs/traffic\" target=\"_blank\"\u003e\u003cimg src=\"https://img.shields.io/endpoint?url=https://tarsal-oss.github.io/kflowd/gh-stats-views-14d.json\"/\u003e\u003c/a\u003e\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftarsal-oss%2Fkflowd","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftarsal-oss%2Fkflowd","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftarsal-oss%2Fkflowd/lists"}