Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/ntop/libebpfflow
Container traffic visibility library based on eBPF
https://github.com/ntop/libebpfflow
containers docker ebpf kubernetes linux netflow traffic-monitoring
Last synced: about 1 month ago
JSON representation
Container traffic visibility library based on eBPF
- Host: GitHub
- URL: https://github.com/ntop/libebpfflow
- Owner: ntop
- License: lgpl-3.0
- Created: 2019-02-13T22:11:01.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2022-05-17T07:16:11.000Z (over 2 years ago)
- Last Synced: 2024-06-18T21:35:02.712Z (3 months ago)
- Topics: containers, docker, ebpf, kubernetes, linux, netflow, traffic-monitoring
- Language: C
- Homepage:
- Size: 302 KB
- Stars: 355
- Watchers: 10
- Forks: 38
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: COPYING
Awesome Lists containing this project
README
# libebpfflow
Traffic visibility library based on eBPF
### Introduction
libebpfflow is a traffic visibility library based on eBPF able to compute network flows. It can be used to:
* enable network visibility
* create a packet-less network probe
* inspect host and container communications for different container runtimes
### Main features
* Ability to inspect TCP and UDP traffic
* Container visibility
* TCP latency computation
* Process and user visibility
### Supported Languages
* Golang
* C/C++
### Requirements
You need a modern eBPF-enabled Linux distribution.
On Ubuntu 16.04/18.04/20.04 Server LTS you can install the prerequisites (we assume that the compiler is already installed) as follows:
```sh
$ sudo apt-get install build-essential autoconf automake autogen libjson-c-dev pkg-config libzmq3-dev libcurl4-openssl-dev libbpfcc-dev
```
### Build
Generate makefile
```sh
$ ./autogen.sh
```
Now build averything
```sh
$ make
```
Go testing tool
```sh
make go_ebpflowexport
```
### Testing
The library comes with two different tools: *ebpflowexport* and *go\_ebpflowexport*. In the _Build_ section is reported how to build the tools. Although both tools were developed to show potential library usage and to provide guidance on how to use the library, *ebpflowexport* displays all the information provided by *libebpfflow* and provides some options for filtering flow events while *go\_ebpflowexport* displays only basic information concerning events.
```sh
$ sudo ./ebpflowexport -h
ebpflowexport: Traffic visibility tool based on libebpfflow. By default all events will be shown
Usage: ebpflow [ OPTIONS ]
-h, --help display this message
-t, --tcp TCP events
-u, --udp UDP events
-i, --in incoming events (i.e. TCP accept and UDP receive)
-o, --on outgoing events (i.e. TCP connect and UDP send)
-r, --retr retransmissions events
-c, --tcpclose TCP close events
-d, --docker gather additional information concerning containers (default: enabled)
-v, --verbose vebose formatting (default: every event is shown)
Note: please run as root
```
What follows is a demostration of the execution of *ebpflowexport* in a system where both minikube with containerd as runtime and docker containers are running at the same time.
```sh
$ sudo ./ebpflowexport -tio
Welcome to ebpflowexport v.1.0.190407
(C) 2018-19 ntop.org
Initializing eBPF [Legacy API]...
eBPF initializated successfully
1554803923.684786 [lo][Sent][IPv4/TCP][pid/tid: 1446/496 [/usr/bin/kubelet], uid/gid: 0/0][father pid/tid: 1/0 [/lib/systemd/systemd], uid/gid: 0/0][addr: 127.0.0.1:53790 <-> 127.0.0.1:10252][latency: 0.10 msec]
1554803923.685139 [lo][Rcvd][IPv4/TCP][pid/tid: 2554/2329 [/usr/local/bin/kube-controller-manager], uid/gid: 0/0][father pid/tid: 2295/0 [/usr/local/bin/containerd-shim], uid/gid: 0/0][addr: 127.0.0.1:53790 <-> 127.0.0.1:10252][containerID: 275d71585e03][runtime: containerd][kube_pod: kube-controller-manager-minikube][kube_ns: kube-system][latency: 0.00 msec]
1554803924.781354 [eth0][Sent][IPv4/TCP][pid/tid: 30197/30197 [/usr/bin/curl], uid/gid: 0/0][father pid/tid: 26219/0 [/bin/bash], uid/gid: 0/0][addr: 172.17.0.2:54348 <-> 216.58.205.46:80][containerID: cbd2540ec5be][runtime: docker][docker_name: sleepy_haibt][latency: 0.22 msec]
1554803929.257494 [enp0s3][Sent][IPv4/TCP][pid/tid: 30221/30221 [/usr/lib/apt/methods/http], uid/gid: 104/65534][father pid/tid: 30216/0 [/usr/bin/apt], uid/gid: 0/0][addr: 10.0.2.15:37140 <-> 91.189.88.162:80][latency: 0.17 msec]
```
A basic example of usage in c++ can be found in the directory */examples* whereas for the Go language the example provided is the one in */go/ebpf_flow.go*. More details on how to use the library you can be found in the [ntopng](https://github.com/ntop/ntopng) code or by inspecting the code of the tool ebpflowexport application.
### Export eBPF Information to ntopng
Supposing to start both ebpflowexport and ntopng on the same host do
- ntopng -i tcp://127.0.0.1:1234
- ebpflowexport -z tcp://127.0.0.1:1234
### Start as a Docker container
To use ebpflowexport as a Docker container first you have to build the tool. Once the tool has been built, build the docker image from the project root:
```sh
$ docker build -t ebpflowexport .
```
The container can then be run
```sh
$ docker run -it --rm --privileged \
-v /lib/modules:/lib/modules:ro \
-v /usr/src:/usr/src:ro \
-v /etc/localtime:/etc/localtime:ro \
-v /sys/kernel/debug:/sys/kernel/debug \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /snap/bin/microk8s.ctr:/snap/bin/microk8s.ctr \
ebpflowexport
```
### Open Issues
While the library is already usable in production, we plan to add some additional features including:
* Implement periodic flow stats exports including bytes/packets/retransmissions