https://github.com/yuuki/go-conntracer-bpf

Go library using eBPF to trace network flow events
https://github.com/yuuki/go-conntracer-bpf

bpf cgo ebpf go golang kprobe libbpf tcp tracing udp

Last synced: 8 months ago
JSON representation

Go library using eBPF to trace network flow events

• Host: GitHub
• URL: https://github.com/yuuki/go-conntracer-bpf
• Owner: yuuki
• License: apache-2.0
• Created: 2020-12-24T14:24:03.000Z (over 5 years ago)
• Default Branch: main
• Last Pushed: 2021-04-19T07:18:40.000Z (about 5 years ago)
• Last Synced: 2025-02-01T05:41:20.489Z (over 1 year ago)
• Topics: bpf, cgo, ebpf, go, golang, kprobe, libbpf, tcp, tracing, udp
• Language: C
• Homepage:
• Size: 8.93 MB
• Stars: 34
• Watchers: 3
• Forks: 2
• Open Issues: 2
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# go-conntracer-bpf

[![Go Reference](https://pkg.go.dev/badge/github.com/yuuki/go-conntracer-bpf.svg)](https://pkg.go.dev/github.com/yuuki/go-conntracer-bpf)

go-conntracer-bpf is a library for Go for tracing network connection (TCP/UDP) events (connect, accept, sendto, recvfrom) on BPF kprobe inspired by [weaveworks/tcptracer-bpf](https://github.com/weaveworks/tcptracer-bpf). go-conntracer-bpf is implemented on top of [libbpf](https://github.com/libbpf/libbpf), which is a representative C library for BPF included Linux kernel.

## Features

- Low-overhead tracing by aggregating connection events in kernel.

- BPF CO-RE (Compile Once – Run Everywhere)-enabled

![Flow events aggregation in kernel](./docs/images/aggregation.png "aggregation")

## Prerequisites

### Compilation phase

- libbpf source code

- Clang/LLVM >= 9

### Runtime phase

- Linux kernel version >= 5.6 (due to batch ops to bpf maps)

- Linux kernel to be built with BTF type information. See .

### Common to both phase

- libelf and zlib libraries

## Features of Linux kernel included in go-conntracer-bpf

go-conntracer-bpf makes use of some latest features of Linux kernel.

- BPF Type Format (BTF)	in kernel version 4.18.

- Batch API to BPF map (BPF_MAP_UPDATE_BATCH, BPF_MAP_LOOKUP_AND_DELETE_BATCH) in kernel version 5.6.

- Ring Buffer in kernel version 5.8 (only a flavor of no-aggregation in kernel).

## Usage

- [godoc](https://godoc.org/github.com/yuuki/go-conntracer-bpf)

## conntop

conntop is a CLI tool to show connection events.

### Build conntop

```shell-session

$ make DOCKER=1

```

## Projects using go-conntracer-bpf

- [yuuki/shawk](https://github.com/yuuki/shawk)