Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/yuuki/go-conntracer-bpf

Go library using eBPF to trace network flow events
https://github.com/yuuki/go-conntracer-bpf

bpf cgo ebpf go golang kprobe libbpf tcp tracing udp

Last synced: 6 days ago
JSON representation

Go library using eBPF to trace network flow events

Host: GitHub
URL: https://github.com/yuuki/go-conntracer-bpf
Owner: yuuki
License: apache-2.0
Created: 2020-12-24T14:24:03.000Z (almost 4 years ago)
Default Branch: main
Last Pushed: 2021-04-19T07:18:40.000Z (over 3 years ago)
Last Synced: 2024-06-19T02:59:34.426Z (4 months ago)
Topics: bpf, cgo, ebpf, go, golang, kprobe, libbpf, tcp, tracing, udp
Language: C
Homepage:
Size: 8.93 MB
Stars: 34
Watchers: 3
Forks: 2
Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        # go-conntracer-bpf

[![Go Reference](https://pkg.go.dev/badge/github.com/yuuki/go-conntracer-bpf.svg)](https://pkg.go.dev/github.com/yuuki/go-conntracer-bpf)

go-conntracer-bpf is a library for Go for tracing network connection (TCP/UDP) events (connect, accept, sendto, recvfrom) on BPF kprobe inspired by [weaveworks/tcptracer-bpf](https://github.com/weaveworks/tcptracer-bpf). go-conntracer-bpf is implemented on top of [libbpf](https://github.com/libbpf/libbpf), which is a representative C library for BPF included Linux kernel.

## Features

- Low-overhead tracing by aggregating connection events in kernel.

- BPF CO-RE (Compile Once – Run Everywhere)-enabled

![Flow events aggregation in kernel](./docs/images/aggregation.png "aggregation")

## Prerequisites

### Compilation phase

- libbpf source code

- Clang/LLVM >= 9

### Runtime phase

- Linux kernel version >= 5.6 (due to batch ops to bpf maps)

- Linux kernel to be built with BTF type information. See .

### Common to both phase

- libelf and zlib libraries

## Features of Linux kernel included in go-conntracer-bpf

go-conntracer-bpf makes use of some latest features of Linux kernel.

- BPF Type Format (BTF)	in kernel version 4.18.

- Batch API to BPF map (BPF_MAP_UPDATE_BATCH, BPF_MAP_LOOKUP_AND_DELETE_BATCH) in kernel version 5.6.

- Ring Buffer in kernel version 5.8 (only a flavor of no-aggregation in kernel).

## Usage

- [godoc](https://godoc.org/github.com/yuuki/go-conntracer-bpf)

## conntop

conntop is a CLI tool to show connection events.

### Build conntop

```shell-session

$ make DOCKER=1

```

## Projects using go-conntracer-bpf

- [yuuki/shawk](https://github.com/yuuki/shawk)