
ntop / Libebpfflow

Licence: lgpl-3.0
Container traffic visibility library based on eBPF

Programming Languages

c


libebpfflow

Traffic visibility library based on eBPF

Introduction

libebpfflow is a traffic visibility library based on eBPF able to compute network flows. It can be used to:

  • enable network visibility
  • create a packet-less network probe
  • inspect host and container communications for different container runtimes

Main features

  • Ability to inspect TCP and UDP traffic
  • Container visibility
  • TCP latency computation
  • Process and user visibility

Supported Languages

  • Golang
  • C/C++

Requirements

You need a modern eBPF-enabled Linux distribution.

On Ubuntu 16.04/18.04 LTS you can install the prerequisites (we assume that the compiler is already installed) as follows:

$ sudo apt-get install build-essential autoconf automake autogen libjson-c-dev pkg-config libzmq3-dev libcurl4-openssl-dev libbpfcc-dev

Build

Library only

$ make libebpfflow.a

Library and ebpflowexport

$ make

Go testing tool

$ make go_ebpflowexport

Testing

The library comes with two tools, ebpflowexport and go_ebpflowexport; the Build section above explains how to build them. Both were developed to show potential library usage and to provide guidance on how to use the library: ebpflowexport displays all the information provided by libebpfflow and offers options for filtering flow events, whereas go_ebpflowexport displays only basic information about events.

$ sudo ./ebpflowexport -h
ebpflowexport: Traffic visibility tool based on libebpfflow. By default all events will be shown 
Usage: ebpflow [ OPTIONS ] 
   -h, --help      display this message 
   -t, --tcp       TCP events 
   -u, --udp       UDP events 
   -i, --in        incoming events (i.e. TCP accept and UDP receive) 
   -o, --on        outgoing events (i.e. TCP connect and UDP send) 
   -r, --retr      retransmissions events 
   -c, --tcpclose  TCP close events 
   -d, --docker    gather additional information concerning containers (default: enabled)
   -v, --verbose   vebose formatting (default: every event is shown) 
Note: please run as root 

What follows is a demonstration of ebpflowexport running on a system where minikube (with containerd as its runtime) and Docker containers are running at the same time.

$ sudo ./ebpflowexport -tio
Welcome to ebpflowexport v.1.0.190407
(C) 2018-19 ntop.org
Initializing eBPF [Legacy API]...
eBPF initializated successfully
1554803923.684786 [lo][Sent][IPv4/TCP][pid/tid: 1446/496 [/usr/bin/kubelet], uid/gid: 0/0][father pid/tid: 1/0 [/lib/systemd/systemd], uid/gid: 0/0][addr: 127.0.0.1:53790 <-> 127.0.0.1:10252][latency: 0.10 msec]
1554803923.685139 [lo][Rcvd][IPv4/TCP][pid/tid: 2554/2329 [/usr/local/bin/kube-controller-manager], uid/gid: 0/0][father pid/tid: 2295/0 [/usr/local/bin/containerd-shim], uid/gid: 0/0][addr: 127.0.0.1:53790 <-> 127.0.0.1:10252][containerID: 275d71585e03][runtime: containerd][kube_pod: kube-controller-manager-minikube][kube_ns: kube-system][latency: 0.00 msec]
1554803924.781354 [eth0][Sent][IPv4/TCP][pid/tid: 30197/30197 [/usr/bin/curl], uid/gid: 0/0][father pid/tid: 26219/0 [/bin/bash], uid/gid: 0/0][addr: 172.17.0.2:54348 <-> 216.58.205.46:80][containerID: cbd2540ec5be][runtime: docker][docker_name: sleepy_haibt][latency: 0.22 msec]
1554803929.257494 [enp0s3][Sent][IPv4/TCP][pid/tid: 30221/30221 [/usr/lib/apt/methods/http], uid/gid: 104/65534][father pid/tid: 30216/0 [/usr/bin/apt], uid/gid: 0/0][addr: 10.0.2.15:37140 <-> 91.189.88.162:80][latency: 0.17 msec]
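
As an added example (not part of libebpfflow or this README), the Go code below parses ebpflowexport output lines like the ones above and keeps the outbound events that a container process sent to a non-internal address, the usual starting point when reviewing container egress. The field patterns are derived from the sample output above; the type and function names are the example's own.

```go
package main

import (
	"net"
	"regexp"
)

// Event holds the fields of one ebpflowexport line that the check below uses.
type Event struct {
	Dir, PID, UID, Exe, ContainerID, Src, Dst string
}

// The executable path sits in its own [...] nested inside the pid field, so each
// field gets a dedicated pattern instead of a generic "[key: value]" split.
var dirRe = regexp.MustCompile(`^\d+\.\d+ \[[^\]]*\]\[(Sent|Rcvd)\]`)
var procRe = regexp.MustCompile(`\[pid/tid: (\d+)/\d+ \[([^\]]*)\], uid/gid: (\d+)/`)
var addrRe = regexp.MustCompile(`\[addr: (\S+) <-> ([^\]]+)\]`)
var cidRe = regexp.MustCompile(`\[containerID: ([0-9a-f]+)\]`)

// ParseEvent extracts an Event; ok is false when direction, process or address is missing.
func ParseEvent(line string) (ev Event, ok bool) {
	d, p, a := dirRe.FindStringSubmatch(line), procRe.FindStringSubmatch(line), addrRe.FindStringSubmatch(line)
	if d == nil || p == nil || a == nil {
		return ev, false
	}
	ev.Dir, ev.PID, ev.Exe, ev.UID, ev.Src, ev.Dst = d[1], p[1], p[2], p[3], a[1], a[2]
	if c := cidRe.FindStringSubmatch(line); c != nil {
		ev.ContainerID = c[1] // absent for plain host processes such as apt above
	}
	return ev, true
}

// isInternal reports whether host:port is loopback or RFC 1918 space.
func isInternal(hostport string) bool {
	host, _, _ := net.SplitHostPort(hostport)
	ip := net.ParseIP(host) // nil when the split failed or host is not an IP
	return ip != nil && (ip.IsLoopback() || ip.IsPrivate())
}

// ContainerEgress keeps "Sent" events from a container process to a non-internal
// destination, usually the first thing to review in container traffic.
func ContainerEgress(lines []string) (out []Event) {
	for _, l := range lines {
		if ev, ok := ParseEvent(l); ok && ev.Dir == "Sent" && ev.ContainerID != "" && !isInternal(ev.Dst) {
			out = append(out, ev)
		}
	}
	return out
}
```

Run over the four sample lines above, only the curl connection from the docker container to 216.58.205.46:80 is kept; the kubelet loopback traffic and the host-side apt download are filtered out.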

A basic C++ usage example can be found in the /examples directory; for Go, the example is /go/ebpf_flow.go. More details on how to use the library can be found in the ntopng code or by inspecting the code of the ebpflowexport tool.

Export eBPF Information to ntopng

Assuming ebpflowexport and ntopng run on the same host, start them as follows:

  • ntopng -i tcp://127.0.0.1:1234
  • ebpflowexport -z tcp://127.0.0.1:1234

Start as a Docker container

To use ebpflowexport as a Docker container, first build the tool. Once the tool has been built, build the Docker image from the project root:

$ docker build -t ebpflowexport .

The container can then be run as follows; it needs --privileged and the host mounts below to load eBPF programs and to query the Docker and microk8s runtimes:

$ docker run -it --rm --privileged \
  -v /lib/modules:/lib/modules:ro \
  -v /usr/src:/usr/src:ro \
  -v /etc/localtime:/etc/localtime:ro \
  -v /sys/kernel/debug:/sys/kernel/debug \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /snap/bin/microk8s.ctr:/snap/bin/microk8s.ctr \
  ebpflowexport

Open Issues

While the library is already usable in production, we plan to add some additional features including:

  • Implement periodic flow stats exports including bytes/packets/retransmissions