ebpf-xdp

  • This repo contains the code to build a tool that examines the IP addresses a host is connecting to. eBPF is used to write a kernel-space program, attached via XDP, that examines each packet and extracts the IP address.

  • Since XDP is the earliest point at which packets can be intercepted, it was very interesting to experiment with and learn.

  • All sorts of interesting things, such as filtering and re-shaping, plus introspection into the packet data, can be performed with XDP.

  • Go was used to write the userspace program that displays each IP address with its packet count.

  • Cilium eBPF was used to write the userspace Go code. Its very handy bpf2go tool generates the Go bindings from the eBPF code.

  • Bubble-Table, which is based on the Bubble Tea framework, was used to produce the TUI.
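As an added example (not the repo's own code), the following shows the shape of the parse an XDP program has to do before it can read the destination address: every header access is preceded by a comparison against `data_end`, because the eBPF verifier rejects a program that touches packet bytes it has not proven to be in bounds. It is written as portable C over a constructed Ethernet+IPv4 frame so it compiles and runs in user space with an ordinary compiler; the struct names, `extract_ipv4_dst`, and the array-backed `ip_counts` table standing in for a BPF hash map are all hypothetical. Non-IPv4 frames (ARP, IPv6, which the TODO below lists as unsupported) are skipped, which is the user-space equivalent of returning XDP_PASS without counting.

```c
/* Added example, not the repo's code: the bounds-checked header parse an XDP
 * program must do before touching packet bytes, written as portable C so it
 * runs in user space. Struct and function names here are hypothetical. */
#include <assert.h>
#include <arpa/inet.h>   /* htons/ntohs/htonl, inet_ntop */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_P_IP   0x0800   /* IPv4 EtherType */
#define MAX_IPS    256      /* toy stand-in for a BPF hash map's max_entries */

struct eth_hdr { uint8_t dst[6], src[6]; uint16_t proto; } __attribute__((packed));
struct ipv4_hdr {
    uint8_t  ver_ihl, tos;
    uint16_t tot_len, id, frag_off;
    uint8_t  ttl, proto;
    uint16_t csum;
    uint32_t saddr, daddr;          /* network byte order, as on the wire */
} __attribute__((packed));

/* Stand-in for the per-destination counter map the userspace program reads. */
struct ip_counts { uint32_t ip[MAX_IPS]; uint64_t pkts[MAX_IPS]; size_t n; };

/* Mirrors the XDP parse: each header read is preceded by a check against
 * data_end, which is what the eBPF verifier insists on. Returns 1 and stores
 * the IPv4 destination for a complete IPv4 frame, else 0 (the XDP program
 * would XDP_PASS such frames untouched, IPv6 included). */
int extract_ipv4_dst(const uint8_t *data, const uint8_t *data_end, uint32_t *dst)
{
    const struct eth_hdr *eth = (const struct eth_hdr *)data;
    if ((const uint8_t *)(eth + 1) > data_end) return 0;   /* truncated Ethernet header */
    if (ntohs(eth->proto) != ETH_P_IP) return 0;           /* not IPv4 (ARP, IPv6, ...) */

    const struct ipv4_hdr *ip = (const struct ipv4_hdr *)(eth + 1);
    if ((const uint8_t *)(ip + 1) > data_end) return 0;    /* truncated IPv4 header */
    if ((ip->ver_ihl >> 4) != 4 || (ip->ver_ihl & 0x0f) < 5) return 0;  /* malformed */

    *dst = ip->daddr;
    return 1;
}

/* Increment the counter for ip, inserting it if new. Returns 0 if the table is full. */
int counts_inc(struct ip_counts *m, uint32_t ip)
{
    for (size_t i = 0; i < m->n; i++)
        if (m->ip[i] == ip) { m->pkts[i]++; return 1; }
    if (m->n == MAX_IPS) return 0;
    m->ip[m->n] = ip; m->pkts[m->n] = 1; m->n++;
    return 1;
}

uint64_t counts_get(const struct ip_counts *m, uint32_t ip)
{
    for (size_t i = 0; i < m->n; i++)
        if (m->ip[i] == ip) return m->pkts[i];
    return 0;
}

/* One "XDP invocation": parse the frame and count its destination.
 * Returns 1 if the frame was counted, 0 if it was skipped. */
int process_frame(struct ip_counts *m, const uint8_t *data, size_t len)
{
    uint32_t dst;
    if (!extract_ipv4_dst(data, data + len, &dst)) return 0;
    return counts_inc(m, dst);
}

/* Constructed test input: a minimal 34-byte Ethernet+IPv4 frame (no payload)
 * with the given EtherType and destination address (network byte order). */
size_t build_frame(uint8_t *buf, uint16_t ethertype, uint32_t daddr_be)
{
    struct eth_hdr eth = {0};
    struct ipv4_hdr ip = {0};
    eth.proto = htons(ethertype);
    ip.ver_ihl = 0x45;                 /* IPv4, 5 x 32-bit words of header */
    ip.tot_len = htons(sizeof ip);
    ip.ttl = 64; ip.proto = 6;         /* TCP, irrelevant to this parse */
    ip.saddr = htonl(0xC0A80002);      /* 192.168.0.2, constructed */
    ip.daddr = daddr_be;
    memcpy(buf, &eth, sizeof eth);
    memcpy(buf + sizeof eth, &ip, sizeof ip);
    return sizeof eth + sizeof ip;
}

int main(void)
{
    struct ip_counts m = {0};
    uint8_t frame[64];
    size_t len = build_frame(frame, ETH_P_IP, htonl(0x0A000001));  /* 10.0.0.1 */
    process_frame(&m, frame, len);
    process_frame(&m, frame, len);
    process_frame(&m, frame, 20);      /* truncated: rejected, not counted */
    for (size_t i = 0; i < m.n; i++) {
        char s[INET_ADDRSTRLEN];
        struct in_addr a = { .s_addr = m.ip[i] };
        inet_ntop(AF_INET, &a, s, sizeof s);
        printf("%-15s %llu\n", s, (unsigned long long)m.pkts[i]);
    }
    return 0;
}
```

The two `> data_end` comparisons are the part worth carrying over to the real kernel program: without them the verifier refuses to load it, and with them a truncated or non-IPv4 frame is skipped rather than misread. In the real tool the counter lives in a BPF map updated from kernel space and read by the Go side; the array here only stands in for that.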

Development

Pre-requisites:

  • Host OS with Docker installed
  • Currently cannot be run on Docker for Mac

make docker-run

This opens a shell in the Docker container that has all the dependencies installed.

make build

# on amd64 machine (use ebpf-xdp-arm64 if you are on arm64)
./bin/ebpf-xdp <iface_name>
# ./bin/ebpf-xdp eth0

Example Output: a screenshot of the TUI table is shown in the original README.

The XDP kernel program can be found here.

The header files for the XDP kernel program are generated and downloaded by update.sh and vmlinux.sh.

TODOs

  • Add support for IPv6 addresses