README
¶
ebpf-xdp
-
This repo contains code to build a tool to examine IP address a host is connecting to. Here eBPF is used to write a program in kernel space using XDP to examine the packets and extract the IP address.
-
Since XDP is the earliest point where the packets can be intercepted it was very interesting to experiment with and learn.
-
All sorts of interesting things such as filtering and re-shaping plus introspection into the packet data can be performed using XDP.
-
Used Golang to write the userspace program to display the IP address with the count of packets.
-
Used Cilium eBPF to write the userspace Go code. There is a very handy tool bpf2go which can be used to generate the Go code from the eBPF code.
-
Used Bubble-Table which is based on the BubbleTea framework to product the TUI
Development
Pre-requisites:
- Host OS with Docker installed
- Currently cannot be run on Docker for Mac
make docker-run
This will open up a shell with the Docker container that has all the dependencies installed
make build
# on amd64 machine (use ebpf-xdp-arm64 if you are on arm64)
./bin/ebpf-xdp <iface_name>
# ./bin/ebpf-xdp eth0
Example Output:
XDP Kernel program can be found here
The header files for the XDP kernel program are generated and downloaded by update.sh and vmlinux.sh
TODOs
- Add support for IPv6 addresses
Documentation
¶
There is no documentation for this package.
Source Files
Directories