- This repo contains code to build a tool that examines the IP addresses a host is connecting to. eBPF is used to write a kernel-space program, attached via XDP, that inspects each packet and extracts the IP address.
- Since XDP is the earliest point at which packets can be intercepted, it was very interesting to experiment with and learn.
- All sorts of interesting things, such as filtering and re-shaping as well as introspection into the packet data, can be performed with XDP.
- Go is used for the userspace program, which displays each IP address together with its packet count.
- The userspace Go code is written with Cilium eBPF. Its very handy bpf2go tool generates the Go bindings from the eBPF C code.
- Bubble-Table, which is built on the Bubble Tea framework, is used to produce the TUI.
Pre-requisites:
- Host OS with Docker installed
- Currently cannot be run on Docker for Mac
```sh
make docker-run
```
This will open a shell in the Docker container that has all the dependencies installed.
```sh
make build
# on amd64 machine (use ebpf-xdp-arm64 if you are on arm64)
./bin/ebpf-xdp <iface_name>
# ./bin/ebpf-xdp eth0
```
Example Output:
The XDP kernel program can be found here.
The header files for the XDP kernel program are generated and downloaded by update.sh and vmlinux.sh.
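The header-parsing step the XDP kernel program has to perform before it can read the IPv4 destination, as an added stand-alone C example (not the repo's program): the same two explicit `data_end` bounds checks are what the BPF verifier demands in the real XDP code, and non-IPv4 frames such as IPv6 are rejected, which is why the IPv6 item below is still open. The sample frames and the helper names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ETH_HLEN    14      /* dst MAC, src MAC, EtherType */
#define ETH_P_IP    0x0800  /* EtherType for IPv4 */
#define IP_HLEN_MIN 20      /* IPv4 header without options */

/* Parse Ethernet + IPv4 and write the destination address (host byte order)
 * to *dst. Returns 0 on success, -1 if the frame is too short to hold the
 * headers, -2 if it is not IPv4 (e.g. IPv6, which the tool does not handle yet).
 * In the XDP program, data/data_end come from struct xdp_md. */
int parse_dst_ipv4(const uint8_t *data, const uint8_t *data_end, uint32_t *dst)
{
    if (data + ETH_HLEN > data_end)          /* bounds check: Ethernet header */
        return -1;
    uint16_t ethertype = (uint16_t)((data[12] << 8) | data[13]);
    if (ethertype != ETH_P_IP)
        return -2;
    const uint8_t *ip = data + ETH_HLEN;
    if (ip + IP_HLEN_MIN > data_end)         /* bounds check: IPv4 header */
        return -1;
    if ((ip[0] >> 4) != 4)                   /* version nibble must be 4 */
        return -2;
    /* Destination address is bytes 16..19 of the IPv4 header, network order. */
    *dst = ((uint32_t)ip[16] << 24) | ((uint32_t)ip[17] << 16) |
           ((uint32_t)ip[18] << 8)  |  (uint32_t)ip[19];
    return 0;
}

/* Convenience wrapper: parsed destination, or 0 when the frame is unusable. */
uint32_t dst_ipv4_or_zero(const uint8_t *frame, size_t len)
{
    uint32_t dst = 0;
    return parse_dst_ipv4(frame, frame + len, &dst) == 0 ? dst : 0;
}

/* Constructed sample frames (not captured traffic): a minimal IPv4/UDP frame
 * to 10.1.2.3, and an IPv6 frame (EtherType 0x86DD) with a zeroed header. */
const uint8_t SAMPLE_IPV4_FRAME[ETH_HLEN + IP_HLEN_MIN] = {
    0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00,          /* Ethernet, type IPv4 */
    0x45,0x00,0x00,0x14, 0,0, 0,0, 64,17, 0,0,    /* IPv4: ver/ihl..checksum */
    192,168,1,10,                                 /* source 192.168.1.10 */
    10,1,2,3 };                                   /* destination 10.1.2.3 */
const uint8_t SAMPLE_IPV6_FRAME[ETH_HLEN + 40] = { [12] = 0x86, [13] = 0xDD };

int main(void)
{
    uint32_t d = dst_ipv4_or_zero(SAMPLE_IPV4_FRAME, sizeof SAMPLE_IPV4_FRAME);
    printf("dst=%u.%u.%u.%u\n", d >> 24, (d >> 16) & 255, (d >> 8) & 255, d & 255);
    return 0;
}
```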
- Add support for IPv6 addresses