Skip to main content

eBPF Event Interceptor

Network event tracers for Linux using eBPF (BCC) to monitor TCP and UDP traffic in real-time

Get StartedView on GitHub

Overview

eBPF Event Interceptor is a lightweight C/C++ library that provides real-time network traffic monitoring capabilities for Linux systems. By leveraging eBPF (extended Berkeley Packet Filter) technology via BCC (BPF Compiler Collection), it enables efficient, low-overhead tracing of TCP and UDP network events directly from the kernel.

TCP Event Tracking

Monitor TCP connections with detailed metrics including bytes transferred, packet counts, and connection states

UDP Traffic Monitoring

Track UDP traffic patterns with support for both IPv4 and IPv6 protocols

Process Attribution

Correlate network events with process information including PID, UID, and command names

High Performance

Efficient perf buffer streaming with minimal overhead on system resources

Key Features

Real-time Monitoring

Capture network events as they happen with kernel-level eBPF probes

IPv4 & IPv6 Support

Full support for both IPv4 and IPv6 network protocols

Rich Metrics

Collect detailed metrics including bytes sent/received, packet counts, ports, and addresses

Netlink Integration

TCP monitoring enhanced with netlink socket diagnostics for comprehensive connection tracking

Low Overhead

Efficient eBPF implementation minimizes performance impact

MIT Licensed

Open source and free to use in commercial and personal projects

Quick Start

Get started with eBPF Event Interceptor in just a few steps:
1

Install Dependencies

Install BCC and build tools on your Linux system
sudo apt install -y build-essential cmake
2

Clone and Build

Clone the repository and compile the libraries
git clone https://github.com/microsoft/eBPF-Event-Interceptor.git
cd eBPF-Event-Interceptor
mkdir build && cd build
cmake ../
make -j`nproc --ignore=1`
sudo make install
3

Start Monitoring

Use the TCP or UDP event tracers in your application
#include "event.h"

// Initialize TCP event tracer
AddProbe(BPF_PROGRAM);

// Retrieve events
while (1) {
    struct tcp_event_t event = DequeuePerfEvent();
    // Process event...
}

Use Cases

Monitor network connections in real-time to detect suspicious traffic patterns, unauthorized connections, or potential security threats at the kernel level.
Analyze network performance metrics to identify bottlenecks, optimize data transfer patterns, and troubleshoot connectivity issues in production environments.
Audit network traffic for compliance purposes by capturing detailed connection metadata including process information, data volumes, and connection timings.
Gain deep insights into application network behavior without modifying application code or adding instrumentation overhead.

Why eBPF?

eBPF (extended Berkeley Packet Filter) is a revolutionary technology that allows running sandboxed programs in the Linux kernel without changing kernel source code or loading kernel modules. This provides:
  • Safety: eBPF programs are verified before execution to ensure they won’t crash the kernel
  • Performance: Code runs directly in kernel space, avoiding expensive context switches
  • Flexibility: Attach to various kernel events and tracepoints without kernel modifications
  • Real-time: Capture events as they occur with minimal latency

Architecture

The eBPF Event Interceptor consists of two main components:
  1. TCP Event Tracer (libtcpEvent.so) - Monitors TCP connections using kprobes on tcp_set_state and netlink socket diagnostics
  2. UDP Event Tracer (libudpEvent.so) - Tracks UDP traffic through kprobes on datagram and sendmsg/recvmsg functions
Both components use BPF perf buffers for efficient event streaming from kernel to user space.

Learn the Architecture

Understand how the components work together

API Reference

Explore the complete API documentation

Community & Support

This project is maintained by Microsoft and welcomes contributions from the community.

Contributing

Learn how to contribute to the project

Report Issues

Report bugs or request features

Security

Review our security policy

License

MIT License - free for commercial use

Build docs developers (and LLMs) love

Get started for freeTalk to us