Oryx decodes network frames at each layer of the stack before they reach userspace. An eBPF TC classifier attached to the selected interface reads the Ethernet header, determines the EtherType (IPv4, IPv6, or ARP), and then walks down through the network and transport headers. The fully-decoded frame, including every field that Oryx surfaces in the TUI, is written into a `RingBuf` eBPF map and consumed by the Aya-based userspace process.
The protocol filter controls which traffic is forwarded to the TUI. Filters exist independently for each layer and are enforced inside the kernel before any data is copied to userspace.
Transport layer
TCP

TCP is supported over both IPv4 and IPv6. The eBPF program reads the full `TcpHdr` and the TUI surfaces all of the following fields in the packet detail view:

| Field | Description |
|---|---|
| Source port | Originating port number |
| Destination port | Receiving port number |
| Sequence number | Byte-stream position |
| Acknowledgment number | Next expected byte |
| Data offset | Header length in 32-bit words |
| CWR, ECE, URG, ACK, PSH, RST, SYN, FIN | Individual flag bits |
| Window | Receive window size |
| Checksum | Header and data checksum (hex) |
| Urgent pointer | Offset to urgent data |

The packet list shows `<src-ip> <src-port> <dst-ip> <dst-port> TCP`.

TCP packets are subject to the firewall blocklist. If a matching IPv4 or IPv6 address and port rule is found in the eBPF maps, the packet is dropped (`TC_ACT_SHOT`) before it is recorded.
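The walk described at the top of this page, from the Ethernet header through IPv4 to the TCP flags and the packet-list line, as an added userspace example in Rust. It is not Oryx's eBPF code: `decode_tcp`, `sample_frame` and the constants are names chosen here, and the sample frame is constructed.

```rust
use std::net::Ipv4Addr;

const ETH_P_IPV4: u16 = 0x0800; // EtherType for IPv4
const IPPROTO_TCP: u8 = 6;
// TCP flag names, most significant bit of header byte 13 first.
const FLAGS: [&str; 8] = ["CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"];

fn be16(b: &[u8], at: usize) -> Option<u16> {
    Some(u16::from_be_bytes([*b.get(at)?, *b.get(at + 1)?]))
}

fn ipv4(b: &[u8], at: usize) -> Option<Ipv4Addr> {
    let o = b.get(at..at + 4)?;
    Some(Ipv4Addr::new(o[0], o[1], o[2], o[3]))
}

/// Walk Ethernet -> IPv4 -> TCP; None for other traffic or a frame that is too short.
fn decode_tcp(frame: &[u8]) -> Option<(String, Vec<&'static str>)> {
    if be16(frame, 12)? != ETH_P_IPV4 { return None; }
    let ip = frame.get(14..)?;
    let ver_ihl = *ip.first()?;
    let ihl = usize::from(ver_ihl & 0x0f) * 4; // IPv4 header bytes, options included
    if ver_ihl >> 4 != 4 || ihl < 20 || *ip.get(9)? != IPPROTO_TCP { return None; }
    // A non-first fragment carries no TCP header, so there is nothing to decode.
    if be16(ip, 6)? & 0x1fff != 0 { return None; }
    let tcp = ip.get(ihl..)?;
    let bits = *tcp.get(13)?;
    let flags = (0..8).filter(|i| bits & (0x80u8 >> *i) != 0).map(|i| FLAGS[i]).collect();
    let line = format!("{} {} {} {} TCP", ipv4(ip, 12)?, be16(tcp, 0)?, ipv4(ip, 16)?, be16(tcp, 2)?);
    Some((line, flags))
}

/// Constructed sample: SYN from 192.0.2.10:51000 to 198.51.100.7:443, IHL = 6.
fn sample_frame() -> Vec<u8> {
    let mut f = vec![0u8; 14 + 24 + 20];
    f[12..14].copy_from_slice(&ETH_P_IPV4.to_be_bytes());
    f[14] = 0x46; // version 4, IHL 6 (one 4-byte option word)
    f[23] = IPPROTO_TCP;
    f[26..30].copy_from_slice(&[192, 0, 2, 10]);
    f[30..34].copy_from_slice(&[198, 51, 100, 7]);
    f[38..40].copy_from_slice(&51000u16.to_be_bytes());
    f[40..42].copy_from_slice(&443u16.to_be_bytes());
    f[51] = 0x02; // SYN
    f
}

fn main() {
    println!("{:?}", decode_tcp(&sample_frame()));
}
```

The sample uses a 24-byte IPv4 header, so a decoder that assumed a fixed 20-byte header would read the ports and flags from the wrong offset.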
UDP
UDP is supported over both IPv4 and IPv6. The eBPF program reads `UdpHdr` and the TUI displays:

| Field | Description |
|---|---|
| Source port | Originating port number |
| Destination port | Receiving port number |
| Length | Datagram length in bytes |
| Checksum | Checksum (hex) |

The packet list shows `<src-ip> <src-port> <dst-ip> <dst-port> UDP`.

Like TCP, UDP packets are checked against the firewall blocklist before being forwarded to the TUI.
SCTP
SCTP is supported over both IPv4 and IPv6. The eBPF program reads `SctpHdr` and the TUI displays:

| Field | Description |
|---|---|
| Source port | Originating port number |
| Destination port | Receiving port number |
| Verification tag | Association verification tag (hex) |
| Checksum | CRC-32c checksum (hex) |

The packet list shows `<src-ip> <src-port> <dst-ip> <dst-port> SCTP`.

SCTP packets are also subject to the firewall blocklist.

Network layer
IPv4
IPv4 is the primary network-layer protocol. Oryx uses the IPv4 header to extract source and destination addresses for display and firewall evaluation. IPv4 traffic can carry TCP, UDP, SCTP, ICMPv4, and IGMP payloads.

The IPv4 filter hides all IPv4 traffic from the TUI regardless of transport protocol. Firewall rules for IPv4 are stored as `u32` address keys in the `BLOCKLIST_IPV4` eBPF map.
IPv6
IPv6 is fully supported alongside IPv4. Source and destination addresses are 128-bit values. IPv6 traffic can carry TCP, UDP, SCTP, and ICMPv6 payloads.

Firewall rules for IPv6 are stored as `u128` address keys in the `BLOCKLIST_IPV6` eBPF map. Up to 32 rules are supported (matching `MAX_FIREWALL_RULES`).
ICMPv4
ICMPv4 is decoded from IPv4 packets with `IpProto::Icmp`. The TUI displays:

| Field | Description |
|---|---|
| Type | Human-readable message type (see below) |
| Code | Sub-type code |
| Checksum | Checksum (hex) |

Recognised ICMPv4 message types include: Echo Reply, Echo Request, Destination Unreachable, Redirect Message, Router Advertisement, Router Solicitation, Time Exceeded, Bad IP header, Timestamp, Timestamp Reply, Extended Echo Request, and Extended Echo Reply.

The packet list shows `<src-ip> <dst-ip> ICMP`.
ICMPv6
ICMPv6 is decoded from IPv6 packets with `IpProto::Ipv6Icmp`. The TUI displays the same three fields as ICMPv4: type, code, and checksum.

Recognised ICMPv6 message types include: Destination Unreachable, Packet Too Big, Time Exceeded, Parameter Problem, Echo Request, Echo Reply, Multicast Listener Query/Report/Done, Router Solicitation/Advertisement, Neighbor Solicitation/Advertisement, Redirect Message, Router Renumbering, ICMP Node Information Query/Response, Inverse Neighbor Discovery, Home Agent Address Discovery, Mobile Prefix Solicitation/Advertisement, Duplicate Address Request/Confirmation, Extended Echo Request, and Extended Echo Reply.

The packet list shows `<src-ip> <dst-ip> ICMP`.
IGMP (v1, v2, v3)
IGMP is decoded from IPv4 packets with `IpProto::Igmp`. Oryx distinguishes between all three IGMP versions and the following message types:

| Type byte | Message |
|---|---|
| `0x11` (8-byte payload, max response time = 0) | IGMPv1 Membership Query |
| `0x11` (8-byte payload, max response time ≠ 0) | IGMPv2 Membership Query |
| `0x11` (>8-byte payload) | IGMPv3 Membership Query |
| `0x12` | IGMPv1 Membership Report |
| `0x16` | IGMPv2 Membership Report |
| `0x17` | IGMPv2 Leave Group |
| `0x22` | IGMPv3 Membership Report |

The packet list shows `<src-ip> <dst-ip> IGMP`.

IGMP is an IPv4-only protocol. The eBPF program matches it under the `EtherType::Ipv4` branch only; there is no corresponding IPv6 path.

Link layer
ARP
ARP frames are matched directly from the Ethernet header (`EtherType::Arp`) before any IP parsing. The eBPF program reads the full `ArpHdr` and the TUI surfaces:

| Field | Description |
|---|---|
| Hardware type | Link-layer protocol type |
| Protocol type | Network-layer protocol type |
| Hardware length | Length of a hardware address |
| Protocol length | Length of a protocol address |
| Operation | Arp Request or Arp Reply |
| Sender hardware address | Source MAC address |
| Sender protocol address | Source IPv4 address |
| Target hardware address | Target MAC address |
| Target protocol address | Target IPv4 address |

The packet list shows `<src-mac> <dst-mac> ARP`.
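The IGMP version rules from the table in the IGMP section above, as an added Rust example that is not Oryx's own code. `classify_igmp`, `sample_packet` and the `Igmp` enum are hypothetical names and the sample packets are constructed; the payload length is taken from the IPv4 total-length field so that Ethernet padding cannot turn a v2 query into a v3 one.

```rust
#[derive(Debug, PartialEq)]
enum Igmp { V1Query, V2Query, V3Query, V1Report, V2Report, V2Leave, V3Report }

const IPPROTO_IGMP: u8 = 2;

/// Classify the IGMP message inside an IPv4 packet using the table's rules.
/// `pkt` starts at the IPv4 header and may carry trailing link-layer padding.
fn classify_igmp(pkt: &[u8]) -> Option<Igmp> {
    let ihl = usize::from(*pkt.first()? & 0x0f) * 4;
    let total = usize::from(u16::from_be_bytes([*pkt.get(2)?, *pkt.get(3)?]));
    if ihl < 20 || *pkt.get(9)? != IPPROTO_IGMP || total > pkt.len() { return None; }
    // Payload length comes from the IPv4 total length, never from the buffer
    // size: Ethernet pads short frames, which would make a v2 query look longer.
    let msg = pkt.get(ihl..total)?;
    if msg.len() < 8 { return None; }
    match (msg[0], msg.len(), msg[1]) {
        (0x11, 8, 0) => Some(Igmp::V1Query), // max response time = 0
        (0x11, 8, _) => Some(Igmp::V2Query), // max response time != 0
        (0x11, _, _) => Some(Igmp::V3Query), // payload longer than 8 bytes
        (0x12, ..) => Some(Igmp::V1Report),
        (0x16, ..) => Some(Igmp::V2Report),
        (0x17, ..) => Some(Igmp::V2Leave),
        (0x22, ..) => Some(Igmp::V3Report),
        _ => None,
    }
}

/// Constructed sample: IPv4 header with a Router Alert option (IHL 6), then
/// `igmp`, zero-padded to the 46-byte Ethernet minimum. Checksums are left zero.
fn sample_packet(igmp: &[u8]) -> Vec<u8> {
    let total = 24 + igmp.len();
    let mut p = vec![0u8; total.max(46)];
    p[0] = 0x46; // version 4, IHL 6
    p[2..4].copy_from_slice(&(total as u16).to_be_bytes());
    p[9] = IPPROTO_IGMP;
    p[20..24].copy_from_slice(&[0x94, 0x04, 0, 0]); // Router Alert option
    p[24..total].copy_from_slice(igmp);
    p
}

fn main() {
    let v2_query = sample_packet(&[0x11, 0x64, 0, 0, 0, 0, 0, 0]);
    println!("{:?}", classify_igmp(&v2_query));
}
```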