This guide walks you through launching Oryx, selecting a network interface, configuring protocol filters, and navigating the TUI sections. By the end you’ll have live packet capture running and know how to move between the inspection, firewall, statistics, metrics, and alerts views.
Oryx attaches eBPF programs to network interfaces, which requires root privileges. Always run Oryx with sudo.

Start Oryx

1. Launch Oryx

Run the following command to start Oryx:
sudo oryx
Oryx opens to the filter selection screen, where you choose which interface and protocols to capture.
2. Select a network interface

Use j / k or the Down / Up arrow keys to highlight a network interface, then press Space to select it. You can select multiple interfaces.
3. Choose protocols to capture

Move between the transport, network, and link layer filter panels using Tab. Press Space to select or deselect individual protocols. To capture everything, leave all protocols selected. The available protocols are:

| Layer | Protocols |
| --- | --- |
| Transport | TCP, UDP, SCTP |
| Network | IPv4, IPv6, ICMPv4, ICMPv6, IGMP |
| Link | ARP |
4. Apply your filters

Press f to apply the selected filters and start capturing traffic. Oryx attaches its eBPF programs to the chosen interfaces and begins streaming packets.
5. Navigate the TUI sections

Use Tab or Shift+Tab to switch between the five main sections:
  • Inspection — live packet table with source/destination, protocol, and port
  • Firewall — create and toggle eBPF firewall rules
  • Stats — protocol breakdowns, bandwidth, and top-10 addresses
  • Metrics — custom port-range traffic counters
  • Alerts — threat detection events such as SYN flood warnings
Press ? at any time to open the help overlay with all key bindings.

Launch with flags

You can skip the interactive filter screen by passing interface and protocol options directly on the command line. This is useful for scripting or when you already know exactly what you want to capture.
sudo oryx -i eth0 -t tcp,udp -d ingress
Passing -i, -t, and -d flags at launch narrows the capture immediately, which reduces noise and makes it easier to find the traffic you’re looking for.
The available CLI flags are:
| Flag | Short | Values | Default |
| --- | --- | --- | --- |
| --interface | -i | Any valid network interface name | |
| --transport | -t | tcp, udp, sctp, all | all |
| --network | -n | ipv4, ipv6, icmpv4, icmpv6, igmp, all | all |
| --link | -l | arp, all | all |
| --direction | -d | ingress, egress, all | all |
Run oryx --help to see the full usage reference.
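
For scripted launches, the flag values can be checked against the documented ones before anything is handed to a process running as root. The wrapper below is an added example, not part of Oryx or its documentation; the function names and the NET_SYSFS variable are hypothetical. It assumes that -n and -l accept comma-separated lists the way -t does in the command above, that -d takes a single value, and that interface names use only letters, digits, `_`, `.` and `-`.

```sh
#!/bin/sh
# Added example, not Oryx project code. Function names and NET_SYSFS are
# hypothetical; flags and accepted values come from the CLI flag table.
NET_SYSFS="${NET_SYSFS:-/sys/class/net}"   # where Linux lists interfaces

# valid_list CSV "allowed words": every comma-separated item must be allowed.
# The body runs in a subshell, so the IFS change and exit stay local to it.
valid_list() (
    case "$1" in
        ''|*[!a-z0-9,]*|,*|*,|*,,*) exit 1 ;;   # empty, odd chars, empty items
    esac
    IFS=','
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;
            *) exit 1 ;;
        esac
    done
)

# valid_iface NAME: conservative name check, then confirm the kernel lists it.
valid_iface() {
    case "$1" in
        ''|.|..|*[!A-Za-z0-9_.-]*) return 1 ;;   # also rejects "/" and spaces
    esac
    [ "${#1}" -le 15 ] || return 1   # IFNAMSIZ is 16 including the NUL
    [ -e "$NET_SYSFS/$1" ]
}

# build_oryx_cmd IFACE [TRANSPORT] [NETWORK] [LINK] [DIRECTION]
# Prints the command line on success, an error on stderr otherwise.
build_oryx_cmd() {
    t="${2:-all}"; n="${3:-all}"; l="${4:-all}"; d="${5:-all}"
    valid_iface "$1" || { echo "unknown interface: $1" >&2; return 1; }
    valid_list "$t" "tcp udp sctp all" || { echo "bad -t: $t" >&2; return 1; }
    valid_list "$n" "ipv4 ipv6 icmpv4 icmpv6 igmp all" || { echo "bad -n: $n" >&2; return 1; }
    valid_list "$l" "arp all" || { echo "bad -l: $l" >&2; return 1; }
    case "$d" in
        ingress|egress|all) ;;
        *) echo "bad -d: $d" >&2; return 1 ;;
    esac
    echo "oryx -i $1 -t $t -n $n -l $l -d $d"
}

# With arguments (e.g. eth0 tcp,udp all all ingress), validate and launch.
if [ "$#" -gt 0 ]; then
    cmd=$(build_oryx_cmd "$@") || exit 1
    exec sudo $cmd   # unquoted on purpose: every word was validated above
fi
```

Run without arguments, the script only defines the functions, so `build_oryx_cmd` can be called from a larger job to check the command line before it runs.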

What to expect

Once filters are applied, the Inspection section shows a scrolling packet table. Each row includes:
  • Source address and source port
  • Destination address and destination port
  • Protocol (TCP, UDP, SCTP, ICMPv4, ICMPv6, IGMP, or ARP)
  • Process ID (PID) — shown for egress packets where attribution is possible; - otherwise
Press i on a selected packet to open a details popup with the full decoded header. Press / to start a fuzzy search across captured packets.

Next steps

Key bindings

Full reference for every keyboard shortcut in Oryx.

Firewall

Block traffic by IP, port, and direction with persistent rules.

Filters

Learn how transport, network, and link layer filters interact.

Export

Save your capture to a file for offline analysis.
