README.md: +9 -3
@@ -15,10 +15,12 @@ At the end of the execution program will display per-IP and per-protocol statist
Program consists of the [eBPF code in C](counter.c) and the pure-Go userland Golang program that parses and outputs final IP/port/protocol/bitrate statistics. Go part of the program uses wonderful [cillium/ebpf](https://github.com/cilium/ebpf) library to load and run eBPF program, interfacing with eBPF map.
-
By default eBPF component uses **TC** (Traffic Control) eBPF hooks with TCX attaching requiring at minimum Linux kernel **v6.6** for both ingress and egress traffic statistics for TCP, UDP, ICMPv4 and ICMPv6. It can also switch to even faster [XDP](https://github.com/xdp-project/xdp-tutorial) (eXpress Data Path) hook but with a consequence of **losing egress statistics** since **XDP** works only in ingress path. XDP mode due to XDP program to network interface attaching calls requires at minimum Linux kernel **v5.9**. Some distributions might have backported XDP/TC patches (notable example is Red Hat Enterprise Linux kernel) and eBPF program might work on older kernels too.
+
By default eBPF component uses **TC** (Traffic Control) eBPF hooks with TCX attaching requiring at minimum Linux kernel **v6.6** for both ingress and egress traffic statistics for TCP, UDP, ICMPv4 and ICMPv6. It can also switch to even faster [XDP](https://github.com/xdp-project/xdp-tutorial) (eXpress Data Path) hook but with a consequence of **losing egress statistics** since **XDP** works only in ingress path. XDP mode due to XDP program to network interface attaching calls requires at minimum Linux kernel **v5.9**. Some distributions might have backported XDP/TC patches (notable example is Red Hat Enterprise Linux kernel) and eBPF program might work on older kernels too (see requirements for more info).
Alternatively it can use **KProbes** to monitor TCP, UDP, ICMPv4 and ICMPv6 communication throughout all containers, K8s pods, translations and forwards and display process ID as well as process name, if the traffic was being sent or delivered to userspace application. KProbes traditionally work the slowest, being closest to the userspace -- but they bring sometimes useful process information. KProbes work also with much older Linux kernels as well, but the hard-dependancy is a [BTF-enabled](https://docs.ebpf.io/concepts/btf/) kernel.
+
In case that you need to monitor just a specific **CGroup**, it is possible as well and monitoring both ingress and egress traffic is supported.
+

## Talk
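Review bot: The new CGroup paragraph at the end of this hunk states no kernel or CGroup version requirement, while the TC, XDP and KProbes paragraphs above it each state theirs (v6.6, v5.9, BTF-enabled kernel). Say that it needs CGroup v2, as the `--cgroup` help text does, and name the `--cgroup` flag here so readers can find it. The added "(see requirements for more info)" would also be easier to follow as a Markdown link to that section, like the other links in the same paragraph.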
@@ -47,8 +49,9 @@ The following table maps features, requirements and expected performance for des
-c, --cgroup STRING the path to a CGroup V2 to measure statistics on
-x, --xdp if true, use XDP instead of TC (this disables egress statistics)
-k, --kprobes if true, use KProbes for per-proces TCP/UDP statistics
-g, --tui if true, enable TUI
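Review bot: The `-c, --cgroup` help line does not say how the option combines with `--xdp` and `--kprobes` listed directly below it; state whether they are mutually exclusive or which one takes precedence when several are given. It would also help to say what form the path takes (for example an absolute path under the cgroup2 mount point), since STRING alone leaves that open.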
@@ -91,6 +95,8 @@ Additionally it is possible to change XDP attach mode with `--xdp_mode` from `au
With `--kprobes` program will switch to Kprobe mode and track TCP and UDP traffic per process. Performance will be even more degraded compared to TC and XDP mode, but all per-PID traffic will be visible, inside of all Cgroups, containers, K8s pods etc.
+
With `--cgroup` parameter with path to the CGroup it is possible to measure ingress and egress traffic for a specific CGroup.
+
## Star History
[](https://star-history.com/#dkorunic/pktstat&dkorunic/pktstat-bpf&Date)
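Review bot: The new `--cgroup` paragraph says only "the CGroup" where the option help says CGroup V2, and unlike the `--kprobes` paragraph just above it, it says nothing about performance or whether per-process information is shown in this mode. Add the V2 requirement and a short example invocation with a path so the expected argument is unambiguous.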