How to Run Code in Kernel Space? eBPF! Complete Guide with XDP Packet Capture#

Running custom code directly in the Linux kernel has traditionally been risky and complex, requiring kernel modules or source code modifications. eBPF (Extended Berkeley Packet Filter) revolutionizes this by providing a safe, efficient way to execute custom programs in kernel space without compromising system stability.

Overview#

What is eBPF?#

eBPF is a powerful, modern technology that allows users to execute custom sandboxed programs directly within the Linux kernel without modifying the kernel source or loading kernel modules. Originally designed for packet filtering, eBPF has evolved into a general-purpose engine capable of executing bytecode in the kernel context.

1
graph TB
2
    subgraph "eBPF Architecture Overview"
3
        UserSpace["User Space Application"]
4
        Compiler["LLVM/Clang Compiler"]
5
        Bytecode["eBPF Bytecode"]
6
        Verifier["eBPF Verifier"]
7
        VM["eBPF Virtual Machine"]
8
        Hooks["Kernel Hooks"]
9

10
        UserSpace --> |"C/Go/Rust Code"| Compiler
11
        Compiler --> Bytecode
12
        Bytecode --> Verifier
13
        Verifier --> |"Safe Code"| VM
14
        VM --> Hooks
15

16
        subgraph "Kernel Space"
17
            VM
18
            Hooks
19
            Maps["eBPF Maps"]
20
            Helpers["Helper Functions"]
21
        end
22
    end
23

24
    style UserSpace fill:#e1f5fe
25
    style VM fill:#e8f5e8
26
    style Verifier fill:#fff3e0
27
    style Maps fill:#f3e5f5

eBPF programs run in a restricted environment where:

Direct access to kernel memory is prohibited
Only specific helper functions can interact with kernel components
All programs are verified for safety before execution
Minimal performance overhead through JIT compilation

Why Was eBPF Invented?#

eBPF addresses critical limitations of traditional kernel programming:

1
graph LR
2
    subgraph "Traditional Approach Problems"
3
        A["Kernel Modules"] --> A1["Security Risks"]
4
        A --> A2["System Instability"]
5
        A --> A3["Kernel Recompilation"]
6

7
        B["iptables/Netfilter"] --> B1["Performance Bottlenecks"]
8
        B --> B2["Limited Flexibility"]
9
        B --> B3["Complex Debugging"]
10
    end
11

12
    subgraph "eBPF Solutions"
13
        C["Safe Execution"] --> C1["Sandboxed Environment"]
14
        C --> C2["Verification Process"]
15

16
        D["High Performance"] --> D1["JIT Compilation"]
17
        D --> D2["Zero-Copy Operations"]
18

19
        E["Dynamic Loading"] --> E1["No Kernel Reboot"]
20
        E --> E2["Real-time Updates"]
21
    end
22

23
    style A fill:#ffcdd2
24
    style B fill:#ffcdd2
25
    style C fill:#c8e6c9
26
    style D fill:#c8e6c9
27
    style E fill:#c8e6c9

Traditional Problems:

Security Vulnerabilities: Kernel modules could crash the system
Performance Limitations: Tools like iptables had high overhead
Inflexibility: Required kernel recompilation for changes
Debugging Complexity: Limited introspection capabilities

eBPF Solutions:

Safe Execution: Comprehensive verification prevents crashes
High Performance: JIT compilation and optimized execution
Dynamic Loading: Real-time program updates without reboots
Rich Observability: Detailed system monitoring and tracing

eBPF Security#

Security is paramount in eBPF design. Every program undergoes rigorous verification:

1
graph TD
2
    subgraph "eBPF Security Model"
3
        Program["eBPF Program"]
4

5
        subgraph "Verification Process"
6
            Syntax["Syntax Checking"]
7
            Control["Control Flow Analysis"]
8
            Memory["Memory Access Validation"]
9
            Helper["Helper Function Verification"]
10
        end
11

12
        subgraph "Runtime Protection"
13
            Sandbox["Sandboxed Execution"]
14
            Limits["Resource Limits"]
15
            Isolation["Memory Isolation"]
16
        end
17

18
        Program --> Syntax
19
        Syntax --> Control
20
        Control --> Memory
21
        Memory --> Helper
22
        Helper --> Sandbox
23
        Sandbox --> Limits
24
        Limits --> Isolation
25
    end
26

27
    style Program fill:#e1f5fe
28
    style Sandbox fill:#c8e6c9
29
    style Limits fill:#fff3e0

Deeper Understanding#

Core Components#

eBPF Virtual Machine#

The eBPF VM is a lightweight, register-based virtual machine embedded in the kernel:

Register Set: 11 64-bit registers (R0-R10)
Stack Space: 512-byte stack for local variables
Instruction Set: 64-bit instructions supporting arithmetic, logic, and memory operations
JIT Compilation: Bytecode compiled to native machine code for optimal performance

eBPF Hooks#

eBPF programs attach to specific kernel execution points:

Hook Type	Use Case	Description
XDP	Packet Processing	Lowest-level network packet processing
kprobe	Function Tracing	Dynamic tracing of kernel functions
tracepoints	Event Monitoring	Static tracepoints in kernel code
cgroup	Resource Control	Container and process group policies
socket	Network Filtering	Socket-level packet filtering
perf_event	Performance Monitoring	Hardware/software performance counters

eBPF Maps#

Maps provide data storage and communication between kernel and user space:

1
// Example map definitions
2
struct {
3
    __uint(type, BPF_MAP_TYPE_HASH);
4
    __uint(max_entries, 1024);
5
    __type(key, __u32);
6
    __type(value, struct packet_stats);
7
} packet_map SEC(".maps");
8

9
struct {
10
    __uint(type, BPF_MAP_TYPE_RINGBUF);
11
    __uint(max_entries, 256 * 1024);
12
} events SEC(".maps");

eBPF Verifier#

The verifier ensures program safety through:

Syntax Checking: Validates instruction format and parameters
Control Flow Analysis: Prevents infinite loops and illegal jumps
Memory Access Validation: Ensures safe memory operations
Resource Limits: Enforces instruction and complexity limits

eBPF Helpers#

Helper functions provide controlled access to kernel functionality:

1
// Common helper functions
2
bpf_map_lookup_elem()     // Access map data
3
bpf_map_update_elem()     // Update map entries
4
bpf_ktime_get_ns()        // Get current timestamp
5
bpf_get_current_pid_tgid() // Get process/thread ID
6
bpf_trace_printk()        // Debug output

Workflow#

The eBPF program lifecycle follows these steps:

1
sequenceDiagram
2
    participant User as User Space
3
    participant Compiler as LLVM/Clang
4
    participant Kernel as Linux Kernel
5
    participant Verifier as eBPF Verifier
6
    participant VM as eBPF VM
7
    participant Hook as Kernel Hook
8

9
    User->>Compiler: Compile C/Go code
10
    Compiler->>User: eBPF bytecode
11
    User->>Kernel: Load program (bpf syscall)
12
    Kernel->>Verifier: Verify bytecode
13
    Verifier->>VM: Load verified program
14
    VM->>Hook: Attach to kernel hook
15

16
    Note over Hook: Program executes on events
17
    Hook->>VM: Execute program
18
    VM->>User: Send data via maps/ringbuf

Writing the eBPF Program#

We’ll create a comprehensive XDP packet capture program that monitors network traffic and extracts detailed packet information.

Kernel Space Code#

Initial Setup#

1
//go:build ignore
2

3
#include <linux/bpf.h>
4
#include <bpf/bpf_helpers.h>
5
#include <linux/if_ether.h>
6
#include <linux/ip.h>
7
#include <linux/tcp.h>
8
#include <linux/udp.h>
9
#include <linux/in.h>

Header Explanations:

//go:build ignore: Prevents Go build system from processing this C code
<linux/bpf.h>: Core eBPF definitions and data structures
<bpf/bpf_helpers.h>: Helper function declarations
<linux/if_ether.h>: Ethernet protocol definitions
<linux/ip.h>: IPv4 header structures
<linux/tcp.h> & <linux/udp.h>: Transport layer headers
<linux/in.h>: Internet protocol constants

Defining Packet Data Structure#

1
// Data structure for packet information sent to user space
2
struct packet_data {
3
    __u32 src_ip;      // Source IP address
4
    __u32 dst_ip;      // Destination IP address
5
    __u16 src_port;    // Source port (TCP/UDP)
6
    __u16 dst_port;    // Destination port (TCP/UDP)
7
    __u32 protocol;    // Protocol (TCP=6, UDP=17, etc.)
8
    __u32 packet_size; // Total packet size in bytes
9
    __u64 timestamp;   // Packet capture timestamp
10
    __u32 flags;       // Additional packet flags
11
};

This structure captures essential packet metadata for analysis.

Ring Buffer Map Definition#

1
// Ring buffer for efficient kernel-to-userspace data transfer
2
struct {
3
    __uint(type, BPF_MAP_TYPE_RINGBUF);
4
    __uint(max_entries, 1 << 24); // 16 MB ring buffer
5
} packet_ringbuf SEC(".maps");
6

7
// Statistics map for performance tracking
8
struct {
9
    __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
10
    __uint(max_entries, 4);
11
    __type(key, __u32);
12
    __type(value, __u64);
13
} stats_map SEC(".maps");

Map Types:

BPF_MAP_TYPE_RINGBUF: Efficient circular buffer for events
BPF_MAP_TYPE_PERCPU_ARRAY: Per-CPU statistics to avoid contention

XDP Program Entry Point#

1
SEC("xdp")
2
int capture_packet_data(struct xdp_md *ctx) {
3
    void *data_end = (void *)(long)ctx->data_end;
4
    void *data = (void *)(long)ctx->data;
5

6
    // Initialize packet data structure
7
    struct packet_data pkt_data = {};
8
    pkt_data.timestamp = bpf_ktime_get_ns();
9
    pkt_data.packet_size = (__u32)(data_end - data);
10

11
    // Update packet count statistics
12
    __u32 key = 0; // Total packets
13
    __u64 *count = bpf_map_lookup_elem(&stats_map, &key);
14
    if (count) {
15
        (*count)++;
16
    }

XDP Context:

ctx->data: Start of packet data
ctx->data_end: End of packet data
Provides direct access to raw packet bytes

Ethernet Header Parsing#

1
    // Parse Ethernet header
2
    struct ethhdr *eth = data;
3
    if ((void *)(eth + 1) > data_end) {
4
        return XDP_PASS; // Packet too small, pass to network stack
5
    }
6

7
    // Only process IPv4 packets
8
    if (eth->h_proto != __constant_htons(ETH_P_IP)) {
9
        return XDP_PASS; // Not IPv4, pass through
10
    }

Safety Checks:

Verify packet contains complete Ethernet header
Filter for IPv4 packets only
Use __constant_htons() for compile-time constant conversion

IP Header Parsing and Information Extraction#

1
    // Parse IP header
2
    struct iphdr *ip = data + sizeof(struct ethhdr);
3
    if ((void *)(ip + 1) > data_end) {
4
        return XDP_PASS; // Incomplete IP header
5
    }
6

7
    // Extract IP information
8
    pkt_data.src_ip = __builtin_bswap32(ip->saddr);
9
    pkt_data.dst_ip = __builtin_bswap32(ip->daddr);
10
    pkt_data.protocol = ip->protocol;
11

12
    // Set additional flags based on IP header
13
    if (ip->frag_off & htons(IP_MF | IP_OFFSET)) {
14
        pkt_data.flags |= 0x01; // Fragmented packet
15
    }
16

17
    if (ip->ttl < 10) {
18
        pkt_data.flags |= 0x02; // Low TTL warning
19
    }

IP Header Processing:

Extract source and destination IP addresses
Convert from network to host byte order
Identify fragmented packets and low TTL values

Transport Layer Processing#

1
    // Calculate IP header length (variable due to options)
2
    __u32 ip_header_len = ip->ihl * 4;
3
    void *transport_header = data + sizeof(struct ethhdr) + ip_header_len;
4

5
    if (ip->protocol == IPPROTO_TCP) {
6
        struct tcphdr *tcp = transport_header;
7
        if ((void *)(tcp + 1) > data_end) {
8
            return XDP_PASS;
9
        }
10

11
        pkt_data.src_port = __builtin_bswap16(tcp->source);
12
        pkt_data.dst_port = __builtin_bswap16(tcp->dest);
13

14
        // TCP flag analysis
15
        if (tcp->syn) pkt_data.flags |= 0x10;    // SYN flag
16
        if (tcp->fin) pkt_data.flags |= 0x20;    // FIN flag
17
        if (tcp->rst) pkt_data.flags |= 0x40;    // RST flag
18

19
        // Update TCP packet count
20
        key = 1;
21
        count = bpf_map_lookup_elem(&stats_map, &key);
22
        if (count) (*count)++;
23

24
    } else if (ip->protocol == IPPROTO_UDP) {
25
        struct udphdr *udp = transport_header;
26
        if ((void *)(udp + 1) > data_end) {
27
            return XDP_PASS;
28
        }
29

30
        pkt_data.src_port = __builtin_bswap16(udp->source);
31
        pkt_data.dst_port = __builtin_bswap16(udp->dest);
32

33
        // Update UDP packet count
34
        key = 2;
35
        count = bpf_map_lookup_elem(&stats_map, &key);
36
        if (count) (*count)++;
37

38
    } else {
39
        // Other protocols (ICMP, etc.)
40
        key = 3;
41
        count = bpf_map_lookup_elem(&stats_map, &key);
42
        if (count) (*count)++;
43
    }

Advanced Transport Processing:

Handle variable-length IP headers
Extract TCP flags for connection analysis
Maintain per-protocol statistics

Ring Buffer Data Transmission#

1
    // Send packet data to user space via ring buffer
2
    void *ringbuf_data = bpf_ringbuf_reserve(&packet_ringbuf, sizeof(pkt_data), 0);
3
    if (!ringbuf_data) {
4
        return XDP_PASS; // Ring buffer full, drop this event
5
    }
6

7
    // Copy packet data to ring buffer
8
    __builtin_memcpy(ringbuf_data, &pkt_data, sizeof(pkt_data));
9

10
    // Submit data to user space
11
    bpf_ringbuf_submit(ringbuf_data, 0);
12

13
    return XDP_PASS; // Continue normal packet processing
14
}
15

16
// License declaration (required)
17
char __license[] SEC("license") = "Dual MIT/GPL";

Ring Buffer Operations:

bpf_ringbuf_reserve(): Reserve space for data
__builtin_memcpy(): Copy data efficiently
bpf_ringbuf_submit(): Make data available to user space

Complete Kernel Space Code#

Click to view the complete kernel space code

1
//go:build ignore
2

3
#include <linux/bpf.h>
4
#include <bpf/bpf_helpers.h>
5
#include <linux/if_ether.h>
6
#include <linux/ip.h>
7
#include <linux/tcp.h>
8
#include <linux/udp.h>
9
#include <linux/in.h>
10

11
// Packet data structure for user space communication
12
struct packet_data {
13
    __u32 src_ip;
14
    __u32 dst_ip;
15
    __u16 src_port;
16
    __u16 dst_port;
17
    __u32 protocol;
18
    __u32 packet_size;
19
    __u64 timestamp;
20
    __u32 flags;
21
};
22

23
// Ring buffer map for packet data
24
struct {
25
    __uint(type, BPF_MAP_TYPE_RINGBUF);
26
    __uint(max_entries, 1 << 24); // 16 MB
27
} packet_ringbuf SEC(".maps");
28

29
// Statistics map
30
struct {
31
    __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
32
    __uint(max_entries, 4);
33
    __type(key, __u32);
34
    __type(value, __u64);
35
} stats_map SEC(".maps");
36

37
SEC("xdp")
38
int capture_packet_data(struct xdp_md *ctx) {
39
    void *data_end = (void *)(long)ctx->data_end;
40
    void *data = (void *)(long)ctx->data;
41

42
    struct packet_data pkt_data = {};
43
    pkt_data.timestamp = bpf_ktime_get_ns();
44
    pkt_data.packet_size = (__u32)(data_end - data);
45

46
    // Update total packet count
47
    __u32 key = 0;
48
    __u64 *count = bpf_map_lookup_elem(&stats_map, &key);
49
    if (count) (*count)++;
50

51
    // Parse Ethernet header
52
    struct ethhdr *eth = data;
53
    if ((void *)(eth + 1) > data_end) {
54
        return XDP_PASS;
55
    }
56

57
    if (eth->h_proto != __constant_htons(ETH_P_IP)) {
58
        return XDP_PASS;
59
    }
60

61
    // Parse IP header
62
    struct iphdr *ip = data + sizeof(struct ethhdr);
63
    if ((void *)(ip + 1) > data_end) {
64
        return XDP_PASS;
65
    }
66

67
    pkt_data.src_ip = __builtin_bswap32(ip->saddr);
68
    pkt_data.dst_ip = __builtin_bswap32(ip->daddr);
69
    pkt_data.protocol = ip->protocol;
70

71
    // Check for fragmentation and low TTL
72
    if (ip->frag_off & htons(IP_MF | IP_OFFSET)) {
73
        pkt_data.flags |= 0x01;
74
    }
75
    if (ip->ttl < 10) {
76
        pkt_data.flags |= 0x02;
77
    }
78

79
    // Parse transport layer
80
    __u32 ip_header_len = ip->ihl * 4;
81
    void *transport_header = data + sizeof(struct ethhdr) + ip_header_len;
82

83
    if (ip->protocol == IPPROTO_TCP) {
84
        struct tcphdr *tcp = transport_header;
85
        if ((void *)(tcp + 1) > data_end) {
86
            return XDP_PASS;
87
        }
88

89
        pkt_data.src_port = __builtin_bswap16(tcp->source);
90
        pkt_data.dst_port = __builtin_bswap16(tcp->dest);
91

92
        if (tcp->syn) pkt_data.flags |= 0x10;
93
        if (tcp->fin) pkt_data.flags |= 0x20;
94
        if (tcp->rst) pkt_data.flags |= 0x40;
95

96
        key = 1;
97
        count = bpf_map_lookup_elem(&stats_map, &key);
98
        if (count) (*count)++;
99

100
    } else if (ip->protocol == IPPROTO_UDP) {
101
        struct udphdr *udp = transport_header;
102
        if ((void *)(udp + 1) > data_end) {
103
            return XDP_PASS;
104
        }
105

106
        pkt_data.src_port = __builtin_bswap16(udp->source);
107
        pkt_data.dst_port = __builtin_bswap16(udp->dest);
108

109
        key = 2;
110
        count = bpf_map_lookup_elem(&stats_map, &key);
111
        if (count) (*count)++;
112
    } else {
113
        key = 3;
114
        count = bpf_map_lookup_elem(&stats_map, &key);
115
        if (count) (*count)++;
116
    }
117

118
    // Send to user space
119
    void *ringbuf_data = bpf_ringbuf_reserve(&packet_ringbuf, sizeof(pkt_data), 0);
120
    if (!ringbuf_data) {
121
        return XDP_PASS;
122
    }
123

124
    __builtin_memcpy(ringbuf_data, &pkt_data, sizeof(pkt_data));
125
    bpf_ringbuf_submit(ringbuf_data, 0);
126

127
    return XDP_PASS;
128
}
129

130
char __license[] SEC("license") = "Dual MIT/GPL";

User Space Code#

The Go application loads the eBPF program and processes captured packet data.

Imports and Data Structures#

1
package main
2

3
import (
4
    "bytes"
5
    "encoding/binary"
6
    "flag"
7
    "fmt"
8
    "log"
9
    "net"
10
    "os"
11
    "os/signal"
12
    "syscall"
13
    "time"
14

15
    "github.com/cilium/ebpf/link"
16
    "github.com/cilium/ebpf/ringbuf"
17
    "github.com/cilium/ebpf/rlimit"
18
)
19

20
// Protocol mapping for human-readable output
21
var protocolMap = map[int]string{
22
    1:   "ICMP",
23
    2:   "IGMP",
24
    6:   "TCP",
25
    17:  "UDP",
26
    41:  "IPv6",
27
    47:  "GRE",
28
    89:  "OSPF",
29
    132: "SCTP",
30
    255: "Reserved",
31
}
32

33
// Packet data structure matching kernel space
34
type packetData struct {
35
    SrcIP      uint32
36
    DstIP      uint32
37
    SrcPort    uint16
38
    DstPort    uint16
39
    Protocol   uint32
40
    PacketSize uint32
41
    Timestamp  uint64
42
    Flags      uint32
43
}
44

45
// Statistics tracking
46
type packetStats struct {
47
    TotalPackets uint64
48
    TCPPackets   uint64
49
    UDPPackets   uint64
50
    OtherPackets uint64
51
    StartTime    time.Time
52
}

Main Function Implementation#

1
func main() {
2
    // Command line flags
3
    ifaceName := flag.String("iface", "lo", "Network interface to monitor")
4
    verbose := flag.Bool("v", false, "Verbose output")
5
    statsInterval := flag.Duration("stats", 10*time.Second, "Statistics interval")
6
    flag.Parse()
7

8
    // Initialize statistics
9
    stats := &packetStats{
10
        StartTime: time.Now(),
11
    }
12

13
    // Remove memory limits for eBPF
14
    if err := rlimit.RemoveMemlock(); err != nil {
15
        log.Fatalf("Failed to remove memlock: %v", err)
16
    }
17

18
    // Load eBPF objects
19
    var objs packetSniffObjects
20
    if err := loadPacketSniffObjects(&objs, nil); err != nil {
21
        log.Fatalf("Error loading eBPF objects: %v", err)
22
    }
23
    defer objs.Close()
24

25
    // Get network interface
26
    iface, err := net.InterfaceByName(*ifaceName)
27
    if err != nil {
28
        log.Fatalf("Error getting interface %s: %v", *ifaceName, err)
29
    }
30

31
    // Attach XDP program
32
    xdpLink, err := link.AttachXDP(link.XDPOptions{
33
        Program:   objs.CapturePacketData,
34
        Interface: iface.Index,
35
    })
36
    if err != nil {
37
        log.Fatalf("Error attaching XDP program: %v", err)
38
    }
39
    defer xdpLink.Close()
40

41
    // Create ring buffer reader
42
    rd, err := ringbuf.NewReader(objs.PacketRingbuf)
43
    if err != nil {
44
        log.Fatalf("Error creating ring buffer reader: %v", err)
45
    }
46
    defer rd.Close()
47

48
    log.Printf("Monitoring packets on interface: %s", *ifaceName)
49
    log.Printf("Verbose mode: %v", *verbose)
50

51
    // Setup signal handling
52
    stopChan := make(chan os.Signal, 1)
53
    signal.Notify(stopChan, os.Interrupt, syscall.SIGTERM)
54

55
    // Statistics ticker
56
    statsTicker := time.NewTicker(*statsInterval)
57
    defer statsTicker.Stop()
58

59
    // Main monitoring loop
60
    for {
61
        select {
62
        case <-stopChan:
63
            log.Println("Received interrupt, exiting...")
64
            printFinalStats(stats)
65
            return
66

67
        case <-statsTicker.C:
68
            printStats(stats)
69

70
        default:
71
            // Read packet data
72
            record, err := rd.Read()
73
            if err != nil {
74
                if err == ringbuf.ErrClosed {
75
                    return
76
                }
77
                log.Printf("Error reading from ring buffer: %v", err)
78
                continue
79
            }
80

81
            // Parse packet data
82
            var pkt packetData
83
            err = binary.Read(bytes.NewReader(record.RawSample), binary.LittleEndian, &pkt)
84
            if err != nil {
85
                log.Printf("Error parsing packet data: %v", err)
86
                continue
87
            }
88

89
            // Update statistics
90
            updateStats(stats, &pkt)
91

92
            // Print packet information if verbose
93
            if *verbose {
94
                printPacketInfo(&pkt)
95
            }
96
        }
97
    }
98
}

Statistics and Display Functions#

1
func updateStats(stats *packetStats, pkt *packetData) {
2
    stats.TotalPackets++
3

4
    switch pkt.Protocol {
5
    case 6: // TCP
6
        stats.TCPPackets++
7
    case 17: // UDP
8
        stats.UDPPackets++
9
    default:
10
        stats.OtherPackets++
11
    }
12
}
13

14
func printStats(stats *packetStats) {
15
    duration := time.Since(stats.StartTime)
16
    pps := float64(stats.TotalPackets) / duration.Seconds()
17

18
    fmt.Printf("\n=== Statistics (Runtime: %v) ===\n", duration.Round(time.Second))
19
    fmt.Printf("Total Packets: %d (%.2f pps)\n", stats.TotalPackets, pps)
20
    fmt.Printf("TCP Packets:   %d (%.1f%%)\n", stats.TCPPackets,
21
               percentage(stats.TCPPackets, stats.TotalPackets))
22
    fmt.Printf("UDP Packets:   %d (%.1f%%)\n", stats.UDPPackets,
23
               percentage(stats.UDPPackets, stats.TotalPackets))
24
    fmt.Printf("Other Packets: %d (%.1f%%)\n", stats.OtherPackets,
25
               percentage(stats.OtherPackets, stats.TotalPackets))
26
    fmt.Printf("=====================================\n\n")
27
}
28

29
func printPacketInfo(pkt *packetData) {
30
    srcIP := intToIP(pkt.SrcIP)
31
    dstIP := intToIP(pkt.DstIP)
32
    protocolName := getProtocolName(int(pkt.Protocol))
33

34
    timestamp := time.Unix(0, int64(pkt.Timestamp))
35

36
    fmt.Printf("[%s] %s %s:%d -> %s:%d (%d bytes)",
37
        timestamp.Format("15:04:05.000"),
38
        protocolName,
39
        srcIP, pkt.SrcPort,
40
        dstIP, pkt.DstPort,
41
        pkt.PacketSize)
42

43
    // Print flags if present
44
    if pkt.Flags != 0 {
45
        var flags []string
46
        if pkt.Flags&0x01 != 0 { flags = append(flags, "FRAG") }
47
        if pkt.Flags&0x02 != 0 { flags = append(flags, "LOW_TTL") }
48
        if pkt.Flags&0x10 != 0 { flags = append(flags, "SYN") }
49
        if pkt.Flags&0x20 != 0 { flags = append(flags, "FIN") }
50
        if pkt.Flags&0x40 != 0 { flags = append(flags, "RST") }
51

52
        if len(flags) > 0 {
53
            fmt.Printf(" [%s]", strings.Join(flags, ","))
54
        }
55
    }
56

57
    fmt.Println()
58
}
59

60
// Helper functions
61
func intToIP(ip uint32) string {
62
    ipBytes := make([]byte, 4)
63
    binary.BigEndian.PutUint32(ipBytes, ip)
64
    return net.IP(ipBytes).String()
65
}
66

67
func getProtocolName(protocol int) string {
68
    if name, exists := protocolMap[protocol]; exists {
69
        return name
70
    }
71
    return fmt.Sprintf("PROTO_%d", protocol)
72
}
73

74
func percentage(part, total uint64) float64 {
75
    if total == 0 {
76
        return 0
77
    }
78
    return float64(part) / float64(total) * 100
79
}
80

81
func printFinalStats(stats *packetStats) {
82
    fmt.Println("\n=== Final Statistics ===")
83
    printStats(stats)
84
}

Complete User Space Code#

Click to view the complete Go code

1
//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang -cflags $BPF_CFLAGS PacketSniff packet_sniff.c
2

3
package main
4

5
import (
6
    "bytes"
7
    "encoding/binary"
8
    "flag"
9
    "fmt"
10
    "log"
11
    "net"
12
    "os"
13
    "os/signal"
14
    "strings"
15
    "syscall"
16
    "time"
17

18
    "github.com/cilium/ebpf/link"
19
    "github.com/cilium/ebpf/ringbuf"
20
    "github.com/cilium/ebpf/rlimit"
21
)
22

23
var protocolMap = map[int]string{
24
    1:   "ICMP",
25
    2:   "IGMP",
26
    6:   "TCP",
27
    17:  "UDP",
28
    41:  "IPv6",
29
    47:  "GRE",
30
    89:  "OSPF",
31
    132: "SCTP",
32
    255: "Reserved",
33
}
34

35
type packetData struct {
36
    SrcIP      uint32
37
    DstIP      uint32
38
    SrcPort    uint16
39
    DstPort    uint16
40
    Protocol   uint32
41
    PacketSize uint32
42
    Timestamp  uint64
43
    Flags      uint32
44
}
45

46
type packetStats struct {
47
    TotalPackets uint64
48
    TCPPackets   uint64
49
    UDPPackets   uint64
50
    OtherPackets uint64
51
    StartTime    time.Time
52
}
53

54
func main() {
55
    ifaceName := flag.String("iface", "lo", "Network interface to monitor")
56
    verbose := flag.Bool("v", false, "Verbose output")
57
    statsInterval := flag.Duration("stats", 10*time.Second, "Statistics interval")
58
    flag.Parse()
59

60
    stats := &packetStats{StartTime: time.Now()}
61

62
    if err := rlimit.RemoveMemlock(); err != nil {
63
        log.Fatalf("Failed to remove memlock: %v", err)
64
    }
65

66
    var objs packetSniffObjects
67
    if err := loadPacketSniffObjects(&objs, nil); err != nil {
68
        log.Fatalf("Error loading eBPF objects: %v", err)
69
    }
70
    defer objs.Close()
71

72
    iface, err := net.InterfaceByName(*ifaceName)
73
    if err != nil {
74
        log.Fatalf("Error getting interface %s: %v", *ifaceName, err)
75
    }
76

77
    xdpLink, err := link.AttachXDP(link.XDPOptions{
78
        Program:   objs.CapturePacketData,
79
        Interface: iface.Index,
80
    })
81
    if err != nil {
82
        log.Fatalf("Error attaching XDP program: %v", err)
83
    }
84
    defer xdpLink.Close()
85

86
    rd, err := ringbuf.NewReader(objs.PacketRingbuf)
87
    if err != nil {
88
        log.Fatalf("Error creating ring buffer reader: %v", err)
89
    }
90
    defer rd.Close()
91

92
    log.Printf("Monitoring packets on interface: %s", *ifaceName)
93

94
    stopChan := make(chan os.Signal, 1)
95
    signal.Notify(stopChan, os.Interrupt, syscall.SIGTERM)
96

97
    statsTicker := time.NewTicker(*statsInterval)
98
    defer statsTicker.Stop()
99

100
    for {
101
        select {
102
        case <-stopChan:
103
            log.Println("Received interrupt, exiting...")
104
            printFinalStats(stats)
105
            return
106
        case <-statsTicker.C:
107
            printStats(stats)
108
        default:
109
            record, err := rd.Read()
110
            if err != nil {
111
                if err == ringbuf.ErrClosed {
112
                    return
113
                }
114
                log.Printf("Error reading: %v", err)
115
                continue
116
            }
117

118
            var pkt packetData
119
            err = binary.Read(bytes.NewReader(record.RawSample), binary.LittleEndian, &pkt)
120
            if err != nil {
121
                log.Printf("Error parsing: %v", err)
122
                continue
123
            }
124

125
            updateStats(stats, &pkt)
126
            if *verbose {
127
                printPacketInfo(&pkt)
128
            }
129
        }
130
    }
131
}
132

133
func updateStats(stats *packetStats, pkt *packetData) {
134
    stats.TotalPackets++
135
    switch pkt.Protocol {
136
    case 6:
137
        stats.TCPPackets++
138
    case 17:
139
        stats.UDPPackets++
140
    default:
141
        stats.OtherPackets++
142
    }
143
}
144

145
func printStats(stats *packetStats) {
146
    duration := time.Since(stats.StartTime)
147
    pps := float64(stats.TotalPackets) / duration.Seconds()
148

149
    fmt.Printf("\n=== Statistics ===\n")
150
    fmt.Printf("Total: %d (%.2f pps)\n", stats.TotalPackets, pps)
151
    fmt.Printf("TCP: %d, UDP: %d, Other: %d\n",
152
               stats.TCPPackets, stats.UDPPackets, stats.OtherPackets)
153
}
154

155
func printPacketInfo(pkt *packetData) {
156
    srcIP := intToIP(pkt.SrcIP)
157
    dstIP := intToIP(pkt.DstIP)
158
    protocol := getProtocolName(int(pkt.Protocol))
159

160
    fmt.Printf("%s %s:%d -> %s:%d (%db)\n",
161
        protocol, srcIP, pkt.SrcPort, dstIP, pkt.DstPort, pkt.PacketSize)
162
}
163

164
func intToIP(ip uint32) string {
165
    ipBytes := make([]byte, 4)
166
    binary.BigEndian.PutUint32(ipBytes, ip)
167
    return net.IP(ipBytes).String()
168
}
169

170
func getProtocolName(protocol int) string {
171
    if name, exists := protocolMap[protocol]; exists {
172
        return name
173
    }
174
    return fmt.Sprintf("PROTO_%d", protocol)
175
}
176

177
func printFinalStats(stats *packetStats) {
178
    fmt.Println("\n=== Final Statistics ===")
179
    printStats(stats)
180
}

Generate, Build and Run#

Build Process#

1
# Generate Go bindings for eBPF program
2
go generate
3

4
# Build the application
5
go build -o packet-monitor .
6

7
# Run with different options
8
sudo ./packet-monitor -iface eth0 -v
9
sudo ./packet-monitor -iface lo -stats 5s

Makefile for Automation#

1
# Makefile
2
.PHONY: generate build run clean
3

4
BPF_CFLAGS := -O2 -g -Wall -Werror
5

6
generate:
7
  go generate
8

9
build: generate
10
  go build -o packet-monitor .
11

12
run: build
13
  sudo ./packet-monitor -iface lo -v
14

15
run-eth0: build
16
  sudo ./packet-monitor -iface eth0 -stats 5s
17

18
clean:
19
  rm -f packet-monitor
20
  rm -f *.o
21
  rm -f packet_sniff_*
22

23
install-deps:
24
  go mod tidy
25
  sudo apt-get update
26
  sudo apt-get install -y clang llvm
27

28
.DEFAULT_GOAL := build

Where Else Can eBPF Be Used?#

eBPF’s versatility makes it ideal for numerous real-world applications:

Security Enforcement#

1
graph TD
2
    subgraph "eBPF Security Applications"
3
        A["Runtime Protection"] --> A1["System Call Monitoring"]
4
        A --> A2["File Access Control"]
5
        A --> A3["Process Execution Tracking"]
6

7
        B["Network Security"] --> B1["DDoS Mitigation"]
8
        B --> B2["Intrusion Detection"]
9
        B --> B3["Traffic Filtering"]
10

11
        C["Container Security"] --> C1["Namespace Isolation"]
12
        C --> C2["Resource Limits"]
13
        C --> C3["Vulnerability Scanning"]
14
    end
15

16
    style A fill:#ffcdd2
17
    style B fill:#e1f5fe
18
    style C fill:#f3e5f5

Examples:

Netflix: Uses eBPF for real-time DDoS protection, filtering malicious traffic at line rate
Kubernetes Security: Runtime security monitoring for container environments
Zero-Day Protection: Behavioral analysis to detect unknown threats

Observability and Monitoring#

1
# Performance monitoring examples
2
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_openat { @files[str(args->filename)] = count(); }'
3

4
# Network latency tracking
5
sudo bpftrace -e 'kprobe:tcp_sendmsg { @start[tid] = nsecs; } kretprobe:tcp_sendmsg { @latency = hist(nsecs - @start[tid]); delete(@start[tid]); }'
6

7
# Memory allocation tracking
8
sudo bpftrace -e 'tracepoint:kmem:kmalloc { @bytes[comm] = sum(args->bytes_alloc); }'

Load Balancing and Traffic Engineering#

1
// XDP load balancer example
2
SEC("xdp")
3
int load_balancer(struct xdp_md *ctx) {
4
    // Parse packet headers
5
    // Apply load balancing algorithm
6
    // Redirect to appropriate backend
7
    return bpf_redirect(backend_ifindex, 0);
8
}

Advanced Use Cases#

Domain	Application	Benefits
Networking	L4/L7 Load Balancing	Zero-copy packet processing
Security	Runtime Protection	Real-time threat detection
Observability	APM & Tracing	Low-overhead monitoring
Storage	I/O Optimization	Kernel-level storage policies
AI/ML	Data Pipeline Acceleration	In-kernel feature extraction

Performance Considerations#

Optimization Strategies#

1
// Use per-CPU maps to avoid contention
2
struct {
3
    __uint(type, BPF_MAP_TYPE_PERCPU_HASH);
4
    __uint(max_entries, 10000);
5
    __type(key, __u32);
6
    __type(value, struct stats);
7
} percpu_stats SEC(".maps");
8

9
// Minimize map lookups
10
__always_inline static void update_stats_efficient(__u32 key) {
11
    struct stats *s = bpf_map_lookup_elem(&percpu_stats, &key);
12
    if (s) {
13
        s->count++;
14
        s->bytes += packet_size;
15
    }
16
}
17

18
// Use ring buffers for high-throughput events
19
struct {
20
    __uint(type, BPF_MAP_TYPE_RINGBUF);
21
    __uint(max_entries, 256 * 1024);
22
} events SEC(".maps");

Benchmarking Results#

Metric	Traditional Tools	eBPF Implementation
Packet Processing	~1M pps	~10M pps
CPU Overhead	15-20%	2-5%
Memory Usage	High	Minimal
Latency Impact	100-500μs	<10μs

Conclusion#

eBPF revolutionizes kernel space programming by providing:

Safety: Verified execution prevents system crashes
Performance: JIT compilation and zero-copy operations
Flexibility: Dynamic loading without kernel modifications
Observability: Unprecedented system visibility

The combination of XDP for high-performance packet processing and eBPF’s kernel integration capabilities opens new possibilities for system optimization, security enforcement, and observability that were previously impossible or impractical.

Next Steps#

Experiment with the provided packet capture example
Explore different eBPF program types (kprobe, tracepoint, cgroup)
Build custom monitoring and security tools
Integrate eBPF programs with existing infrastructure
Contribute to the growing eBPF ecosystem