Real-time network & syscall monitoring tool for Linux systems and Kubernetes clusters
bpfsnitch is an open-source, real-time monitoring tool for Linux systems and Kubernetes clusters. Inspired by GlassWire, bpfsnitch leverages eBPF (extended Berkeley Packet Filter) technology to provide observability at the lowest level possible by tracking system calls and network activities. It is capable of monitoring every syscall and network event in real-time, offering valuable insights into what's happening inside your systems and containers.
libbpf and related dependencies are installed.

Deploy bpfsnitch as a DaemonSet to monitor all nodes in your cluster:

```bash
curl -s https://raw.githubusercontent.com/nullswan/bpfsnitch/main/deployments/daemonset.yaml | kubectl apply -f -
```
bpfsnitch exposes a variety of Prometheus metrics, providing insights into syscalls and network activities. A sample scrape looks like this:

```text
# HELP bpfsnitch_dns_query_counter Number of DNS queries
# TYPE bpfsnitch_dns_query_counter counter
bpfsnitch_dns_query_counter{container="kube-proxy-cwn8r"} 23
# HELP bpfsnitch_network_received_bytes_counter Number of bytes received
# TYPE bpfsnitch_network_received_bytes_counter counter
bpfsnitch_network_received_bytes_counter{pod="nginx-7b9f54988c-2tpbd",remote_subnet="0.0.0.0/24"} 1334512
# HELP bpfsnitch_network_received_packets_counter Number of packets received
# TYPE bpfsnitch_network_received_packets_counter counter
bpfsnitch_network_received_packets_counter{pod="nginx-7b9f54988c-2tpbd",remote_subnet="0.0.0.0/24"} 623
# HELP bpfsnitch_network_sent_bytes_counter Number of bytes sent
# TYPE bpfsnitch_network_sent_bytes_counter counter
bpfsnitch_network_sent_bytes_counter{pod="kube-proxy-cwn8r",remote_subnet="1.2.3.0/24"} 1293500
bpfsnitch_network_sent_bytes_counter{pod="kube-proxy-cwn8r",remote_subnet="1.2.97.0/24"} 80
bpfsnitch_network_sent_bytes_counter{pod="kube-proxy-cwn8r",remote_subnet="1.2.111.0/24"} 310
bpfsnitch_network_sent_bytes_counter{pod="kube-proxy-cwn8r",remote_subnet="1.2.108.0/24"} 65
# HELP bpfsnitch_network_sent_packets_counter Number of packets sent
# TYPE bpfsnitch_network_sent_packets_counter counter
bpfsnitch_network_sent_packets_counter{pod="kube-proxy-cwn8r",remote_subnet="1.2.3.0/24"} 1529
bpfsnitch_network_sent_packets_counter{pod="kube-proxy-cwn8r",remote_subnet="1.2.97.0/24"} 1
bpfsnitch_network_sent_packets_counter{pod="kube-proxy-cwn8r",remote_subnet="1.2.111.0/24"} 3
bpfsnitch_network_sent_packets_counter{pod="kube-proxy-cwn8r",remote_subnet="1.2.108.0/24"} 1
# HELP bpfsnitch_syscall_counter Number of syscalls
# TYPE bpfsnitch_syscall_counter counter
bpfsnitch_syscall_counter{pod="kube-proxy-cwn8r",syscall="arch_prctl"} 520
bpfsnitch_syscall_counter{pod="kube-proxy-cwn8r",syscall="bind"} 2713
bpfsnitch_syscall_counter{pod="kube-proxy-cwn8r",syscall="clone"} 818
bpfsnitch_syscall_counter{pod="kube-proxy-cwn8r",syscall="connect"} 264
bpfsnitch_syscall_counter{pod="kube-proxy-cwn8r",syscall="getrandom"} 578
bpfsnitch_syscall_counter{pod="kube-proxy-cwn8r",syscall="getsockname"} 2845
bpfsnitch_syscall_counter{pod="kube-proxy-cwn8r",syscall="read"} 16424
bpfsnitch_syscall_counter{pod="kube-proxy-cwn8r",syscall="recvmsg"} 56939
bpfsnitch_syscall_counter{pod="kube-proxy-cwn8r",syscall="sendmsg"} 443
bpfsnitch_syscall_counter{pod="kube-proxy-cwn8r",syscall="sendto"} 32007
bpfsnitch_syscall_counter{pod="kube-proxy-cwn8r",syscall="setsockopt"} 819
bpfsnitch_syscall_counter{pod="kube-proxy-cwn8r",syscall="socket"} 2845
bpfsnitch_syscall_counter{pod="kube-proxy-cwn8r",syscall="wait4"} 818
```
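Because the metrics above are plain Prometheus text exposition, a consumer does not need a Prometheus server to act on them: a scrape can be parsed and aggregated directly, for instance to total a pod's egress across all remote subnets or to list pods in which a particular syscall was observed. The following Go program is an added example, not part of bpfsnitch; `ParseExposition`, `BytesSentPerPod` and `PodsWithSyscall` are names chosen here, and `sampleScrape` is a constructed excerpt modelled on the README's output rather than a real capture.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Sample is one parsed line of Prometheus text exposition: name{labels} value.
type Sample struct {
	Name   string
	Labels map[string]string
	Value  float64
}

// parseLabels turns `a="x",b="y"` into a map. bpfsnitch's label values
// contain no commas or escaped quotes, so a simple split is sufficient here.
func parseLabels(s string) map[string]string {
	labels := map[string]string{}
	for _, kv := range strings.Split(s, ",") {
		k, v, ok := strings.Cut(strings.TrimSpace(kv), "=")
		if !ok {
			continue
		}
		labels[k] = strings.Trim(v, `"`)
	}
	return labels
}

// ParseExposition parses exposition text, skipping # HELP / # TYPE comments
// and blank lines, and fails on a line that has no numeric value.
func ParseExposition(text string) ([]Sample, error) {
	var out []Sample
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		sp := strings.LastIndexByte(line, ' ') // value is the last field
		if sp < 0 {
			return nil, fmt.Errorf("malformed sample: %q", line)
		}
		val, err := strconv.ParseFloat(line[sp+1:], 64)
		if err != nil {
			return nil, fmt.Errorf("bad value in %q: %w", line, err)
		}
		head := line[:sp]
		name, labels := head, map[string]string{}
		if i := strings.IndexByte(head, '{'); i >= 0 {
			if !strings.HasSuffix(head, "}") {
				return nil, fmt.Errorf("unterminated label set: %q", line)
			}
			name = head[:i]
			labels = parseLabels(head[i+1 : len(head)-1])
		}
		out = append(out, Sample{Name: name, Labels: labels, Value: val})
	}
	return out, sc.Err()
}

// BytesSentPerPod sums bpfsnitch_network_sent_bytes_counter over all
// remote_subnet label values, giving one egress total per pod.
func BytesSentPerPod(samples []Sample) map[string]float64 {
	totals := map[string]float64{}
	for _, s := range samples {
		if s.Name == "bpfsnitch_network_sent_bytes_counter" {
			totals[s.Labels["pod"]] += s.Value
		}
	}
	return totals
}

// PodsWithSyscall returns, sorted, the pods for which bpfsnitch counted the
// named syscall at least once in this scrape.
func PodsWithSyscall(samples []Sample, syscall string) []string {
	seen := map[string]bool{}
	for _, s := range samples {
		if s.Name == "bpfsnitch_syscall_counter" && s.Labels["syscall"] == syscall && s.Value > 0 {
			seen[s.Labels["pod"]] = true
		}
	}
	pods := make([]string, 0, len(seen))
	for p := range seen {
		pods = append(pods, p)
	}
	sort.Strings(pods)
	return pods
}

// sampleScrape is a constructed excerpt in the same shape as the README's
// metrics; the values are illustrative, not captured from a real cluster.
const sampleScrape = `# HELP bpfsnitch_network_sent_bytes_counter Number of bytes sent
# TYPE bpfsnitch_network_sent_bytes_counter counter
bpfsnitch_network_sent_bytes_counter{pod="kube-proxy-cwn8r",remote_subnet="1.2.3.0/24"} 1293500
bpfsnitch_network_sent_bytes_counter{pod="kube-proxy-cwn8r",remote_subnet="1.2.97.0/24"} 80
bpfsnitch_network_sent_bytes_counter{pod="nginx-7b9f54988c-2tpbd",remote_subnet="0.0.0.0/24"} 4096
# HELP bpfsnitch_syscall_counter Number of syscalls
# TYPE bpfsnitch_syscall_counter counter
bpfsnitch_syscall_counter{pod="kube-proxy-cwn8r",syscall="connect"} 264
bpfsnitch_syscall_counter{pod="nginx-7b9f54988c-2tpbd",syscall="execve"} 2
`

func main() {
	samples, err := ParseExposition(sampleScrape)
	if err != nil {
		panic(err)
	}
	for pod, b := range BytesSentPerPod(samples) {
		fmt.Printf("%s sent %.0f bytes\n", pod, b)
	}
	fmt.Println("pods that called execve:", PodsWithSyscall(samples, "execve"))
}
```

Counters only grow between restarts, so a real consumer would scrape twice and work with the delta; the per-scrape aggregation shown is the building block for that.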
Starting from v0.1.0, bpfsnitch is built to be lightweight and efficient using eBPF technology. It monitors syscalls and network events at the kernel level, providing real-time insights with minimal system impact.

In production, bpfsnitch typically uses an average of 5ms of CPU per 60-second scrape and maintains a memory footprint of up to 250MB. It is statically bound to a maximum of 100ms CPU usage, ensuring consistent performance regardless of system configuration or workload. See the DaemonSet resources.

To monitor bpfsnitch's performance in real-time, start it with the `-pprof` flag to expose a pprof server. Access live profiling data at the `/debug/pprof` route to analyze CPU and memory usage and optimize performance as needed.
We are committed to providing detailed performance benchmarks and optimization tips in future releases to help you maximize bpfsnitch's benefits.
bpfsnitch comes with a predefined list of syscalls to monitor, focusing on critical operations that could affect system security or stability. We plan to provide a configurable syscall whitelist in future releases, allowing you to tailor monitoring to your specific needs.
```go
// SyscallToId maps a syscall name to its number; it is defined elsewhere in
// the project and not shown here. The list below is truncated in the README.
var WhitelistedSyscalls = []int{
	SyscallToId["clone"],
	SyscallToId["execve"],
	SyscallToId["mknodat"],
	SyscallToId["chroot"],
	SyscallToId["mount"],
	SyscallToId["umount2"],
	SyscallToId["pivot_root"],
	SyscallToId["setuid"],
	SyscallToId["setgid"],
	// ...
}
```
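A whitelist built from a name-to-number table has one pitfall worth handling: indexing a Go map with a name that is not present yields the zero value, and on x86_64 syscall number 0 is `read`, so a misspelled entry would silently count `read` instead of the intended call. The program below is an added example, not bpfsnitch's code; `syscallToID` is a stand-in for the project's `SyscallToId` table (which the README references but does not show) populated with the x86_64 numbers for the names in the whitelist above, and `NewWhitelist`, `Whitelist`, `Event` and `CountWhitelisted` are names chosen here. The event stream in `main` is constructed.

```go
package main

import "fmt"

// syscallToID stands in for bpfsnitch's SyscallToId table. These are the
// x86_64 syscall numbers for the names listed in the README's whitelist.
var syscallToID = map[string]int{
	"clone": 56, "execve": 59, "mknodat": 259, "chroot": 161, "mount": 165,
	"umount2": 166, "pivot_root": 155, "setuid": 105, "setgid": 106,
}

// Whitelist is the set of syscall numbers that should be counted.
type Whitelist map[int]struct{}

// NewWhitelist resolves names to numbers and refuses unknown names, so a
// typo surfaces at startup instead of silently whitelisting syscall 0.
func NewWhitelist(names []string) (Whitelist, error) {
	wl := Whitelist{}
	for _, n := range names {
		id, ok := syscallToID[n]
		if !ok {
			return nil, fmt.Errorf("unknown syscall name %q", n)
		}
		wl[id] = struct{}{}
	}
	return wl, nil
}

// Allowed reports whether a raw syscall number is in the whitelist.
func (w Whitelist) Allowed(nr int) bool {
	_, ok := w[nr]
	return ok
}

// Event is a minimal syscall event as a user-space consumer would receive it
// from the kernel side: which pod made the call and the syscall number.
type Event struct {
	Pod string
	Nr  int
}

// CountWhitelisted aggregates events into per-pod, per-syscall counts,
// dropping everything outside the whitelist before it reaches metrics.
func CountWhitelisted(w Whitelist, events []Event) map[string]map[int]int {
	counts := map[string]map[int]int{}
	for _, e := range events {
		if !w.Allowed(e.Nr) {
			continue
		}
		if counts[e.Pod] == nil {
			counts[e.Pod] = map[int]int{}
		}
		counts[e.Pod][e.Nr]++
	}
	return counts
}

func main() {
	wl, err := NewWhitelist([]string{"clone", "execve", "setuid"})
	if err != nil {
		panic(err)
	}
	// Constructed event stream: 0 (read) and 1 (write) are high-volume and
	// not whitelisted; 59 (execve) and 105 (setuid) are.
	events := []Event{{"nginx", 0}, {"nginx", 1}, {"nginx", 59}, {"nginx", 105}, {"nginx", 59}}
	for pod, perSyscall := range CountWhitelisted(wl, events) {
		for nr, n := range perSyscall {
			fmt.Printf("pod=%s syscall=%d count=%d\n", pod, nr, n)
		}
	}
	// A misspelled name is rejected rather than mapped to syscall 0.
	if _, err := NewWhitelist([]string{"exceve"}); err != nil {
		fmt.Println("rejected:", err)
	}
}
```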
bpfsnitch is not only a powerful monitoring tool but also an excellent educational resource. It provides insights into:
bpfsnitch is released under the GNU General Public License (GPL).
If you find bpfsnitch valuable, please give us a ⭐ star on GitHub and share it with others who might be interested. Your support helps us improve and grow the project!
Feel free to reach out if you have any questions or need assistance getting started with bpfsnitch. We look forward to your feedback!