stephensanwo/ebpf-examples

Exploring eBPF

Core eBPF Examples

  • System Call Tracing: Monitor execve() calls and process creation
  • System Call Counting: Collect and analyze syscall statistics
  • TCP Connection Monitoring: Track network connections and traffic
  • File I/O Security Monitoring: Block and monitor access to protected files
  • HTTP Session Tracing: Capture complete HTTP request/response pairs using eBPF

🛡️ File I/O Security Monitoring (NEW!)

The I/O blocking example demonstrates eBPF-based file system security:

  • eBPF Kernel: Monitors file open operations at the system call level (openat)
  • Real-time Alerts: Immediately detects when protected_file.txt is accessed
  • Clean Detection: Simple, focused monitoring of file opening operations
  • Process Tracking: Shows which processes attempt to access protected files
  • Zero Bypass: Cannot be circumvented by applications, since the monitoring happens at the kernel level

🌐 HTTP Session Tracing (NEW!)

The HTTP tracer demonstrates application-layer monitoring following the Datadog eBPF tutorial:

  • eBPF Kernel: Hooks the accept4, read, write and close syscalls to capture HTTP traffic
  • Session Reconstruction: Builds complete request/response pairs from syscall data
  • Zero Instrumentation: Monitors HTTP sessions without modifying application code
  • Real-time Capture: Shows live HTTP traffic with timing and payload information
  • Lima VM Integration: Runs the FastAPI server and the eBPF tracer in the same environment
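The session reconstruction step above, shown as an added userspace-side example (not the repository's own code): it assumes the tracer hands userspace a stream of events shaped (ts_ns, pid, syscall, fd, payload), which is an assumption about the event layout, and pairs the bytes read and written on each accepted socket until that fd is closed. Partial reads are reassembled, and reads on fds that never came from accept4 (regular files) are ignored.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample events in the shape (ts_ns, pid, syscall, fd, payload).
# This layout is an assumption, not the repository's actual event struct.
SAMPLE_EVENTS = [
    (1_000_000, 4242, "accept4", 7, b""),
    (1_050_000, 4242, "read", 7, b"GET /health HTTP/1.1\r\nHost: loc"),   # partial read
    (1_060_000, 4242, "read", 7, b"alhost\r\n\r\n"),                        # rest of request
    (1_200_000, 4242, "read", 3, b"not a socket, ignored"),                # fd 3 never accept4'd
    (3_000_000, 4242, "write", 7, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    (3_500_000, 4242, "close", 7, b""),
]

@dataclass
class Session:
    pid: int
    fd: int
    opened_ns: int
    request: bytes = b""
    response: bytes = b""
    closed_ns: Optional[int] = None

    def summary(self) -> Tuple[int, str, str, Optional[int]]:
        """(pid, request line, status line, duration in microseconds)."""
        req_line = self.request.split(b"\r\n", 1)[0].decode("ascii", "replace")
        status = self.response.split(b"\r\n", 1)[0].decode("ascii", "replace")
        dur_us = None if self.closed_ns is None else (self.closed_ns - self.opened_ns) // 1000
        return (self.pid, req_line, status, dur_us)

def reconstruct(events) -> List[Session]:
    """Pair reads/writes on fds returned by accept4 until the fd is closed."""
    live: Dict[Tuple[int, int], Session] = {}   # keyed by (pid, fd): fds are per-process
    finished: List[Session] = []
    for ts, pid, sc, fd, data in events:
        key = (pid, fd)
        if sc == "accept4":
            live[key] = Session(pid, fd, ts)     # new client socket
        elif key not in live:
            continue                             # read/write/close on a non-socket fd: skip
        elif sc == "read":
            live[key].request += data            # client -> server bytes
        elif sc == "write":
            live[key].response += data           # server -> client bytes
        elif sc == "close":
            s = live.pop(key)
            s.closed_ns = ts
            finished.append(s)
    return finished
```

Calling `reconstruct(SAMPLE_EVENTS)` yields one session whose `summary()` is `(4242, "GET /health HTTP/1.1", "HTTP/1.1 200 OK", 2500)`.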

Quick Start

```bash
# 1. Setup Lima VM with eBPF environment
make setup

# 2. Try the HTTP session tracer (Datadog tutorial implementation)
# Terminal 1: Start FastAPI server
make run-http-server

# Terminal 2: Start eBPF HTTP tracer
make run-http-tracer

# Terminal 3: Generate traffic and see live capture
make shell
bash /home/lima/ebpf-examples/scripts/test-http-tracer.sh

# 3. Or try other examples
make run-io-monitor   # File I/O security monitoring
make run-tracer       # System call tracing
make run-counter      # System call counting
make run-tcp          # TCP connection monitoring
```

eBPF Resources

TLDR

Videos

Articles & Documentation

Tools & Repositories