ebpf-demo2

A modular eBPF-based system monitoring tool for collecting and forwarding system events.

Current Project Structure

Prerequisites

• Linux kernel 4.15+
• Python 3.8+
• BCC tools
• Root privileges (for eBPF operations)

Installation

1. System Dependencies

sudo apt-get update && sudo apt-get install -y \
    bpfcc-tools \
    linux-headers-generic \
    python3-pip \
    python3-dev

2. Python Environment Setup

# Create virtual environment
python3 -m venv venv
source venv/bin/activate

# Install package and dependencies
pip install -e ".[dev]"

Configuration

Edit config/config.yaml to customize the monitoring:

collectors:
  - type: syscall
    enabled: true
    syscalls:
      - execve
      - open
      - connect

emitters:
  - type: tcp
    enabled: true
    host: localhost
    port: 5000
    format: proto

debug: false
log_level: INFO
buffer_size: 1024

Usage

Running Locally

1. Direct Execution

# With default configuration
sudo python -m src.main

# With custom configuration
sudo python -m src.main --config path/to/config.yaml

2. Docker Execution

# Build the collector image
docker build -f Dockerfile.collector -t ebpf-collector .

# Run the collector
docker run --privileged \
    -v /sys/kernel/debug:/sys/kernel/debug:ro \
    ebpf-collector

Components

Collectors

1. Syscall Collector (src/collectors/syscall_collector.py)
   • Monitors system calls
   • Configurable syscall list
   • Captures:
     • Process ID (PID)
     • Timestamp
     • Command name

Emitters

1. TCP Emitter (src/core/base_emitter.py)
   • Streams events over TCP
   • Configurable host/port
   • Supports Protocol Buffer format

Development

Adding a New Collector

1. Create a new collector in src/collectors/:

from ..core.base_collector import BaseCollector

class MyCollector(BaseCollector):
    def __init__(self, config: dict):
        bpf_source = """
        // Your eBPF program here
        """
        super().__init__(bpf_source, config)
        self.tables = ["events"]

    def setup_probes(self) -> None:
        # Setup your probes
        pass

    def process_event(self, cpu: int, data: Any, size: int) -> dict:
        # Process and return event data
        pass

Adding a New Emitter

1. Create a new emitter in src/emitters/:

from ..core.base_emitter import BaseEmitter

class MyEmitter(BaseEmitter):
    def connect(self) -> None:
        # Setup connection
        pass

    def emit(self, event: Dict[str, Any]) -> None:
        # Emit event
        pass

    def close(self) -> None:
        # Cleanup
        pass

Troubleshooting

Common Issues

1. Permission Errors

   
   # Error: Permission denied
   Solution: Run with sudo
   sudo python -m src.main
   

2. BPF Filesystem

   
   # Check if BPF filesystem is mounted
   mount | grep bpf
   
   # Mount if needed
   sudo mount -t bpf bpf /sys/fs/bpf/
   

3. Module Not Found

   
   # Verify installation
   pip list | grep ebpf-demo2
   
   # Reinstall if needed
   pip install -e .
   

Future Enhancements

1. Network monitoring collector
2. File output emitter
3. Kubernetes deployment support
4. Real-time visualization
5. Event filtering capabilities

License

This project is licensed under the MIT License - see the LICENSE file for details.

Contributing

1. Fork the repository
2. Create your feature branch (git checkout -b feature/amazing-feature)
3. Commit your changes (git commit -m 'Add amazing feature')
4. Push to the branch (git push origin feature/amazing-feature)
5. Open a Pull Request