

中文 · English


PacketScope: "Smart Armor" for Server-Side Defense

Try Demo

What's New: Analyzer module fully rewritten in Go + cilium/ebpf, replacing the original Python + BCC implementation. Lightweight redesign removes BCC runtime dependency, uses CO-RE (bpf2go) for pre-compiled eBPF, and adds MCP skill integration for each module.

PacketScope is a general-purpose protocol stack analysis and debugging tool based on eBPF. It integrates performance optimization, anomaly diagnosis, and security defense. It aims to implement fine-grained tracing and intelligent analysis of network packets at the protocol stack level on the server side. By solving three major pain points (difficult diagnosis of performance bottlenecks, unclear transmission paths, and hard-to-detect low-level attacks), PacketScope provides visualized, intelligent endpoint-side security analysis and defense capabilities.


Background

With the proliferation of social platforms, online banking, large-scale AI models, logistics, and travel services, open servers have become key execution environments. These must balance performance and security under the condition of being openly accessible. Traditional WAFs and IDS tools have blind spots in protocol stack-level defense, which PacketScope addresses:

🚨 Three Core Pain Points:

  1. Unclear packet paths through the protocol stack make bottlenecks and faults hard to diagnose
  2. Lack of fine-grained cross-domain transmission data makes routing risks invisible
  3. Low-level protocol stack attacks are stealthy and difficult to detect with traditional tools

Through protocol tracing, path visualization, and intelligent analysis, PacketScope builds "smart armor" for the server.

🚀 Core Capabilities

  • 🧠 Intelligent Engine: Combines eBPF with LLMs for low-level network behavior observation and intelligent security defense
  • 📊 Multidimensional Analysis: Real-time tracking of network paths, statistics on latency, packet loss, interaction frequency
  • 🌐 Global Network Visualization: Maps global paths and latency, presented on a topology graph
  • 🔐 Protocol Stack Defense: Detects and intercepts low-level abnormal traffic, covering the blind spots of traditional WAF/IDS
  • 🤖 MCP Skill Integration: Each module provides an MCP server for LLM agent integration (Trae, Cline, etc.)
  • 🖥️ User-Friendly Interface: GUI designed for easy use by security engineers and operators

⚡ Getting Started

Prerequisites

  • Docker: Version 20.10 or higher
  • Docker Compose: Version 2.0 or higher
docker --version
docker compose version

One-Click Deployment

git clone https://github.com/Internet-Architecture-and-Security/PacketScope.git
cd PacketScope
sudo bash starter.sh

The script will automatically check Docker, build all containers in order, and start all services.

Access the Application

Open your browser: http://localhost:4173/

Service Endpoints

| Service | Endpoint | Description |
| --- | --- | --- |
| Web UI | http://localhost:4173 | Frontend dashboard |
| Guarder API | http://localhost:8080 | Security & filtering API |
| Tracer API | http://localhost:8000 | Route tracing API |
| Monitor API | http://localhost:8010 | Packet capture & function call API |
| Calculator WS | ws://localhost:8020 | Cross-layer metrics WebSocket |

Managing Services

sudo docker compose ps              # View status
sudo docker compose logs -f         # View logs
sudo docker compose down            # Stop all
sudo docker compose restart <name>  # Restart a service

πŸ“ Project Structure

PacketScope/
├── modules/                    # Backend service modules
│   ├── Analyzer/              # Protocol stack analysis (Go)
│   │   ├── Monitor/           # Packet capture & function call monitor (Go + eBPF)
│   │   ├── Calculator/        # Cross-layer metrics calculator (Go + eBPF)
│   │   ├── README.md          # English docs
│   │   └── README-zh.md       # Chinese docs
│   ├── Guarder/               # Security defense (Go + eBPF/XDP)
│   └── Tracer/                # Route tracing & risk analysis (Python + MCP)
├── skills/                     # MCP skill packages for LLM agents
│   ├── monitor/               # Monitor MCP server & client
│   ├── tracer/                # Tracer MCP server & client
│   └── guarder/               # Guarder MCP client
├── src/                        # Frontend source (React + TypeScript)
├── docker-compose.yml          # Docker Compose configuration
├── starter.sh                  # One-click deployment script
├── README.md                   # This file
└── README-zh_CN.md             # Chinese docs

✨ Functional Modules

Analyzer: Protocol Stack Analysis

The Analyzer module has been fully rewritten in Go + cilium/ebpf, replacing the original Python + BCC implementation. This lightweight redesign removes BCC runtime dependency, uses CO-RE (bpf2go) for pre-compiled eBPF, and significantly improves deployment portability.

Monitor captures packets and tracks kernel function calls:

| Component | Technology | Port | Description |
| --- | --- | --- | --- |
| kbatch | eBPF fentry/kprobe | - | Kernel function call monitoring |
| tcxprober | eBPF TC | - | Network packet capture (ingress/egress) |
| server | Go HTTP | 8010 | RESTful API query service |

Calculator computes real-time cross-layer metrics:

| Metric | Description |
| --- | --- |
| PPS | Per-layer packet rate (link, network, transport) |
| LAT | Cross-layer latency (link↔network, network↔transport, link↔transport) |
| DROP | TCP packet loss rate |

Communication via WebSocket (port 8020), metrics pushed every second.
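To make the three metric families concrete, the following Go program is an added example written for this README; it is not code from the PacketScope Analyzer. It assumes a per-packet identifier that stays the same at every layer and an ingress direction (link, then network, then transport); both are constructed assumptions, as is the four-packet trace it aggregates. It shows how per-layer PPS, mean cross-layer latency and TCP drop rate fall out of one window of layer-tagged observations, and how a packet that never reaches the transport layer contributes to PPS but not to transport latency.

```go
package main

import (
	"fmt"
	"time"
)

// Layer is the protocol-stack hook point at which a packet was observed.
type Layer int

const (
	Link      Layer = iota // link layer, e.g. a TC ingress/egress hook
	Network                // network layer, e.g. IP receive/transmit
	Transport              // transport layer, e.g. TCP receive/send
)

func (l Layer) String() string { return [...]string{"link", "network", "transport"}[l] }

// Event is one observation of a packet at one layer. ID is an assumed
// per-packet key that is identical at every layer; it is constructed for
// this example and is not how the real tool keys its BPF maps.
type Event struct {
	ID      uint64
	Layer   Layer
	TS      time.Duration // time since the start of the sampling window
	TCPDrop bool          // set on a transport-layer event whose segment was dropped
}

// LayerPair names the two layers a latency sample spans, lower layer first (ingress order).
type LayerPair struct{ From, To Layer }

// Metrics mirrors the metric table above: per-layer packet rate (PPS),
// mean cross-layer latency (LAT) and TCP packet loss rate (DROP).
type Metrics struct {
	PPS      map[Layer]float64
	LAT      map[LayerPair]time.Duration
	DropRate float64
}

// Compute aggregates one sampling window. A latency sample for a pair is
// taken only from packets seen at both of its layers, so a packet that
// stops at the IP layer still counts toward link and network PPS but adds
// no sample to any pair that involves the transport layer.
func Compute(events []Event, window time.Duration) Metrics {
	m := Metrics{PPS: map[Layer]float64{}, LAT: map[LayerPair]time.Duration{}}
	count := map[Layer]int{}
	firstSeen := map[uint64]map[Layer]time.Duration{} // packet ID -> layer -> first timestamp
	dropped := 0

	for _, ev := range events {
		count[ev.Layer]++
		if ev.Layer == Transport && ev.TCPDrop {
			dropped++
		}
		seen, ok := firstSeen[ev.ID]
		if !ok {
			seen = map[Layer]time.Duration{}
			firstSeen[ev.ID] = seen
		}
		if _, already := seen[ev.Layer]; !already {
			seen[ev.Layer] = ev.TS // keep the earliest observation per layer
		}
	}

	for layer, n := range count {
		m.PPS[layer] = float64(n) / window.Seconds()
	}

	for _, p := range []LayerPair{{Link, Network}, {Network, Transport}, {Link, Transport}} {
		var sum time.Duration
		samples := 0
		for _, seen := range firstSeen {
			from, okFrom := seen[p.From]
			to, okTo := seen[p.To]
			if okFrom && okTo {
				sum += to - from
				samples++
			}
		}
		if samples > 0 {
			m.LAT[p] = sum / time.Duration(samples)
		}
	}

	if n := count[Transport]; n > 0 {
		m.DropRate = float64(dropped) / float64(n)
	}
	return m
}

// SampleEvents is a constructed ingress trace of four packets in a 1 s window:
// three reach TCP (one is dropped there) and one stops at the IP layer.
func SampleEvents() []Event {
	ms := time.Millisecond
	return []Event{
		{ID: 1, Layer: Link, TS: 0 * ms}, {ID: 1, Layer: Network, TS: 1 * ms}, {ID: 1, Layer: Transport, TS: 3 * ms},
		{ID: 2, Layer: Link, TS: 10 * ms}, {ID: 2, Layer: Network, TS: 12 * ms}, {ID: 2, Layer: Transport, TS: 13 * ms},
		{ID: 3, Layer: Link, TS: 20 * ms}, {ID: 3, Layer: Network, TS: 21 * ms}, {ID: 3, Layer: Transport, TS: 23 * ms, TCPDrop: true},
		{ID: 4, Layer: Link, TS: 30 * ms}, {ID: 4, Layer: Network, TS: 33 * ms},
	}
}

func main() {
	m := Compute(SampleEvents(), time.Second)
	for _, l := range []Layer{Link, Network, Transport} {
		fmt.Printf("PPS  %-9s %.0f\n", l, m.PPS[l])
	}
	for _, p := range []LayerPair{{Link, Network}, {Network, Transport}, {Link, Transport}} {
		fmt.Printf("LAT  %s->%s %v\n", p.From, p.To, m.LAT[p])
	}
	fmt.Printf("DROP %.3f\n", m.DropRate)
}
```

On the constructed trace the aggregator reports 4/4/3 packets per second at link/network/transport, a mean link-to-transport latency of 3 ms, and a drop rate of one in three. An egress pipeline would walk the layers in the opposite order, so the pair direction would need to be flipped there.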

See Analyzer/README.md for details.

Tracer: Route Tracing & Risk Analysis

Maps network paths from the host to any global IP with geographic/ASN enrichment, anomaly detection, and Spamhaus-based risk scoring.

| Feature | Description |
| --- | --- |
| traceroute | Real-time with ICMP/TCP, per-hop streaming |
| GeoIP | City and ASN enrichment via MaxMind GeoLite2 |
| Anomaly detection | Historical path comparison, path deviation alerts |
| Risk scoring | Malicious IP detection against Spamhaus DROP/EDROP |

HTTP API on port 8000, MCP server for LLM agent integration.
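The two analysis features in the table, historical path comparison and Spamhaus-based risk scoring, can be shown end to end in a short Go program. This is an added example written for this README, not the Tracer module's own (Python) code. It assumes the published DROP text format of one "CIDR ; SBL-id" entry per line with ';' comment lines; the list contents, the SBL ids and the two hop paths are constructed from RFC 5737 documentation ranges. The hop-5 entry with no address stands for a hop that did not answer.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Hop is one traceroute hop; Addr is the zero value when the hop did not answer.
type Hop struct {
	TTL  int
	Addr netip.Addr
}

// DropList holds the prefixes of a Spamhaus DROP/EDROP-style list, whose
// text form is one "CIDR ; SBL-id" entry per line with ';' comment lines.
type DropList struct{ prefixes []netip.Prefix }

// ParseDropList parses the list text; a malformed entry is an error, not skipped.
func ParseDropList(text string) (DropList, error) {
	var dl DropList
	for _, raw := range strings.Split(text, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, ";") {
			continue
		}
		cidr := line
		if i := strings.Index(line, ";"); i >= 0 {
			cidr = strings.TrimSpace(line[:i]) // strip the trailing "; SBLxxx" annotation
		}
		p, err := netip.ParsePrefix(cidr)
		if err != nil {
			return DropList{}, fmt.Errorf("bad DROP entry %q: %w", line, err)
		}
		dl.prefixes = append(dl.prefixes, p)
	}
	return dl, nil
}

// Contains reports whether addr falls inside any listed prefix.
func (dl DropList) Contains(addr netip.Addr) bool {
	for _, p := range dl.prefixes {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// RiskScore returns the fraction of answering hops that sit inside a listed
// prefix, together with those hop addresses. Unanswered hops are ignored.
func RiskScore(path []Hop, dl DropList) (float64, []netip.Addr) {
	var hits []netip.Addr
	answering := 0
	for _, h := range path {
		if !h.Addr.IsValid() {
			continue
		}
		answering++
		if dl.Contains(h.Addr) {
			hits = append(hits, h.Addr)
		}
	}
	if answering == 0 {
		return 0, nil
	}
	return float64(len(hits)) / float64(answering), hits
}

// PathDeviation compares the current path with a recorded one and returns
// the TTLs at which the hop address changed or for which no history exists.
func PathDeviation(current, history []Hop) []int {
	hist := map[int]netip.Addr{}
	for _, h := range history {
		hist[h.TTL] = h.Addr
	}
	var deviated []int
	for _, h := range current {
		if prev, ok := hist[h.TTL]; !ok || prev != h.Addr {
			deviated = append(deviated, h.TTL)
		}
	}
	return deviated
}

// SampleDropList is constructed: documentation prefixes and made-up SBL ids.
const SampleDropList = `; Spamhaus DROP list (constructed sample for this example)
192.0.2.0/24 ; SBL000001
203.0.113.0/24 ; SBL000002
`

// SampleHistoryPath is the previously recorded, clean path to a target.
func SampleHistoryPath() []Hop {
	return []Hop{
		{1, netip.MustParseAddr("10.0.0.1")},
		{2, netip.MustParseAddr("198.51.100.1")},
		{3, netip.MustParseAddr("198.51.100.9")},
		{4, netip.MustParseAddr("198.51.100.77")},
	}
}

// SampleCurrentPath swaps hop 3 for an address inside a listed prefix and
// appends an unanswered hop 5.
func SampleCurrentPath() []Hop {
	return []Hop{
		{1, netip.MustParseAddr("10.0.0.1")},
		{2, netip.MustParseAddr("198.51.100.1")},
		{3, netip.MustParseAddr("192.0.2.17")},
		{4, netip.MustParseAddr("198.51.100.77")},
		{5, netip.Addr{}},
	}
}

func main() {
	dl, err := ParseDropList(SampleDropList)
	if err != nil {
		panic(err)
	}
	score, hits := RiskScore(SampleCurrentPath(), dl)
	fmt.Printf("risk score %.2f, listed hops %v\n", score, hits)
	fmt.Printf("deviated TTLs vs history: %v\n", PathDeviation(SampleCurrentPath(), SampleHistoryPath()))
}
```

A deviation alert in practice would fire on the combination: the path changed at TTL 3 and the new hop is inside a DROP prefix, which is a much stronger signal than either fact alone.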

See Tracer/README.md for details.

Guarder: Security Defense

eBPF/XDP-based network security module with AI-powered filter generation.

| Feature | Description |
| --- | --- |
| Connection tracking | TCP/UDP/ICMP monitoring via eBPF/XDP |
| Packet filtering | Kernel-space rules (IP, port, protocol, TCP flags, ICMP type) |
| AI filter generation | LLM-powered analysis and automatic rule creation |
| PCAP analysis | Upload PCAP files for AI-driven security inspection |

HTTP API on port 8080, supports OpenAI-compatible and Anthropic-compatible endpoints.
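The rule dimensions listed for packet filtering (IP, port, protocol, TCP flags, ICMP type) map onto a simple first-match evaluator, which the following Go program illustrates in user space. It is an added example written for this README, not the Guarder module's XDP program or its rule format; the rule names, the wildcard conventions and the five test packets are constructed (RFC 5737 documentation addresses). It shows the one detail a flag rule needs to get right: matching on a mask and an expected value, so that a SYN+FIN rule fires on exactly that combination and not on a plain SYN.

```go
package main

import (
	"fmt"
	"net/netip"
)

// IPv4 protocol numbers as carried in the IP header, plus wildcard markers.
const (
	ProtoICMP = 1
	ProtoTCP  = 6
	ProtoUDP  = 17
	AnyProto  = -1
	AnyICMP   = -1 // wildcard for Rule.ICMPType
)

// TCP flag bits of the header flag byte.
const (
	TCPFin uint8 = 0x01
	TCPSyn uint8 = 0x02
	TCPRst uint8 = 0x04
	TCPAck uint8 = 0x10
)

type Action int

const (
	Pass Action = iota
	Drop
)

func (a Action) String() string { return [...]string{"PASS", "DROP"}[a] }

// Packet carries the header fields a kernel-side filter would parse.
type Packet struct {
	Src, Dst netip.Addr
	Proto    int
	DstPort  uint16 // TCP/UDP only
	TCPFlags uint8  // TCP only
	ICMPType int    // ICMP only
}

// Rule is one filter entry; every field is a wildcard unless set, and every
// set field must match for the rule to fire.
type Rule struct {
	Name      string
	Src, Dst  netip.Prefix // zero Prefix = any address
	Proto     int          // AnyProto = any protocol
	DstPort   uint16       // 0 = any port
	FlagsMask uint8        // TCP only: match when flags&FlagsMask == FlagsSet
	FlagsSet  uint8
	ICMPType  int          // AnyICMP = any type
	Action    Action
}

func (r Rule) Matches(p Packet) bool {
	if r.Src.IsValid() && !r.Src.Contains(p.Src) {
		return false
	}
	if r.Dst.IsValid() && !r.Dst.Contains(p.Dst) {
		return false
	}
	if r.Proto != AnyProto && r.Proto != p.Proto {
		return false
	}
	if r.DstPort != 0 && r.DstPort != p.DstPort {
		return false
	}
	if r.FlagsMask != 0 && (p.Proto != ProtoTCP || p.TCPFlags&r.FlagsMask != r.FlagsSet) {
		return false
	}
	if r.ICMPType != AnyICMP && (p.Proto != ProtoICMP || p.ICMPType != r.ICMPType) {
		return false
	}
	return true
}

// Evaluate applies first-match semantics and passes packets no rule covers,
// returning the verdict and the name of the rule ("default" if none) that decided.
func Evaluate(rules []Rule, p Packet) (Action, string) {
	for _, r := range rules {
		if r.Matches(p) {
			return r.Action, r.Name
		}
	}
	return Pass, "default"
}

// SampleRules is a constructed rule set: a listed source network, the
// invalid SYN+FIN flag combination, ICMP redirects (type 5), and an allow rule.
func SampleRules() []Rule {
	return []Rule{
		{Name: "drop-listed-source", Src: netip.MustParsePrefix("203.0.113.0/24"), Proto: AnyProto, ICMPType: AnyICMP, Action: Drop},
		{Name: "drop-syn-fin", Proto: ProtoTCP, FlagsMask: TCPSyn | TCPFin, FlagsSet: TCPSyn | TCPFin, ICMPType: AnyICMP, Action: Drop},
		{Name: "drop-icmp-redirect", Proto: ProtoICMP, ICMPType: 5, Action: Drop},
		{Name: "allow-https", Proto: ProtoTCP, DstPort: 443, ICMPType: AnyICMP, Action: Pass},
	}
}

func main() {
	host := netip.MustParseAddr("10.0.0.5")
	pkts := []Packet{
		{Src: netip.MustParseAddr("203.0.113.9"), Dst: host, Proto: ProtoTCP, DstPort: 443, TCPFlags: TCPSyn},
		{Src: netip.MustParseAddr("198.51.100.3"), Dst: host, Proto: ProtoTCP, DstPort: 80, TCPFlags: TCPSyn | TCPFin},
		{Src: netip.MustParseAddr("198.51.100.3"), Dst: host, Proto: ProtoICMP, ICMPType: 5},
		{Src: netip.MustParseAddr("198.51.100.3"), Dst: host, Proto: ProtoTCP, DstPort: 443, TCPFlags: TCPSyn},
		{Src: netip.MustParseAddr("198.51.100.3"), Dst: host, Proto: ProtoUDP, DstPort: 53},
	}
	for _, p := range pkts {
		a, by := Evaluate(SampleRules(), p)
		fmt.Printf("%-14s -> %s proto=%-2d port=%-3d: %s (%s)\n", p.Src, p.Dst, p.Proto, p.DstPort, a, by)
	}
}
```

Rule order matters under first-match: the allow rule for port 443 sits last so that a listed source or a malformed flag set is still dropped even when it targets HTTPS.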

See Guarder/README-zh.md for details.

🤖 MCP Skills

Each backend module provides an MCP (Model Context Protocol) server, enabling LLM agents to directly invoke module capabilities:

| Skill | MCP Tools | Transport |
| --- | --- | --- |
| monitor | get_recent_packets, query_packets, get_recent_map, get_func_table, query_func_send, query_func_recv, get_socket_list, health_check | SSE / stdio |
| tracer | trace_target, analyze_target, get_history, compare_routes, health_check, server_capabilities | SSE / stdio |
| guarder | get_connections, get_stats, create_filter, ai_analyze, ai_generate, list_filters | HTTP client |

Quick Start with MCP

{
  "mcpServers": {
    "packetscope-monitor": {
      "transport": "sse",
      "url": "http://localhost:8012/sse"
    },
    "packetscope-tracer": {
      "transport": "sse",
      "url": "http://localhost:8013/sse"
    }
  }
}

See skills/ for each skill's configuration and usage.

πŸ—οΈ Technology Stack

| Module | Language | eBPF Loading | Communication | Data Storage |
| --- | --- | --- | --- | --- |
| Analyzer-Monitor | Go | cilium/ebpf (bpf2go, CO-RE) | HTTP REST (8010) | PostgreSQL |
| Analyzer-Calculator | Go | cilium/ebpf (bpf2go, CO-RE) | WebSocket (8020) | BPF map aggregation |
| Guarder | Go | cilium/ebpf + XDP | HTTP REST (8080) | In-kernel maps |
| Tracer | Python | nexttrace (external) | HTTP REST (8000) | File-based cache |

Lightweight redesign highlights (Analyzer → Go):

  • Removed BCC runtime dependency: no Python, no BCC installation required
  • Pre-compiled eBPF via bpf2go (CO-RE): portable across kernel versions
  • Single binary deployment: no external script dependencies
  • Lower resource footprint: Go vs Python runtime overhead

🧰 Use Cases

  • Network Protocol Stack Performance Optimization: Identify bottlenecks and improve transmission efficiency
  • Threat Detection and Security Defense: Detect and block potential attacks such as DDoS and ARP spoofing
  • Fault Diagnosis: Diagnose issues caused by latency, packet loss, or abnormal cross-layer behavior
  • Topology Analysis: Analyze path latency and routing performance in cross-regional deployments
  • Industrial Internet Security: Monitor industrial control systems in real time to ensure safety and integrity

❤️ Contributing

We welcome issues and pull requests! If you find bugs or have suggestions, open an issue or PR. Please refer to CONTRIBUTING for contribution guidelines.

License

This project is licensed under the MIT License. See LICENSE for details.
