What's New: Analyzer module fully rewritten in Go + cilium/ebpf, replacing the original Python + BCC implementation. Lightweight redesign removes BCC runtime dependency, uses CO-RE (bpf2go) for pre-compiled eBPF, and adds MCP skill integration for each module.
PacketScope is a general-purpose protocol stack analysis and debugging tool based on eBPF. It integrates performance optimization, anomaly diagnosis, and security defense, and aims to provide fine-grained tracing and intelligent analysis of network packets at the protocol stack level on the server side. By addressing three major pain points (difficult diagnosis of performance bottlenecks, unclear transmission paths, and hard-to-detect low-level attacks), PacketScope provides visualized, intelligent endpoint-side security analysis and defense capabilities.
With the proliferation of social platforms, online banking, large-scale AI models, logistics, and travel services, open servers have become key execution environments. These must balance performance and security under the condition of being openly accessible. Traditional WAFs and IDS tools have blind spots in protocol stack-level defense, which PacketScope addresses:
Three Core Pain Points:
- Unclear packet paths through the protocol stack make bottlenecks and faults hard to diagnose
- Lack of fine-grained cross-domain transmission data makes routing risks invisible
- Low-level protocol stack attacks are stealthy and difficult to detect with traditional tools
Through protocol tracing, path visualization, and intelligent analysis, PacketScope builds "smart armor" for the server.
- Intelligent Engine: Combines eBPF with LLMs for low-level network behavior observation and intelligent security defense
- Multidimensional Analysis: Real-time tracking of network paths, statistics on latency, packet loss, interaction frequency
- Global Network Visualization: Maps global paths and latency, presented on a topology graph
- Protocol Stack Defense: Detects and intercepts low-level abnormal traffic, covering the blind spots of traditional WAF/IDS
- MCP Skill Integration: Each module provides an MCP server for LLM agent integration (Trae, Cline, etc.)
- User-Friendly Interface: GUI designed for easy use by security engineers and operators
- Docker: Version 20.10 or higher
- Docker Compose: Version 2.0 or higher
```bash
docker --version
docker compose version
```

```bash
git clone https://github.com/Internet-Architecture-and-Security/PacketScope.git
cd PacketScope
sudo bash starter.sh
```

The script will automatically check Docker, build all containers in order, and start all services.
Open your browser: http://localhost:4173/
| Service | Endpoint | Description |
|---|---|---|
| Web UI | http://localhost:4173 | Frontend dashboard |
| Guarder API | http://localhost:8080 | Security & filtering API |
| Tracer API | http://localhost:8000 | Route tracing API |
| Monitor API | http://localhost:8010 | Packet capture & function call API |
| Calculator WS | ws://localhost:8020 | Cross-layer metrics WebSocket |
```bash
sudo docker compose ps              # View status
sudo docker compose logs -f         # View logs
sudo docker compose down            # Stop all
sudo docker compose restart <name>  # Restart a service
```

```
PacketScope/
├── modules/                  # Backend service modules
│   ├── Analyzer/             # Protocol stack analysis (Go)
│   │   ├── Monitor/          # Packet capture & function call monitor (Go + eBPF)
│   │   ├── Calculator/       # Cross-layer metrics calculator (Go + eBPF)
│   │   ├── README.md         # English docs
│   │   └── README-zh.md      # Chinese docs
│   ├── Guarder/              # Security defense (Go + eBPF/XDP)
│   └── Tracer/               # Route tracing & risk analysis (Python + MCP)
├── skills/                   # MCP skill packages for LLM agents
│   ├── monitor/              # Monitor MCP server & client
│   ├── tracer/               # Tracer MCP server & client
│   └── guarder/              # Guarder MCP client
├── src/                      # Frontend source (React + TypeScript)
├── docker-compose.yml        # Docker Compose configuration
├── starter.sh                # One-click deployment script
├── README.md                 # This file
└── README-zh_CN.md           # Chinese docs
```
The Analyzer module has been fully rewritten in Go + cilium/ebpf, replacing the original Python + BCC implementation. This lightweight redesign removes BCC runtime dependency, uses CO-RE (bpf2go) for pre-compiled eBPF, and significantly improves deployment portability.
Monitor captures packets and tracks kernel function calls:
| Component | Technology | Port | Description |
|---|---|---|---|
| kbatch | eBPF fentry/kprobe | - | Kernel function call monitoring |
| tcxprober | eBPF TC | - | Network packet capture (ingress/egress) |
| server | Go HTTP | 8010 | RESTful API query service |
Calculator computes real-time cross-layer metrics:
| Metric | Description |
|---|---|
| PPS | Per-layer packet rate (link, network, transport) |
| LAT | Cross-layer latency (link→network, network→transport, link→transport) |
| DROP | TCP packet loss rate |
Communication is via WebSocket (port 8020); metrics are pushed once per second.
See Analyzer/README.md for details.
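The three Calculator metrics above (PPS, LAT, DROP) are derived from per-layer timestamps of the same packet. The following Go program is an added example written for this README, not code from the PacketScope repository: it aggregates a constructed one-second window of layer sightings into the three metrics. The `Event` layout, the packet ID used to correlate sightings across layers, and the sample timestamps are all assumptions made for the example; the real Calculator reads these from BPF maps.

```go
package main

import (
	"fmt"
	"time"
)

// Layer is the point in the stack where a packet was observed; the three
// values mirror the Calculator's PPS and LAT layers.
type Layer int

const (
	Link Layer = iota
	Network
	Transport
)

// Event is a constructed stand-in for one eBPF timestamp sample: packet ID
// seen at Layer at time TS, measured from the window start. Dropped marks a
// transport-layer loss. The layout is this example's, not the project's map format.
type Event struct {
	ID      uint32
	Layer   Layer
	TS      time.Duration
	Dropped bool
}

// Metrics is one reporting window of PPS, LAT and DROP.
type Metrics struct {
	PPS  map[Layer]float64        // packets per second per layer
	LAT  map[string]time.Duration // mean latency between two layers
	DROP float64                  // transport drops / transport packets
}

// Compute aggregates a window of events into the three metrics.
func Compute(events []Event, window time.Duration) Metrics {
	m := Metrics{PPS: map[Layer]float64{}, LAT: map[string]time.Duration{}}
	counts := map[Layer]int{}
	seen := map[uint32]map[Layer]time.Duration{} // first sighting of each packet per layer
	drops := 0
	for _, e := range events {
		counts[e.Layer]++
		if seen[e.ID] == nil {
			seen[e.ID] = map[Layer]time.Duration{}
		}
		if _, ok := seen[e.ID][e.Layer]; !ok {
			seen[e.ID][e.Layer] = e.TS
		}
		if e.Layer == Transport && e.Dropped {
			drops++
		}
	}
	for l, c := range counts {
		m.PPS[l] = float64(c) / window.Seconds()
	}
	// Cross-layer latency uses only packets observed at both layers of a pair,
	// so a packet that never reached the transport layer does not skew it.
	pairs := []struct {
		name string
		a, b Layer
	}{{"link->network", Link, Network}, {"network->transport", Network, Transport}, {"link->transport", Link, Transport}}
	for _, p := range pairs {
		var sum time.Duration
		n := 0
		for _, layers := range seen {
			ta, okA := layers[p.a]
			tb, okB := layers[p.b]
			if okA && okB && tb >= ta {
				sum += tb - ta
				n++
			}
		}
		if n > 0 {
			m.LAT[p.name] = sum / time.Duration(n)
		}
	}
	if counts[Transport] > 0 {
		m.DROP = float64(drops) / float64(counts[Transport])
	}
	return m
}

// SampleEvents is a constructed one-second window: packet 3 is never seen at
// the transport layer and packet 2 is dropped there.
func SampleEvents() []Event {
	us := time.Microsecond
	return []Event{
		{ID: 1, Layer: Link, TS: 0}, {ID: 1, Layer: Network, TS: 10 * us}, {ID: 1, Layer: Transport, TS: 25 * us},
		{ID: 2, Layer: Link, TS: 5 * us}, {ID: 2, Layer: Network, TS: 12 * us}, {ID: 2, Layer: Transport, TS: 30 * us, Dropped: true},
		{ID: 3, Layer: Link, TS: 8 * us}, {ID: 3, Layer: Network, TS: 20 * us},
	}
}

func main() {
	m := Compute(SampleEvents(), time.Second)
	fmt.Printf("PPS link=%.0f network=%.0f transport=%.0f\n", m.PPS[Link], m.PPS[Network], m.PPS[Transport])
	for _, k := range []string{"link->network", "network->transport", "link->transport"} {
		fmt.Printf("LAT %-18s %v\n", k, m.LAT[k])
	}
	fmt.Printf("DROP %.2f\n", m.DROP)
}
```

The point worth noticing is the pairing rule: a packet counts toward a LAT pair only when it was seen at both layers of that pair, otherwise packets dropped or diverted between layers would pull the average toward zero or produce negative deltas.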
Maps network paths from the host to any global IP with geographic/ASN enrichment, anomaly detection, and Spamhaus-based risk scoring.
| Feature | Description |
|---|---|
| traceroute | Real-time with ICMP/TCP, per-hop streaming |
| GeoIP | City and ASN enrichment via MaxMind GeoLite2 |
| Anomaly detection | Historical path comparison, path deviation alerts |
| Risk scoring | Malicious IP detection against Spamhaus DROP/EDROP |
HTTP API on port 8000, plus an MCP server for LLM agent integration.
See Tracer/README.md for details.
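Two of the Tracer features in the table, path-deviation alerts from historical comparison and risk scoring against a DROP-style block list, reduce to a hop-by-hop diff and a CIDR lookup. The Go program below is an added example for this README, not the Tracer module's code (which is Python): it compares a constructed historical path with a current one by TTL position and flags hops that fall in a constructed CIDR list. The `Hop` type, the "50 points per flagged hop, capped at 100" scoring, and the RFC 5737 addresses are all this example's assumptions; the CIDR list is constructed and is not Spamhaus data.

```go
package main

import (
	"fmt"
	"net"
)

// Hop is one traceroute hop: TTL position and responding address. A constructed
// example type; the Tracer module's own hop record (with GeoIP/ASN) is not used here.
type Hop struct {
	TTL int
	IP  string
}

// Deviation records a TTL position where the current path differs from the
// historical one. An empty address means that path had no hop there.
type Deviation struct {
	TTL      int
	Previous string
	Current  string
}

// ComparePaths lines up two paths by TTL and reports every position whose
// responding address changed, which is the signal behind a path-deviation alert.
func ComparePaths(prev, cur []Hop) []Deviation {
	byTTL := func(hops []Hop) map[int]string {
		m := make(map[int]string, len(hops))
		for _, h := range hops {
			m[h.TTL] = h.IP
		}
		return m
	}
	p, c := byTTL(prev), byTTL(cur)
	maxTTL := 0
	for _, hops := range [][]Hop{prev, cur} {
		for _, h := range hops {
			if h.TTL > maxTTL {
				maxTTL = h.TTL
			}
		}
	}
	var out []Deviation
	for ttl := 1; ttl <= maxTTL; ttl++ {
		if p[ttl] != c[ttl] {
			out = append(out, Deviation{TTL: ttl, Previous: p[ttl], Current: c[ttl]})
		}
	}
	return out
}

// RiskList is a set of CIDR blocks to flag, in the spirit of the Spamhaus
// DROP/EDROP lists. A real list would be parsed the same way; the blocks used
// in main are constructed from RFC 5737 documentation space.
type RiskList struct{ nets []*net.IPNet }

func NewRiskList(cidrs []string) (*RiskList, error) {
	r := &RiskList{}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad CIDR %q: %w", c, err)
		}
		r.nets = append(r.nets, n)
	}
	return r, nil
}

// Match returns the first listed block containing addr, if any.
func (r *RiskList) Match(addr string) (string, bool) {
	ip := net.ParseIP(addr)
	if ip == nil {
		return "", false
	}
	for _, n := range r.nets {
		if n.Contains(ip) {
			return n.String(), true
		}
	}
	return "", false
}

// Assess flags every hop on the list and returns an illustrative score:
// 50 per flagged hop, capped at 100. The scheme is this example's, not Tracer's.
func Assess(path []Hop, r *RiskList) (flagged []Hop, score int) {
	for _, h := range path {
		if _, hit := r.Match(h.IP); hit {
			flagged = append(flagged, h)
			score += 50
		}
	}
	if score > 100 {
		score = 100
	}
	return flagged, score
}

// PrevPath and CurPath are constructed traceroute results (RFC 5737 addresses);
// hop 2 changes between them.
func PrevPath() []Hop {
	return []Hop{{1, "192.0.2.1"}, {2, "198.51.100.1"}, {3, "203.0.113.1"}, {4, "203.0.113.9"}}
}
func CurPath() []Hop {
	return []Hop{{1, "192.0.2.1"}, {2, "198.51.100.77"}, {3, "203.0.113.1"}, {4, "203.0.113.9"}}
}

func main() {
	for _, d := range ComparePaths(PrevPath(), CurPath()) {
		fmt.Printf("hop %d changed: %s -> %s\n", d.TTL, d.Previous, d.Current)
	}
	list, err := NewRiskList([]string{"203.0.113.0/24"}) // constructed, not Spamhaus data
	if err != nil {
		panic(err)
	}
	flagged, score := Assess(CurPath(), list)
	fmt.Printf("%d flagged hop(s), risk score %d\n", len(flagged), score)
}
```

Comparing by TTL position rather than by list index keeps a single unresponsive hop (a `*` in traceroute output) from shifting every later hop and producing a cascade of false deviations.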
eBPF/XDP-based network security module with AI-powered filter generation.
| Feature | Description |
|---|---|
| Connection tracking | TCP/UDP/ICMP monitoring via eBPF/XDP |
| Packet filtering | Kernel-space rules (IP, port, protocol, TCP flags, ICMP type) |
| AI filter generation | LLM-powered analysis and automatic rule creation |
| PCAP analysis | Upload PCAP files for AI-driven security inspection |
HTTP API on port 8080; supports OpenAI-compatible and Anthropic-compatible LLM endpoints.
See Guarder/README-zh.md for details.
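The packet-filtering row above lists the header fields a Guarder kernel-space rule can match: IP, port, protocol, TCP flags and ICMP type. The Go program below is an added example for this README, not Guarder's own code: it parses constructed Ethernet/IPv4/L4 frames with the bounds checks an XDP program must perform and applies a first-match rule list in user space, so the matching semantics can be read and tested without loading eBPF. The `Rule` and `Packet` types, the wildcard conventions, the default-pass policy and the RFC 5737 sample frames are all assumptions made for the example.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// Verdict mirrors the two outcomes an XDP filter hands back for a frame.
type Verdict int

const (
	Pass Verdict = iota
	Drop
)

// Packet holds the header fields a rule can match; Parse fills it from a raw frame.
type Packet struct {
	SrcIP, DstIP     net.IP
	Proto            uint8 // 1 ICMP, 6 TCP, 17 UDP
	SrcPort, DstPort uint16
	TCPFlags         uint8
	ICMPType         int // -1 when not ICMP
}

// Rule is a constructed model of a Guarder filter rule (not the project's struct).
// Wildcards: SrcIP nil, Proto 0, DstPort 0, TCPFlags 0, ICMPType -1.
type Rule struct {
	SrcIP    net.IP
	Proto    uint8
	DstPort  uint16
	TCPFlags uint8 // every set bit must be present in the packet's flags
	ICMPType int
	Action   Verdict
}

// Parse walks Ethernet -> IPv4 -> L4, checking length before every access,
// the same discipline the eBPF verifier enforces on an XDP program.
func Parse(frame []byte) (Packet, error) {
	p := Packet{ICMPType: -1}
	if len(frame) < 34 || binary.BigEndian.Uint16(frame[12:14]) != 0x0800 {
		return p, fmt.Errorf("not an IPv4 frame")
	}
	ip := frame[14:]
	ihl := int(ip[0]&0x0f) * 4
	if ip[0]>>4 != 4 || ihl < 20 || len(ip) < ihl {
		return p, fmt.Errorf("bad IPv4 header")
	}
	p.SrcIP, p.DstIP, p.Proto = net.IP(ip[12:16]), net.IP(ip[16:20]), ip[9]
	l4 := ip[ihl:]
	switch p.Proto {
	case 6: // TCP: ports in bytes 0..3, flags in byte 13
		if len(l4) < 20 {
			return p, fmt.Errorf("short TCP header")
		}
		p.SrcPort, p.DstPort, p.TCPFlags = binary.BigEndian.Uint16(l4[0:2]), binary.BigEndian.Uint16(l4[2:4]), l4[13]
	case 17: // UDP: ports in bytes 0..3
		if len(l4) < 8 {
			return p, fmt.Errorf("short UDP header")
		}
		p.SrcPort, p.DstPort = binary.BigEndian.Uint16(l4[0:2]), binary.BigEndian.Uint16(l4[2:4])
	case 1: // ICMP: type is the first byte
		if len(l4) < 4 {
			return p, fmt.Errorf("short ICMP header")
		}
		p.ICMPType = int(l4[0])
	}
	return p, nil
}

// Matches applies every non-wildcard field of the rule.
func (r Rule) Matches(p Packet) bool {
	if r.SrcIP != nil && !r.SrcIP.Equal(p.SrcIP) {
		return false
	}
	if r.Proto != 0 && r.Proto != p.Proto {
		return false
	}
	if r.DstPort != 0 && r.DstPort != p.DstPort {
		return false
	}
	if r.TCPFlags != 0 && (p.Proto != 6 || p.TCPFlags&r.TCPFlags != r.TCPFlags) {
		return false
	}
	if r.ICMPType >= 0 && (p.Proto != 1 || p.ICMPType != r.ICMPType) {
		return false
	}
	return true
}

// Filter applies rules in order, first match wins. Unparseable frames and frames
// matching no rule are passed to the stack; that default is this example's choice.
func Filter(rules []Rule, frame []byte) Verdict {
	p, err := Parse(frame)
	if err != nil {
		return Pass
	}
	for _, r := range rules {
		if r.Matches(p) {
			return r.Action
		}
	}
	return Pass
}

// buildFrame assembles a constructed Ethernet+IPv4 frame around an L4 header
// (checksums left zero; Parse does not validate them).
func buildFrame(proto uint8, src, dst [4]byte, l4 []byte) []byte {
	f := make([]byte, 34, 34+len(l4))
	binary.BigEndian.PutUint16(f[12:], 0x0800) // EtherType IPv4
	f[14] = 0x45                               // version 4, IHL 5
	binary.BigEndian.PutUint16(f[16:], uint16(20+len(l4)))
	f[22], f[23] = 64, proto // TTL, protocol
	copy(f[26:], src[:])
	copy(f[30:], dst[:])
	return append(f, l4...)
}

func tcpHeader(sport, dport uint16, flags uint8) []byte {
	h := make([]byte, 20)
	binary.BigEndian.PutUint16(h[0:], sport)
	binary.BigEndian.PutUint16(h[2:], dport)
	h[12], h[13] = 0x50, flags // data offset 5 words, flag bits
	return h
}

// Constructed rule set: drop SYNs to port 22 from one host, drop ICMP echo requests.
var Rules = []Rule{
	{SrcIP: net.IPv4(192, 0, 2, 10), Proto: 6, DstPort: 22, TCPFlags: 0x02, ICMPType: -1, Action: Drop},
	{Proto: 1, ICMPType: 8, Action: Drop},
}

// Constructed sample frames (RFC 5737 addresses).
var (
	SSHSyn  = buildFrame(6, [4]byte{192, 0, 2, 10}, [4]byte{198, 51, 100, 5}, tcpHeader(40000, 22, 0x02))
	Ping    = buildFrame(1, [4]byte{192, 0, 2, 10}, [4]byte{198, 51, 100, 5}, []byte{8, 0, 0, 0})
	HTTPAck = buildFrame(6, [4]byte{203, 0, 113, 7}, [4]byte{198, 51, 100, 5}, tcpHeader(40001, 80, 0x10))
)

func main() {
	for _, s := range []struct {
		name  string
		frame []byte
	}{{"ssh-syn", SSHSyn}, {"ping", Ping}, {"http-ack", HTTPAck}} {
		fmt.Printf("%-8s verdict=%d\n", s.name, Filter(Rules, s.frame))
	}
}
```

Two details carry over directly to the in-kernel version: a rule with TCP flags must also pin the protocol (otherwise flag byte 13 of a UDP datagram would be compared), and a frame that fails any length check must get an explicit verdict rather than being read past its end.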
Each backend module provides an MCP (Model Context Protocol) server, enabling LLM agents to directly invoke module capabilities:
| Skill | MCP Tools | Transport |
|---|---|---|
| monitor | get_recent_packets, query_packets, get_recent_map, get_func_table, query_func_send, query_func_recv, get_socket_list, health_check | SSE / stdio |
| tracer | trace_target, analyze_target, get_history, compare_routes, health_check, server_capabilities | SSE / stdio |
| guarder | get_connections, get_stats, create_filter, ai_analyze, ai_generate, list_filters | HTTP client |
```json
{
  "mcpServers": {
    "packetscope-monitor": {
      "transport": "sse",
      "url": "http://localhost:8012/sse"
    },
    "packetscope-tracer": {
      "transport": "sse",
      "url": "http://localhost:8013/sse"
    }
  }
}
```

See skills/ for each skill's configuration and usage.
| Module | Language | eBPF Loading | Communication | Data Storage |
|---|---|---|---|---|
| Analyzer-Monitor | Go | cilium/ebpf (bpf2go, CO-RE) | HTTP REST (8010) | PostgreSQL |
| Analyzer-Calculator | Go | cilium/ebpf (bpf2go, CO-RE) | WebSocket (8020) | BPF map aggregation |
| Guarder | Go | cilium/ebpf + XDP | HTTP REST (8080) | In-kernel maps |
| Tracer | Python | nexttrace (external) | HTTP REST (8000) | File-based cache |
Lightweight redesign highlights (Analyzer → Go):
- Removed BCC runtime dependency: no Python, no BCC installation required
- Pre-compiled eBPF via bpf2go (CO-RE): portable across kernel versions
- Single binary deployment: no external script dependencies
- Lower resource footprint: Go vs Python runtime overhead
- Network Protocol Stack Performance Optimization: Identify bottlenecks and improve transmission efficiency
- Threat Detection and Security Defense: Detect and block potential attacks such as DDoS and ARP spoofing
- Fault Diagnosis: Diagnose issues caused by latency, packet loss, or abnormal cross-layer behavior
- Topology Analysis: Analyze path latency and routing performance in cross-regional deployments
- Industrial Internet Security: Monitor industrial control systems in real time to ensure safety and integrity
We welcome issues and pull requests! If you find bugs or have suggestions, open an issue or PR. Please refer to CONTRIBUTING for contribution guidelines.
This project is licensed under the MIT License. See LICENSE for details.

