go conntracer bpf

go-conntracer-bpf is a library for Go for tracing network connection (TCP/UDP) events (connect, accept, sendto, recvfrom) on BPF kprobe inspired by weaveworks/tcptracer-bpf. go-conntracer-bpf is implemented on top of libbpf, which is a representative C library for BPF included Linux kernel.

• Low-overhead tracing by aggregating connection events in kernel.
• BPF CO-RE (Compile Once – Run Everywhere)-enabled

• libbpf source code
• Clang/LLVM >= 9

• Linux kernel version >= 5.6 (due to batch ops to bpf maps)
• Linux kernel to be built with BTF type information. See https://github.com/libbpf/libbpf#bpf-co-re-compile-once--run-everywhere.

• libelf and zlib libraries

go-conntracer-bpf makes use of some latest features of Linux kernel.

• BPF Type Format (BTF) in kernel version 4.18.
• Batch API to BPF map (BPF_MAP_UPDATE_BATCH, BPF_MAP_LOOKUP_AND_DELETE_BATCH) in kernel version 5.6.
• Ring Buffer in kernel version 5.8 (only a flavor of no-aggregation in kernel).

• godoc

conntop is a CLI tool to show connection events.

$ make DOCKER=1

• yuuki/shawk