Introducing libebpfflow: packet-less network traffic and container visibility based on eBPF


As previewed during our FOSDEM 2019 talk, this is to introduce libebpfflow, a new library for enabling network traffic and container visibility based on eBPF. Designed to be CPU and memory friendly (its presence is almost unnoticeable), it allows people to inspect network communications inside a system. It provides visibility for

  • processes
  • users
  • containers

Built from scratch on eBPF, it allows people to develop monitoring applications and network sensors without having to deal with packets. It may sound strange, but this is the idea: how to monitor networks without looking at packets.

The library has been designed to allow applications such as ntopng to provide system introspection, and also to be used in fields other than traffic monitoring, in particular cybersecurity. If you are interested, you can read this paper that describes how we successfully used it in network security.

libebpfflow is released under the LGPL license. Enjoy!