Inspiration

I've always been curious about how tools like htop or antivirus software know what is running on a computer. When I saw the eBPF Hackathon "Starter Track," I realized this was the perfect excuse to stop reading about it and actually build something.

What it does

Syscall Spy hooks into the Linux Kernel's sys_enter_execve tracepoint. It sits silently in the background and intercepts every new process execution. It captures the timestamp and process name, sending it to a Python userspace agent for display. It essentially gives you "X-Ray vision" into your Linux terminal.

How I built it

I used the BCC framework. I wrote a C program for the kernel side to access the tracepoint arguments and defined a Perf Ring Buffer. I used Python to load the BPF program and process the events.

Challenges I ran into

My biggest challenge was the sheer amount of "noise" on a modern Linux laptop. I discovered that my system spawns thousands of hidden Docker and health-check processes. I had to write an aggressive filtering system in Python just to see my own commands! I also learned why Tracepoints are often more stable than Kprobes for reading system call arguments.
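The pieces described above (a BCC C program on the sys_enter_execve tracepoint, a perf ring buffer, and a Python agent that drops container noise) fit together roughly as follows. This is an added example written for this page, not the Syscall Spy repository's own code; the event layout, the NOISY_COMMS / NOISY_FILENAMES lists and the helper names are my own assumptions. Two caveats worth knowing as a defender: at sys_enter_execve the process image has not been replaced yet, so bpf_get_current_comm still reports the caller (usually the shell), and the filename argument is the reliable indicator of what is about to run; and programs started through execveat are not seen by this one tracepoint.

```python
#!/usr/bin/env python3
"""Added example: execve tracing with BCC plus a userspace noise filter (not the project's code)."""
from collections import namedtuple

# Kernel side: tracepoint syscalls:sys_enter_execve -> perf ring buffer "events".
BPF_PROGRAM = r"""
#include <linux/sched.h>

#define FNAME_LEN 128

struct event_t {
    u64 ts_ns;                 // monotonic nanoseconds since boot
    u32 pid;
    u32 ppid;
    char comm[TASK_COMM_LEN];  // name of the CALLER: exec has not replaced the image yet
    char filename[FNAME_LEN];  // path the caller asked to execute (the useful field)
};

BPF_PERF_OUTPUT(events);

TRACEPOINT_PROBE(syscalls, sys_enter_execve) {
    struct event_t ev = {};
    struct task_struct *task = (struct task_struct *)bpf_get_current_task();

    ev.ts_ns = bpf_ktime_get_ns();
    ev.pid = bpf_get_current_pid_tgid() >> 32;
    ev.ppid = task->real_parent->tgid;
    bpf_get_current_comm(&ev.comm, sizeof(ev.comm));
    // Tracepoint args are stable across kernel versions, unlike kprobe register layouts.
    bpf_probe_read_user_str(&ev.filename, sizeof(ev.filename), args->filename);
    events.perf_submit(args, &ev, sizeof(ev));
    return 0;
}
"""

ExecEvent = namedtuple("ExecEvent", "ts_ns pid ppid comm filename")

# Constructed noise lists (assumption): container runtime and health-check helpers.
NOISY_COMMS = ("docker", "dockerd", "containerd", "runc")
NOISY_FILENAMES = ("/usr/bin/docker", "/usr/libexec/docker/", "/proc/")


def decode_event(raw) -> ExecEvent:
    """Turn the ctypes struct BCC hands to the perf callback into a plain tuple."""
    return ExecEvent(
        raw.ts_ns, raw.pid, raw.ppid,
        raw.comm.decode(errors="replace"),
        raw.filename.decode(errors="replace"),
    )


def is_noise(ev: ExecEvent) -> bool:
    """Userspace filter: drop execs from container plumbing so interactive commands stand out."""
    return ev.comm.startswith(NOISY_COMMS) or ev.filename.startswith(NOISY_FILENAMES)


def filter_events(events):
    """Return only the events a human at the terminal would want to see."""
    return [ev for ev in events if not is_noise(ev)]


def format_event(ev: ExecEvent) -> str:
    return (f"{ev.ts_ns / 1e9:.6f} pid={ev.pid} ppid={ev.ppid} "
            f"comm={ev.comm} exec={ev.filename}")


def run():
    """Load the BPF program and print filtered execve events until Ctrl-C (needs root and bcc)."""
    from bcc import BPF  # imported lazily so the filter logic works without bcc installed

    b = BPF(text=BPF_PROGRAM)

    def handle(cpu, data, size):
        ev = decode_event(b["events"].event(data))
        if not is_noise(ev):
            print(format_event(ev))

    b["events"].open_perf_buffer(handle)
    print("Tracing execve... Ctrl-C to stop")
    while True:
        try:
            b.perf_buffer_poll()
        except KeyboardInterrupt:
            break


if __name__ == "__main__":
    run()
```

The kernel side is deliberately minimal; the aggressive part lives in userspace, where a prefix list is cheap to change without recompiling the BPF program. A quieter alternative is to push the prefix checks into the BPF program so the noisy events never cross the ring buffer at all.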

AI Tools Used

I used Google Gemini to explain specific Kernel headers, debug BCC compilation warnings, and understand the difference between Kprobes and Tracepoints.

Try it out

Links: https://github.com/vinayakkamatcodes/syscallspy.

Video Demo: https://youtu.be/rM2bCtm3OiE.
