Inspiration
I wanted to go beyond Hello World with eBPF, combined with a general interest in networking.
What it does
At a very simple level, it traces incoming network traffic, with filters.
How we built it
Python provides the CLI, which uses a BPF wrapper to load and communicate with the eBPF/XDP C program. The key piece is a shared eBPF hash map through which the network packet data is passed.
Challenges we ran into
Understanding the complexity of kernel networking: I had some interesting issues with IPv6 packets. I found it's not really like a traditional program where you just pass arguments to a function. Once I understood the utility of the shared hash map, things became clearer. Although I only used it from kernel to userspace, it's clear (I think) how it can be used in both directions to share data. Finally, I had to go back and refresh my networking knowledge a bit, because to really understand eBPF/XDP you need to turn everything upside down. XDP sees packets as they arrive at the NIC; I initially thought that meant I could also capture outgoing packets. Once I got the flow clear, it made things far simpler.
Accomplishments that we're proud of
It actually works. It doesn't do anything exciting, but I'm very happy it does more or less what I wanted.
What we learned
Many things, above all TCP/IP kernel programming at a very simple level: the importance of big/little endian byte order, and of paying attention to offsets when reading/writing network packet data.
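As an added example (not xguard's own code), here is a portable userspace C mirror of the parse-and-record logic an XDP program like the one described above runs: it walks Ethernet, IPv4/IPv6 and TCP/UDP headers at fixed offsets with a length check before every access (the same discipline the eBPF verifier enforces with data_end checks), reads multi-byte fields explicitly as big endian so host byte order never matters, applies a simple filter, and counts flows in a fixed-slot table standing in for the shared eBPF hash map that the CLI reads. The struct layout, the sample frames, the map size and the helper names are assumptions constructed for this example; inside a real XDP program the equivalents are bpf_ntohs() and bpf_map_lookup_elem()/bpf_map_update_elem().

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN    14
#define ETH_P_IP    0x0800
#define ETH_P_IPV6  0x86DD
#define PROTO_TCP   6
#define PROTO_UDP   17
#define MAP_SLOTS   64          /* assumed size of the stand-in hash map */

/* Key the kernel side would write into the shared map (assumed layout, no padding). */
struct flow_key {
    uint8_t  family;            /* 4 or 6 */
    uint8_t  proto;             /* IPv4 protocol / IPv6 next header */
    uint16_t sport, dport;      /* host byte order, converted while parsing */
    uint8_t  saddr[16];         /* IPv4 addresses use the first 4 bytes */
    uint8_t  daddr[16];
};

/* Read a 16-bit wire field (big endian) regardless of host order; bpf_ntohs() in XDP. */
static uint16_t rd_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Ethernet -> IPv4/IPv6 -> TCP/UDP. Every access is guarded by a length check,
 * as the verifier demands a data_end check. Returns 0 on success, -1 if truncated/unsupported. */
int parse_packet(const uint8_t *pkt, size_t len, struct flow_key *k)
{
    size_t off = 0;
    memset(k, 0, sizeof *k);

    if (len < off + ETH_HLEN) return -1;
    uint16_t ethertype = rd_be16(pkt + 12);           /* EtherType sits at offset 12 */
    off += ETH_HLEN;

    if (ethertype == ETH_P_IP) {
        if (len < off + 20) return -1;
        size_t ihl = (size_t)(pkt[off] & 0x0f) * 4;   /* IHL is in 32-bit words */
        if (ihl < 20 || len < off + ihl) return -1;
        k->family = 4;
        k->proto  = pkt[off + 9];
        memcpy(k->saddr, pkt + off + 12, 4);
        memcpy(k->daddr, pkt + off + 16, 4);
        off += ihl;                                   /* skips IP options if present */
    } else if (ethertype == ETH_P_IPV6) {
        if (len < off + 40) return -1;
        k->family = 6;
        k->proto  = pkt[off + 6];                     /* next header; extension headers not walked */
        memcpy(k->saddr, pkt + off + 8, 16);
        memcpy(k->daddr, pkt + off + 24, 16);
        off += 40;
    } else {
        return -1;                                    /* ARP, VLAN, etc. not handled here */
    }

    /* Ports sit at the same offsets in TCP and UDP headers. */
    if (k->proto == PROTO_TCP || k->proto == PROTO_UDP) {
        if (len < off + 4) return -1;
        k->sport = rd_be16(pkt + off);
        k->dport = rd_be16(pkt + off + 2);
    }
    return 0;
}

/* Filter applied before recording: 0 in a field means "any". */
int flow_matches(const struct flow_key *k, uint8_t family, uint8_t proto, uint16_t dport)
{
    return (family == 0 || k->family == family) &&
           (proto  == 0 || k->proto  == proto)  &&
           (dport  == 0 || k->dport  == dport);
}

/* Fixed-slot table standing in for the BPF hash map: lookup, then update or insert.
 * Returns the hit count after recording, or 0 when the map is full (a real
 * bpf_map_update_elem would fail too and the CLI would never see that flow). */
struct map_entry { struct flow_key key; uint64_t hits; int used; };
static struct map_entry flow_map[MAP_SLOTS];

uint64_t record_flow(const struct flow_key *k)
{
    int free_slot = -1;
    for (int i = 0; i < MAP_SLOTS; i++) {
        if (flow_map[i].used && memcmp(&flow_map[i].key, k, sizeof *k) == 0)
            return ++flow_map[i].hits;
        if (!flow_map[i].used && free_slot < 0) free_slot = i;
    }
    if (free_slot < 0) return 0;
    flow_map[free_slot].used = 1;
    flow_map[free_slot].key  = *k;
    flow_map[free_slot].hits = 1;
    return 1;
}

/* Constructed sample frames (not captured traffic): IPv4 TCP SYN 192.168.1.10:50000 -> 10.0.0.5:22,
 * and IPv6 UDP 2001:db8::1:8080 -> 2001:db8::2:53. */
static const uint8_t SAMPLE_V4_TCP[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00, 0x00,0x28, 0x00,0x00, 0x40,0x00, 0x40,0x06, 0x00,0x00, 0xc0,0xa8,0x01,0x0a, 0x0a,0x00,0x00,0x05,
    0xc3,0x50, 0x00,0x16, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x50,0x02, 0xff,0xff, 0x00,0x00, 0x00,0x00 };
static const uint8_t SAMPLE_V6_UDP[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x86,0xdd,
    0x60,0x00,0x00,0x00, 0x00,0x08, 0x11, 0x40,
    0x20,0x01,0x0d,0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,0x01,
    0x20,0x01,0x0d,0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,0x02,
    0x1f,0x90, 0x00,0x35, 0x00,0x08, 0x00,0x00 };

struct flow_key scratch_key;    /* reused by main() and by the checks */

int main(void)
{
    const uint8_t *frames[] = { SAMPLE_V4_TCP, SAMPLE_V6_UDP };
    size_t lens[] = { sizeof SAMPLE_V4_TCP, sizeof SAMPLE_V6_UDP };
    for (int i = 0; i < 2; i++) {
        if (parse_packet(frames[i], lens[i], &scratch_key) != 0) { puts("dropped: truncated/unsupported"); continue; }
        if (!flow_matches(&scratch_key, 0, 0, 0)) continue;   /* empty filter: trace everything */
        printf("IPv%u proto %u %u -> %u hits=%llu\n", (unsigned)scratch_key.family, (unsigned)scratch_key.proto,
               (unsigned)scratch_key.sport, (unsigned)scratch_key.dport, (unsigned long long)record_flow(&scratch_key));
    }
    return 0;
}
```

Feeding a frame cut short (for instance the first 36 bytes of the IPv4 sample, which ends inside the TCP header) makes parse_packet return -1 instead of reading past the buffer; that is the same failure the verifier would reject at load time if the check were missing from the XDP program.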
What's next for xguard
- IPv6 support and port handling are incomplete and need finishing.
- Output handling is currently minimal and oversimplified and needs further improvement, especially for kernel-level tracing, which tends to be very noisy.
