A collection of eBPF tools that are built using libbpf in C++. The build system is written in CMake and is configured to provide a solid development experience in IDEs.
Originally submitted for the NetworkInCode hackathon by me.
Code: syscall-blocker
- Block syscalls: Specific system calls can be blocked by passing the syscall names as arguments to the program.
- Filter by UID: The user can specify the UIDs for which the syscalls should be blocked.
- Filter by Mount Namespace ID: The user can specify the mount namespace IDs for which the syscalls should be blocked.
- Logging: The blocked syscalls are logged to the console.
- Filter by container name: By passing the Docker container name directly, the mount namespace ID is automatically fetched and the syscalls are blocked for that container.
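
The mount namespace ID used by the filters above is the number the kernel exposes in the `/proc/<pid>/ns/mnt` link. The following is an added example, not code from this repository: it shows one way to read that ID for a process. The function names are hypothetical, and obtaining the container's PID with `docker inspect` is an assumption about the workflow, not a description of how syscall-blocker does it.

```cpp
#include <cerrno>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <unistd.h>

// Parse an nsfs link target such as "mnt:[4026531840]" into its numeric ID.
// Anything that is not exactly "mnt:[<decimal>]" is rejected.
bool parse_mnt_ns_link(const std::string &target, uint64_t &id) {
    const std::string prefix = "mnt:[";
    if (target.size() < prefix.size() + 2 ||
        target.compare(0, prefix.size(), prefix) != 0 || target.back() != ']')
        return false;
    const std::string digits =
        target.substr(prefix.size(), target.size() - prefix.size() - 1);
    if (digits.find_first_not_of("0123456789") != std::string::npos)
        return false;
    errno = 0;
    const unsigned long long v = std::strtoull(digits.c_str(), nullptr, 10);
    if (errno != 0) return false;  // value does not fit (ERANGE)
    id = v;
    return true;
}

// Read the mount namespace ID of `pid` from /proc/<pid>/ns/mnt. Fails if the
// process has exited or the caller may not read its namespace links.
bool mnt_ns_id_for_pid(pid_t pid, uint64_t &id) {
    const std::string path = "/proc/" + std::to_string(pid) + "/ns/mnt";
    char buf[64];
    const ssize_t n = readlink(path.c_str(), buf, sizeof(buf));
    if (n <= 0 || static_cast<size_t>(n) >= sizeof(buf)) return false;  // error or truncated
    return parse_mnt_ns_link(std::string(buf, static_cast<size_t>(n)), id);
}

int main(int argc, char **argv) {
    // Assumption: the PID is the container's init process, e.g. obtained with
    //   docker inspect -f '{{.State.Pid}}' <container-name>
    const pid_t pid = argc > 1 ? static_cast<pid_t>(std::atoi(argv[1])) : getpid();
    uint64_t id = 0;
    if (!mnt_ns_id_for_pid(pid, id)) {
        std::fprintf(stderr, "cannot read mount namespace of pid %d\n", pid);
        return 1;
    }
    std::printf("pid %d: mount namespace id %llu\n", pid,
                static_cast<unsigned long long>(id));
    return 0;
}
```

A restarted container gets a new mount namespace with a new ID, so a filter keyed on the old ID stops matching and the ID has to be resolved again.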
Code: dns-delay
- Delay Injection: Introduce delays in DNS query packets.
- Filtering Capabilities: Filter based on:
  - Process making the DNS request (process name).
  - Target URL being queried.
  - DNS server handling the request.
- Delay Configuration: Set user-defined or random delays (with jitter).
- Logging: Provide logging for debugging and verification.
Code: threadviz
- The program uses eBPF hooks to trace thread events.
- The user-space program transforms the raw data into Perfetto trace format.
- The trace is then visualized using Perfetto UI.
MIT License
© 2025, @CaptainIRS