Intercept all outgoing/incoming traffic on Linux using eBPF

Question

I am looking for help with capturing all incoming/outgoing traffic on a host using eBPF across all containers. Need to identify from/to which container is the traffic coming. The filter should run on in a privileged docker container.

Don't need to receive the content, just the TCP/UDP headers are sufficient.

I'm looking for options. eBPF is looking to be the best choice. Need some help with that. — rubenhak, Nov 20 '19 at 08:22
Stack overflow is not the place to ask for recommendations (i.e it violates the rules). Can you reframe your question? — Ross Jacobs, Nov 20 '19 at 08:26
You could check [Hubble](https://cilium.io/blog/2019/11/19/announcing-hubble/), which was just released. — Qeole, Nov 20 '19 at 12:15

score -1 · Answer 1 · answered Nov 20 '19 at 07:11

-1

you can perform

tcpdump -i yourinterface

where yourinterface is the interface you need to monitor, as shown by ifconfig command

answered Nov 20 '19 at 07:11

rai

449
3
10

2

This doesn't answer the question. @rubenhak is asking for a C++ program, and `tcpdump` is a C program. – Ross Jacobs Nov 20 '19 at 07:16
`system ("tcpdump -i yourinterface")`? or perhaps `popen`? – David C. Rankin Nov 20 '19 at 07:37
I need a eBPF implementation for this – rubenhak Nov 20 '19 at 08:23

Intercept all outgoing/incoming traffic on Linux using eBPF

1 Answers1