ebpfmon: tool for monitoring eBPF programs

ebpfmon

ebpfmon is a tool for monitoring eBPF programs. It is designed to be used with bpftool from the Linux kernel. ebpfmon is a TUI (terminal UI) application written in Go that allows you to do real-time monitoring of eBPF programs.

Documentation

Basic navigation

The main view for ebpfmon is the program view. This view shows all the eBPF programs that are currently loaded on the system. Each pane is selectable and you can switch between panes by using the tab key. In a given pane you can use the arrow keys to scroll the text or move the list selection up and down. For lists such as the programs or maps you can press enter to select. Selecting a program will populate the other panes with information about that program. Selecting a map will switch to a map entry view that shows the entries for that map.

Keybindings

There are a few keybindings that are available in ebpfmon. These are listed on the help page, which can be accessed by pressing the F1 key or the ? key.

Program View

To access the program view regardless of which view you are on you can press Ctrl and e.

Bpf feature view

To access the bpf feature view regardless of which view you are on you can press Ctrl and f.

Map views

To access the map view simply select a map (if one exists) for the current eBPF program. This will populate the map view with the map entries. You can delete map entries by pressing the d key. In the map view you can format the map entry data in various ways. To get to the format section simply press TAB while in the map entry list view. You can then use TAB to move between the different format options. To get back to the map entry list press ESC.

You can also edit map entries by pressing ENTER on a selection. In the edit view you can edit the raw byte values of the map key/value. You can ignore the square brackets.

Quitting

To quit the application you can press q or Q.

Going back

Generally the ESC key should take you back to the previous view you were on. Also, if you are in the help view or error view, pressing escape should return you to the previous window.

Command Line Arguments

-bpftool

Allows you to specify the path to the bpftool binary. This is useful if you have a custom build of bpftool that you want to use. By default, it will use the system's bpftool binary. You can also use an environment variable. It will look in the following order:

  1. Check if the -bpftool argument was specified on the command line
  2. Check if the environment variable BPFTOOL_PATH is set.
  3. Use the system binary
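
As an added illustration (not code from ebpfmon itself), the following Go program applies the lookup order above and then decodes the JSON that `bpftool prog show -j` prints, which is the data the program view lists. The struct fields follow bpftool's JSON keys; the sample output embedded in the program is constructed, not captured from a real system.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"os/exec"
)

// BpfProg is the subset of a `bpftool prog show -j` entry that the program view
// lists; json.Unmarshal silently ignores the extra keys bpftool emits (tag, uid, ...).
type BpfProg struct {
	ID     int    `json:"id"`
	Type   string `json:"type"`
	Name   string `json:"name"`
	MapIDs []int  `json:"map_ids"`
}

// ResolveBpftool applies the documented lookup order: -bpftool flag, $BPFTOOL_PATH, system binary.
func ResolveBpftool(flagPath string) (string, error) {
	if flagPath != "" {
		return flagPath, nil
	}
	if p := os.Getenv("BPFTOOL_PATH"); p != "" {
		return p, nil
	}
	return exec.LookPath("bpftool")
}

// ParseProgs decodes the JSON array from exec.Command(bpftool, "prog", "show", "-j").Output().
func ParseProgs(raw []byte) ([]BpfProg, error) {
	var progs []BpfProg
	if err := json.Unmarshal(raw, &progs); err != nil {
		return nil, fmt.Errorf("decode bpftool output: %w", err)
	}
	return progs, nil
}

// sampleOutput is constructed to resemble bpftool's JSON; it is not captured output.
const sampleOutput = `[{"id":12,"type":"cgroup_skb","name":"egress","tag":"deadbeef01234567","loaded_at":1690000000,"map_ids":[3,4]},
 {"id":15,"type":"tracepoint","name":"sys_enter","loaded_at":1690000100}]`

func main() {
	progs, err := ParseProgs([]byte(sampleOutput))
	if err != nil {
		panic(err)
	}
	for _, p := range progs {
		fmt.Printf("%4d %-12s %-10s maps=%v\n", p.ID, p.Type, p.Name, p.MapIDs)
	}
}
```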

-logfile

This argument allows you to specify a file to log to. By default, it will log to ./log.txt. This is a great file to check when trying to debug issues with the application, as it will log errors that occurred during runtime.

Install & Use

Copyright (c) 2023, Red Canary