yanguangshaonian
/
aya
mirror of https://github.com/aya-rs/aya
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
create-pull-request/codegen
create-pull-request/public-api
main
crabby-token
fix-verifier-blixt
linker-bindep
gh-pages
aya-v0.13.1
aya-obj-v0.2.1
aya-log-v0.2.1
aya-log-common-v0.1.15
aya-ebpf-bindings-v0.1.1
aya-ebpf-cty-v0.2.2
aya-v0.13.0
aya-obj-v0.2.0
aya-log-ebpf-v0.1.0
aya-log-ebpf-macros-v0.1.0
aya-log-parser-v0.1.13
aya-ebpf-v0.1.0
aya-ebpf-macros-v0.1.0
aya-ebpf-bindings-v0.1.0
aya-ebpf-cty-v0.2.1
aya-log-v0.2.0
aya-log-common-v0.1.14
aya-v0.12.0
aya-obj-v0.1.0
aya-log-common-v0.1.13
aya-log-v0.1.13
aya-log-common-v0.1.11
aya-log-v0.1.11
aya-log-common-v0.1.10
aya-log-v0.1.10
aya-v0.11.0
aya-log-common-v0.1.9
aya-log-v0.1.9
aya-v0.10.7
aya-v0.10.6
aya-log-v0.1.1
aya-v0.10.5
aya-v0.10.4
aya-v0.10.3
aya-v0.10.2
aya-v0.10.1
aya-v0.10.0
aya-ebpf-macros-v0.1.1
aya-ebpf-v0.1.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ba73b4c2d1'
${ noResults }
aya/traffic-monitor
History
Krish Sharma ba73b4c2d1 docs: add comprehensive README with usage examples and architecture 
README Documentation:
- Complete project overview and architecture description
- Detailed installation and setup instructions
- Comprehensive usage examples for all features
- Command-line reference with all options
- Structured logging format specifications

Key Documentation Sections:
- XDP vs other eBPF hook point comparison
- Performance considerations and tuning guide
- Security considerations and best practices
- Troubleshooting guide for common issues
- Development workflow and contribution guidelines

Usage Examples:
- Basic traffic monitoring setup
- Structured logging in multiple formats
- Log analysis and threat detection workflows
- Configuration management examples
- Docker and containerized deployments

Technical Details:
- eBPF program architecture and data flow
- Ring buffer communication mechanisms
- CIDR range configuration and validation
- Logging system design and performance
- Threat detection algorithms and thresholds

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
 		3 weeks ago
..
configs feat: add configuration examples and comprehensive test suite 3 weeks ago
examples feat: add examples and sample data for testing and demonstration 3 weeks ago
scripts feat: add comprehensive traffic log analysis and threat detection 3 weeks ago
src feat: implement userspace program with integrated logging 3 weeks ago
tests feat: add configuration examples and comprehensive test suite 3 weeks ago
Cargo.toml feat: initialize eBPF traffic monitor project structure 3 weeks ago
README.md docs: add comprehensive README with usage examples and architecture 3 weeks ago
build.rs feat: initialize eBPF traffic monitor project structure 3 weeks ago

README.md

Traffic Monitor

A high-performance eBPF-based network traffic monitoring tool built with Aya. This tool monitors incoming traffic at the XDP (eXpress Data Path) layer and logs traffic from IP addresses that are not in a configured permitted list.

Features

  • XDP-based monitoring: High-performance packet processing at the network driver level
  • CIDR range support: Configure permitted IP ranges using CIDR notation
  • Protocol detection: Identifies and logs TCP, UDP, ICMP, and other IP protocols
  • Flexible actions: Option to log-only or log-and-drop non-permitted traffic
  • Real-time statistics: Periodic summaries of traffic patterns
  • JSON configuration: Easy-to-manage configuration files
  • Structured logging: Multiple output formats (JSON, CSV, JSONL, Console) for analytics
  • Log analysis: Built-in analysis script with threat detection and traffic insights

Architecture

The tool consists of two main components:

  1. eBPF Program (traffic_monitor.bpf.rs): Runs in kernel space at the XDP layer

    • Parses Ethernet and IP headers
    • Checks source IPs against permitted CIDR ranges
    • Logs non-permitted traffic via ring buffer
    • Optionally drops packets based on configuration

  2. Userspace Program (main.rs): Manages the eBPF program and processes events

    • Loads and configures the eBPF program
    • Processes events from the ring buffer
    • Provides statistics and logging
    • Handles configuration management

Installation

From the aya repository root:

cd traffic-monitor
cargo build --release

Usage

Basic Usage

# Monitor interface eth0 with default configuration (log only)
sudo ./target/release/traffic-monitor --interface eth0 --config configs/default.json

# Monitor with packet dropping enabled
sudo ./target/release/traffic-monitor --interface eth0 --config configs/default.json --drop-packets

# Verbose logging
sudo ./target/release/traffic-monitor --interface eth0 --config configs/default.json --verbose

Configuration

Create a JSON configuration file with permitted CIDR ranges:

{
  "permitted_cidrs": [
    "127.0.0.0/8",
    "10.0.0.0/8", 
    "172.16.0.0/12",
    "192.168.0.0/16"
  ]
}

Example configurations are provided in the configs/ directory:

  • default.json: Standard private networks and localhost
  • strict.json: Only localhost and a specific /24 network

Command Line Options

  • --interface, -i: Network interface to attach to (required)
  • --config, -c: Path to JSON configuration file (required)
  • --drop-packets: Drop non-permitted packets instead of just logging
  • --verbose, -v: Enable verbose logging
  • --log-format: Log output format (console, json, csv, jsonl)
  • --log-file: Log output file path (required for non-console formats)
  • --log-buffer-size: Log buffer size in bytes (default: 8192)

Examples

Generate Test Traffic

# Run the test traffic generator
cargo run --example test-traffic

Monitor Specific Interface

# Monitor a specific interface
sudo ./target/release/traffic-monitor -i eth0 -c configs/default.json

Strict Monitoring with Packet Dropping

# Only allow localhost and 192.168.1.0/24, drop everything else
sudo ./target/release/traffic-monitor -i eth0 -c configs/strict.json --drop-packets

Structured Logging Examples

# Log to JSON file for analysis
sudo ./target/release/traffic-monitor -i eth0 -c configs/default.json \
  --log-format json --log-file traffic.json

# Log to CSV file for spreadsheet analysis
sudo ./target/release/traffic-monitor -i eth0 -c configs/default.json \
  --log-format csv --log-file traffic.csv

# Log to JSONL file (recommended for log analysis)
sudo ./target/release/traffic-monitor -i eth0 -c configs/default.json \
  --log-format jsonl --log-file traffic.jsonl

Log Analysis

# Analyze traffic logs with automatic format detection
python3 scripts/analyze_logs.py traffic.jsonl

# Analyze CSV logs
python3 scripts/analyze_logs.py traffic.csv --format csv

# Export detailed analysis report
python3 scripts/analyze_logs.py traffic.jsonl --export-report analysis.json

Testing

Run the test suite:

# Unit tests
cargo test

# Integration tests
cargo test --test integration_tests

# All tests with verbose output
cargo test -- --nocapture

XDP vs Other eBPF Hook Points

XDP (chosen for this implementation):

  • Highest performance (runs before kernel network stack)
  • Efficient packet dropping with minimal CPU overhead
  • Bypasses kernel networking for dropped packets
  • Limited packet modification capabilities
  • No connection tracking context

TC (Traffic Control):

  • More packet modification options
  • Access to more kernel network state
  • Lower performance than XDP
  • Runs after some kernel processing

Socket Filter:

  • Socket-level visibility
  • Application context
  • Much lower performance
  • Only sees traffic for monitored sockets

Performance Considerations

  • Ring Buffer Size: Default 256KB, adjust based on traffic volume
  • Statistics Interval: Default 60 seconds, can be modified in event_handler.rs
  • Maximum CIDR Ranges: Default 256, can be increased in the eBPF program
  • Memory Usage: Minimal kernel memory footprint, userspace scales with unique IPs seen

Troubleshooting

Permission Issues

# Ensure you have CAP_SYS_ADMIN or run as root
sudo ./target/release/traffic-monitor ...

XDP Attachment Issues

If XDP attachment fails, try SKB mode (modify XdpFlags::default() to XdpFlags::SKB_MODE in main.rs):

program.attach(&opt.interface, XdpFlags::SKB_MODE)?;

Interface Not Found

# List available interfaces
ip link show

High CPU Usage

  • Reduce ring buffer polling frequency
  • Increase statistics interval
  • Consider using TC hook for lower performance requirements

Security Considerations

  • Runs with elevated privileges (CAP_SYS_ADMIN)
  • Packet dropping can cause denial of service
  • Log rotation recommended for high-traffic environments
  • Monitor for resource exhaustion with many unique source IPs

Development

Building eBPF Program

The eBPF program is automatically built via build.rs using aya-build.

Adding New Features

  1. Modify the eBPF program in src/traffic_monitor.bpf.rs
  2. Update userspace handling in src/main.rs and related modules
  3. Add tests in tests/integration_tests.rs
  4. Update configuration schema if needed

Debugging

Enable eBPF program logging:

# View eBPF logs
sudo cat /sys/kernel/debug/tracing/trace_pipe

License

This project follows the same license as the Aya project (MIT OR Apache-2.0).