
Xdpcap: XDP Packet Capture - migueldemoura
https://blog.cloudflare.com/xdpcap/
======
ffk
Fun fact, tcpdump is one of the BPF killer apps.

eBPF extends BPF with a more modern architecture (e.g. 64-bit support) and is
generalized so that it can support things like more fine-grained security
control in seccomp, which limits what commands a userspace app can call.

Xdpcap seems like a logical progression of this path.

------
ilarum
I think IPv4 ethertype should be 0x0800, not 0x8000 as depicted in the
annotated flow chart. The picture is correct, the accompanying textbox is not.

------
binwiederhier
A little off topic: I love reading the Cloudflare blog posts. They are always
well written and super interesting. It looks like a very exciting place to
work judging from what they get to work on.

~~~
jiveturkey
That is the entire point of their blog posts, you know. To make you feel like
you want to work there. There's a little bit of SEO also but mostly it's a
recruiting tool.

Does knowing you are being manipulated this way change your opinion?

------
setheron
The tailcall and preconfigured entry points for all possible results seem
excessive.

I wonder if there could have been a cleaner way with an upstream patch
instead.

Maybe if you could add an XDP filter at a given priority to make sure it runs
first?

------
bechampion
This looks close to
[https://github.com/Netronome/bpf-samples/tree/master/xdpdump](https://github.com/Netronome/bpf-samples/tree/master/xdpdump).
I'm a Cloudflare user and I really like seeing this kind of thing.

~~~
ncmncm
Yes, Netronome runs the eBPF on the NIC, where they have a bazillion cores.
That is better than running it in the kernel, for some uses.

------
ncmncm
pcap files are all very well, but I want to run eBPF in the NIC and exfiltrate
pcap to a user-space ring buffer. It doesn't seem like eBPF has access to the
DMA bandwidth I think I need. Am I wrong?

