Xdpcap: XDP Packet Capture (cloudflare.com)
109 points by migueldemoura 4 months ago | 8 comments

Fun fact, tcpdump is one of the BPF killer apps.

eBPF extends BPF with a more modern architecture (e.g. 64-bit support) and is generalized so that it can support things like more fine-grained security control in seccomp, which limits what commands a userspace app can call.

Xdpcap seems like a logical progression of this path.

I think IPv4 ethertype should be 0x0800, not 0x8000 as depicted in the annotated flow chart. The picture is correct, the accompanying textbox is not.

A little off topic: I love reading the Cloudflare blog posts. They are always well written and super interesting. It looks like a very exciting place to work judging from what they get to work on.

That is the entire point of their blog posts, you know. To make you feel like you want to work there. There's a little bit of SEO also but mostly it's a recruiting tool.

Does knowing you are being manipulated this way change your opinion?

The tailcall and preconfigured entry points for all possible results seem excessive.

I wonder if there could have been a cleaner way with an upstream patch instead.

Maybe if you could add an XDP filter at a given priority to make sure it runs first?

This looks close to https://github.com/Netronome/bpf-samples/tree/master/xdpdump. I'm a Cloudflare user and I really like seeing this kind of thing.

Yes, Netronome runs the eBPF on the NIC, where they have a bazillion cores. That is better than running it in the kernel, for some uses.

pcap files are all very well, but I want to run eBPF in the NIC and exfiltrate pcap to a user-space ring buffer. It doesn't seem like eBPF has access to the DMA bandwidth I think I need. Am I wrong?
