eBPF-based network traffic analysis without the overhead.
Pitch

ayaFlow is a high-performance network traffic analyzer built with eBPF and Rust, designed to offer kernel-native visibility into network traffic on Kubernetes. It eliminates the need for a sidecar by using a per-node DaemonSet configuration, ensuring real-time monitoring and deep packet inspection while maintaining minimal performance overhead.

Description

ayaFlow is a powerful, eBPF-based network traffic analyzer meticulously engineered in Rust. Optimized for Kubernetes, it functions as a sidecarless DaemonSet, providing exceptional kernel-native visibility into node-wide network traffic while maintaining minimal overhead.

Core Architecture

Kernel:     NIC --> TC Hook (eBPF, ingress + egress) --> RingBuf
                                                            |
Userspace:                                          Tokio Event Loop
                                              /             |               \
                                           DashMap       SQLite         Axum HTTP
                                        (live stats)    (history)   (API + /metrics)

The architecture consists of a kernel-side Traffic Control (TC) classifier that processes Ethernet, IPv4, TCP, and UDP headers, directing lightweight PacketEvent structs (tagged with direction) into a shared ring buffer. A user-space async Tokio agent polls this buffer, managing live connection states in a DashMap, persisting events to SQLite, and providing a REST API coupled with Prometheus metrics.
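The kernel-side step described above, as an added example that is not ayaFlow's own code: a plain std Rust model of what the TC classifier does per packet. It walks the Ethernet, IPv4 and TCP/UDP headers with explicit bounds checks (the discipline the eBPF verifier enforces before a program is allowed to load) and emits a compact PacketEvent tagged with its direction. The PacketEvent layout, its field names and the build_frame helper are assumptions made for this example.

```rust
// Added example, not ayaFlow's own code: a plain std Rust model of what the
// TC classifier does per packet. It walks the Ethernet, IPv4 and TCP/UDP
// headers with explicit bounds checks (the same discipline the eBPF verifier
// enforces) and emits a compact PacketEvent tagged with its direction.
// The PacketEvent layout and field names are assumptions for this example.
use std::net::Ipv4Addr;

/// Direction tag: which TC hook (ingress or egress) saw the packet.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Direction { Ingress, Egress }

/// Lightweight event pushed to the ring buffer (assumed layout).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct PacketEvent {
    pub direction: Direction,
    pub src_ip: Ipv4Addr,
    pub dst_ip: Ipv4Addr,
    pub src_port: u16,
    pub dst_port: u16,
    pub protocol: u8, // IPPROTO_TCP (6) or IPPROTO_UDP (17)
    pub len: u32,     // whole frame length in bytes
}

const ETH_HLEN: usize = 14;
const ETH_P_IP: u16 = 0x0800;
pub const IPPROTO_TCP: u8 = 6;
pub const IPPROTO_UDP: u8 = 17;

/// Parse one Ethernet frame. Returns None for anything that is not IPv4 over
/// TCP/UDP, or that is truncated before a field we need: every index below is
/// guarded by a length check first, never read speculatively.
pub fn parse_frame(frame: &[u8], direction: Direction) -> Option<PacketEvent> {
    // Ethernet: 6 dst + 6 src + 2 ethertype; refuse anything shorter.
    if frame.len() < ETH_HLEN { return None; }
    if u16::from_be_bytes([frame[12], frame[13]]) != ETH_P_IP { return None; }
    // IPv4: version/IHL byte first; IHL is the header length in 32-bit words.
    let ip = &frame[ETH_HLEN..];
    if ip.len() < 20 || ip[0] >> 4 != 4 { return None; }
    let ihl = ((ip[0] & 0x0f) as usize) * 4;
    if ihl < 20 || ip.len() < ihl { return None; }
    let protocol = ip[9];
    if protocol != IPPROTO_TCP && protocol != IPPROTO_UDP { return None; }
    let src_ip = Ipv4Addr::new(ip[12], ip[13], ip[14], ip[15]);
    let dst_ip = Ipv4Addr::new(ip[16], ip[17], ip[18], ip[19]);
    // L4: TCP and UDP both carry source and destination ports in the first 4 bytes.
    let l4 = &ip[ihl..];
    if l4.len() < 4 { return None; }
    Some(PacketEvent {
        direction,
        src_ip,
        dst_ip,
        src_port: u16::from_be_bytes([l4[0], l4[1]]),
        dst_port: u16::from_be_bytes([l4[2], l4[3]]),
        protocol,
        len: frame.len() as u32,
    })
}

/// Build a minimal Ethernet/IPv4 frame with a 20-byte IP header followed by the
/// L4 ports (constructed test input, not captured traffic).
pub fn build_frame(src: Ipv4Addr, dst: Ipv4Addr, protocol: u8, sport: u16, dport: u16) -> Vec<u8> {
    let mut f = vec![0u8; ETH_HLEN];
    f[12..14].copy_from_slice(&ETH_P_IP.to_be_bytes());
    let mut ip = [0u8; 20];
    ip[0] = 0x45; // version 4, IHL 5 words
    ip[9] = protocol;
    ip[12..16].copy_from_slice(&src.octets());
    ip[16..20].copy_from_slice(&dst.octets());
    f.extend_from_slice(&ip);
    f.extend_from_slice(&sport.to_be_bytes());
    f.extend_from_slice(&dport.to_be_bytes());
    f.extend_from_slice(&[0u8; 16]); // remainder of the L4 header, zeroed
    f
}

fn main() {
    let frame = build_frame(Ipv4Addr::new(10, 0, 0, 5), Ipv4Addr::new(10, 0, 0, 9), IPPROTO_TCP, 43210, 443);
    println!("{:?}", parse_frame(&frame, Direction::Egress));
    // A frame cut off inside the IPv4 header yields None rather than an out-of-bounds read.
    println!("{:?}", parse_frame(&frame[..20], Direction::Ingress));
}
```

The point of the early returns is the same one the eBPF verifier makes on the real classifier: a packet that is not IPv4/TCP/UDP, or that ends mid-header, must be dropped from inspection without ever touching memory past the end of the frame. The IHL handling matters because a 20-byte fixed-header assumption silently misreads the ports of any packet carrying IP options.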

Key Features

  • eBPF-native capture: Bypasses libpcap and avoids privileged sidecars by hooking directly into the kernel's traffic control subsystem.
  • Sidecarless DaemonSet: Deploys one pod per Kubernetes node, eliminating the overhead of one pod per application pod.
  • Real-time monitoring: Offers a live dashboard through a REST API and WebSocket streaming.
  • Persistent history: Utilizes SQLite for data storage with adjustable retention and aggregation settings.
  • Deep Layer 7 inspection: Capable of optional TLS SNI and DNS query extraction, enhancing visibility into encrypted traffic at the domain level.
  • Prometheus integration: Features a built-in exporter for various metrics including ayaflow_packets_total and ayaflow_active_connections.
  • IP allowlist: Provides capability to restrict access to the API and dashboard by source CIDR.
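The userspace side of the features above (live connection state and the Prometheus exporter), as an added example that is not ayaFlow's own code. A std HashMap stands in for the DashMap the project uses, the PacketEvent layout and the FlowKey 5-tuple are assumptions for this example, and the two metric names are the ones listed on this page. The sample events are constructed, not captured traffic.

```rust
// Added example, not ayaFlow's own code: the userspace half of the pipeline
// modelled in plain std Rust. A HashMap stands in for ayaFlow's DashMap, the
// PacketEvent layout and FlowKey are assumptions, and the two metric names are
// the ones listed on the page.
use std::collections::HashMap;
use std::fmt::Write as _;
use std::net::Ipv4Addr;
use std::time::Duration;

#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum Direction { Ingress, Egress }

/// Event as drained from the ring buffer (assumed field layout).
#[derive(Clone, Copy, Debug)]
pub struct PacketEvent {
    pub direction: Direction, pub protocol: u8, pub len: u32,
    pub src_ip: Ipv4Addr, pub src_port: u16,
    pub dst_ip: Ipv4Addr, pub dst_port: u16,
}

/// 5-tuple key with endpoints ordered so both directions of a flow share one entry.
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct FlowKey { a: (Ipv4Addr, u16), b: (Ipv4Addr, u16), protocol: u8 }

impl FlowKey {
    fn from_event(ev: &PacketEvent) -> Self {
        let (s, d) = ((ev.src_ip, ev.src_port), (ev.dst_ip, ev.dst_port));
        let (a, b) = if s <= d { (s, d) } else { (d, s) };
        FlowKey { a, b, protocol: ev.protocol }
    }
}

#[derive(Clone, Debug, Default)]
pub struct FlowStats { pub packets: u64, pub bytes: u64, pub last_seen_ms: u64 }

/// Live connection table plus per-direction packet counters.
pub struct Tracker {
    flows: HashMap<FlowKey, FlowStats>,
    packets_total: HashMap<Direction, u64>,
    idle_timeout: Duration,
}

impl Tracker {
    pub fn new(idle_timeout: Duration) -> Self {
        Tracker { flows: HashMap::new(), packets_total: HashMap::new(), idle_timeout }
    }

    /// Fold one event into the live table; `now_ms` is the event timestamp.
    pub fn record(&mut self, ev: &PacketEvent, now_ms: u64) {
        *self.packets_total.entry(ev.direction).or_insert(0) += 1;
        let st = self.flows.entry(FlowKey::from_event(ev)).or_default();
        st.packets += 1;
        st.bytes += ev.len as u64;
        st.last_seen_ms = now_ms;
    }

    /// Evict flows idle longer than the timeout. Without this the table grows
    /// with every distinct 5-tuple ever seen, which is how a "live stats" map
    /// becomes a slow memory leak. Returns the number of flows evicted.
    pub fn expire(&mut self, now_ms: u64) -> usize {
        let limit = self.idle_timeout.as_millis() as u64;
        let before = self.flows.len();
        self.flows.retain(|_, st| now_ms.saturating_sub(st.last_seen_ms) <= limit);
        before - self.flows.len()
    }

    pub fn active_connections(&self) -> usize { self.flows.len() }

    pub fn packets_total(&self, d: Direction) -> u64 {
        self.packets_total.get(&d).copied().unwrap_or(0)
    }

    /// Render the Prometheus text exposition format, as served at /metrics.
    pub fn render_metrics(&self) -> String {
        let mut out = String::new();
        out.push_str("# HELP ayaflow_packets_total Packets seen by the TC classifier.\n");
        out.push_str("# TYPE ayaflow_packets_total counter\n");
        for (d, label) in [(Direction::Ingress, "ingress"), (Direction::Egress, "egress")] {
            writeln!(out, "ayaflow_packets_total{{direction=\"{}\"}} {}", label, self.packets_total(d)).unwrap();
        }
        out.push_str("# HELP ayaflow_active_connections Flows seen within the idle timeout.\n");
        out.push_str("# TYPE ayaflow_active_connections gauge\n");
        writeln!(out, "ayaflow_active_connections {}", self.active_connections()).unwrap();
        out
    }
}

/// Constructed sample events (not captured traffic): one TCP flow seen in both
/// directions plus a single UDP DNS query, each paired with a millisecond timestamp.
pub fn sample_events() -> Vec<(PacketEvent, u64)> {
    let (client, server, resolver) =
        (Ipv4Addr::new(10, 0, 0, 5), Ipv4Addr::new(10, 0, 0, 9), Ipv4Addr::new(10, 0, 0, 1));
    let mk = |direction, protocol, len, src_ip, src_port, dst_ip, dst_port| PacketEvent {
        direction, protocol, len, src_ip, src_port, dst_ip, dst_port,
    };
    vec![
        (mk(Direction::Egress, 17, 74, client, 5353, resolver, 53), 0),
        (mk(Direction::Egress, 6, 74, client, 43210, server, 443), 0),
        (mk(Direction::Egress, 6, 66, client, 43210, server, 443), 100),
        (mk(Direction::Ingress, 6, 1514, server, 443, client, 43210), 150),
    ]
}

fn main() {
    let mut tracker = Tracker::new(Duration::from_secs(60));
    for (ev, ts) in sample_events() { tracker.record(&ev, ts); }
    print!("{}", tracker.render_metrics());
    // 60.1 s later the DNS flow has gone idle and is evicted; the TCP flow stays.
    println!("evicted {}, active {}", tracker.expire(60_100), tracker.active_connections());
}
```

Two design points carry over to any agent of this shape: the key must be direction-independent so that a request and its reply land on one connection entry, and the table needs an idle-expiry pass, otherwise the "None observed" memory-growth result in the table below cannot hold on a node that sees a steady stream of new 5-tuples.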

Performance & Footprint

In performance tests on a minimal VM (Ubuntu 24.04, 2 vCPU, 2 GB RAM), ayaFlow showcases impressive efficiency:

Metric                        Value
Userspace RSS (steady-state)  ~33 MB
eBPF program (xlated)         784 B
eBPF program (JIT-compiled)   576 B
eBPF program memlock          4 KB
EVENTS ring buffer            256 KB
PAYLOAD_EVENTS ring buffer    256 KB
Memory growth over time       None observed

That the eBPF classifier loaded successfully can be verified with bpftool.

Tested On

  • OS: Ubuntu 24.04 LTS (aarch64)
  • Kernel: 6.x with BTF support
  • Hardware: 2 vCPU, 2 GB RAM (Lima VM)
  • Rust: nightly toolchain + bpf-linker

Explore ayaFlow for efficient, real-time network traffic analysis that enhances visibility and control over your Kubernetes environment.
