Skip to main content

eBPF Socket

Plugin: ebpf.plugin Module: socket

Overview

Monitor bandwidth consumption per application for protocols TCP and UDP.

Attach tracing (kprobe, trampoline) to internal kernel functions according options used to compile kernel.

This collector is only supported on the following platforms:

  • Linux

This collector supports collecting metrics from multiple instances of this integration, including remote instances.

The plugin needs setuid because it loads data inside kernel. Netada sets necessary permission during installation time.

Default Behavior

Auto-Detection

The plugin checks kernel compilation flags (CONFIG_KPROBES, CONFIG_BPF, CONFIG_BPF_SYSCALL, CONFIG_BPF_JIT) and presence of BTF files to decide which eBPF program will be attached.

Limits

The default configuration for this integration does not impose any limits on data collection.

Performance Impact

This thread will add overhead every time that an internal kernel function monitored by this thread is called. The estimated additional period of time is between 90-200ms per call on kernels that do not have BTF technology.

Metrics

Metrics grouped by scope.

The scope defines the instance that the metric belongs to. An instance is uniquely identified by a set of labels.

Per eBPF Socket instance

These metrics show total number of calls to functions inside kernel.

This scope has no labels.

Metrics:

MetricDimensionsUnit
ip.inbound_connconnection_tcpconnections/s
ip.tcp_outbound_connreceivedconnections/s
ip.tcp_functionsreceived, send, closedcalls/s
ip.total_tcp_bandwidthreceived, sendkilobits/s
ip.tcp_errorreceived, sendcalls/s
ip.tcp_retransmitretransmitedcalls/s
ip.udp_functionsreceived, sendcalls/s
ip.total_udp_bandwidthreceived, sendkilobits/s
ip.udp_errorreceived, sendcalls/s

Per apps

These metrics show grouped information per apps group.

Labels:

LabelDescription
app_groupThe name of the group defined in the configuration.

Metrics:

MetricDimensionsUnit
app.ebpf_call_tcp_v4_connectionconnectionsconnections/s
app.app.ebpf_call_tcp_v6_connectionconnectionsconnections/s
app.ebpf_sock_bytes_sentbandwidthkilobits/s
app.ebpf_sock_bytes_receivedbandwidthkilobits/s
app.ebpf_call_tcp_sendmsgcallscalls/s
app.ebpf_call_tcp_cleanup_rbufcallscalls/s
app.ebpf_call_tcp_retransmitcallscalls/s
app.ebpf_call_udp_sendmsgcallscalls/s
app.ebpf_call_udp_recvmsgcallscalls/s

Per cgroup

This scope has no labels.

Metrics:

MetricDimensionsUnit
cgroup.net_conn_ipv4connected_v4connections/s
cgroup.net_conn_ipv6connected_v6connections/s
cgroup.net_bytes_recvreceivedcalls/s
cgroup.net_bytes_sentsentcalls/s
cgroup.net_tcp_recvreceivedcalls/s
cgroup.net_tcp_sendsentcalls/s
cgroup.net_retransmitretransmittedcalls/s
cgroup.net_udp_sendsentcalls/s
cgroup.net_udp_recvreceivedcalls/s
services.net_conn_ipv6a dimension per systemd serviceconnections/s
services.net_bytes_recva dimension per systemd servicekilobits/s
services.net_bytes_senta dimension per systemd servicekilobits/s
services.net_tcp_recva dimension per systemd servicecalls/s
services.net_tcp_senda dimension per systemd servicecalls/s
services.net_tcp_retransmita dimension per systemd servicecalls/s
services.net_udp_senda dimension per systemd servicecalls/s
services.net_udp_recva dimension per systemd servicecalls/s

Alerts

There are no alerts configured by default for this integration.

Setup

Prerequisites

Compile kernel

Check if your kernel was compiled with necessary options (CONFIG_KPROBES, CONFIG_BPF, CONFIG_BPF_SYSCALL, CONFIG_BPF_JIT) in /proc/config.gz or inside /boot/config file. Some cited names can be different accoring preferences of Linux distributions. When you do not have options set, it is necessary to get the kernel source code from https://kernel.org or a kernel package from your distribution, this last is preferred. The kernel compilation has a well definedd pattern, but distributions can deliver their configuration files with different names.

Now follow steps:

  1. Copy the configuration file to /usr/src/linux/.config.
  2. Select the necessary options: make oldconfig
  3. Compile your kernel image: make bzImage
  4. Compile your modules: make modules
  5. Copy your new kernel image for boot loader directory
  6. Install the new modules: make modules_install
  7. Generate an initial ramdisk image (initrd) if it is necessary.
  8. Update your boot loader

Configuration

File

The configuration file name for this integration is ebpf.d/network.conf.

You can edit the configuration file using the edit-config script from the Netdata config directory.

cd /etc/netdata 2>/dev/null || cd /opt/netdata/etc/netdata
sudo ./edit-config ebpf.d/network.conf

Options

All options are defined inside section [global]. Options inside network connections are ignored for while.

Config options
NameDescriptionDefaultRequired
update everyData collection frequency.5no
ebpf load modeDefine whether plugin will monitor the call (entry) for the functions or it will also monitor the return (return).entryno
appsEnable or disable integration with apps.pluginnono
cgroupsEnable or disable integration with cgroup.pluginnono
bandwidth table sizeNumber of elements stored inside hash tables used to monitor calls per PID.16384no
ipv4 connection table sizeNumber of elements stored inside hash tables used to monitor calls per IPV4 connections.16384no
ipv6 connection table sizeNumber of elements stored inside hash tables used to monitor calls per IPV6 connections.16384no
udp connection table sizeNumber of temporary elements stored inside hash tables used to monitor UDP connections.4096no
ebpf type formatDefine the file type to load an eBPF program. Three options are available: legacy (Attach only kprobe), co-re (Plugin tries to use trampoline when available), and auto (plugin check OS configuration before to load).autono
ebpf co-re tracingSelect the attach method used by plugin when co-re is defined in previous option. Two options are available: trampoline (Option with lowest overhead), and probe (the same of legacy code).trampolineno
maps per coreDefine how plugin will load their hash maps. When enabled (yes) plugin will load one hash table per core, instead to have centralized information.yesno
lifetimeSet default lifetime for thread when enabled by cloud.300no

Examples

There are no configuration examples.


Do you have any feedback for this page? If so, you can open a new issue on our netdata/learn repository.