Servers and networking equipment

Per-Process Bandwidth Tracker using eBPF

System ProgrammingeBPFLinux KernelPython
View on GitHub

3/26/2024

I built a real-time network usage tracker that utilizes eBPF (Extended Berkeley Packet Filter) to measure send and receive bandwidth on a per-process basis. It supports per-remote IP tracking, protocol filtering, and historical usage storage.

Why eBPF?

eBPF allows us to run sandboxed programs in a privileged context such as the operating system kernel. It’s incredibly fast and efficient because it executes right where the network stack processes data, eliminating the need to constantly copy packets to user space for analysis.

Features

  • Real-time monitoring: Track network bandwidth usage per process in real-time.
  • Per-IP tracking: Monitor traffic going to or coming from specific remote IP addresses.
  • Protocol filtering: Distinctly separate TCP and UDP traffic statistics.
  • Historical storage: Store usage data in an SQLite database for long-term reporting.
  • Web UI & CLI: A simple Flask web interface for visualization, plus a command-line tool for quick stats directly in the terminal.

Architecture

The project is split into Kernel Space and User Space components:

Kernel Space (eBPF)

We attach eBPF probes directly to kernel network functions:

  • tcp_sendmsg and tcp_recvmsg for TCP tracking.
  • udp_sendmsg and udp_recvmsg for UDP tracking.

For each network operation, the eBPF program records the PID, process name, remote IP, protocol, bytes transfered, and a timestamp. All this aggregation happens rapidly inside eBPF maps.

User Space (Python/BCC)

A Python program using the BCC toolkit periodically reads these eBPF maps, aggregates the data by process, and stores it in SQLite. A Flask API then exposes this data to the visualization layer.

Performance and Security Considerations

Because the heavy lifting (aggregation and filtering) happens in kernel space before ever moving to user space, the performance impact is minimal. The tool easily scales to handle high-traffic systems.

From a security standpoint:

  • The tracker requires root privileges to load the eBPF programs into the kernel.
  • It only tracks traffic generated by local processes, not forwarded traffic.
  • All historical data is kept completely local via SQLite.

You can check out the full source code and installation instructions on the GitHub Repository!

Other Posts 18
Innovation Journey: My Experience at IIT Jammu Invention Factory

Innovation Journey: My Experience at IIT Jammu Invention Factory

Jul 20, 2023
Product DevelopmentProblem Solving
Discovering Default Credentials in BAS Portal Admin Access

Discovering Default Credentials in BAS Portal Admin Access

Nov 28, 2023
Cybersecurity
App Script to Auto Shedule meets based on mails

App Script to Auto Shedule meets based on mails

May 12, 2023
AutomationGoogle App Script
Discovering and Reporting Security Vulnerabilities in IITGN Computer Labs

Discovering and Reporting Security Vulnerabilities in IITGN Computer Labs

Dec 3, 2024
Cybersecurity
Per-Process Bandwidth Tracker using eBPF

Per-Process Bandwidth Tracker using eBPF

Mar 26, 2024
System ProgrammingeBPF
Technical Lead at EII and E-Summit

Technical Lead at EII and E-Summit

May 12, 2023
Web DevelopmentLeadership
GodBot - The Ultimate Advanced AI Bot

GodBot - The Ultimate Advanced AI Bot

Mar 26, 2024
AIPython
Issue Tracker

Issue Tracker

May 12, 2023
Web DevelopmentFlask
My Journey Through NDA SSB: A Personal Experience

My Journey Through NDA SSB: A Personal Experience

Jul 15, 2022
Life ExperienceLeadership
YouTube-Inspired Portfolio

YouTube-Inspired Portfolio

May 12, 2023
Web DevelopmentAstro
OWASP Nest: Open Source Contribution

OWASP Nest: Open Source Contribution

Dec 18, 2024
SecurityOpen Source
Software Intern at Ripplica

Software Intern at Ripplica

Aug 20, 2025
AIAutomation
SRIP Portal Serverless Migration

SRIP Portal Serverless Migration

May 12, 2023
PythonFlask
StudySahayak - AI-Powered Content Repurposing

StudySahayak - AI-Powered Content Repurposing

Mar 26, 2024
AIFlask
Void Battle: A Terminal-Based Space Combat Game

Void Battle: A Terminal-Based Space Combat Game

Nov 29, 2024
Game DevelopmentPython
Tico: A Git Clone Implementation

Tico: A Git Clone Implementation

May 12, 2023
pythongit
Interactive Course Timetable

Interactive Course Timetable

May 12, 2023
Web DevelopmentFlask
Understanding the Dark Web: A Security Perspective

Understanding the Dark Web: A Security Perspective

Nov 29, 2024
Cybersecurity