Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
a
alessandrogario
04/26/2022, 11:59 AMAs mentioned in the office hours notes for today, here's the PoC for the new bpf_network_events table. See https://hackmd.io/023_mOVkRi2zv49WMn5PEQ?view#Introducing-the-bpf_network_events-experiment for more information
🚀 3
Hey @Zander Mackie && @Matt Uebel, any chance you can take a look at this PoC? 🙂
Only has network events, but should be a huge performance improvement compared to core (and I will add process events too in the future!)
m
Matt Uebel
04/28/2022, 8:56 PMI'll take a look!
a
alessandrogario
04/29/2022, 2:32 PMI have forgot to mention this but bpf needs to
1. be able to call the bpf() syscall
2. access debug symbols defined in /sys/kernel/btf/linux
so it will likely not work inside a container out of the box