How xcap Uses eBPF to Revolutionize Kernel Network Packet Capture
The article introduces xcap, an eBPF‑based next‑generation kernel network packet capture tool that overcomes the limitations of traditional utilities like tcpdump by providing flexible hook points, customizable filtering, and support for diverse network scenarios such as AF_XDP and DPDK, thereby dramatically improving packet‑loss debugging efficiency.
Introduction
Linux kernel network packet loss is a common problem for developers. Traditional tools such as tcpdump are limited in efficiency and depth of analysis. Leveraging the rapid development of eBPF, the xcap tool was created to provide next‑generation kernel network packet capture.
Drawbacks of Traditional Tools
1. tcpdump captures packets only at fixed points (after XDP, before TC for inbound; after TC for outbound). Packets that bypass these points cannot be captured, and tcpdump lacks filtering by process name, PID, or namespace.
2. bpftrace + skboutput can capture and save packets but does not support tcpdump‑style filtering syntax.
Advantages of xcap
Customizable capture points: xcap uses hook functions, offering flexible placement and covering more network scenarios.
Highly configurable functionality: Built on the cbpfc library, xcap translates tcpdump filter syntax into C code, compiles it on the fly via the Go bcc library, and accesses extensive BPF helper data (e.g., stack, process name, PID, namespace) for rich custom features.
xcap hooks the kernel via kprobe/tracepoint, obtains the skb and sock structures, and transfers packet data to user space through BPF maps.
Typical Use Cases
1. Kernel packet loss: In a scenario where an iptables rule drops all ICMP packets on eth1, tcpdump cannot see the packets. xcap hooks kfree_skb_reason, captures the skb lifecycle, applies tcpdump‑style filters, and reveals the cause of the loss.
2. AF_XDP packet capture: Packets generated by AF_XDP bypass the traditional capture points. Running xcap alongside tcpdump shows that tcpdump misses these packets while xcap captures them.
Implementation Principles
1. Overall Architecture: xcap relies on the cbpfc library to convert tcpdump syntax into C functions, performs string substitution to generate the BPF code, and uses the Go bcc library for just‑in‑time compilation. Data is passed to user space via BPF_MAP_TYPE_PERF_EVENT_ARRAY.
2. BPF Side Framework: The BPF code is compiled with clang into bytecode, then loaded and attached via the BPF syscall. The kernel verifier checks the program's safety before it is loaded.
3. tcpdump Syntax to C Function Conversion: The parser translates tcpdump filters into offsets on the skb data (e.g., struct ethhdr is 14 bytes, and the protocol field sits at a 9‑byte offset within struct iphdr) and generates comparison logic such as a check against IPPROTO_TCP (6).
4. Mapping skb Structure to Packets: The sk_buff structure persists throughout the kernel stack and holds the full packet. xcap reads the head field, extracts header fields and payload via offsets, and stores them in a map for tcpdump‑style filtering.
5. Synthesizing skb from sock: When the packet headers have not yet been built, xcap infers the missing fields from the sock structure, synthesizes header data, and writes it into a pcap buffer.
6. Generating pcap Files: xcap constructs the pcap headers, fills in ethhdr, iphdr, and payload, and transmits the data to user space via PERF_EVENT_ARRAY. The user‑space process uses epoll to listen for events and copy the data.
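To make steps 3 and 6 concrete, the following added example (not xcap's own code) shows, in plain user-space C, what the compiled filter "tcp" reduces to on raw frame bytes and how a matched frame is wrapped in libpcap file and record headers. The frames and timestamp are constructed for illustration; xcap would evaluate the same offsets against skb->head inside the BPF program.

```c
#include <stdint.h>
#include <string.h>

/* Offsets the filter compiler resolves, as the article describes:
 * struct ethhdr is 14 bytes; the protocol byte is 9 bytes into struct iphdr. */
#define ETH_HLEN        14
#define ETH_P_IP        0x0800
#define IPHDR_PROTO_OFF 9
#define IPPROTO_TCP     6

/* Constructed sample frames (not real captures): two MACs, EtherType IPv4,
 * then a 20-byte IPv4 header whose protocol byte selects TCP or ICMP. */
static const uint8_t sample_tcp_frame[34] = {
    0,0,0,0,0,1, 0,0,0,0,0,2, 0x08,0x00,               /* ethhdr */
    0x45,0,0,20, 0,0,0,0, 64, IPPROTO_TCP, 0,0,        /* iphdr, ttl 64 */
    10,0,0,1, 10,0,0,2 };
static const uint8_t sample_icmp_frame[34] = {
    0,0,0,0,0,1, 0,0,0,0,0,2, 0x08,0x00,
    0x45,0,0,20, 0,0,0,0, 64, 1 /* ICMP */, 0,0,
    10,0,0,1, 10,0,0,2 };

/* Equivalent of the comparison code generated for the filter "tcp":
 * check the EtherType, then the IP protocol byte, with a length guard. */
int filter_tcp(const uint8_t *pkt, size_t len)
{
    if (len < ETH_HLEN + IPHDR_PROTO_OFF + 1) return 0;   /* field not present */
    uint16_t ethertype = (uint16_t)((pkt[12] << 8) | pkt[13]);
    if (ethertype != ETH_P_IP) return 0;
    return pkt[ETH_HLEN + IPHDR_PROTO_OFF] == IPPROTO_TCP;
}

/* libpcap file format: 24-byte global header, 16-byte per-record header. */
struct pcap_file_hdr { uint32_t magic; uint16_t version_major, version_minor;
                       int32_t thiszone; uint32_t sigfigs, snaplen, linktype; };
struct pcap_rec_hdr { uint32_t ts_sec, ts_usec, incl_len, orig_len; };

/* Emit the global header plus one record for a matched frame into out.
 * Returns bytes written, or -1 if out is too small. */
long write_pcap_record(uint8_t *out, size_t outlen,
                       const uint8_t *pkt, size_t len, uint32_t ts_sec)
{
    struct pcap_file_hdr fh = { 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1 /* Ethernet */ };
    struct pcap_rec_hdr rh = { ts_sec, 0, (uint32_t)len, (uint32_t)len };
    size_t need = sizeof fh + sizeof rh + len;
    if (outlen < need) return -1;
    memcpy(out, &fh, sizeof fh);
    memcpy(out + sizeof fh, &rh, sizeof rh);
    memcpy(out + sizeof fh + sizeof rh, pkt, len);
    return (long)need;
}
```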
Future Plans
xcap will be open‑sourced and integrated into the Volcengine veLinux operating system. Planned optimizations include replacing perf ring buffer with BPF ringbuf for lower overhead, using vmlinux BTF for automatic kernel function argument parsing, adopting fentry/fexit hooks to reduce performance impact, and exploring low‑overhead uprobe techniques to support DPDK packet capture.
ByteDance SYS Tech
Focused on system technology, sharing cutting‑edge developments, innovation and practice, and analysis of industry tech hotspots.