This project demonstrates the following features in eBPF-For-Windows:

- Native eBPF program generation.
- The `BPF_PROG_TYPE_SOCK_OPS` program type.
- The `bpf_printk` helper emitting tracing to ETW.
- The `BPF_MAP_TYPE_RINGBUF` map type.

The project provides a real-time list of connections that have been completed, along with the source, destination, and duration of each connection.
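The tracking logic behind that connection list, as an added example that is not code from ebpf-for-windows-demo: a sock_ops program is told when a connection becomes established and again when it is torn down, so it stores the establishment timestamp keyed by the connection's 5-tuple and, on teardown, publishes a completed-connection record (source, destination, duration) for the user-space tracker to read. The portable C below models that state machine so it compiles and runs anywhere; the event enum, the 5-tuple and record layouts, the array-backed table standing in for a BPF hash map and the output array standing in for the `BPF_MAP_TYPE_RINGBUF` map are all my constructions, not the project's definitions, as is the sample event sequence.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Event kinds handed to the tracker. In the real program these arrive through
 * the sock_ops hook; this enum is a constructed stand-in. */
typedef enum { EV_ESTABLISHED = 1, EV_DELETED = 2 } conn_event_kind;

/* Constructed IPv4 5-tuple identifying one connection (host byte order). */
typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t protocol;
} conn_key;

typedef struct {
    conn_event_kind kind;
    conn_key key;
    uint64_t timestamp_ns;
} conn_event;

/* Completed-connection record: what the user-space consumer would read. */
typedef struct {
    conn_key key;
    uint64_t duration_ns;
} conn_record;

#define MAX_TRACKED 64 /* in-flight connections (stand-in for a BPF hash map) */
#define MAX_OUTPUT 64  /* completed records (stand-in for the ring buffer) */

typedef struct {
    conn_key keys[MAX_TRACKED];
    uint64_t start_ns[MAX_TRACKED];
    int used[MAX_TRACKED];
    conn_record out[MAX_OUTPUT];
    size_t out_count;
    size_t dropped; /* events lost because the table or the output was full */
} conn_tracker;

/* Compare field by field: struct padding makes memcmp unreliable here. */
static int key_equal(const conn_key *a, const conn_key *b) {
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
           a->src_port == b->src_port && a->dst_port == b->dst_port &&
           a->protocol == b->protocol;
}

static int find_slot(const conn_tracker *t, const conn_key *k) {
    for (int i = 0; i < MAX_TRACKED; i++)
        if (t->used[i] && key_equal(&t->keys[i], k)) return i;
    return -1;
}

/* Feed one event. Returns 1 when a completed record was emitted, else 0. */
int conn_tracker_handle(conn_tracker *t, const conn_event *ev) {
    int slot = find_slot(t, &ev->key);
    if (ev->kind == EV_ESTABLISHED) {
        if (slot < 0) {
            for (int i = 0; i < MAX_TRACKED && slot < 0; i++)
                if (!t->used[i]) slot = i;
            if (slot < 0) { t->dropped++; return 0; } /* table full */
            t->keys[slot] = ev->key;
            t->used[slot] = 1;
        }
        t->start_ns[slot] = ev->timestamp_ns; /* a repeat resets the clock */
        return 0;
    }
    if (ev->kind == EV_DELETED) {
        if (slot < 0) return 0; /* torn down but never seen established: nothing to report */
        conn_record rec = { t->keys[slot], ev->timestamp_ns - t->start_ns[slot] };
        t->used[slot] = 0;
        if (t->out_count >= MAX_OUTPUT) { t->dropped++; return 0; } /* output full */
        t->out[t->out_count++] = rec;
        return 1;
    }
    return 0;
}

/* Render one record the way a connection list would display it. */
void conn_record_format(const conn_record *r, char *buf, size_t len) {
    unsigned s = r->key.src_ip, d = r->key.dst_ip;
    snprintf(buf, len, "%u.%u.%u.%u:%u -> %u.%u.%u.%u:%u  %.3f s",
             s >> 24, (s >> 16) & 255, (s >> 8) & 255, s & 255, r->key.src_port,
             d >> 24, (d >> 16) & 255, (d >> 8) & 255, d & 255, r->key.dst_port,
             r->duration_ns / 1e9);
}

/* Constructed scenario: two connections open, a stray teardown, one close. */
size_t run_demo(conn_tracker *t) {
    conn_key a = { 0x0A000001u, 0x5DB8D822u, 51000, 443, 6 }; /* 10.0.0.1 -> 93.184.216.34 */
    conn_key b = { 0x0A000001u, 0x01010101u, 51001, 53, 17 }; /* 10.0.0.1 -> 1.1.1.1 */
    conn_key c = { 0x0A000002u, 0x01010101u, 40000, 80, 6 };  /* never established */
    conn_event evs[] = {
        { EV_ESTABLISHED, a, 1000000000ULL },
        { EV_ESTABLISHED, b, 1200000000ULL },
        { EV_DELETED, c, 1300000000ULL },
        { EV_DELETED, a, 2500000000ULL }, /* completes a after 1.5 s */
    };
    size_t emitted = 0;
    memset(t, 0, sizeof *t);
    for (size_t i = 0; i < sizeof evs / sizeof evs[0]; i++)
        emitted += conn_tracker_handle(t, &evs[i]);
    return emitted;
}

int main(void) {
    conn_tracker t;
    char line[96];
    run_demo(&t);
    for (size_t i = 0; i < t.out_count; i++) {
        conn_record_format(&t.out[i], line, sizeof line);
        puts(line);
    }
    return 0;
}
```

The two places where records can be lost (the table full on establish, the output full on teardown) are counted rather than silently ignored; in a real deployment those counters are what tells you the connection list is incomplete.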
- Build the `ebpf-for-windows-demo` as outlined in Getting Started.
- Install eBPF-For-Windows with the MSI installer on the target machine. This should start the netebpfext, ebpfcore and ebpfsvc services.
- Copy `conn_track.sys` and `conn_tracker.exe` to the target machine.
- Launch `conn_tracker.exe`.
- Launch a browser and navigate to any website.
- Connection tracker will then show the list of connections.

To see the `bpf_printk` output from the eBPF program:

- Start an ETW session and add the eBPF-For-Windows provider: `tracelog -start MyTrace -guid ebpf-printk.guid -rt`.
- Start a real-time trace consumer: `tracefmt -rt MyTrace -displayonly -jsonMeta 0`.
- Launch `conn_tracker.exe`.
- Launch a browser and navigate to any website.
- The real-time trace consumer will then show all the `bpf_printk` events being generated by the eBPF program.

Note: `ebpf-printk.guid` is present in `C:\Program Files\ebpf-for-windows\`.