Cloudflare has published xdpcap, a traffic sniffer based on the XDP subsystem

Cloudflare has released xdpcap, an open-source network packet analyzer similar to tcpdump, built on top of the XDP (eXpress Data Path) subsystem. The project code is written in Go and distributed under the BSD license. The project also prepared a library for attaching eBPF traffic handlers from Go applications.

The xdpcap utility is compatible with tcpdump/libpcap filtering expressions and allows significantly larger volumes of traffic to be processed on the same hardware. Xdpcap can also be used for debugging in situations where ordinary tcpdump is not applicable, such as filtering, DoS protection and load-balancing systems that use the Linux kernel's XDP subsystem, which processes packets at a stage before they reach the Linux kernel networking stack (tcpdump does not see packets dropped by the XDP handler).

High performance is achieved through the use of the eBPF and XDP subsystems. eBPF is a bytecode interpreter built into the Linux kernel that allows high-performance handlers for incoming/outgoing packets to be created, each deciding whether to forward or drop the packet. With the help of a JIT compiler, eBPF bytecode is translated into machine instructions on the fly and executed with the performance of native code. The XDP (eXpress Data Path) subsystem complements eBPF with the ability to run BPF programs at the network driver level, with support for direct access to the DMA packet buffer and operation at a stage before the network stack allocates the skbuff buffer.

Like tcpdump, the xdpcap utility first translates high-level traffic filtering rules into the classic BPF representation (cBPF) using the standard libpcap library, and then converts them into eBPF routines using the cbpfc compiler, which builds on LLVM/Clang work. On output, traffic information is stored in the standard pcap format, so a dump prepared with xdpcap can be studied further in tcpdump and other existing traffic analyzers. For example, to capture information about DNS traffic, instead of the command "tcpdump ip and udp port 53" you can run "xdpcap /path/to/hook capture.pcap 'ip and udp port 53'", and then use the capture.pcap file, for example, with the command "tcpdump -r" or in Wireshark.
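To make the two ends of this pipeline concrete, here is an added example that is not part of the article or of xdpcap itself: it hand-codes the decision that the filter expression "ip and udp port 53" makes for a frame (xdpcap does this by compiling the expression through libpcap and cbpfc into eBPF; the plain Python check below is only an assumed equivalent), and it writes the matching frames in the standard pcap file format that tcpdump -r and Wireshark read. The two sample frames (a DNS query and a TCP SYN) and their MAC/IP addresses are constructed for the example.

```python
import struct

# libpcap file-format constants (little-endian magic, microsecond timestamps)
PCAP_MAGIC_USEC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_frame(src_ip: str, dst_ip: str, proto: int, l4: bytes) -> bytes:
    """Constructed Ethernet/IPv4 frame with dummy locally administered MACs."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # version/IHL, DSCP, total length, id, flags (DF), TTL, proto, checksum=0, addrs
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return eth + ip + l4


def udp_segment(sport: int, dport: int, payload: bytes) -> bytes:
    # UDP checksum 0 means "not computed", which is legal over IPv4
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp_syn(sport: int, dport: int) -> bytes:
    # 20-byte TCP header, SYN flag only, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def matches_ip_udp_port(frame: bytes, port: int) -> bool:
    """Hand-written equivalent of the pcap filter 'ip and udp port <port>'."""
    if len(frame) < 14 + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return False
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return False
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_UDP or ip_checksum(ip[:ihl]) != 0:
        return False
    l4 = ip[ihl:]
    if len(l4) < 8:
        return False
    sport, dport = struct.unpack("!HH", l4[:4])
    return sport == port or dport == port


def pcap_bytes(frames, ts_sec: int = 1_700_000_000) -> bytes:
    """Serialise frames into a pcap file body: 24-byte global header, then records."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, captured length, original length (no snaplen truncation here)
        out.append(struct.pack("<IIII", ts_sec, i, len(frame), len(frame)) + frame)
    return b"".join(out)


# Constructed sample traffic: one DNS query for example.com and one HTTP SYN.
DNS_QUERY = build_ipv4_frame(
    "192.0.2.10", "192.0.2.53", IPPROTO_UDP,
    udp_segment(40000, 53, struct.pack("!HHHHHH", 0xABCD, 0x0100, 1, 0, 0, 0)
                + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)))
HTTP_SYN = build_ipv4_frame("192.0.2.10", "192.0.2.80", IPPROTO_TCP, tcp_syn(40001, 80))


def capture_dns(frames) -> bytes:
    """Apply the 'ip and udp port 53' decision and emit only the matches as pcap."""
    return pcap_bytes([f for f in frames if matches_ip_udp_port(f, 53)])


if __name__ == "__main__":
    with open("capture.pcap", "wb") as fh:
        fh.write(capture_dns([DNS_QUERY, HTTP_SYN]))
    print("wrote capture.pcap; inspect with: tcpdump -r capture.pcap")
```

The header and record layouts match what libpcap writes, so the resulting file opens in tcpdump and Wireshark; the filter function shows the kind of per-packet decision the eBPF program makes inside the kernel before any frame is copied to user space.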

Source: opennet.ru
