AyaFlow: A high-performance, eBPF-based network traffic analyzer written in Rust

A high-performance, eBPF-based network traffic analyzer written in Rust. Designed to run as a sidecarless DaemonSet in Kubernetes, providing kernel-native visibility into node-wide network traffic with minimal overhead.

Built on the Aya eBPF framework.

Kernel: NIC --> TC Hook (eBPF, ingress + egress) --> RingBuf
|
Userspace: Tokio Event Loop
/ | \
DashMap SQLite Axum HTTP
(live stats) (history) (API + /metrics)

Kernel-side: A TC (Traffic Control) classifier attached at both ingress and egress parses Ethernet/IPv4/TCP/UDP headers and pushes lightweight PacketEvent structs (with a direction tag) to a shared ring buffer.

Userspace: An async Tokio agent polls the ring buffer, maintains live connection state in a DashMap, persists events to SQLite, and exposes a REST API with Prometheus metrics.

eBPF-native capture-- No libpcap, no privileged sidecar. Hooks directly into the kernel's traffic control subsystem.

Sidecarless DaemonSet-- One pod per node instead of one per application pod.

Real-time monitoring-- Live dashboard via REST API + WebSocket streaming.

Persistent history-- SQLite storage with configurable data retention and aggregation.

Deep L7 inspection-- Optional TLS SNI and DNS query extraction for domain-level visibility into encrypted traffic.

Prometheus /metrics-- Native exporter for ayaflow_packets_total, ayaflow_bytes_total, ayaflow_active_connections, ayaflow_domains_resolved_total, ayaflow_deep_inspect_packets_total.

Performance Metrics (Measured on Ubuntu 24.04, 2 vCPU, 2 GB RAM):

• Userspace RSS: ~33 MB
• eBPF program (JIT-compiled): 576 B
• Ring buffer memlock: ~270 KB

Deployment: Deploy as a DaemonSet using kubectl apply -f k8s/daemonset.yaml. The DaemonSet uses hostNetwork: true and mounts /sys/fs/bpf.