How Zero‑Intrusion eBPF Transforms TCP Network Monitoring and Troubleshooting
This article explains how zero‑intrusion eBPF technology enables detailed, non‑disruptive TCP network monitoring, covering data collection interfaces, aggregation methods, implementation steps, usage limitations, and practical installation and visualization guidance for improving network performance and fault analysis.
Background
Host network monitoring data plays a crucial role in daily troubleshooting: it supports performance assessment and rapid detection of anomalies such as traffic spikes or unexpected data transfers, both of which matter for network security and stability. Application‑level communication records provide valuable clues for tracing issues.
Implementation Details
Traditional monitoring focuses on overall bandwidth, while application‑level traffic usually requires manual instrumentation, which is intrusive. The zero‑intrusion eBPF technique attaches hooks in the kernel, allowing custom logic to run at function entry and exit without modifying application code. Results are exported to user space for further processing, which simplifies deployment and improves accuracy.
Yunzhou Observation uses eBPF to collect per‑port traffic on a host without affecting services, aggregates detailed network data, and presents it under service domain names, accelerating problem analysis, tracing, and localization.
Implementation Explanation
Yunzhou Observation efficiently gathers data with eBPF, aggregates it by time intervals, and reports TCP connection metrics such as connection count, latency, send/receive volume, closures, retransmissions, and DNS queries. The aggregated results are stored for querying, analysis, and visualization to optimize network performance and diagnose faults.
eBPF Data Collection Interfaces
tcp_connect: monitors connection status, creation latency, and frequency, helping detect congestion, overload, or performance bottlenecks, and can be used to predict future traffic demand.
tcp_sendmsg / tcp_cleanup_rbuf: evaluates bandwidth utilization via packet size and count, detecting abnormal inbound/outbound traffic.
tcp_close: analyzes abnormal close patterns to identify security threats such as DoS attacks and aids performance tuning.
tcp_retransmit: counts retransmissions to reveal network jitter and transmission quality issues.
udp_sendmsg (DNS): captures DNS queries so IPs can be mapped to domain names, giving a domain‑level view of a machine’s overall network activity.
Other interfaces (e.g., state handling) monitor TCP state changes and data direction.
Data Aggregation
Because the raw event volume is high, metrics (counts, sizes, latencies) are summed or averaged over a default one‑minute window. Aggregated results are written to log storage and displayed in the UI for query.
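The user‑space side of the collection interfaces and the aggregation step described above, as an added example that is not Yunzhou Observation's own code: it folds per‑event hook records into one‑minute buckets keyed by window, pid, remote (domain when a DNS answer is known, else IP) and port. The event field names (hook, ts, pid, daddr, dport, latency_us, size) and the tcp_retransmit event label are assumptions, and the sample input is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
WINDOW_SECS = 60  # the default one-minute aggregation window

@dataclass
class Bucket:
    connects: int = 0
    connect_latency_us_total: int = 0
    sent_bytes: int = 0
    recv_bytes: int = 0
    closes: int = 0
    retransmits: int = 0

    def avg_connect_latency_us(self) -> float:
        return self.connect_latency_us_total / self.connects if self.connects else 0.0

def aggregate(events, dns_cache):
    """Sum hook events into buckets keyed by (window start, pid, remote, dport).
    Events carry hook, ts (seconds), pid, daddr, dport plus latency_us (tcp_connect)
    or size (tcp_sendmsg / tcp_cleanup_rbuf); dns_cache maps IP -> domain as learned
    from the udp_sendmsg DNS hook, and an IP without an answer is kept as the bare IP."""
    buckets = defaultdict(Bucket)
    for ev in events:
        window = ev["ts"] - ev["ts"] % WINDOW_SECS       # floor to the window start
        remote = dns_cache.get(ev["daddr"], ev["daddr"])  # present by domain when known
        b = buckets[(window, ev["pid"], remote, ev["dport"])]
        if ev["hook"] == "tcp_connect":
            b.connects += 1
            b.connect_latency_us_total += ev["latency_us"]
        elif ev["hook"] == "tcp_sendmsg":
            b.sent_bytes += ev["size"]
        elif ev["hook"] == "tcp_cleanup_rbuf":
            b.recv_bytes += ev["size"]
        elif ev["hook"] == "tcp_close":
            b.closes += 1
        elif ev["hook"] == "tcp_retransmit":
            b.retransmits += 1
    return dict(buckets)

# Constructed sample input: one cached DNS answer and hook events spanning two windows.
SAMPLE_DNS = {"203.0.113.10": "api.example.test"}
SAMPLE_EVENTS = [
    {"hook": "tcp_connect", "ts": 60005, "pid": 4242, "daddr": "203.0.113.10", "dport": 443, "latency_us": 1200},
    {"hook": "tcp_sendmsg", "ts": 60007, "pid": 4242, "daddr": "203.0.113.10", "dport": 443, "size": 512},
    {"hook": "tcp_cleanup_rbuf", "ts": 60008, "pid": 4242, "daddr": "203.0.113.10", "dport": 443, "size": 4096},
    {"hook": "tcp_retransmit", "ts": 60009, "pid": 4242, "daddr": "203.0.113.10", "dport": 443},
    {"hook": "tcp_connect", "ts": 60030, "pid": 4242, "daddr": "203.0.113.10", "dport": 443, "latency_us": 800},
    {"hook": "tcp_close", "ts": 60061, "pid": 4242, "daddr": "203.0.113.10", "dport": 443},  # next window
    {"hook": "tcp_connect", "ts": 60012, "pid": 7, "daddr": "198.51.100.7", "dport": 80, "latency_us": 300},
]
```

Each bucket is one row of the per‑minute summary the text describes; a real collector would flush these rows to log storage at the end of every window.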
Usage Limits
eBPF depends on the kernel version: hook interfaces and data structures differ across versions, and third‑party dependencies may not be installable on production hosts. Older kernels may lack eBPF or BTF support altogether. Yunzhou Observation uses CO‑RE (Compile Once, Run Everywhere) with BTF, embedding minimal BTF in the ELF object, so the host kernel must still support eBPF and BTF.
Usage Instructions
Install the Collector
Search for “TCP Network Connection Monitoring” in the Yunzhou Observation app market and install it on the target host.
View Observation Dashboards
The UI provides three layers:
TCP summary between the current host and remote service domains.
When a domain is selected, TCP summary for each IP under that domain.
When an IP is selected, process‑level TCP detail for that IP.
Follow Yunzhou Observation
Yunzhou Observation, launched by 360 Zhihui Cloud, offers a one‑stop data collection and monitoring solution for infrastructure, application performance, and cloud‑native metrics, helping users detect and resolve system and application issues quickly.
360 Zhihui Cloud Developer
360 Zhihui Cloud is an enterprise open service platform that aims to "aggregate data value and empower an intelligent future," leveraging 360's extensive product and technology resources to deliver platform services to customers.