Project 5: Network Packet Counter (Basic XDP)

An XDP (eXpress Data Path) program that counts network packets by protocol, source/destination, and size—processing packets at the earliest possible point in the network stack.

Quick Reference

Attribute              Value
Primary Language       C (libbpf)
Alternative Languages  Rust (aya), Go (cilium/ebpf)
Difficulty             Level 3: Advanced
Time Estimate          1-2 weeks
Knowledge Area         Networking / XDP
Tooling                libbpf, iproute2
Prerequisites          Projects 1-4 completed, basic networking knowledge (TCP/IP)

What You Will Build

An XDP (eXpress Data Path) program that counts network packets by protocol, source/destination, and size—processing packets at the earliest possible point in the network stack.

Why It Matters

XDP is where BPF really shines—processing millions of packets per second. This introduces network programming with BPF, packet parsing, and the unique challenges of the XDP environment.

Core Challenges

  • Understanding XDP attach modes → maps to native, offload, generic
  • Parsing packet headers safely → maps to bounds checking, verifier requirements
  • Counting at high speed → maps to per-CPU maps, atomic operations
  • Handling different protocols → maps to Ethernet, IP, TCP, UDP
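
Added example, not the project's own code: the bounds-checked header parse and per-protocol counting from the challenges above, written as plain userspace C so it runs without a BPF toolchain. The `counters` array stands in for a per-CPU map, and `classify`, `count_frame` and `count_sample` are hypothetical names; in the XDP program the same checks run against `ctx->data` and `ctx->data_end`.

```c
#include <stdint.h>

enum { SLOT_TCP, SLOT_UDP, SLOT_ICMP, SLOT_OTHER, SLOT_MAX }; /* output rows */
/* Assumption: stands in for one CPU's slice of a per-CPU array map. */
static struct { uint64_t packets, bytes; } counters[SLOT_MAX];

/* Mirrors xdp_md data/data_end: check bounds before reading a header. */
static int classify(const uint8_t *data, const uint8_t *data_end)
{
    const uint8_t *ip = data + 14;            /* past the Ethernet header */
    if (ip > data_end)
        return SLOT_OTHER;                    /* truncated Ethernet header */
    if (data[12] != 0x08 || data[13] != 0x00)
        return SLOT_OTHER;                    /* EtherType is not IPv4 */
    if (ip + 20 > data_end)
        return SLOT_OTHER;                    /* truncated IPv4 header */
    if ((ip[0] >> 4) != 4 || (ip[0] & 0x0f) < 5)
        return SLOT_OTHER;                    /* bad version or IHL */
    switch (ip[9]) {                          /* IPv4 protocol field */
    case 6:  return SLOT_TCP;
    case 17: return SLOT_UDP;
    case 1:  return SLOT_ICMP;
    default: return SLOT_OTHER;
    }
}

/* Count one frame of len bytes; returns the slot it landed in. */
static int count_frame(const uint8_t *data, uint32_t len)
{
    int slot = classify(data, data + len);
    counters[slot].packets++;
    counters[slot].bytes += len;
    return slot;
}

/* Constructed Ethernet+IPv4 frame; only its first len (<= 64) bytes count. */
static int count_sample(uint8_t proto, uint32_t len)
{
    uint8_t buf[64] = {0};
    buf[12] = 0x08; buf[13] = 0x00;           /* EtherType IPv4 */
    buf[14] = 0x45;                           /* version 4, IHL 5 */
    buf[23] = proto;                          /* protocol at 14 + 9 */
    return count_frame(buf, len);
}

int main(void)
{
    return !(count_sample(6, 34) == SLOT_TCP && count_sample(6, 33) == SLOT_OTHER);
}
```

The BPF verifier rejects an XDP program that reads a header field without a preceding comparison against data_end, which is why each check here comes before the first access to that header.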

Key Concepts

  • XDP Architecture: “Learning eBPF” Chapter 8 - Liz Rice
  • Packet Parsing: XDP Tutorial
  • Network Headers: “TCP/IP Illustrated Volume 1” - Stevens
  • XDP Actions: Julia Evans XDP Blog

Real-World Outcome

$ sudo ./xdp-counter eth0
Interface: eth0 (XDP mode: native)

PROTOCOL    PACKETS      BYTES         PPS       BPS
─────────────────────────────────────────────────────────
TCP         1,234,567    1.2 GB      45,123    156 Mbps
UDP           234,567  234.5 MB      12,456     23 Mbps
ICMP            1,234    123 KB          45      4 Kbps
Other             567     56 KB          12      1 Kbps
─────────────────────────────────────────────────────────
TOTAL       1,470,935    1.5 GB      57,636    179 Mbps

[Top Sources]
192.168.1.100:     523,456 packets
10.0.0.50:         234,123 packets
172.16.0.1:        123,456 packets

Implementation Guide

  1. Reproduce the simplest happy-path scenario.
  2. Build the smallest working version of the core feature.
  3. Add input validation and error handling.
  4. Add instrumentation/logging to confirm behavior.
  5. Refactor into clean modules with tests.

Milestones

  • Milestone 1: Minimal working program that runs end-to-end.
  • Milestone 2: Correct outputs for typical inputs.
  • Milestone 3: Robust handling of edge cases.
  • Milestone 4: Clean structure and documented usage.

Validation Checklist

  • Output matches the real-world outcome example
  • Handles invalid inputs safely
  • Provides clear errors and exit codes
  • Repeatable results across runs

References

  • Main guide: LEARN_BPF_EBPF_LINUX.md
  • “Learning eBPF” by Liz Rice