lightmon is a lightweight, Docker/K8s container-aware network traffic monitoring tool based on eBPF technology. It can capture and analyze network connections established by host and container applications in real-time, providing monitoring data in multiple formats. Suitable for system monitoring, security auditing, and network troubleshooting scenarios.
+---------------------+
| User-space Program |
| (Implemented in Go) |
+----------+----------+
|
| via perf buffer
|
+----------v----------+
| eBPF Program |
| (Implemented in C) |
| - Trace syscalls |
| - Filter network events |
+---------------------+
- Lightweight & Efficient: Based on eBPF technology with minimal performance overhead
- Comprehensive Monitoring: Tracks TCP connection information
- Container-Aware: Automatically identifies K8s/Docker container environments
- Process-Aware: Automatically identifies processes associated with traffic and their executable paths
- Flexible Filtering: Supports multi-condition combined filtering rules
- Multiple Output Formats: Supports log files, JSON, tables and other output formats
# Basic dependencies sudo apt update sudo apt install -y llvm clang # Go environment (recommended 1.23+)
git clone https://github.com/gotoolkits/lightmon.git
cd lightmon
go mod tidy
make build# Specify config file bin/amd64/lightmon -c ./config.yaml bin/arm64/lightmon -c ./config.yaml # Run with default configuration bin/amd64/lightmon bin/arm64/lightmon
lightmon supports multiple output formats ('-f'):
-
LOG format (default)
[container] [dest IP] [dest port] [protocol] [level] [message] [PID] [process args] [process name] [src ip] [src port] [time] [user] {"conatiner":"dreamy_carson","dip":"183.2.172.17","dport":"65535","ipv6":0,"level":"info","msg":"","pid":"501750","procArgs":"www.baidu.com","procPath":"/usr/bin/busybox","sip":"10.1.8.14","sport":"7825","time":"2025-04-17T14:01:48+08:00","user":"root"} -
JSON format (use
-output json){ "kernelTime": "13898485459656", "goTime":"2025年04月17日T14:09:49.162027869+08:00", "pid": 1234, "comm": "nginx", "addressFamily": "AF_INET", "saddr": "192.168.1.100", "sport": 34567, "daddr": "10.0.0.1", "dport": 80, "container":"web-server", } -
Table format (use
-output table)+----------+-------+-------+------+-----------------+-----------------+--------------+------------------------+ | TIME | USER | PID | AF | SRC | DEST | CONTAINER | PROCESS | +----------+-------+-------+------+-----------------+-----------------+---------------------------------------+ | 14:05:56 | root | 1234 | v4 | 10.4.0.16:3425 | 10.0.0.1:80 | web-server | /usr/local/bin/python | +----------+-------+-------+------+-----------------+-----------------+---------------------------------------+
Use -exclude parameter to exclude unwanted connections:
# Exclude traffic to specific ports ./lightmon -exclude 'dport=80' # Exclude traffic to specific IP ranges ./lightmon -exclude 'dip="192.168.1.0/24"' # Combined conditions ./lightmon -exclude 'dport=80;dip="192.168.1.1";keyword="nginx"'
-
Basic conditions:
dport=port- Filter by destination portdip='IP/CIDR'- Filter by destination IPkeyword='string'- Filter by process path/namecontainer='string'- Filter by container name
-
Logical operators:
&&- AND logic||- OR logic;- Condition group separator
-
Exclude local network and DNS traffic:
./lightmon -exclude 'dip="192.168.1.0/24";dport=53' -
Exclude specific services:
./lightmon -exclude 'keyword="nginx";keyword="mysql"' -
Complex condition combinations:
./lightmon -exclude 'dip="10.0.0.1" && dport=80; dip="10.0.0.1" && dport=443' -
Exclude traffic from containers with specific names:
./lightmon -exclude 'container="nginx";container="redis"'
lightmon/
├── conv/ # Protocol conversion
├── dockerinfo/ # Container info processing
├── event/ # Event type definitions
├── filter/ # Filtering logic
├── headers/ # eBPF headers
├── linux/ # Linux-specific functions
├── outputer/ # Output handlers
├── fentryTcpConnectSrc.c # Fentry eBPF program type
├── sysEnterConnectSrc.c # Tracepoint eBPF program
└── main.go # Program entry
# Run unit tests go test ./... # Build binary make build # Clean build make clean
Issues and PRs are welcome. Contribution process follows standard GitHub workflow.
Apache License 2.0, see LICENSE.txt file for details.