eBPF, end to end.
From a kernel hook to a process name.

NetWatch wants to name the process behind every connection. But the moment a socket is interesting — the connect() — the answer (pid, comm) is known only for an instant, deep in the kernel, and only to the task making the call.

• Polling /proc races the kernel: short-lived flows open and close between two reads. You see the connection, never the owner.
• A kernel module could see it — but a bug is a kernel panic, and you'd recompile per kernel. Nobody ships that to end users.
• Packet capture alone sees bytes on the wire, not the task that produced them.

You need to run your logic at the kernel event, with the kernel's guarantee that your logic can't crash or hang it.

eBPF erases the wall: a sliver of your code, running right at the kernel event.

eBPF isn't a scripting language — it's a real instruction set the kernel interprets or JIT-compiles to native code. Deliberately minimal, so it can be proven safe before it runs.

Every instruction is the same 64-bit shape. Click the fields →

Loading a program isn't "trust me." The kernel statically proves three things by walking every path through your instructions:

• It terminates — a DAG with bounded loops only; no way to hang the kernel.
• Memory safety — every pointer is tracked with known bounds; no read/write escapes its object.
• No leaks — resources you acquire (a reserved ring-buffer slot) must be released on every exit path.

It does this by simulating execution: for each instruction it tracks the type and range of every register, forking its analysis at branches. Reject → your program never loads.

Flip to "reserve first" and step to the early return — the same rejection that shaped NetWatch's real program. This is also why a sandbox can drop CAP_BPF after load.

Your program can't just dereference kernel pointers or call kernel functions. It calls a fixed, audited set of helpers — and, on modern kernels, kfuncs. Each is vetted for the verifier's safety model.

• bpf_probe_read_kernel() — safely copy from a kernel address (faults become errors, not panics).
• bpf_get_current_pid_tgid() / _comm() — who is running right now.
• bpf_ktime_get_ns() — a monotonic timestamp.
• bpf_ringbuf_reserve/submit() — the map ops behind aya's reserve()/submit().

A real footgun: forget this 4-byte section and the load fails with an error that points nowhere near the cause. NetWatch documents it in the source so the next person doesn't lose an afternoon.

A struct sock's field offsets differ between kernel builds. Hardcode them and your program is wrong on the next box. The fix is two pieces:

• BTF (BPF Type Format) — compact type info for the running kernel, shipped at /sys/kernel/btf/vmlinux.
• CO-RE (Compile Once – Run Everywhere) — your object carries relocations like "offset of field X"; the loader patches them against the target's BTF at load time.

The result: one .o that adapts, instead of a build per kernel (the old BCC model that shipped Clang to every machine).

NetWatch's Phase-1 program reads a copied-in sockaddr at fixed, ABI-stable offsets, so it leans on CO-RE less than a program chasing struct sock internals would — but the same machinery is what makes the eBPF Phase-2 hooks portable.

The kernel program compiles to bpfel-unknown-none — little-endian BPF, no OS. That constraint explains every odd line at the top of the file:

• #![no_std] — no standard library; there's no allocator or syscalls down here.
• #![no_main] — the kernel calls your hook, not a main().
• a #[panic_handler] — required for no_std; it just loops, because there's nothing to panic to.

Output: netwatch_sdk_ebpf.o, an ELF object of BPF bytecode + map definitions + that license section.

Built by scripts/build-ebpf.sh, then copied to target/bpf/netwatch_sdk_ebpf.o so the userspace crate can swallow it whole (next slide).

The .o is baked into the userspace binary with include_bytes! — no file to ship or lose. At runtime aya walks it through the kernel's loading protocol:

Two things worth internalizing:

• Everything is a file descriptor. The loaded program and the map are fds the process owns. Close them and the kernel tears down the attachment — which is exactly how NetWatch's Drop detaches cleanly.
• Verification happens at load, once. The expensive proof is paid at PROG_LOAD; after that the JITed code runs at native speed on every event.

This is also where it can fail in the field — missing CAP_BPF, a kernel that rejects the probe, no BTF. NetWatch surfaces each as EbpfStatus::Unavailable rather than crashing (Act V).

The kernel program writes these bytes; userspace reads them out of the same ring-buffer slot. There's no serialization — it's raw memory. So the layout must be identical and predictable on both sides.

• #[repr(C)] pins field order & C alignment — no Rust field reordering.
• _pad0: [u8; 3] is explicit padding: it pushes tgid to offset 4 so the u32 is naturally aligned. Leave it out and the compiler inserts silent padding — fine until the two sides disagree.
• All address fields stay in network byte order; userspace converts on decode.

Click a field to see exactly which bytes it owns. Then break it →

Every line is doing one of three jobs:

• Get the context — ProbeContext is the kprobe's window onto the probed function's registers. ctx.arg(1) is the second argument, struct sockaddr *uaddr.
• Ask the kernel via helpers — pid/tgid, comm, and a timestamp come from helpers, not from poking memory. Safe by construction.
• Carefully read kernel memory — bpf_probe_read_kernel copies the destination port and address out of uaddr at the sockaddr_in offsets, fault-safe.

Notice saddr and sport are hardcoded to 0. That's not laziness — it's a fact about when this code runs. Which is the whole next slide.

Why read uaddr and not the socket? Because of a bug that made eBPF attribution silently return nothing — issue #38. →

Look back at the program's ordering: it reads every field first, and only then reserves the ring-buffer slot. That order isn't taste — the verifier requires it.

Once you call reserve() you hold a reference. The verifier proves that on every path to BPF_EXIT, that reference is released (submit or discard). An early return after a reserve — e.g. a read that failed — is a leak, and the program is rejected. So: do everything fallible before you reserve.

Flip the toggle in the stepper on "The verifier" (slide 7) to watch the real rejection fire. Here's the rule in the source's own words →

The verifier turns a whole class of resource-leak bugs into a compile-time "no." You either structure the code correctly or it never loads.

The ring buffer is the conveyor belt from kernel to userspace. The program reserve()s a slot, write()s the event into it, and submit(0)s — the 0 flag meaning "wake a polling consumer."

• Sized for bursts — 256 KiB absorbs ~5k connect/sec for a few hundred ms if userspace stalls.
• Lossy, not corrupting — when it's full, reserve() returns None and the event is dropped. Never a torn write.
• Ordered & multi-producer — every CPU can submit; the consumer sees a single ordered stream.

Drive the producer and consumer and watch it fill, wake, and drop.

The submit(0) wake is a latency/throughput knob: BPF_RB_NO_WAKEUP trades immediacy for fewer wakeups once you know your consumer.

Three moves, mirroring the kernel side:

• Embed, don't ship. include_bytes! folds the .o into the executable — nothing to install or path-resolve at runtime.
• Attach by name. aya finds the tcp_v4_connect program in the object, loads it (verify + JIT), and attaches the kprobe.
• Own the lifecycle via fds. The Bpf handle owns the program and map; its Drop closes the fds and the kernel detaches the probe. No explicit teardown.

Decoding flips the network-byte-order fields back and hands a typed EbpfEvent to the rest of NetWatch over an mpsc channel.

On non-Linux, or without the ebpf feature, this whole path is a stub returning UnsupportedPlatform — every other OS still compiles.

Running code in the kernel sounds reckless for a TUI people install. It isn't, because the risky parts are proven done before the program runs and the capability is dropped right after load.

• The verifier already proved termination, memory safety, and no leaks — a panic or hang isn't on the table.
• The GPL gate keeps you to audited helpers; you can't call arbitrary kernel code.
• The sandbox drops CAP_BPF / CAP_PERFMON / CAP_NET_RAW the instant load+attach finish — the program keeps running, but nothing can load another one.

This is the same "earn privilege, then drop it" arc as packet capture in NetWatch's sandbox — eBPF just joins the list of things opened before the drop.

Phase 1 is a single IPv4 TCP kprobe. The roadmap's eBPF Phase 2 widens it until NetWatch can decrypt a QUIC flow and name the process that owns it — something nothing else in the category does end to end.

• tcp_v6_connect — same story, IPv6.
• UDP send path — so QUIC (which NetWatch already decrypts) gets per-process attribution, not just /proc guesses.
• inet_sock_set_state — catch flows by state transition, including short-lived ones the connect-entry probe can miss.

Every one of these is the same question this deck has been answering, asked again:

Adding a hook means reading the same kernel networking source a netdev contributor reads — so this is also a real on-ramp into upstream kernel work. The #38 timeline is the kind of question you'll keep answering.