
VectorSigmaOmega/K-Watch


K-Watch: eBPF Kernel Observability Engine

Demo

K-Watch is a high-performance network engine powered by eBPF/XDP. It attaches code directly at the driver layer to monitor and mitigate traffic at line rate. Unlike traditional tools, K-Watch uses kernel-aggregated state and ring-buffer sampling to provide deep packet visibility with under 5% CPU overhead. It demonstrates behavioral SYN-flood detection and hardware-offload-ready, CIDR-based filtering. Designed as a systems engineering showcase, it is not a production WAF or IDS, but a proof of eBPF depth.

Architecture

See docs/architecture.md for a detailed breakdown.

NIC → XDP (Parser & Filter) → BPF Maps → Ring Buffer → C++ Daemon → CLI/TUI

Quickstart

1. Build

cmake -B build
cmake --build build

2. Run

Observe live traffic on your loopback interface:

sudo ./build/kwatch run lo

3. Mitigate

Block an IP or entire range instantly:

sudo ./build/kwatch block lo 1.2.3.4/32

Features

  • XDP-Powered: High-performance packet processing at the driver level.
  • Behavioral Detection: Detects SYN floods using SYN/ACK ratio analysis.
  • Auto-Mitigation: Automatically blocks malicious IPs with a configurable cooldown.
  • Single Binary: No Node.js, Python, or external runtimes. Pure C++20 and libbpf.
  • Interactive TUI: Opt-in dashboard via kwatch top.
  • CO-RE: Portable across different kernel versions without recompilation.
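The following is an added example, not K-Watch's own code: a small userspace model of what the daemon side of the pipeline has to do once the XDP program has aggregated per-source counters into a map. It covers the SYN-to-ACK ratio heuristic behind the behavioral detection, the cooldown that stops the auto-mitigation from re-blocking a source on every sampling pass, and the CIDR block list that `kwatch block lo 1.2.3.4/32` populates. The `FlowStats` layout, the thresholds in `DetectorConfig`, the exact ratio (SYNs per handshake-completing ACK) and the reading of "cooldown" as the lifetime of an automatic block are all assumptions; the project's real map layouts and thresholds live in its source.

```cpp
// Added example, not K-Watch's own code. Models the daemon-side logic:
// SYN/ACK ratio detection, cooldown-limited auto-block, CIDR block list.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <string>
#include <unordered_map>
#include <vector>

// Per-source counters as a kernel-aggregated BPF map entry might hold them
// (assumed layout, not the project's).
struct FlowStats {
    uint64_t syn = 0;  // SYN segments (SYN set, ACK clear) from this source
    uint64_t ack = 0;  // handshake-completing ACKs from this source
};

// Dotted-quad IPv4 -> host-order integer; false on malformed input.
bool parse_ipv4(const std::string& s, uint32_t& out) {
    unsigned a, b, c, d;
    char extra;
    if (std::sscanf(s.c_str(), "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4) return false;
    if (a > 255 || b > 255 || c > 255 || d > 255) return false;
    out = (a << 24) | (b << 16) | (c << 8) | d;
    return true;
}

struct Cidr {
    uint32_t addr = 0;    // network address, host order
    uint8_t prefix = 32;  // 0..32
    uint32_t mask() const { return prefix == 0 ? 0u : 0xFFFFFFFFu << (32 - prefix); }
    bool contains(uint32_t ip) const { return (ip & mask()) == (addr & mask()); }
};

// Accepts "1.2.3.4/32", "10.0.0.0/8" or a bare address (treated as /32).
bool parse_cidr(const std::string& s, Cidr& out) {
    std::string ip = s;
    unsigned prefix = 32;
    auto slash = s.find('/');
    if (slash != std::string::npos) {
        ip = s.substr(0, slash);
        char extra;
        if (std::sscanf(s.c_str() + slash + 1, "%u%c", &prefix, &extra) != 1 || prefix > 32) return false;
    }
    if (!parse_ipv4(ip, out.addr)) return false;
    out.prefix = static_cast<uint8_t>(prefix);
    out.addr &= out.mask();  // normalise to the network address
    return true;
}

// Block list modelled on an LPM-style lookup: an address is blocked if any
// live entry's prefix covers it. Cooldown (assumption) is the lifetime of an
// automatic block; while a covering entry is live, repeat detections are no-ops.
class BlockList {
  public:
    // True if a new entry was added, false if a live entry already covers it.
    bool block(const Cidr& c, uint64_t now, uint64_t ttl_s) {
        expire(now);
        for (const auto& e : entries_)
            if (e.cidr.prefix <= c.prefix && e.cidr.contains(c.addr)) return false;
        entries_.push_back({c, now + ttl_s});
        return true;
    }
    bool is_blocked(uint32_t ip, uint64_t now) const {
        for (const auto& e : entries_)
            if (e.expires_at > now && e.cidr.contains(ip)) return true;
        return false;
    }
    void expire(uint64_t now) {
        entries_.erase(std::remove_if(entries_.begin(), entries_.end(),
                                      [now](const Entry& e) { return e.expires_at <= now; }),
                       entries_.end());
    }
    size_t size() const { return entries_.size(); }
  private:
    struct Entry { Cidr cidr; uint64_t expires_at; };
    std::vector<Entry> entries_;
};

struct DetectorConfig {
    uint64_t min_syns = 100;   // below this many SYNs the ratio is just noise
    double max_ratio = 10.0;   // SYNs per handshake-completing ACK
    uint64_t cooldown_s = 60;  // lifetime of an automatic block
};

// A client completing handshakes sends roughly one SYN per ACK; a flood source
// sends many SYNs and almost never completes. Thresholds are assumptions.
bool is_syn_flood(const FlowStats& f, const DetectorConfig& cfg) {
    if (f.syn < cfg.min_syns) return false;
    double ratio = static_cast<double>(f.syn) / static_cast<double>(f.ack + 1);  // +1: no div by zero
    return ratio > cfg.max_ratio;
}

// One sampling pass over aggregated per-source stats; returns sources newly blocked.
size_t mitigate(const std::unordered_map<uint32_t, FlowStats>& stats,
                const DetectorConfig& cfg, uint64_t now, BlockList& bl) {
    size_t added = 0;
    for (const auto& kv : stats)
        if (is_syn_flood(kv.second, cfg) && bl.block(Cidr{kv.first, 32}, now, cfg.cooldown_s)) ++added;
    return added;
}

int main() {
    DetectorConfig cfg;
    BlockList bl;
    uint32_t attacker = 0, client = 0;
    parse_ipv4("10.0.0.5", attacker);
    parse_ipv4("192.168.1.10", client);
    // Constructed sample: one flooding source, one well-behaved client.
    std::unordered_map<uint32_t, FlowStats> stats = {{attacker, {5000, 3}}, {client, {200, 195}}};
    size_t n = mitigate(stats, cfg, /*now=*/1000, bl);
    std::printf("newly blocked: %zu, attacker blocked: %d, client blocked: %d\n",
                n, (int)bl.is_blocked(attacker, 1000), (int)bl.is_blocked(client, 1000));
    Cidr range;  // manual range block, as `kwatch block lo 203.0.113.0/24` would request
    if (parse_cidr("203.0.113.0/24", range)) bl.block(range, 1000, 3600);
    return 0;
}
```

The `min_syns` floor matters more than it looks: a ratio computed from a handful of packets will flag any client whose first ACK has not arrived yet, which is exactly the false positive a cooldown then turns into a minute of lost connectivity. In the real engine the counters are incremented in the XDP program and only read here, so the detector never touches a packet; it only decides what to write into the block map.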

Detailed Documentation

License

MIT
