Show HN: Cerberus – Real-time network monitor with eBPF

[zrouga]

Hi HN! I'm Mo, a platform engineer at Deltaflare working on critical infrastructure protection.

I built Cerberus because traditional packet capture tools (tcpdump, Wireshark) have too much overhead for production CNI environments. eBPF lets us filter and classify packets at the kernel level with near-zero performance impact.

Some interesting challenges: - eBPF verifier is strict - every memory access needs bounds checking - Limited to 32 bytes of L7 payload (tradeoff between inspection depth and overhead) - TC vs XDP decision (chose TC for compatibility)

Looking for contributors, especially on: - Redis backend for distributed deployments - Prometheus metrics export - Anomaly detection

Happy to answer questions!

[Joel_LeBlanc]

Hi Mo, it's great to see innovative solutions like Cerberus addressing the challenges of traditional monitoring tools. I'm curious about your experience with eBPF and how it has impacted your team's workflow. It sounds like you're on an exciting journey!

[zrouga]

Thanks! eBPF has been a big win for us. Once you get past the verifier constraints, it really changes how you think about observability — pushing filtering and classification into the kernel reduces noise and makes the data much more actionable.

Workflow-wise, iteration is slower at first (compile → load → fail verifier ), but once the patterns are in place it actually simplifies things a lot. The ability to run this safely in production without noticeable overhead has been the biggest impact.

[rixed]

Aren't tcpdump and wireshark based on libpcap which itself uses ebpf to compile and run packet filters? How is cerberus different?

[zrouga]

Not exactly — that statement is only partly correct.

Yes, tcpdump and Wireshark do use libpcap for packet capture and filtering. libpcap compiles the familiar tcpdump filter syntax into classic BPF (cBPF) programs that run in the kernel to decide which packets should be passed up to userspace.

On newer Linux kernels, libpcap can translate those classic BPF filters into eBPF, but that’s mostly an internal optimization. From a user point of view, you’re still just writing simple packet filters, and packets are still being copied to userspace for analysis. libpcap itself is not really an eBPF framework.

That’s where Cerberus is different.

Cerberus uses native eBPF programs directly, not just for filtering packets, but for running logic inside the kernel. Instead of copying packets out and decoding them later, it works with structured kernel events and can correlate network activity with processes, syscalls, and security context. In many cases it can even act or block things in real time.

So while tcpdump/Wireshark are great for debugging and traffic inspection, they’re fundamentally packet sniffers. Cerberus is more of an in-kernel observability and security system, built on eBPF as a programmable platform rather than just a fast filter.

In short: tcpdump uses BPF to filter packets. Cerberus uses eBPF to run logic.

Hope that helps clear it up

[exceptione]

Thanks! Have you considered sysdig/csysdig for your needs, and if so, how do you feel about it?

[zrouga]

Yes — Sysdig/csysdig are great tools and I’ve used them before. They’re excellent for syscall-level visibility and host/container forensics.

Cerberus targets a different layer: always-on, low-overhead network classification in CNI environments. It attaches at TC, limits L7 inspection intentionally, and focuses on predictable performance rather than rich event streams.

They’re complementary rather than competing tools.