pwru
Packet, where are you? -- eBPF-based Linux kernel networking debugger
pwru (short for "packet, where are you?") is a debugging tool for Linux that lets you trace exactly what happens to a network packet as it moves through the kernel. When a network connection is broken or packets are being dropped, it can be very hard to figure out at which point in the kernel's processing pipeline the problem occurs. pwru gives you visibility into that path.
The tool uses a Linux technology called eBPF, which allows programs to safely attach to points inside the running kernel and observe what is happening without modifying the kernel itself. pwru uses this to attach probes to the kernel's networking functions and report, in real time, which functions a given packet passes through and where it stops.
You filter traffic using the same syntax as network capture tools: for example, you can tell pwru to only trace packets going to a specific IP address or port. Once it finds a matching packet, it follows the packet through all the kernel functions it visits and prints them out. This makes it practical to answer questions like "why is this firewall rule dropping my packet" or "at which point is my packet being altered by NAT."
The output is configurable: you can ask it to print the source and destination addresses of each packet, the full kernel stack trace, packet metadata, TCP flags, tunnel headers, and more. Output can also be written to a file in plain text or JSON format.
pwru requires a fairly recent Linux kernel (version 5.3 or newer) and specific kernel configuration options to be enabled. It can run directly on a host, inside a Docker container, or on a specific node in a Kubernetes cluster. Pre-built binaries for x86 and ARM are available on the releases page.
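A preflight check for the requirements above, as an added example that is not part of pwru or of this page. The 5.3 minimum comes from the text; the list of kernel options is an assumption taken from the upstream pwru README, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: preflight check for a host that will run pwru.
# Assumption: this option list comes from the upstream pwru README, not from
# this page; confirm it against the release you deploy.
PWRU_REQUIRED_OPTS="CONFIG_DEBUG_INFO_BTF CONFIG_KPROBES CONFIG_PERF_EVENTS CONFIG_BPF CONFIG_BPF_SYSCALL"

# kernel_at_least RELEASE MAJOR MINOR: succeeds if RELEASE >= MAJOR.MINOR
kernel_at_least() {
    rel=${1%%-*}                      # 5.15.0-91-generic -> 5.15.0
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}           # tolerate suffixes such as "4+"
    for n in "$major" "$minor"; do
        case $n in ''|*[!0-9]*) return 2 ;; esac   # unparsable release string
    done
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# find_kernel_config: prints the first readable kernel config for this host
find_kernel_config() {
    for f in "/boot/config-$(uname -r)" /proc/config.gz; do
        [ -r "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# missing_opts CONFIG_FILE: prints every required option that is not "=y"
missing_opts() {
    case $1 in *.gz) reader="gzip -dc" ;; *) reader=cat ;; esac
    cfg=$($reader "$1") || return 2
    for opt in $PWRU_REQUIRED_OPTS; do
        printf '%s\n' "$cfg" | grep -q "^$opt=y\$" || echo "$opt"
    done
}

# pwru_preflight [RELEASE] [CONFIG_FILE]: with no arguments, checks this host
pwru_preflight() {
    krel=${1:-$(uname -r)}
    kcfg=${2:-$(find_kernel_config || true)}
    status=0
    kernel_at_least "$krel" 5 3 || { echo "kernel $krel: need 5.3 or newer" >&2; status=1; }
    [ -n "$kcfg" ] || { echo "no readable kernel config found" >&2; return 1; }
    missing=$(missing_opts "$kcfg") || return 2
    [ -z "$missing" ] || { echo "not enabled in $kcfg:" $missing >&2; status=1; }
    return $status
}
```

Source the file and call `pwru_preflight` before deploying the binary or container; a non-zero exit means probes are unlikely to attach on that host.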
The project is maintained by Cilium, the networking and security project for cloud-native infrastructure.