HeadlinesBriefing.com

Rust eBPF Network Analyzer ayaflow Targets Kubernetes

Hacker News

DavidHavoc's ayaflow is a high-performance network traffic analyzer written in Rust that uses eBPF for kernel-native packet capture. Deployed as a DaemonSet rather than as a per-pod sidecar, it gives real-time visibility into all traffic on a node with minimal overhead by hooking directly into the kernel's traffic control (TC) subsystem.

Built on the Aya eBPF framework, ayaflow parses Ethernet, IPv4, TCP, and UDP headers in TC classifier programs attached at both the ingress and egress hooks. The userspace component uses Tokio for async event processing, DashMap for connection-state tracking, and SQLite for persistent packet storage. Optional deep-inspection features extract the TLS SNI and DNS query names for domain-level visibility into encrypted traffic. That visibility is metadata, not decryption: the SNI is carried in the clear in the TLS ClientHello (unless Encrypted Client Hello is in use), and DNS names can only be read from queries that are themselves unencrypted, so DNS-over-HTTPS or DNS-over-TLS traffic cannot be parsed off the wire this way.
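To show what the packet-parsing side of that pipeline has to get right, here is an added example written for this summary; it is not ayaflow's code and does not use Aya or eBPF. It is a bounds-checked Ethernet/IPv4/TCP/UDP header parser and a TLS ClientHello SNI extractor in plain Rust over a byte slice. The names (parse_flow, tls_sni, sample_packet) and the embedded packet are constructed for the example; every packet access goes through get, which is the userspace analogue of the bounds checks the eBPF verifier insists on before a TC program may read packet memory.

```rust
// Added example, not ayaflow's code: parse the L2-L4 headers a TC classifier
// sees and pull the server name out of a TLS ClientHello, over a plain byte
// slice. Every packet access goes through `get`, mirroring the bounds checks
// the eBPF verifier demands before a program may touch packet memory.

const ETH_HLEN: usize = 14;
const ETH_P_IP: u16 = 0x0800;
const IPPROTO_TCP: u8 = 6;
const IPPROTO_UDP: u8 = 17;

#[derive(Debug, PartialEq, Eq)]
pub struct Flow {
    pub src: [u8; 4],
    pub dst: [u8; 4],
    pub proto: u8,          // 6 = TCP, 17 = UDP
    pub sport: u16,
    pub dport: u16,
    pub payload_off: usize, // offset of the L4 payload within the frame
}

fn be16(b: &[u8], off: usize) -> Option<u16> {
    Some(u16::from_be_bytes([*b.get(off)?, *b.get(off + 1)?]))
}

/// Parse Ethernet/IPv4/{TCP,UDP}. None for anything else or anything truncated:
/// that is the "hand it back to the kernel" path, never a read past the packet end.
pub fn parse_flow(pkt: &[u8]) -> Option<Flow> {
    if be16(pkt, 12)? != ETH_P_IP { return None; }
    let ip = pkt.get(ETH_HLEN..)?;
    let ihl = (*ip.get(0)? & 0x0f) as usize * 4;
    if ip[0] >> 4 != 4 || ihl < 20 || ip.len() < ihl { return None; }
    let proto = ip[9];
    let src: [u8; 4] = ip[12..16].try_into().ok()?;
    let dst: [u8; 4] = ip[16..20].try_into().ok()?;
    let l4 = &ip[ihl..];
    let (l4_hlen, min_hlen) = match proto {
        IPPROTO_TCP => ((*l4.get(12)? >> 4) as usize * 4, 20), // data offset, 32-bit words
        IPPROTO_UDP => (8, 8),
        _ => return None,
    };
    if l4_hlen < min_hlen || l4.len() < l4_hlen { return None; }
    Some(Flow {
        src, dst, proto,
        sport: be16(l4, 0)?,
        dport: be16(l4, 2)?,
        payload_off: ETH_HLEN + ihl + l4_hlen,
    })
}

/// Extract server_name from a TLS ClientHello at the start of `payload`. The SNI
/// travels in the clear (absent Encrypted Client Hello), hence domain visibility
/// without decrypting anything; a malformed or truncated hello yields None.
pub fn tls_sni(payload: &[u8]) -> Option<String> {
    if *payload.get(0)? != 0x16 { return None; }                   // record type: handshake
    let hs = payload.get(5..5 + be16(payload, 3)? as usize)?;      // record body, length-checked
    if *hs.get(0)? != 0x01 { return None; }                        // handshake type: ClientHello
    let mut p = 4 + 2 + 32;                                        // hs header, client_version, random
    p += 1 + *hs.get(p)? as usize;                                 // session_id
    p += 2 + be16(hs, p)? as usize;                                // cipher_suites
    p += 1 + *hs.get(p)? as usize;                                 // compression_methods
    let ext_end = p + 2 + be16(hs, p)? as usize;
    p += 2;
    while p + 4 <= ext_end {
        let (etype, elen) = (be16(hs, p)?, be16(hs, p + 2)? as usize);
        let ext = hs.get(p + 4..p + 4 + elen)?;
        if etype == 0 { // server_name: list_len(2) name_type(1) name_len(2) name
            if *ext.get(2)? != 0 { return None; }                  // only host_name (0) is defined
            let n = be16(ext, 3)? as usize;
            return std::str::from_utf8(ext.get(5..5 + n)?).ok().map(String::from);
        }
        p += 4 + elen;
    }
    None
}

fn cat(parts: &[&[u8]]) -> Vec<u8> { parts.concat() }

/// Constructed sample, not a capture: Ethernet/IPv4/TCP carrying a minimal TLS 1.2
/// ClientHello whose only extension is server_name = example.com, bound for port 443.
pub fn sample_packet() -> Vec<u8> {
    let host = b"example.com";
    let sni = cat(&[&((host.len() + 3) as u16).to_be_bytes(), &[0], &(host.len() as u16).to_be_bytes(), host]);
    let exts = cat(&[&[0, 0], &(sni.len() as u16).to_be_bytes(), &sni]);
    let body = cat(&[&[3, 3], &[0; 32], &[0], &[0, 2, 0x13, 0x01], &[1, 0], &(exts.len() as u16).to_be_bytes(), &exts]);
    let hs = cat(&[&[1], &(body.len() as u32).to_be_bytes()[1..], &body]);
    let tls = cat(&[&[0x16, 3, 1], &(hs.len() as u16).to_be_bytes(), &hs]);
    let tcp = cat(&[&40000u16.to_be_bytes(), &443u16.to_be_bytes(), &[0; 8], &[0x50, 0x18, 0xff, 0xff, 0, 0, 0, 0], &tls]);
    let ip = cat(&[&[0x45, 0], &((20 + tcp.len()) as u16).to_be_bytes(), &[0, 0, 0x40, 0, 64, IPPROTO_TCP, 0, 0], &[10, 0, 0, 1], &[93, 184, 216, 34], &tcp]);
    cat(&[&[0; 12], &ETH_P_IP.to_be_bytes(), &ip])
}

fn main() {
    let pkt = sample_packet();
    let flow = parse_flow(&pkt).expect("sample is well-formed IPv4/TCP");
    println!("{:?}", flow);
    println!("sni = {:?}", tls_sni(&pkt[flow.payload_off..]));
}
```

Running it prints the parsed five-tuple and the SNI example.com. The property worth noticing is that a frame shorter than its own length fields makes both functions return None instead of panicking or reading stale memory; that is exactly what the verifier enforces for the in-kernel version, and an agent that ingests every packet on every node cannot afford anything weaker.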

The memory footprint is small: around 33 MB for the userspace agent, with the eBPF program compiling to just 576 bytes when JIT-optimized. The project includes a comprehensive REST API, WebSocket streaming for live dashboards, and Prometheus metrics export. It is available under the Apache 2.0 or MIT license, with the eBPF components licensed under the GPL (the usual arrangement, since some kernel helpers are only available to GPL-licensed programs). ayaflow targets Linux kernel 5.8+ with BTF support and requires the CAP_BPF, CAP_NET_ADMIN, and CAP_PERFMON capabilities. Kernel 5.8 is the release that introduced CAP_BPF and CAP_PERFMON, so these three are the minimal grant for a BPF agent in place of the blanket CAP_SYS_ADMIN that older kernels required; operators should give the DaemonSet container exactly those capabilities rather than running it privileged, and keep in mind that an agent able to attach TC programs and read every packet on a node holds node-wide privilege whose service account and image provenance deserve the same scrutiny as a CNI plugin.