pythops/oryx

★ 2,490 · Rust · GPL-3.0 · updated Jun 2026

🕵️‍♂️ TUI for sniffing network traffic using eBPF on Linux

Oryx is a terminal UI for real-time network traffic inspection built on eBPF and Rust. It uses the aya-rs framework to load eBPF programs into the kernel for zero-copy packet capture, with ratatui handling the TUI layer. Aimed at sysadmins and security engineers who want a lightweight Wireshark alternative without the GUI overhead.

eBPF-based capture means packets are filtered in the kernel before reaching userspace — much lower overhead than libpcap/tcpdump for high-traffic interfaces. The workspace split between oryx-ebpf and oryx-tui is clean; eBPF bytecode compiles separately with its own nightly toolchain and gets embedded at build time. Firewall rules are a genuine differentiator over pure sniffers — you can block traffic directly from the inspection UI without touching iptables. Fuzzy search on live packet streams is a nice UX detail that's actually useful when you're hunting a specific host or port.

Requires Rust nightly for the eBPF side, which is a real friction point for teams running reproducible builds or security-hardened environments. The kernel version floor (6.10 recommended) rules out most RHEL/CentOS derivatives and older Ubuntu LTS installs people actually run in production. No application-layer protocol decoding — you see TCP/UDP but not HTTP, DNS queries, TLS handshakes, or anything at L7, which limits how useful this is for debugging real application behavior. Only 69 forks against 2490 stars suggests the community is mostly consumers, not contributors; the bus factor is probably one person.
