> For the complete documentation index, see [llms.txt](https://docs.akto.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.akto.io/traffic-connector/ebpf/traffic-capture-bcc-dockerless.md). # Akto eBPF Traffic Collector Platform Specific This document is for **clients** who install the **dockerless** eBPF bundle (Go binary + module.cc(bcc) + shell wrappers), distributed as a versioned **`.tar.gz`**. Tarball naming convention: `akto-mirroring-module----.tar.gz` *** ## Platform Downloads | Platform | Download URL | | --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | | Amazon Linux 2 — kernel 5.10, x86\_64 | `https://akto.blob.core.windows.net/traffic-collector-binaries/akto-mirroring-module-1.0.0-amzn2-5.10-x86_64.tar.gz` | | Amazon Linux 2023 — kernel 6.1, x86\_64 | `https://akto.blob.core.windows.net/traffic-collector-binaries/akto-mirroring-module-1.0.0-amzn2023-6.1-x86_64.tar.gz` | | Amazon Linux 2023 — kernel 6.1, aarch64 | `https://akto.blob.core.windows.net/traffic-collector-binaries/akto-mirroring-module-1.0.0-amzn2023-6.1-aarch64.tar.gz` | Contact Akto for a download URL if your platform is not listed. *** ## Install ### 1. Download the archive Use the platform-specific URL from the table above. ```bash wget -O akto-mirroring-module----.tar.gz "" ``` (`curl -fL "" -o akto-mirroring-module----.tar.gz` works the same way.) ### 2. Unpack (default layout: `/ebpf`) As **root** (paths in the archive are rooted at `ebpf/`): ```bash sudo mkdir -p /ebpf && sudo tar -xzf akto-mirroring-module----.tar.gz -C /ebpf --strip-components=1 ``` This creates **`/ebpf/`** including: | Path | Role | | ------------------------------------ | ------------------------------------------------------------------------- | | `ebpf/ebpf-logging` | Main Go binary | | `ebpf/---setup.sh` | Platform-specific prerequisite script (e.g. `amzn2-5.10-x86_64-setup.sh`) | | `ebpf/kernel/module.cc` | C kernel code | | `ebpf/ebpf-bcc-run.sh` | Supervisor loop | | `ebpf/run-ebpf-bcc-host.sh` | Host entrypoint (sudo wrapper; **detached by default**) | | `ebpf/uninstall-ebpf-bcc-host.sh` | Stops processes; leaves `${EBPF_ROOT}` on disk | | `ebpf/.env` | Default environment (edit before production) | If you install under a **different** directory, set **`EBPF_ROOT`** consistently (see below) and keep **`ebpf-bcc-run.sh`** and **`.env`** together under that directory. ### 3. Run platform prerequisites The tarball includes a platform-specific setup script that installs required kernel headers and BCC libraries. This must be run before akto ebpf module is started everytime. Run it once after unpacking: | Platform | Script | | --------------------------------------- | ----------------------------------------------- | | Amazon Linux 2 (kernel 5.10, x86\_64) | `sudo bash /ebpf/amzn2-5.10-x86_64-setup.sh` | | Amazon Linux 2023 (kernel 6.1, x86\_64) | `sudo bash /ebpf/amzn2023-6.1-x86_64-setup.sh` | | Amazon Linux 2023 (kernel 6.1, aarch64) | `sudo bash /ebpf/amzn2023-6.1-aarch64-setup.sh` | For reference, upstream BCC installation docs: ### 4. Configure Edit **`/ebpf/.env`** (or **`${EBPF_ROOT}/.env`**). At minimum set **`AKTO_KAFKA_BROKER_MAL`** to your broker (replace the `` placeholder in the shipped template). Typical bare-metal defaults in that file: * **`EBPF_ROOT=/ebpf`** — bundle root. * **`HOST_MAPPING=/`** — host path prefix (use **`/host`** when running inside Docker with `-v /:/host`). * **`ENABLE_LOGS=false`** / **`LOG_FILE=/ebpf/dump.log`** — shipped defaults; if you change **`EBPF_ROOT`**, set **`LOG_FILE`** under that directory (for example **`/opt/akto/ebpf/dump.log`**). ### 5. Run (detached by default) `run-ebpf-bcc-host.sh` starts the supervisor under **`nohup`** and returns immediately. It writes **`${EBPF_ROOT}/ebpf-bcc-run.pid`**. **`nohup.out`** is not used. With **`ENABLE_LOGS=false`**, **`ebpf-bcc-run.sh`** attaches non-TTY stdout/stderr to **`LOG_FILE`** (see **`.env`** / **`MAX_LOG_SIZE`** for rotation). ```bash sudo /ebpf/run-ebpf-bcc-host.sh ``` Follow logs: * **`ebpf-bcc-run.sh`** shell output (memory lines, restarts) and collector when **`ENABLE_LOGS=false`** (bundle default): `tail -f /ebpf/dump.log` or override **`LOG_FILE`** in **`.env`** Attach to the supervisor in the foreground (blocks this shell), for debugging: ```bash sudo /ebpf/run-ebpf-bcc-host.sh -f # or: sudo AKTO_FOREGROUND=true /ebpf/run-ebpf-bcc-host.sh ``` Or with a non-default install root: ```bash sudo EBPF_ROOT=/opt/akto/ebpf /opt/akto/ebpf/run-ebpf-bcc-host.sh ``` Ensure **`EBPF_ROOT`** in the environment matches **`EBPF_ROOT`** in **`.env`** when you use a custom path. ### 6. Uninstall Stops **`ebpf-bcc-run.sh`** / **`ebpf-logging`** for this install (using the pidfile when present, then matching processes). It does **not** remove **`EBPF_ROOT`**. ```bash sudo /ebpf/uninstall-ebpf-bcc-host.sh -y ``` Custom root: ```bash sudo EBPF_ROOT=/opt/akto/ebpf /opt/akto/ebpf/uninstall-ebpf-bcc-host.sh -y ``` Omit **`-y`** for an interactive confirmation (requires a TTY). #### What’s Happening Behind the Scenes? * **eBPF hooks into your Linux kernel** to capture real-time traffic—even if it’s encrypted (TLS). * No code changes, no traffic proxying, no SSL termination. * The collector forwards API traces to Akto for real-time inventory and security analysis. ## Get Support for your Akto setup There are multiple ways to request support from Akto. We are 24X7 available on the following: 1. In-app `intercom` support. Message us with your query on intercom in Akto dashboard and someone will reply. 2. Join our [discord channel](https://www.akto.io/community) for community support. 3. Contact `help@akto.io` for email support. 4. Contact us [here](https://www.akto.io/contact-us). --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://docs.akto.io/traffic-connector/ebpf/traffic-capture-bcc-dockerless.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.