Oryx: eBPF-Powered Network Monitoring in Your Terminal
Traditional network monitoring tools often require multiple utilities and complex configurations to answer simple questions about connection state and traffic patterns. Oryx consolidates these capabilities into a single terminal interface, leveraging eBPF technology to provide kernel-level network visibility without performance overhead.
What is Oryx?
Oryx is a Rust-based terminal user interface for real-time network traffic analysis on Linux. By utilizing eBPF (extended Berkeley Packet Filter), Oryx observes network activity directly in the kernel, delivering accurate metrics without the overhead of userspace packet capture. The tool presents connection data, traffic statistics, and firewall management through an intuitive interface designed for operators who live in the terminal.
With 2.1k GitHub stars and active development, Oryx serves system administrators and SREs who need immediate network visibility during troubleshooting or capacity planning.
Key Features
Real-Time Traffic Inspection: View active connections with source/destination IPs, ports, protocols, and process identifiers as they occur.
Comprehensive Statistics: Track bandwidth usage, packet counts, and connection states across all network interfaces.
Integrated Firewall Management: Create, modify, and remove firewall rules directly from the interface without switching to separate tools.
Metrics Explorer: Analyze historical traffic patterns and identify anomalies through built-in metric visualization.
Fuzzy Search: Quickly filter connections by IP, port, process name, or protocol using fast fuzzy matching.
Installation
On Arch Linux, install Oryx via pacman:
sudo pacman -S oryx
For Debian 13+ or Ubuntu 24.04+, download the latest binary:
wget https://github.com/pythops/oryx/releases/latest/download/oryx-x86_64-unknown-linux-musl.tar.gz
tar xzf oryx-x86_64-unknown-linux-musl.tar.gz
sudo install -m 755 oryx /usr/local/bin/oryx
Building from source requires Rust nightly and bpf-linker:
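# Install rustup, the nightly toolchain and bpf-linker
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
rustup install nightly
cargo install bpf-linker
# Build from a checkout of the repository
git clone https://github.com/pythops/oryx
cd oryx
cargo xtask build --release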
Usage
Launch Oryx with root privileges to enable eBPF attachment:
sudo oryx
The interface displays active connections in real-time. Navigate using arrow keys, filter connections with /, and access firewall rules via the F key. Press ? to display the complete keybinding reference.
Monitor specific interfaces by selecting them from the interface list. Toggle between summary and detailed views to drill into individual connection metrics.
Operational Tips
Integrate with Incident Response: Keep Oryx running in a tmux session during on-call shifts for instant network visibility when alerts fire.
Baseline Normal Traffic: Run Oryx during known-good periods to establish baseline connection patterns and bandwidth usage for your services.
Correlate with System Metrics: Use Oryx alongside tools like htop or pidstat to identify which processes generate unexpected network activity.
Export Firewall Configs: Document firewall rules created through Oryx by exporting your iptables/nftables configuration after making changes.
Requires Modern Kernels: Oryx requires Linux kernel 6.10 or newer for full eBPF functionality. Verify your kernel version with uname -r before deployment.
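The kernel check from the last tip, as an added example (not part of Oryx or the original article). It compares the release string numerically, because a plain string comparison would rank 6.9 above 6.10; the function name kernel_meets_min and the MIN_* variables are made up for this sketch.

```shell
#!/bin/sh
# Added example: preflight check for the "kernel 6.10 or newer" requirement.
MIN_MAJOR=6
MIN_MINOR=10

# kernel_meets_min RELEASE
#   returns 0 if RELEASE >= MIN_MAJOR.MIN_MINOR
#   returns 1 if RELEASE is older
#   returns 2 if RELEASE cannot be parsed
kernel_meets_min() {
    release=$1
    # Require at least "major.minor"
    case $release in
        *.*) ;;
        *) return 2 ;;
    esac
    major=${release%%.*}        # text before the first dot
    rest=${release#*.}          # text after the first dot
    minor=${rest%%[!0-9]*}      # leading digits only: "10.0-rc1" -> "10"
    case $major in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ -n "$minor" ] || return 2
    # Numeric comparison: 6.9 must NOT pass as newer than 6.10
    if [ "$major" -gt "$MIN_MAJOR" ]; then
        return 0
    fi
    if [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ]; then
        return 0
    fi
    return 1
}

# Report on the running kernel without aborting the calling shell.
current=$(uname -r)
if kernel_meets_min "$current"; then
    echo "kernel $current: meets the $MIN_MAJOR.$MIN_MINOR minimum"
else
    echo "kernel $current: older than $MIN_MAJOR.$MIN_MINOR or not parseable"
fi
```
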
Conclusion
Oryx brings the power of eBPF network monitoring to a terminal interface that respects operator workflows. By consolidating traffic inspection, statistics, and firewall management into a single tool, it eliminates context switching during troubleshooting sessions. For SREs and network engineers seeking lightweight, real-time network visibility on Linux systems, Oryx delivers essential capabilities without the complexity of traditional packet capture tools.
Explore the Oryx GitHub repository for installation instructions and feature documentation.