About network traffic interception modes

An application can work in one of two network traffic interception modes:

In the Use eBPF mode, the application creates its own separate Linux network namespace, into which it redirects network packets using eBPF programs attached to the tc (Linux traffic control) queues of local network interfaces. The redirected network traffic is analyzed according to the active network tasks and is then returned to the original network interface.

For communication between namespaces, pairs of veth virtual network interfaces are used (each side of a pair is in its own network namespace):

Through these pairs of interfaces, network traffic is sent for scanning from the default namespace to the namespace created by the application, and through the same interfaces, the traffic is returned back after analysis.

Network traffic reaches these interfaces from other network interfaces in the system only if the application is running and network interception is enabled. These interfaces cannot be used for data transmission over the network between remote devices.
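The mechanism above leaves two observable artefacts on the host: veth interfaces and eBPF classifiers on their tc ingress hooks. The following audit helper is an added example, not part of the product or its documentation. It assumes iproute2's `ip` and `tc` are installed, and the interface names and command output embedded in it are constructed sample data so that it runs offline; `audit_live` runs the real commands (which need CAP_NET_ADMIN for `tc`).

```shell
#!/bin/sh
# Added audit helper (not the product's own code). It checks that the veth pairs
# and tc eBPF filters described above are present only while the application is
# running. The samples below are CONSTRUCTED; names such as veth-scan0 are
# placeholders, not the real interface names used by the application.

# Constructed sample of `ip -o link show type veth` output (one line per link).
SAMPLE_VETH='3: veth-scan0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 6a:3f:1e:00:00:01 brd ff:ff:ff:ff:ff:ff link-netnsid 0
5: veth-scan1@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 6a:3f:1e:00:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0'

# Constructed sample of `tc filter show dev veth-scan0 ingress` output.
SAMPLE_TC='filter protocol all pref 49152 bpf chain 0
filter protocol all pref 49152 bpf chain 0 handle 0x1 redirect.o:[tc] direct-action not_in_hw id 42 tag 0123456789abcdef jited'

# Print bare interface names from `ip -o link show type veth` output on stdin
# ("3: veth-scan0@if4: <...>" becomes "veth-scan0").
list_veth_names() {
    awk -F': ' 'NF >= 2 { sub(/@.*/, "", $2); print $2 }'
}

# Count tc filter entries of kind bpf in `tc filter show` output on stdin.
# Prints 0 when none are attached (a plain `grep -c` would exit non-zero there).
count_bpf_filters() {
    awk '/^filter .* bpf / { n++ } END { print n + 0 }'
}

# Live audit: for every veth interface on the host, report how many eBPF
# classifiers are attached to its ingress hook. With the application stopped
# and interception disabled, the expected output is empty.
audit_live() {
    ip -o link show type veth | list_veth_names | while read -r ifname; do
        n=$(tc filter show dev "$ifname" ingress 2>/dev/null | count_bpf_filters)
        printf '%s ingress bpf filters: %s\n' "$ifname" "$n"
    done
}

# Offline demonstration on the constructed samples.
demo() {
    printf 'veth interfaces:\n'
    printf '%s\n' "$SAMPLE_VETH" | list_veth_names
    printf 'bpf filters on sample ingress hook: %s\n' \
        "$(printf '%s\n' "$SAMPLE_TC" | count_bpf_filters)"
}

demo
```

Run `audit_live` once with interception enabled and once with the application stopped; veth interfaces or bpf filters that persist in the second run indicate the redirect path was not torn down and should be investigated.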

If your device is sensitive to network port enumeration attacks (for example, if the operating system firewall with port filtering is configured on the local device), we do not recommend selecting the Use eBPF mode. We also do not recommend using this traffic interception mode on devices on the organization's network perimeter.

If the device is located in an isolated network segment, in a local network, or inside the perimeter of the organization's network, the Use eBPF traffic interception mode may be selected.

You can select the traffic interception mode in the Web Console, the Administration Console, or on the command line.
