Ebpf Mcp
What is Ebpf Mcp
ebpf-mcp is a local MCP-compatible AI server designed for Linux that provides observability, instrumentation, and program control for eBPF through a structured interface. It allows AI assistants to safely invoke kernel-level tools.
Use cases
Use cases for ebpf-mcp include automated system monitoring, AI-driven performance tuning, and secure observability of system-level traffic and syscall activities.
How to use
To use ebpf-mcp, set up the server following the quick start guide, then utilize the provided JSON-RPC 2.0 interface to interact with eBPF tools for monitoring and controlling kernel behavior.
Key features
Key features include MCP compatibility, structured JSON-RPC 2.0 communication, safe exposure of eBPF tools, and the ability for AI agents to deploy and reason about kernel-level activities.
Where to use
ebpf-mcp can be used in environments where AI assistants need to monitor and control Linux kernel behavior, such as in system observability, performance monitoring, and security analysis.
🐝 ebpf-mcp: Kernel-Level Observability for AI Agents
🧠 AI-Ready Observability for Linux
ebpf-mcp is a lightweight MCP-compatible server that exposes structured, AI-safe access to Linux kernel observability tools, built on top of eBPF.
It wraps powerful tools like bpftool and the Cilium eBPF library into JSON-RPC endpoints that can be called by AI agents or CLI clients, enabling:
- ✅ Safe eBPF program deployment (from disk or remote URL)
- ✅ Structured inspection of attached kernel hooks
- ✅ BPF map introspection
- ✅ Error tracing of failing syscalls
- ✅ Kernel capability discovery
✅ What It Actually Delivers
These features are implemented, tested, and available today:
🔍 System Introspection
```bash
curl -X POST localhost:8080/mcp -d '{
  "jsonrpc": "2.0", "id": 1,
  "method": "tools/call",
  "params": { "tool": "info", "input": {} }
}'
```
✔ Detects kernel version, BTF support, cgroup v2
✔ Returns structured JSON for AI agents to reason over
🧪 Hook Inspection (bpftool wrapped in JSON)
```bash
curl -X POST localhost:8080/mcp -d '{
  "jsonrpc": "2.0", "id": 2,
  "method": "tools/call",
  "params": { "tool": "hooks_inspect", "input": {} }
}'
```
Returns:
```json
{
  "programs": [
    {
      "id": 14,
      "type": "tracepoint",
      "name": "handle_syscall_error",
      "attached_to": "sys_enter",
      "pinned": false
    }
  ]
}
```
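One way a defender can use this response, as an added Go example that is not part of ebpf-mcp: diff the listed programs against an approved baseline to surface both unknown programs and approved ones that are no longer loaded. The key format, the baseline and the second sample entry are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// program mirrors the identifying fields of one hooks_inspect entry.
type program struct {
	Type       string `json:"type"`
	Name       string `json:"name"`
	AttachedTo string `json:"attached_to"`
}

// Drift compares a response with approved "type/name@attached_to" keys (ids
// change per load and are ignored): it returns unapproved and missing keys.
func Drift(resp []byte, baseline []string) (unexpected, missing []string, err error) {
	var r struct{ Programs []program `json:"programs"` }
	if err = json.Unmarshal(resp, &r); err != nil {
		return nil, nil, fmt.Errorf("malformed hooks_inspect response: %w", err)
	}
	seen, approved := map[string]bool{}, map[string]bool{}
	for _, p := range r.Programs {
		seen[p.Type+"/"+p.Name+"@"+p.AttachedTo] = true
	}
	for _, k := range baseline {
		approved[k] = true
		if !seen[k] {
			missing = append(missing, k)
		}
	}
	for k := range seen {
		if !approved[k] {
			unexpected = append(unexpected, k)
		}
	}
	sort.Strings(unexpected) // map iteration order is random
	return unexpected, missing, nil
}

// sample is constructed: the page's program plus one made-up kprobe entry.
const sample = `{"programs":[
 {"id":14,"type":"tracepoint","name":"handle_syscall_error","attached_to":"sys_enter","pinned":false},
 {"id":27,"type":"kprobe","name":"constructed_probe","attached_to":"do_unlinkat","pinned":false}]}`

func main() {
	fmt.Println(Drift([]byte(sample), []string{"tracepoint/handle_syscall_error@sys_enter", "xdp/constructed_filter@eth0"}))
}
```

A missing key matters as much as an unexpected one: it can mean an approved monitoring program was detached.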
🚀 eBPF Deployment with Remote Support
```json
{
  "tool": "deploy",
  "args": {
    "program_path": "https://example.com/xdp_prog.o"
  }
}
```
✔ Uses Cilium’s Go library
✔ Supports loading from URL or local path
✔ Returns structured success or error output
✔ Prints how many programs/maps were loaded
⚙️ System Requirements
| Requirement | Why It Matters |
|---|---|
| Linux 5.8+ | For modern eBPF support |
| BTF Enabled | Required for many bpftool ops |
| bpftool in PATH | Used by inspection tools |
| cgroup v2 | Required for some program types |
| Clang/LLVM | Needed only if compiling .c |
🔐 Security & Privilege Requirements
ebpf-mcp must run with sufficient privileges to interact with the kernel:
- ✅ CAP_BPF and CAP_SYS_ADMIN usually required
- ✅ XDP and tracepoints need elevated rights
- ⚠️ Always audit .o files before loading
- 🧪 deploy validates programs via kernel verifier
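A pre-deploy gate for the audit step above, as an added Go example that is not part of ebpf-mcp: it accepts a program_path only from a local path or an allowlisted HTTPS host, and an object only if it is a 64-bit little-endian relocatable eBPF ELF whose SHA-256 a reviewer has pinned. The Policy type, the host artifacts.example.internal and the sample header are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"net/url"
)

// Policy is a hypothetical pre-deploy allowlist; it is not part of ebpf-mcp.
type Policy struct {
	Hosts   map[string]bool // hosts allowed in a remote program_path
	Digests map[string]bool // hex SHA-256 of objects that passed review
}

func digest(obj []byte) string { return fmt.Sprintf("%x", sha256.Sum256(obj)) }

// VetDeploy reports why obj, obtained from programPath, must not reach deploy.
func (p Policy) VetDeploy(programPath string, obj []byte) error {
	u, err := url.Parse(programPath)
	if err != nil || (u.Scheme != "" && (u.Scheme != "https" || !p.Hosts[u.Hostname()])) {
		return fmt.Errorf("program_path %q is not an allowlisted source", programPath)
	}
	// ELF64 little-endian header: e_type at offset 16, e_machine at offset 18.
	le := binary.LittleEndian
	if len(obj) < 64 || string(obj[:6]) != "\x7fELF\x02\x01" ||
		le.Uint16(obj[16:]) != 1 || le.Uint16(obj[18:]) != 247 { // ET_REL, EM_BPF
		return fmt.Errorf("not a 64-bit little-endian relocatable eBPF object")
	}
	if !p.Digests[digest(obj)] {
		return fmt.Errorf("object digest %s is not pinned", digest(obj))
	}
	return nil
}

// sampleObject returns a constructed 64-byte ELF header, not a loadable program.
func sampleObject() []byte {
	h := make([]byte, 64)
	copy(h, "\x7fELF\x02\x01\x01")
	h[16], h[18] = 1, 247 // low bytes of e_type (ET_REL) and e_machine (EM_BPF)
	return h
}

func main() {
	obj := sampleObject()
	p := Policy{map[string]bool{"artifacts.example.internal": true}, map[string]bool{digest(obj): true}}
	fmt.Println(p.VetDeploy("https://artifacts.example.internal/xdp_prog.o", obj)) // <nil>
	fmt.Println(p.VetDeploy("https://example.com/xdp_prog.o", obj))
}
```

The kernel verifier checks memory safety and termination, not intent, so the digest pin is what ties a load to a reviewed build.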
❌ Failure Modes to Expect
| Condition | Behavior |
|---|---|
| Missing bpftool | hooks_inspect fails gracefully |
| Invalid .o program | deploy returns error via MCP |
| Insufficient privileges | Kernel rejects program load |
| No BTF support | Some introspection may fail |
📡 MCP Protocol Support
| Feature | Status |
|---|---|
| tools/list | ✅ |
| tools/call | ✅ |
| resources/* | 🚧 Planned |
| Streaming | 🚧 Planned |
🔮 Roadmap
These are not yet implemented, but planned:
🧠 Claude / MCP Agent Integration
- Claude CLI can call tools/call, but doesn’t fully interpret streamed output yet
- Working on improved Claude and Ollama support via ollama-chat CLI
- MCP compliance is prioritized for LLM compatibility
🧰 Cursor AI (IDE Integration)
- We’re exploring ways for Cursor AI to call local MCP endpoints (currently not supported natively)
- Early experiments with ollama + ebpf-mcp are promising for kernel debugging inside the dev environment
⚡ Quick Start
```bash
git clone https://github.com/sameehj/ebpf-mcp.git
cd ebpf-mcp
make build
sudo ./bin/ebpf-mcp-server -t http
```
Then call it using your favorite JSON-RPC client or the included ollama-chat CLI.
🔐 Dual Licensing
ebpf-mcp uses a dual-license model to balance kernel compatibility with integration flexibility:
- 🧬 GPL-2.0 for all code under internal/ebpf/
  - Covers eBPF program loading and kernel-level interactions
  - eBPF programs run in kernel space and may link with GPL-licensed kernel helpers
  - Ensures compliance and compatibility with the Linux kernel and existing GPL eBPF code
- 🧠 Apache-2.0 for all other components
  - Covers the MCP server, protocol layer, tool registry, and client CLI
  - Allows integration with proprietary or commercial AI agents, dev tools, and infrastructure
  - Encourages broader adoption and contribution outside the kernel ecosystem
This model keeps kernel code legally compatible while enabling wide, flexible usage in AI-first systems and enterprise automation.
🧙 Join the eBPF Agent Army
We’re building the first structured agent layer over the Linux kernel — and we need your help:
- ⭐ Star this repo
- 🛠️ Contribute a tool (internal/tools/)
- 🧪 File bug reports or integration ideas
- 🤖 Test it with LLMs and share feedback
Contact: [email protected]
GitHub: github.com/sameehj/ebpf-mcp