whatisgithub

What is pwru?

cilium/pwru — explained in plain English

Analysis updated 2026-07-03

3,746CAudience · ops devopsComplexity · 4/5Setup · hard

In one sentence

pwru (packet, where are you?) is a Linux debugging tool that shows you exactly which kernel networking functions a packet passes through and where it gets dropped or modified, using eBPF to probe the live kernel safely.

Mindmap

mindmap
  root((pwru))
    What it does
      Trace packet path
      Find drop point
      Show kernel functions
    Technology
      eBPF probes
      Linux kernel hooks
      No kernel changes needed
    Filtering
      By IP address
      By port
      tcpdump syntax
    Output options
      Stack traces
      TCP flags
      JSON or plain text
    Run environments
      Host Linux
      Docker container
      Kubernetes node
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Find the exact kernel function where a firewall rule is silently dropping your packets

USE CASE 2

Diagnose why a NAT rule is modifying packet addresses unexpectedly by watching every kernel networking step in real time

USE CASE 3

Filter traffic by IP or port and get a live trace of every kernel function that packet visits

USE CASE 4

Debug container or Kubernetes pod networking failures by running pwru directly on a cluster node

What is it built with?

CeBPFLinuxDockerKubernetes

How does it compare?

cilium/pwrusypstraw/rpi4-osdevfastos/fastsocket
Stars3,7463,7453,743
LanguageCCC
Setup difficultyhardhardhard
Complexity4/55/55/5
Audienceops devopsdeveloperops devops

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard Time to first run · 1h+

Requires Linux kernel 5.3 or newer with specific kernel configuration options enabled and eBPF support active.

License terms are not described in the explanation, check the repository directly before use.

So what is it?

pwru (short for "packet, where are you?") is a debugging tool for Linux that lets you trace exactly what happens to a network packet as it moves through the kernel. When a network connection is broken or packets are being dropped, it can be very hard to figure out at which point in the kernel's processing pipeline the problem occurs. pwru gives you visibility into that path. The tool uses a Linux technology called eBPF, which allows programs to safely attach to points inside the running kernel and observe what is happening without modifying the kernel itself. pwru uses this to attach probes to the kernel's networking functions and report, in real time, which functions a given packet passes through and where it stops. You filter traffic using the same syntax as network capture tools: for example, you can tell pwru to only trace packets going to a specific IP address or port. Once it finds a matching packet, it follows the packet through all the kernel functions it visits and prints them out. This makes it practical to answer questions like "why is this firewall rule dropping my packet" or "at which point is my packet being altered by NAT." The output is configurable: you can ask it to print the source and destination addresses of each packet, the full kernel stack trace, packet metadata, TCP flags, tunnel headers, and more. Output can also be written to a file in plain text or JSON format. pwru requires a fairly recent Linux kernel (version 5.3 or newer) and specific kernel configuration options to be enabled. It can run directly on a host, inside a Docker container, or on a specific node in a Kubernetes cluster. Pre-built binaries for x86 and ARM are available on the releases page. The project is maintained by Cilium, the networking and security project for cloud-native infrastructure.

Copy-paste prompts

Prompt 1
Using pwru on Linux, show me how to trace all packets going to port 443 and print the kernel functions they pass through so I can see where they stop.
Prompt 2
I have a packet being dropped somewhere in the Linux kernel. Walk me through using pwru to find exactly which netfilter or iptables function is dropping it.
Prompt 3
Show me how to run pwru inside a Docker container to trace packets on eth0 and output results as JSON to a file.
Prompt 4
How do I deploy pwru on a specific Kubernetes node to trace why pods in one namespace cannot reach a service in another?
Prompt 5
My packet destination address is being changed unexpectedly by NAT. Show me how to use pwru with full stack trace output to find exactly where the address is modified.

Frequently asked questions

What is pwru?

pwru (packet, where are you?) is a Linux debugging tool that shows you exactly which kernel networking functions a packet passes through and where it gets dropped or modified, using eBPF to probe the live kernel safely.

What language is pwru written in?

Mainly C. The stack also includes C, eBPF, Linux.

What license does pwru use?

License terms are not described in the explanation, check the repository directly before use.

How hard is pwru to set up?

Setup difficulty is rated hard, with roughly 1h+ to a first successful run.

Who is pwru for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.