ebpf-mcp-tracer
Enables LLMs to safely write and run bpftrace scripts against the Linux kernel for observability, with explicit probe allowlists and execution timeout.
An MCP server that lets an LLM write and run bpftrace scripts against your kernel, gated by an explicit probe allowlist and a hard execution timeout.
It does not compile raw eBPF C. bpftrace is the engine -- it already handles BTF/CO-RE portability, hook attachment, and ring-buffer-to-text formatting, so this project is the orchestration and safety layer on top of it rather than a from-scratch eBPF compiler.
The ebpf-mcp-tracer is a secure MCP server that bridges LLMs and the Linux kernel by orchestrating bpftrace for natural-language, kernel-level observability. Instead of compiling raw eBPF C, it leverages bpftrace's built-in safety and portability while enforcing strict guardrails through explicit probe allowlists, blocked dangerous builtins, and hard execution timeouts. By exposing simple tools for probe discovery, dry-run validation, and timed trace execution over local stdio, it empowers AI agents to safely debug complex system bottlenecks and analyze process behavior without requiring deep eBPF expertise or risking host stability.
What it exposes
Three tools, callable by any MCP client (Claude Desktop, etc.):
- list_probes(pattern) -- read-only listing of kernel probes (bpftrace -l)
- validate_script(script) -- safety allowlist check + compile-only dry run (bpftrace -d, no attachment)
- run_trace(script, duration_seconds) -- attaches and streams events for up to 60s, then detaches and returns parsed JSON events
And one resource: ebpf://system/kernel-info (kernel version, bpftrace availability).
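The run_trace timeout/detach/parse cycle described above, as an added example in the spirit of the project's tests/fakebin shim (not the project's engine.py). It assumes bpftrace's -f json one-object-per-line output; FAKE_BPFTRACE is a constructed shell stand-in that prints two such lines and then blocks like an attached trace would, so the example runs without root or a real kernel.

```python
import json
import subprocess

MAX_DURATION = 60  # hard cap from the tool description above

# Constructed stand-in for a real bpftrace: emits two JSON lines shaped like
# `bpftrace -f json` output, then blocks until the server terminates it.
FAKE_BPFTRACE = [
    "sh", "-c",
    "echo '{\"type\": \"attached_probes\", \"data\": {\"probes\": 1}}'; "
    "echo '{\"type\": \"printf\", \"data\": \"connect() from curl\"}'; "
    "exec sleep 30",
    "fake-bpftrace",  # becomes $0; the real flags appended below are ignored
]

def parse_json_lines(text: str) -> list[dict]:
    """Keep only well-formed JSON objects; warnings may be interleaved on stdout."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial line cut off by the timeout, or non-event noise
        if isinstance(obj, dict):
            events.append(obj)
    return events

def run_trace(script: str, duration_seconds: int, bpftrace_cmd=("bpftrace",)) -> dict:
    """Attach for at most duration_seconds (clamped to MAX_DURATION), then detach."""
    duration = max(1, min(int(duration_seconds), MAX_DURATION))
    argv = [*bpftrace_cmd, "-f", "json", "-e", script]
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    timed_out = False
    try:
        out, err = proc.communicate(timeout=duration)
    except subprocess.TimeoutExpired:
        timed_out = True
        proc.terminate()  # SIGTERM lets bpftrace detach its probes on the way out
        try:
            out, err = proc.communicate(timeout=5)  # output seen so far is retained
        except subprocess.TimeoutExpired:
            proc.kill()  # last resort; the kernel frees the programs when the fds close
            out, err = proc.communicate()
    return {"timed_out": timed_out, "returncode": proc.returncode,
            "events": parse_json_lines(out), "stderr": err.strip()}

if __name__ == "__main__":
    print(run_trace('kprobe:tcp_v4_connect { printf("%s\\n", comm); }', 2, FAKE_BPFTRACE))
```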
Setup on your machine
- Install bpftrace:
  sudo apt update && sudo apt install -y bpftrace
  Confirm it works standalone first:
  sudo bpftrace -e 'BEGIN { printf("it works\n"); exit(); }'
- Install the Python deps:
  cd ebpf-mcp-tracer
  python3 -m venv venv
  source venv/bin/activate
  pip install -r requirements.txt
- Permissions. bpftrace needs to load BPF programs into the kernel, which normally requires root. You have two options:
  - Simplest: run the MCP server process itself as root. Fine for a personal box, not something to do on a shared machine.
  - Better, if your kernel is 5.8+: grant the venv's python binary the specific capabilities bpftrace needs instead of full root:
    sudo setcap cap_bpf,cap_perfmon,cap_sys_resource+ep $(readlink -f venv/bin/python3)
    Note this grants those capabilities to any script run by that exact python binary -- keep the venv dedicated to this project.
- Test the server directly before wiring it into a client:
  python3 -m mcp dev src/ebpf_mcp_tracer/server.py
  or run it raw and talk to it over stdio:
  python3 src/ebpf_mcp_tracer/server.py
- Point your MCP client at it. Example Claude Desktop config entry:
  {
    "mcpServers": {
      "ebpf-tracer": {
        "command": "/absolute/path/to/ebpf-mcp-tracer/venv/bin/python3",
        "args": ["/absolute/path/to/ebpf-mcp-tracer/src/ebpf_mcp_tracer/server.py"]
      }
    }
  }
  (Verify the exact config file location and key names against current Claude Desktop docs -- this has changed before.)
Running the tests
The safety-allowlist tests need no privileges and no bpftrace install:
pip install pytest
python3 -m pytest tests/test_safety.py -v
There's also a fake bpftrace shim at tests/fakebin/bpftrace used during
development to exercise the subprocess/timeout/JSON-parsing logic in
engine.py without needing a real kernel. You shouldn't need it once you
have the real binary installed, but it's there if you want to test changes
to engine.py without root.
Extending the probe allowlist
src/ebpf_mcp_tracer/safety.py has ALLOWED_PROBE_PATTERNS. Every probe
the LLM can attach to must match one of these regexes -- there are no
wildcards on purpose. To add a new function:
- Look up what it does and confirm it's safe to hook (read-only tracing, not something that can be abused to leak secrets across processes or degrade performance under load).
- Add an explicit pattern, e.g. r"^kprobe:tcp_v4_connect$".
- Re-run the safety tests.
Don't add kprobe:* or kprobe:do_*-style wildcards -- that defeats the
point of the allowlist.
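The two-layer check the allowlist section and the "deliberately NOT here" list describe, as an added example rather than the project's safety.py: an exact-match probe allowlist with no wildcards, plus a scan for builtins that need --unsafe. The patterns and the probe-header scanner are illustrative assumptions, not the project's own.

```python
import re

# Illustrative allowlist: every entry pins one probe exactly, no wildcards.
ALLOWED_PROBE_PATTERNS = [
    r"^kprobe:tcp_v4_connect$",
    r"^tracepoint:syscalls:sys_enter_openat$",
    r"^tracepoint:sched:sched_process_exec$",
    r"^interval:s:[0-9]+$",
    r"^BEGIN$",
    r"^END$",
]
_ALLOWED = [re.compile(p) for p in ALLOWED_PROBE_PATTERNS]

# bpftrace builtins that need --unsafe. The server never passes --unsafe,
# so rejecting them here is the second, independent layer.
_BLOCKED_BUILTIN = re.compile(r"\b(system|override|signal)\s*\(")

def extract_probes(script: str) -> list[str]:
    """Return every probe spec the script would attach: the brace-depth-0 text
    before each '{', with line comments and a trailing /predicate/ stripped.
    (A '{' inside a string literal would confuse this simple scanner.)"""
    script = re.sub(r"//[^\n]*", "", script)
    probes, header, depth = [], [], 0
    for ch in script:
        if ch == "{":
            if depth == 0:
                text = re.sub(r"/[^/]*/\s*$", "", "".join(header).strip())
                probes += [p.strip() for p in text.split(",") if p.strip()]
                header = []
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            header.append(ch)
    return probes

def validate(script: str) -> tuple[bool, list[str]]:
    """Layer 1: no blocked builtins. Layer 2: every probe fully matches one
    allowlist regex. Returns (ok, human-readable problems)."""
    problems = [f"blocked builtin: {n}" for n in _BLOCKED_BUILTIN.findall(script)]
    probes = extract_probes(script)
    if not probes:
        problems.append("no probes found")
    problems += [f"probe not in allowlist: {p}"
                 for p in probes if not any(rx.match(p) for rx in _ALLOWED)]
    return not problems, problems
```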
For further documentation, see https://github.com/blackdragoon26/ebpf-mcp-tracer/blob/main/INSTALL.md
What's deliberately NOT here yet
- No --unsafe flag anywhere, which means system(), override(), and a few other dangerous bpftrace builtins are unreachable even if the allowlist regex check somehow had a hole. This is enforced at two independent layers on purpose.
- No automatic verifier-error-to-LLM retry loop. validate_script returns the raw bpftrace compile error; wiring up an automatic "LLM reads the error and retries" loop is a natural next step once you've used this manually a few times and have a feel for what errors actually show up.
- No network exposure. This talks stdio only. If you want this reachable remotely later, that's a real auth/access-control project on its own -- don't bolt on a port without thinking that through separately.