awsutils/sniff2cw

sniff2cw

A Go application that sniffs ingress/egress HTTP traffic for a target application, maps request/response pairs, and ships logs to AWS CloudWatch Logs. Also emits CloudWatch Metrics for health, latency, request counts, payload size, and HTTP status codes.

Requirements

  • Linux, any kernel (capture method is auto-selected from best available)
  • Minimum capabilities: CAP_NET_RAW (for AF_PACKET / pcap fallback paths)
  • For eBPF paths: additionally CAP_BPF, CAP_NET_ADMIN, CAP_PERFMON; kernel ≥ 4.18 with /sys/kernel/btf/vmlinux

sniff2cw tries capture methods in priority order — eBPF TCX → eBPF cls_bpf → AF_PACKET TPACKET_V3 → pcap — and uses the first that succeeds. See SPEC.md for the full priority table.
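The requirements above map onto the capture priority order: every path needs CAP_NET_RAW, while the two eBPF paths additionally need CAP_BPF, CAP_NET_ADMIN, CAP_PERFMON and BTF. The following is an added example, not code from the sniff2cw project, that reads the effective capability mask of the current process and reports which paths it could use; the kernel version check (≥ 4.18) is left out, and the Linux capability bit numbers are taken from linux/capability.h.

```go
// Added example (not part of sniff2cw): pre-flight check of which capture
// paths the current process's capabilities would permit.
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Linux capability bit numbers (linux/capability.h).
const (
	capNetAdmin = 12
	capNetRaw   = 13
	capPerfmon  = 38
	capBPF      = 39
)

// hasCap reports whether capability bit n is set in a CapEff bitmask.
func hasCap(capEff uint64, n uint) bool { return capEff&(1<<n) != 0 }

// parseCapEff extracts the effective capability mask from the contents of
// /proc/self/status, whose "CapEff:" line carries a 64-bit hex value.
func parseCapEff(status string) (uint64, error) {
	for _, line := range strings.Split(status, "\n") {
		if strings.HasPrefix(line, "CapEff:") {
			hex := strings.TrimSpace(strings.TrimPrefix(line, "CapEff:"))
			return strconv.ParseUint(hex, 16, 64)
		}
	}
	return 0, fmt.Errorf("CapEff line not found in process status")
}

// capturePaths lists the capture methods, in the README's priority order,
// that capEff permits. btf reports whether /sys/kernel/btf/vmlinux exists,
// which the eBPF paths additionally require.
func capturePaths(capEff uint64, btf bool) []string {
	var paths []string
	if !hasCap(capEff, capNetRaw) {
		return paths // every path, including the pcap fallback, needs CAP_NET_RAW
	}
	if btf && hasCap(capEff, capBPF) && hasCap(capEff, capNetAdmin) && hasCap(capEff, capPerfmon) {
		paths = append(paths, "eBPF TCX", "eBPF cls_bpf")
	}
	return append(paths, "AF_PACKET TPACKET_V3", "pcap")
}

func main() {
	status, err := os.ReadFile("/proc/self/status")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	capEff, err := parseCapEff(string(status))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	_, statErr := os.Stat("/sys/kernel/btf/vmlinux")
	fmt.Println("usable capture paths:", capturePaths(capEff, statErr == nil))
}
```

An empty result means the process lacks CAP_NET_RAW and no capture method can start, which is the fail-safe case to watch for when running the sniffer under a restricted service account or pod security context.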

Quick Start

APP_NAME=my-service \
APP_PORT=8080 \
DIRECTION=BOTH \
LOG_GROUP_NAME=/app/log/my-service \
./sniff2cw

Environment Variables

| Variable | Default | Description |
|---|---|---|
| APP_NAME | hostname | Identifier used in CloudWatch Logs and Metrics |
| APP_PORT | 8080 | Port of the target application |
| DIRECTION | BOTH | Traffic direction: BOTH, INGRESS, or EGRESS |
| HEALTH_URLS | 127.0.0.1:{APP_PORT}/health | Comma-separated health check endpoints |
| LOG_GROUP_NAME | /app/log/{APP_NAME} | CloudWatch Logs group name |
| LOG_STREAM_NAME | hostname | CloudWatch Logs stream name |
| MAX_BODY_BYTES | 4096 | Max bytes captured per body (0 = disabled, max 65536) |
| EKS_CLUSTER_NAME | (empty) | Kubernetes cluster name for platform metadata |
| K8S_POD_NAME | (empty) | Pod name (inject via Kubernetes downward API) |
| K8S_POD_NAMESPACE | (empty) | Namespace (inject via Kubernetes downward API) |
| K8S_NODE_NAME | (empty) | Node name (inject via Kubernetes downward API) |

See SPEC.md for full details including HEALTH_URLS shorthand syntax, log/metric formats, and fail-safe behavior. See TESTING.md for the WSL2 test setup guide.

Log Format

Each matched request/response pair is logged as minified JSON to stdout and CloudWatch Logs:

{
  "_q": "my-service INGRESS /api/foo 200 42ms",
  "app_name": "my-service",
  "direction": "INGRESS",
  "delay": 42,
  "platform": { "ec2_instance_id": "i-0abc123", "ec2_region": "us-east-1", "..." : "..." },
  "request": { "time": 1700000000000, "method": "POST", "path": "/api/foo", "..." : "..." },
  "response": { "time": 1700000000042, "status": 200, "..." : "..." }
}

The platform key is omitted when no EC2/ECS/EKS metadata is detected. See SPEC.md for the full field list.

Metrics

Published under sniff2cw/{APP_NAME} in CloudWatch Metrics:

  • HealthStatus — health check up/down per endpoint
  • HealthLatency — health check response time
  • RequestCount / ErrorCount — total and error requests
  • Latency — request-to-response delay
  • RequestBodySize / ResponseBodySize — payload sizes
  • StatusCode — request count by HTTP status code

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.
