DEV.co
Open-Source Observability · pythops

oryx

Oryx is a Linux terminal UI for real-time network traffic inspection using eBPF, offering protocol-level visibility, traffic statistics, and firewall rule management. It requires Linux kernel 6.10+ and runs with elevated privileges to capture and filter network packets at the kernel level.

Source: GitHub — github.com/pythops/oryx
2.5k
GitHub stars
69
Forks
Rust
Primary language
GPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorypythops/oryx
Ownerpythops
Primary languageRust
LicenseGPL-3.0 — OSI-approved
Stars2.5k
Forks69
Open issues6
Latest releasev0.8.0 (2026-02-04)
Last updated2026-06-09
Sourcehttps://github.com/pythops/oryx

What oryx is

Built in Rust using the aya eBPF framework and ratatui TUI library, Oryx attaches eBPF programs to kernel network hooks for zero-copy packet capture and filtering. It supports TCP, UDP, SCTP (transport), IPv4/v6, ICMP, IGMP (network), and ARP (link layer) protocols with fuzzy search and metrics export capabilities.

Quickstart

Get the oryx source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/pythops/oryx.gitcd oryx# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Linux System Administration & Troubleshooting

Real-time visibility into network flows for diagnosing connectivity issues, identifying rogue connections, and monitoring system network behavior without GUI overhead on headless servers.

Security Operations & Threat Hunting

Kernel-level packet inspection with firewall rule creation/editing to detect anomalous traffic patterns, validate security policies, and capture suspicious network activity for forensic analysis.

DevOps & Container Networking Debugging

Inspect inter-service communication, validate network policies in Kubernetes/Docker environments, and export capture data for analysis when traditional tcpdump/Wireshark are unavailable or inconvenient.

Implementation considerations

  • Requires Rust nightly toolchain and bpf-linker build dependencies; pre-built binaries reduce installation friction for Arch Linux and direct release downloads.
  • Must run as root (sudo) to attach eBPF programs; audit capability delegation policies and SELinux/AppArmor rules if containerizing or multi-tenancy is required.
  • Firewall rules persist to ~/oryx/firewall.json and capture exports to ~/oryx/capture; verify file permissions, disk space, and backup strategy for production environments.
  • Kernel version 6.10+ strongly recommended; test on target distribution (Debian 13+, Ubuntu 24.04+) to confirm all features; older kernels may omit SCTP, IGMP v3, or metrics explorer.
  • TUI interaction requires nerd fonts; distribute font configuration or pre-install fonts in container images to avoid rendering issues on headless deployments.

When to avoid it — and what to weigh

  • Windows or macOS Deployments — Oryx is Linux-only, requiring eBPF kernel support (6.10+ recommended). No native ports or cross-platform compatibility exist.
  • High-Volume Enterprise Packet Capture — Designed as a lightweight inspection tool, not a dedicated packet capture engine. Large-scale network telemetry ingestion should use specialized tools (Zeek, Suricata) with persistent storage.
  • Non-Technical or GUI-Dependent Teams — Requires terminal familiarity, Linux command-line skills (sudo, key bindings), and nerd font setup. No GUI alternative or point-and-click interface available.
  • Legacy Linux Kernels (< 6.10) — Requires modern eBPF features; Debian 13+ / Ubuntu 24.04+ minimum. Older systems may lack necessary kernel verifier and helper function support, causing feature gaps or failures.

License & commercial use

Licensed under GPLv3, a copyleft license requiring any derivative or distributed works to remain open-source under GPLv3 and disclose source code to recipients.

GPLv3 permits commercial use internally (e.g., running within a company) but prohibits distributing Oryx or GPLv3-derived works commercially without releasing full source and maintaining GPLv3. Embedding Oryx in a proprietary closed-source product is not permitted. Requires legal review for commercial redistribution or SaaS offerings. Contact project maintainers for alternative licensing if needed.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Requires root/sudo execution to load eBPF programs; eBPF bytecode verification by kernel protects against malicious kernel crashes but runs in privileged context. Review upstream bpf-linker and aya-rs dependencies for CVEs. No mention of input validation for firewall rule creation or fuzzy search; recommend testing with hostile inputs. Firewall rules stored in plaintext JSON; consider disk encryption for sensitive rule sets. No explicit audit logging or export signing; manual verification of exported captures recommended.

Alternatives to consider

tcpdump + Wireshark

Industry-standard packet capture and GUI analysis; cross-platform (Windows, macOS, Linux); mature, feature-complete, and widely integrated. Trade-off: heavier resource use, no built-in firewall control, and requires separate tools for real-time inspection.

Zeek (formerly Bro)

Network security monitoring framework with eBPF support, protocol parsing, and alerting; designed for large-scale capture and log aggregation. Trade-off: steeper learning curve, requires centralized logging infrastructure, not a lightweight TUI.

nethogs or iftop

Lightweight TUI tools for per-process or interface-level bandwidth monitoring on Linux. Trade-off: lower protocol-level detail, no firewall rules, no fuzzy search or packet inspection; simpler use cases only.

Software development agency

Build on oryx with DEV.co software developers

If you operate Linux servers, need real-time network visibility without GUI overhead, or manage kernel-level firewall policies, evaluate Oryx as a lightweight sysadmin tool. Verify kernel version (6.10+) and privilege model requirements against your environment before production deployment.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

oryx FAQ

Can Oryx run on Windows or macOS?
No. Oryx is Linux-only and requires eBPF kernel support (6.10+ recommended). Windows and macOS do not have native eBPF or are not officially supported.
Do I need sudo to run Oryx?
Yes. Oryx requires root privileges to attach eBPF programs to kernel network hooks and manage firewall rules. Always run with `sudo oryx`.
What is the difference between Oryx and tcpdump/Wireshark?
Oryx is a terminal UI with real-time filtering and firewall rule creation built in; tcpdump is a CLI capture tool and Wireshark is a GUI analyzer. Oryx is lighter, kernel-driven (eBPF), and purpose-built for sysadmins; Wireshark is richer for forensic analysis but resource-heavy.
Can I use Oryx in a containerized environment?
Yes, but with caution. Containers must run in privileged mode with BPF capabilities, and the host kernel must meet version requirements (6.10+). Volume-mount firewall rules and verify SELinux/AppArmor policies. No official Dockerfile provided; custom setup required.

Work with a software development agency

Adopting oryx is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source observability software in production.

Assess Oryx for Your Infrastructure

If you operate Linux servers, need real-time network visibility without GUI overhead, or manage kernel-level firewall policies, evaluate Oryx as a lightweight sysadmin tool. Verify kernel version (6.10+) and privilege model requirements against your environment before production deployment.