oryx
Oryx is a Linux terminal UI for real-time network traffic inspection using eBPF, offering protocol-level visibility, traffic statistics, and firewall rule management. It requires Linux kernel 6.10+ and runs with elevated privileges to capture and filter network packets at the kernel level.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | pythops/oryx |
| Owner | pythops |
| Primary language | Rust |
| License | GPL-3.0 — OSI-approved |
| Stars | 2.5k |
| Forks | 69 |
| Open issues | 6 |
| Latest release | v0.8.0 (2026-02-04) |
| Last updated | 2026-06-09 |
| Source | https://github.com/pythops/oryx |
What oryx is
Built in Rust using the aya eBPF framework and ratatui TUI library, Oryx attaches eBPF programs to kernel network hooks for zero-copy packet capture and filtering. It supports TCP, UDP, SCTP (transport), IPv4/v6, ICMP, IGMP (network), and ARP (link layer) protocols with fuzzy search and metrics export capabilities.
Get the oryx source
Clone the repository and explore it locally.
git clone https://github.com/pythops/oryx.gitcd oryx# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires Rust nightly toolchain and bpf-linker build dependencies; pre-built binaries reduce installation friction for Arch Linux and direct release downloads.
- Must run as root (sudo) to attach eBPF programs; audit capability delegation policies and SELinux/AppArmor rules if containerizing or multi-tenancy is required.
- Firewall rules persist to ~/oryx/firewall.json and capture exports to ~/oryx/capture; verify file permissions, disk space, and backup strategy for production environments.
- Kernel version 6.10+ strongly recommended; test on target distribution (Debian 13+, Ubuntu 24.04+) to confirm all features; older kernels may omit SCTP, IGMP v3, or metrics explorer.
- TUI interaction requires nerd fonts; distribute font configuration or pre-install fonts in container images to avoid rendering issues on headless deployments.
When to avoid it — and what to weigh
- Windows or macOS Deployments — Oryx is Linux-only, requiring eBPF kernel support (6.10+ recommended). No native ports or cross-platform compatibility exist.
- High-Volume Enterprise Packet Capture — Designed as a lightweight inspection tool, not a dedicated packet capture engine. Large-scale network telemetry ingestion should use specialized tools (Zeek, Suricata) with persistent storage.
- Non-Technical or GUI-Dependent Teams — Requires terminal familiarity, Linux command-line skills (sudo, key bindings), and nerd font setup. No GUI alternative or point-and-click interface available.
- Legacy Linux Kernels (< 6.10) — Requires modern eBPF features; Debian 13+ / Ubuntu 24.04+ minimum. Older systems may lack necessary kernel verifier and helper function support, causing feature gaps or failures.
License & commercial use
Licensed under GPLv3, a copyleft license requiring any derivative or distributed works to remain open-source under GPLv3 and disclose source code to recipients.
GPLv3 permits commercial use internally (e.g., running within a company) but prohibits distributing Oryx or GPLv3-derived works commercially without releasing full source and maintaining GPLv3. Embedding Oryx in a proprietary closed-source product is not permitted. Requires legal review for commercial redistribution or SaaS offerings. Contact project maintainers for alternative licensing if needed.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
Requires root/sudo execution to load eBPF programs; eBPF bytecode verification by kernel protects against malicious kernel crashes but runs in privileged context. Review upstream bpf-linker and aya-rs dependencies for CVEs. No mention of input validation for firewall rule creation or fuzzy search; recommend testing with hostile inputs. Firewall rules stored in plaintext JSON; consider disk encryption for sensitive rule sets. No explicit audit logging or export signing; manual verification of exported captures recommended.
Alternatives to consider
tcpdump + Wireshark
Industry-standard packet capture and GUI analysis; cross-platform (Windows, macOS, Linux); mature, feature-complete, and widely integrated. Trade-off: heavier resource use, no built-in firewall control, and requires separate tools for real-time inspection.
Zeek (formerly Bro)
Network security monitoring framework with eBPF support, protocol parsing, and alerting; designed for large-scale capture and log aggregation. Trade-off: steeper learning curve, requires centralized logging infrastructure, not a lightweight TUI.
nethogs or iftop
Lightweight TUI tools for per-process or interface-level bandwidth monitoring on Linux. Trade-off: lower protocol-level detail, no firewall rules, no fuzzy search or packet inspection; simpler use cases only.
Build on oryx with DEV.co software developers
If you operate Linux servers, need real-time network visibility without GUI overhead, or manage kernel-level firewall policies, evaluate Oryx as a lightweight sysadmin tool. Verify kernel version (6.10+) and privilege model requirements against your environment before production deployment.
Talk to DEV.coRelated on DEV.co
Explore the category and the services that help you build with it.
oryx FAQ
Can Oryx run on Windows or macOS?
Do I need sudo to run Oryx?
What is the difference between Oryx and tcpdump/Wireshark?
Can I use Oryx in a containerized environment?
Work with a software development agency
Adopting oryx is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source observability software in production.
Assess Oryx for Your Infrastructure
If you operate Linux servers, need real-time network visibility without GUI overhead, or manage kernel-level firewall policies, evaluate Oryx as a lightweight sysadmin tool. Verify kernel version (6.10+) and privilege model requirements against your environment before production deployment.