pythops

pythops/oryx

Rust GPL-3.0 Security

🕵️‍♂️ TUI for sniffing network traffic using eBPF on Linux

2.5k stars
69 forks
recent
GitHub +6 / week

2.5k

Stars

69

Forks

6

Open issues

7

Contributors

v0.8.0 04 Feb 2026

AI Analysis

Oryx is a terminal UI for real-time network traffic inspection and analysis using eBPF on Linux, offering packet sniffing, traffic statistics, firewall rule management, and metrics exploration. It is purpose-built for system administrators, security practitioners, and network engineers who need kernel-level network observability on Linux—not a general-purpose tool and not suitable for Windows/macOS users or those seeking application-level packet analysis.

Security Security Tool Discovery value: 6/10
Documentation 8/10
Activity 8/10
Community 7/10
Code quality 5/10

Inferred from signals mentioned in the README (tests, CI, type safety) — not a review of the actual code.

Overall score 8/10

AI's overall editorial judgment — not an average of the bars above, can weigh other factors too.

ebpf network-observability linux-kernel tui packet-analysis
Actively maintained Well documented Niche/specialized use case Production ready
Deep Analysis · Based on README and public signals
2w ago

eBPF-based terminal UI for Linux network traffic inspection, with firewall control

Oryx is a terminal user interface (TUI) for real-time network traffic analysis on Linux, built in Rust using eBPF for kernel-space packet inspection. It targets systems administrators and network engineers who need interactive traffic visibility without leaving the terminal. The project is young (created September 2024) but actively maintained, with modest adoption relative to category peers like Sniffnet, and requires kernel 6.10+ or recent distributions (Ubuntu 24.04+, Debian 13+). It occupies a narrower niche than broader packet capture tools.

Origin

Oryx emerged in mid-2024 as part of a wave of Rust-based eBPF networking tools. The creator (pythops) has prior TUI experience (see similar repo bluetui, 2,856 stars). The project leverages the aya-rs eBPF framework and represents a deliberate choice to build a specialized, kernel-space traffic inspection tool rather than relying on traditional userspace libpcap-based sniffers.

Growth

The project gained ~2,500 stars over approximately 21 months, averaging roughly 120 stars per month — steady but not explosive growth. Recent 7-day gain of 5 stars suggests sustained but modest interest. Early adoption in Arch Linux (added to extra repository) indicates ecosystem recognition. The growth pattern reflects a niche tool with technical credibility rather than mainstream appeal.

In production

Adoption not verified. No case studies, production deployment accounts, or user testimonials documented in README. Arch Linux packaging is a positive signal of ecosystem adoption but does not demonstrate production usage at scale. The tool is available as pre-built binaries and via package managers, suggesting accessibility, but real-world usage numbers are opaque.

Code analysis
Architecture

Based on README, the tool appears to be a Rust TUI built on eBPF kernel probes (aya-rs framework). It requires a nightly Rust toolchain and eBPF compilation via bpf-linker, suggesting a complex build pipeline. The feature set (real-time inspection, firewall rules, fuzzy search, metrics explorer, multi-protocol support) indicates substantial userspace/kernel-space coordination. Actual code quality, error handling, and architectural patterns cannot be evaluated without source inspection.

Tests

Not documented in README. No mention of test suites, CI/CD validation steps, or test coverage metrics.

Maintenance

Last push 2026-06-09 (18 days before analysis date) indicates active maintenance. Project created September 2024, so it is less than 2 years old but shows consistent upkeep. Presence in Arch Linux extra repository suggests some level of vetting. No explicit information about issue response times, PR merge frequency, or contributor count provided in README.

Honest verdict

ADOPT IF: you are a Linux systems administrator or network engineer who (1) requires real-time terminal-based traffic inspection, (2) run kernel 6.10+ or Ubuntu 24.04+/Debian 13+, (3) value eBPF efficiency and built-in firewall rule management, and (4) are comfortable with a young, niche project with limited third-party documentation. AVOID IF: you need cross-OS support, depend on production-grade vendor support/SLAs, require Wireshark-equivalent deep packet inspection features, or operate on older Linux kernels or distributions. MONITOR IF: you are evaluating eBPF-based observability tools in general; Oryx shows technical promise but adoption and long-term maintenance trajectory are not yet established relative to competitors.

Independent dimensions

Mainstream potential

4/10

Technical importance

6/10

Adoption evidence

3/10

Risks
  • Kernel version dependency (6.10+ ideal, or recent distribution-specific versions) creates friction for users on older/stable Linux distributions; limits addressable user base.
  • Adoption not verified at production scale; user base remains opaque; risk of dormancy if creator loses interest after initial launch phase (project is <2 years old).
  • Limited third-party documentation, tutorials, or case studies; users may struggle to troubleshoot edge cases or integrate into automated workflows.
  • Build complexity (nightly Rust, eBPF linker, aya-rs framework) may deter casual users and lower barrier for contributions/forks.
  • Firewall integration and packet capture at kernel level introduce security surface (eBPF/LSM bugs, privilege escalation) — real-world hardening and security audits not documented in README.
Prediction

Oryx will likely remain a specialized, Linux-focused tool used by sysadmins and network engineers who prioritize terminal-based efficiency and eBPF performance. Mainstream adoption (competing with Sniffnet or OpenSnitch) is unlikely unless adoption barriers (kernel requirements, documentation) are significantly lowered or a compelling use case (e.g., observability integration) emerges. The project will probably stabilize as a solid niche offering rather than scale to category leadership.

0 found this helpful

Newsletter

Get analyses like this every Monday

Free weekly digest of the most interesting open-source discoveries.

Languages

Rust
99.8%
Just
0.2%

Information

Language
Rust
License
GPL-3.0
Last updated
1mo ago
Created
23mo ago
Analyzed with
anthropic/claude-haiku-4-5

Stars over time

Loading…

Contributors over time

Top 100 contributors only — repos with more will plateau at 100.

Loading…

Similar repos

domcyrus

domcyrus/rustnet

RustNet is a terminal-based, per-process network monitoring tool for Linux,...

4.7k Rust DevOps
GyulyVGC

GyulyVGC/sniffnet

Sniffnet is a cross-platform graphical application for real-time Internet...

40k Rust Security
pythops

pythops/bluetui

Bluetui is a terminal user interface (TUI) for managing Bluetooth connections...

2.9k Rust Dev Tools
curlpipe

curlpipe/ox

Ox is a terminal-based text editor written in Rust that emphasizes simplicity,...

3.7k Rust Dev Tools
evilsocket

evilsocket/opensnitch

OpenSnitch is a GNU/Linux interactive application firewall that monitors and...

13.9k Python Security
vs. alternatives
Sniffnet (39,629 stars)

Sniffnet is significantly more popular and also Rust-based. Oryx differentiates via eBPF kernel-space capture and firewall integration; Sniffnet likely uses userspace packet capture. Sniffnet has likely broader adoption and lower barrier to entry (fewer kernel version constraints).

Rustnet (4,589 stars)

Similar Rust-based network tool ecosystem competitor. Oryx's eBPF focus and TUI interface may offer different UX and performance characteristics, but comparative technical details unavailable from metadata alone.

OpenSnitch (13,831 stars)

Python-based firewall/network monitor with broader OS support (not Linux-only). OpenSnitch has significantly larger adoption. Oryx targets a more specialized Linux-only niche with kernel-space efficiency as a selling point.

tcpdump / Wireshark (category incumbents)

Oryx is not compared directly here (different maturity levels), but differentiates via modern TUI, eBPF kernel efficiency, and focus on real-time terminal-based analysis vs. GUI or traditional CLI tooling.