Building an eBPF-based SIP Monitor in Go

Source: DEV Community
I recently built a SIP monitoring service that uses eBPF to capture SIP traffic directly in the Linux kernel and export metrics to Prometheus. The entire pipeline from packet to Prometheus metric takes ~3μs in userspace. Here's how it works and what I learned along the way.

The Problem

Monitoring SIP/VoIP infrastructure at scale requires tracking call success rates, active dialogs, and response codes — without adding latency to the signaling path. I wanted something that:

- Processes packets in kernel space
- Exports standard Prometheus metrics
- Runs as a single container
- Tracks SIP dialogs per RFC 3261
- Implements RFC 6076 performance metrics (Session Establishment Ratio)

Architecture

SIP Traffic → NIC → eBPF socket filter → ringbuf → Go poller → SIP parser → Prometheus

The eBPF program (written in C) attaches as a socket filter via AF_PACKET. It intercepts UDP packets on configurable SIP ports (default 5060/5061), copies them to a ring buffer, and the Go userspace process polls and parses
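The userspace end of the pipeline above, as an added example (not code from the original post or its project): a minimal Go parser that tracks INVITE outcomes per Call-ID and computes the RFC 6076 Session Establishment Ratio. The `Tracker` type and its methods are hypothetical names. It assumes the poller hands over the bare UDP payload, keys sessions by Call-ID alone, and does not handle compact header forms.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Tracker maps Call-ID to INVITE outcome: 'p' pending, 'a' 200 OK, 'r' 3xx (hypothetical type).
type Tracker map[string]byte

// Observe parses one UDP payload and reports whether it looked like SIP.
func (t Tracker) Observe(payload string) bool {
	lines := strings.Split(strings.SplitN(payload, "\r\n\r\n", 2)[0], "\r\n")
	hdr := map[string]string{}
	for _, l := range lines[1:] {
		k, v, _ := strings.Cut(l, ":")
		hdr[strings.ToLower(strings.TrimSpace(k))] = strings.TrimSpace(v)
	}
	start, cseq, id := strings.SplitN(lines[0], " ", 3), strings.Fields(hdr["cseq"]), hdr["call-id"]
	if len(start) != 3 || len(cseq) != 2 || id == "" || (start[0] != "SIP/2.0" && start[2] != "SIP/2.0") {
		return false
	}
	resp := start[0] == "SIP/2.0" && cseq[1] == "INVITE" && t[id] == 'p' // response to a seen, open INVITE
	switch {
	case start[0] == "INVITE" && t[id] == 0:
		t[id] = 'p' // keyed by Call-ID: retransmissions and re-INVITEs count once
	case resp && start[1] == "200":
		t[id] = 'a'
	case resp && strings.HasPrefix(start[1], "3"):
		t[id] = 'r'
	}
	return true
}

// SER is the RFC 6076 ratio: 100 * INVITEs with 200 OK / (all INVITEs - INVITEs with 3xx).
func (t Tracker) SER() float64 {
	n := map[byte]float64{}
	for _, s := range t {
		n[s]++
	}
	return 100 * n['a'] / math.Max(1, float64(len(t))-n['r']) // Max avoids 0/0 when nothing counts
}

func main() { // constructed payloads: one INVITE and its 200 OK
	t, h := Tracker{}, "\r\nCall-ID: c1\r\nCSeq: 1 INVITE\r\n\r\n"
	t.Observe("INVITE sip:bob@example.test SIP/2.0" + h)
	t.Observe("SIP/2.0 200 OK" + h)
	fmt.Println(t.SER())
}
```

A 200 OK whose CSeq method is not INVITE, or whose INVITE was never captured, leaves the ratio unchanged, which keeps BYE/OPTIONS traffic and mid-call capture starts from inflating it.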