Summary AgentSight offers zero-instrumentation observability for LLM agents, monitoring system-level interactions via eBPF. It captures encrypted traffic and subprocesses without code changes, providing deep insights into AI agent behavior with minimal performance overhead. Ideal for engineers and researchers needing comprehensive, non-intrusive monitoring.

How It Works Leveraging eBPF at the kernel level, AgentSight intercepts SSL/TLS traffic and monitors process events, bypassing application instrumentation. Data streams through a Rust analysis framework and is visualized via a React/TypeScript frontend. This system-level approach captures critical interactions like subprocesses, raw encrypted payloads, and file operations, often missed by application-level tools.

Quick Start & Requirements Installation via Docker or source build.

• Docker: docker run --privileged --pid=host --network=host -v /sys:/sys:ro -v /usr:/usr:ro -v /lib:/lib:ro ghcr.io/eunomia-bpf/agentsight:latest record --comm python
• Source: Clone repo (git clone --recursive ...), install deps (make install), build (make build).
• Prerequisites: Linux kernel 4.1+ (5.0+ recommended) with eBPF, root privileges, Rust 1.88.0+, Node.js 18+, build tools (clang, llvm, libelf-dev).
• Web Interface: http://127.0.0.1:7395.

Highlighted Details

• Zero Instrumentation: No code changes, dependencies, or SDKs needed.
• System-Level Visibility: Captures encrypted traffic, subprocesses, file operations, cross-agent communication.
• Encrypted Traffic Capture: Provides unencrypted SSL/TLS request/response data.
• Low Performance Overhead: Claims <3% CPU impact.
• Specific Agent Support: Examples for Claude Code, Gemini CLI, Python/Node.js AI tools; requires --binary-path for statically linked SSL libraries.

Maintenance & Community Project welcomes contributions; links to design docs provided (CLAUDE.md, collector/DESIGN.md, docs/why.md). Specific community channels or maintainer details are absent from the README.

Licensing & Compatibility MIT License, permitting commercial use and integration into closed-source projects.

Limitations & Caveats Requires Linux (kernel 4.1+) and root. Applications statically linking SSL libraries need --binary-path for accurate SSL capture. Standalone tools (browsertrace, stdiocap) exist for niche use cases.