This looks pretty slick. We have been looking at eBPF to capture some debugging traffic without having to have session key logging. The additional ability to capture bash commands and MySQL queries could be useful; I just spent almost an entire day tracking down a bug that seeing the wire MySQL commands would have cut to the chase. I was logging the queries I thought were interesting, but another part of the code was doing a query that was interfering, but was not on my radar.