Integrate libbpf
Capmon now uses libbpf instead of the less capable debugfs kprobes. This opens up more possibilities and allows for better and more stable control. The only drawback is that it places more requirements on the build and run environments in terms of kernel configs.
Process tracking
Process tracking runs the provided command and tracks its process ID (PID), as well as any subprocesses spawned by it. This allows filtering for only the desired processes. There are cases where this does not work: orphan processes are currently not supported, and tracking stops when the initial command finishes. Monitor mode is still available for such cases.
Interactive programs are supported. Capmon ignores SIGINT (Ctrl-C) and passes it through to the running command. But this means you cannot stop Capmon directly. You can still use Ctrl-Z to put it in the background and then kill it.
Example:
capmon "tcpdump -lnei eth0"
When you stop tcpdump, Capmon outputs a summary of the capabilities accessed.
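The SIGINT handling described above can be sketched as follows. This is an added example, not Capmon's own code: run_wrapped() is a hypothetical name, and it takes an argv array rather than Capmon's single quoted command string. It shows why the command still reacts to Ctrl-C while the wrapper keeps running, and why Ctrl-Z still works (only SIGINT is ignored).

```c
/* Added illustration, not Capmon source; run_wrapped() is a hypothetical name. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv as a child while the wrapper ignores SIGINT.
 * Returns the exit code, 128+signal if a signal killed it, -1 on error. */
int run_wrapped(char *const argv[])
{
    struct sigaction ign, old;
    int status = 0, rc = -1;

    ign.sa_handler = SIG_IGN;
    ign.sa_flags = 0;
    sigemptyset(&ign.sa_mask);
    if (sigaction(SIGINT, &ign, &old) < 0)
        return -1;

    pid_t pid = fork();
    if (pid == 0) {
        /* An ignored signal stays ignored across exec, so put SIGINT back
         * to its default or Ctrl-C would not stop the command either. */
        signal(SIGINT, SIG_DFL);
        execvp(argv[0], argv);
        _exit(127);                      /* exec failed */
    }
    if (pid > 0) {
        pid_t w;
        do {
            w = waitpid(pid, &status, 0);
        } while (w < 0 && errno == EINTR);
        if (w == pid)
            rc = WIFEXITED(status) ? WEXITSTATUS(status)
               : WIFSIGNALED(status) ? 128 + WTERMSIG(status) : -1;
    }
    sigaction(SIGINT, &old, NULL);       /* wrapper is interruptible again */
    return rc;
}

int main(int argc, char **argv)
{
    if (argc < 2) return 2;              /* usage: prog command [args...] */
    return run_wrapped(argv + 1);
}
```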