eBPF

eBPF (extended Berkeley Packet Filter) lets you run sandboxed programs inside the Linux kernel in response to any event — a syscall, a network packet, a function call, a hardware counter. It's used by Netflix for performance analysis, Cloudflare for DDoS mitigation, and Kubernetes for networking. Think of it as a safe way to extend the kernel without writing kernel modules.

What Is eBPF?

How is eBPF different from kernel modules? Kernel modules run arbitrary code in kernel space — a bug can crash the entire system. eBPF programs are verified before loading: the kernel's eBPF verifier checks that the program terminates, doesn't access invalid memory, and doesn't cause harm. Programs are JIT-compiled to native code for near-zero overhead. The kernel guarantees safety without sacrificing performance.
eBPF execution model:

    User space writes eBPF program (C-like code)
            |
            | (bpf() syscall)
            v
    Kernel eBPF verifier
      - Ensures program terminates (no infinite loops)
      - Checks bounds on memory accesses
      - Verifies type safety
            |
            v (if verified)
    JIT compiler translates to native machine code
            |
            v
    eBPF program attached to hook point
      - kprobe (any kernel function)
      - tracepoint (static kernel events)
      - XDP (NIC driver, before sk_buff)
      - socket filter
      - cgroup hooks
            |
            v
    Event fires → eBPF program executes → writes to maps
            |
            v
    User space reads from maps via file descriptors

BCC Tools — Ready-to-Use eBPF Programs

    # Install BCC (BPF Compiler Collection):
    apt install bpfcc-tools linux-headers-$(uname -r)   # Ubuntu
    # Commands are usually named *-bpfcc

    # opensnoop: trace all file opens system-wide
    opensnoop-bpfcc
    # PID    COMM    FD  ERR PATH
    # 1234   nginx   3   0   /etc/nginx/nginx.conf
    # 5678   sshd    4   0   /etc/ssh/sshd_config

    # execsnoop: trace all program executions
    execsnoop-bpfcc
    # PCOMM  PID   PPID  RET ARGS
    # bash   1234  5678  0   ls /tmp

    # biolatency: I/O latency histogram
    biolatency-bpfcc
    #      usecs : count   distribution
    #     0 -> 1 : 500     |########
    #     2 -> 3 : 2000    |###############################
    #     4 -> 7 : 800     |############
    #    8 -> 15 : 200     |###

    # tcpconnect: trace TCP connections
    tcpconnect-bpfcc
    # PID   COMM  IP SADDR      DADDR          DPORT
    # 1234  curl  4  127.0.0.1  93.184.216.34  80

    # profile: CPU profiler
    profile-bpfcc -F 99 10   # sample at 99Hz for 10 seconds

bpftrace — One-Liners for Tracing

    # Install:
    apt install bpftrace

    # Count syscalls by name:
    bpftrace -e 'tracepoint:syscalls:sys_enter_* { @[probe] = count(); }'

    # Trace all open() calls (modern libc issues openat):
    bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("%s %s\n", comm, str(args->filename)); }'

    # Histogram of read() sizes. On a syscall exit tracepoint the return value
    # is args->ret; retval is only defined inside kretprobes.
    bpftrace -e 'tracepoint:syscalls:sys_exit_read /args->ret > 0/ { @bytes = hist(args->ret); }'

    # Trace slow disk I/O (over 10ms). The @start check skips requests that were
    # issued before tracing began, which would otherwise show a bogus huge latency.
    bpftrace -e '
    tracepoint:block:block_rq_issue { @start[args->dev, args->sector] = nsecs; }
    tracepoint:block:block_rq_complete /args->nr_sector > 0 && @start[args->dev, args->sector]/ {
      $lat = (nsecs - @start[args->dev, args->sector]) / 1000000;
      if ($lat > 10) { printf("slow I/O: %d ms\n", $lat); }
      delete(@start[args->dev, args->sector]);
    }'

    # Profile CPU by function (flame graph input):
    bpftrace -e 'profile:hz:99 { @[kstack] = count(); }' -o /tmp/bpftrace.out

Real-World eBPF Use Cases

| Tool/Product | eBPF Use |
| --- | --- |
| Cilium | Kubernetes pod networking + policy enforcement, replaces kube-proxy |
| Cloudflare | XDP-based DDoS mitigation — drop packets before kernel stack |
| Netflix | Production performance analysis (FlameScope, bpftrace) |
| Meta | Katran load balancer — XDP-based L4 load balancing |
| Falco | Container runtime security — detect anomalous syscalls |
| Pixie | Auto-instrumentation for Kubernetes without code changes |
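The Falco row above is the security side of the same event stream the BCC tools print. As an added example (not code from this page, Falco, or BCC), the Python below consumes execsnoop-bpfcc output in the column format shown earlier and applies two defender rules: a shell whose ancestry includes a server process, and a binary executed from scratch space. The server list, shell list and scratch directories are hypothetical policy choices, and the input is a constructed sample rather than a real capture.

```python
import re
from collections import namedtuple

# Constructed sample of execsnoop-bpfcc output (same columns as above; not a real capture).
SAMPLE = """\
PCOMM            PID    PPID   RET ARGS
nginx            2000   1        0 /usr/sbin/nginx -g daemon off;
sh               2101   2000     0 /bin/sh -c id
curl             2102   2101     0 /usr/bin/curl http://203.0.113.5/x
x                2103   2101     0 /tmp/x
bash             1234   5678     0 /bin/bash
ls               1235   1234    -2 /nonexistent/ls
"""

Exec = namedtuple("Exec", "pcomm pid ppid ret args")
LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(-?\d+)\s+(.*)$")

def parse(text):
    """Parse execsnoop-bpfcc text output; the header line has no digits, so it is skipped."""
    return [Exec(m[1], int(m[2]), int(m[3]), int(m[4]), m[5])
            for m in map(LINE.match, text.splitlines()) if m]

# Hypothetical policy for this example: parents that should never spawn a shell,
# what counts as a shell, and which directories are treated as scratch space.
SERVER_COMMS = {"nginx", "httpd", "postgres"}
SHELLS = {"sh", "bash", "dash", "zsh"}
SCRATCH = ("/tmp/", "/dev/shm/", "/var/tmp/")

def detect(events):
    """Return (pid, reason) pairs for exec events an analyst should review."""
    comm, parent, findings = {}, {}, []
    for e in events:
        if e.ret != 0:           # failed execve: the process image is unchanged
            continue
        comm[e.pid], parent[e.pid] = e.pcomm, e.ppid
        # Walk the ancestry we have observed; stops at pid 1 or an unseen pid.
        # The depth bound guards against a cycle caused by pid reuse.
        ancestors, p, depth = set(), e.ppid, 0
        while p in comm and depth < 64:
            ancestors.add(comm[p]); p = parent[p]; depth += 1
        hit = sorted(SERVER_COMMS & ancestors)
        if e.pcomm in SHELLS and hit:
            findings.append((e.pid, "shell spawned under " + ",".join(hit)))
        binary = e.args.split(" ", 1)[0]
        for d in SCRATCH:
            if binary.startswith(d):
                findings.append((e.pid, "binary executed from " + d))
    return findings
```

Pipe a live capture in with `execsnoop-bpfcc | python3 detect.py` style plumbing; because the rules only see execs that happened after tracing started, a server process started earlier is invisible to the ancestry walk, and the example deliberately ignores failed execs.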
