Supabase Blog

What is eBPF?


eBPF (extended Berkeley Packet Filter) is a technology in the Linux kernel that lets you run sandboxed programs in the kernel without changing kernel source or loading kernel modules.

Why eBPF?

  • Safe: Programs are verified before execution; invalid or unsafe code is rejected.
  • Efficient: Runs in the kernel, so you can observe and act on events with low overhead.
  • Flexible: Attaches to many hook points, such as network packets, system calls and tracepoints.

Main use cases

  1. Observability – Tracing, metrics, and profiling (e.g. BPF Compiler Collection (BCC), bpftrace).
  2. Networking – Load balancing, DDoS mitigation, custom packet processing (e.g. Cilium).
  3. Security – Runtime security, audit, and enforcement (e.g. Falco, Tracee).

How it works (simplified)

  1. You write a program in C or a higher-level language (e.g. bpftrace script).
  2. It is compiled to BPF bytecode.
  3. The kernel verifier checks it for safety (memory bounds, no loops that can’t be proven finite, etc.) and rejects anything it cannot prove safe.
  4. The kernel JIT-compiles the bytecode to native code, and the program is attached to a hook (e.g. kprobe, tracepoint, XDP).
  5. When the hook fires, your program runs in the kernel and can submit data to user space via maps or perf buffers.
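As an added example that is not part of the original post, the bpftrace script below walks through steps 4 and 5 for a typical security use case: it attaches to the execve syscall tracepoints, streams each execution to user space through the perf buffer, and keeps counts in BPF maps that user space reads every 10 seconds. The file name exec_watch.bt is assumed.

```bpftrace
#!/usr/bin/env bpftrace
// Assumed file name: exec_watch.bt. Run with: sudo bpftrace exec_watch.bt

BEGIN
{
    printf("%-8s %-6s %-16s %s\n", "PID", "UID", "COMM", "FILENAME");
}

// Hook point (step 4): the syscall tracepoint fires in the kernel on every execve().
tracepoint:syscalls:sys_enter_execve
{
    // Per-event output reaches user space through the perf buffer (step 5).
    // At sys_enter the image has not been replaced yet, so comm is still the caller's name.
    printf("%-8d %-6d %-16s %s\n", pid, uid, comm, str(args->filename));

    // Aggregation lives in a BPF map keyed by the calling command name.
    @execs_by_comm[comm] = count();
}

// Failed execve() attempts return a negative errno, e.g. ENOENT for a missing binary.
tracepoint:syscalls:sys_exit_execve
/args->ret < 0/
{
    @exec_failures[comm, args->ret] = count();
}

// User space reads both maps every 10 s and resets them.
interval:s:10
{
    print(@execs_by_comm);
    print(@exec_failures);
    clear(@execs_by_comm);
    clear(@exec_failures);
}
```

bpftrace prints any non-empty maps again when the script exits, so stopping it with Ctrl-C shows the counts accumulated since the last interval.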

Try it

# bpftrace one-liner: count syscalls by process name (comm)
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_* { @[comm] = count(); }'

Learn more

  • eBPF.io – Overview and resources
  • BCC – Toolchain and libraries
  • bpftrace – High-level tracing language