eBPF (extended Berkeley Packet Filter) is a Linux kernel technology that lets you run sandboxed, verified user programs at specified attach points inside the kernel—without modifying kernel source or loading kernel modules. Originally a packet-filtering mechanism, eBPF has grown into a general-purpose in-kernel execution environment used for networking, tracing, observability, and security.
eBPF programs are typically written in a restricted subset of C, compiled to eBPF bytecode, verified by the kernel for safety (bounded loops, no wild pointers), and attached to events like tracepoints, kprobes, uprobes, XDP hooks, and socket filters. The result is dynamic instrumentation with very low overhead—suitable for production use.
Tools built on eBPF include:
- bcc — collection of tools (execsnoop, opensnoop, biolatency, tcpretrans)
- bpftrace — high-level tracing language, like DTrace
- Cilium — networking and security for Kubernetes
- Pixie — observability platform
- Katran — load balancer used by Facebook
```shell
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("%s %s\n", comm, str(args->filename)); }'
sudo execsnoop-bpfcc
```
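As an added example (not from the page or the bpftrace project), the following bpftrace script shows how the pieces above compose: it attaches to syscall tracepoints, logs each execve() with the calling uid, and uses in-kernel eBPF maps to aggregate openat() calls, separately counting the ones the kernel refused. The script name, the map names and the EACCES/EPERM filter are my own choices.

```bpftrace
#!/usr/bin/env bpftrace
// Added example: audit execve() and openat() host-wide with eBPF maps.
// Run as root: sudo bpftrace ./exec_open_audit.bt

BEGIN
{
    printf("Tracing execve() and openat() ... Hit Ctrl-C to end.\n");
}

// Every new program image: which process, which user, which file.
tracepoint:syscalls:sys_enter_execve
{
    printf("EXEC  pid=%d uid=%d comm=%s file=%s\n",
           pid, uid, comm, str(args->filename));
}

// Aggregate openat() by command name instead of printing each call;
// @opens is a bpftrace map, i.e. an eBPF map that lives in the kernel.
tracepoint:syscalls:sys_enter_openat
{
    @opens[comm] = count();
}

// Count only opens the kernel refused with EACCES (-13) or EPERM (-1):
// a cheap signal for processes probing files they may not read.
tracepoint:syscalls:sys_exit_openat
/args->ret == -13 || args->ret == -1/
{
    @denied[comm, uid] = count();
}

END
{
    printf("\nopenat() calls per command:\n");
    print(@opens);
    clear(@opens);
    printf("\nopenat() calls refused (EACCES/EPERM) per command and uid:\n");
    print(@denied);
    clear(@denied);
}
```

The maps are printed and cleared in END so bpftrace does not dump them a second time on exit.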
eBPF has become one of the most significant developments in the Linux kernel of the 2020s, underpinning new generations of networking, observability, and security tools that would have required kernel modules a decade ago.
Discussed in:
- Chapter 19: Performance and Observability — eBPF: The Modern Frontier
Also defined in: Textbook of Linux