eBPF
eBPF (extended Berkeley Packet Filter) is a Linux kernel technology that allows sandboxed programs to run in a privileged context, such as the operating system kernel, without changing kernel source code or loading kernel modules. It enables developers to write small, efficient programs that attach to kernel hooks (tracepoints, kprobes, network and socket paths, among others) to observe, filter, and manipulate system events in real time, providing deep visibility into and control over system behavior. eBPF programs are compiled to bytecode that the in-kernel verifier checks before the program is loaded; programs that could crash or compromise the kernel, for example by looping without bound or accessing memory out of bounds, are rejected.
Developers should learn eBPF when building performance monitoring, security enforcement, networking, or observability tools that require low-level system introspection without the overhead of traditional kernel modules. It is particularly valuable for use cases like real-time network traffic analysis, system call tracing, security anomaly detection, and performance profiling in cloud-native environments, as it offers high efficiency and minimal performance impact compared to alternatives like kernel modules or user-space polling.
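As an added example (not code from the original page), the following bcc-style script illustrates the syscall-tracing and anomaly-detection use case described above: an eBPF program attached to the execve tracepoint reports each exec to user space, where a simple rule flags service workers spawning a shell. It assumes the bcc Python bindings and root (or CAP_BPF) to attach the tracepoint; the service watch-list and sample events are constructed for the example, and without bcc the rule runs only over those samples.

```python
"""Added example, not from the page: eBPF execve tracing plus a user-space detection
rule. Assumes bcc Python bindings and root; otherwise constructed sample events are used."""
import os
# eBPF program (bcc C dialect) attached to the sys_enter_execve tracepoint. The kernel
# verifier checks it before loading; it sends the caller's comm and the exec'd path up.
BPF_SRC = r"""
#include <linux/sched.h>
struct event_t { char comm[TASK_COMM_LEN]; char fname[128]; };
BPF_PERF_OUTPUT(events);
TRACEPOINT_PROBE(syscalls, sys_enter_execve) {
    struct event_t e = {};
    bpf_get_current_comm(&e.comm, sizeof(e.comm));  /* caller's name, inherited from parent */
    bpf_probe_read_user_str(&e.fname, sizeof(e.fname), args->filename);
    events.perf_submit(args, &e, sizeof(e));
    return 0;
}
"""

SHELLS = {"sh", "bash", "dash", "zsh"}
SERVICE_CALLERS = {"nginx", "apache2", "httpd"}  # hypothetical watch-list of service names

def flag_exec(caller_comm, filename):
    """Detection rule: a service worker exec'ing a shell yields an alert string, else None."""
    prog = os.path.basename(filename)
    if caller_comm in SERVICE_CALLERS and prog in SHELLS:
        return f"ALERT: {caller_comm} executed {prog} ({filename})"
    return None
def scan(events):
    """Apply the rule to (caller_comm, filename) pairs and return the alerts raised."""
    return [a for a in (flag_exec(c, f) for c, f in events) if a]

# Constructed sample events for offline use (not captured from a real system).
SAMPLE_EVENTS = [("nginx", "/bin/sh"), ("bash", "/usr/bin/ls"), ("apache2", "/usr/bin/bash")]

def run_live():
    from bcc import BPF  # needs bcc installed and CAP_BPF/root to attach the tracepoint
    b = BPF(text=BPF_SRC)
    def handle(cpu, data, size):
        e = b["events"].event(data)
        alert = flag_exec(e.comm.decode(errors="replace"), e.fname.decode(errors="replace"))
        if alert:
            print(alert)
    b["events"].open_perf_buffer(handle)
    while True:
        b.perf_buffer_poll()

if __name__ == "__main__":
    if os.geteuid() == 0:
        run_live()
    else:
        print("\n".join(scan(SAMPLE_EVENTS)))
```

Run as root with bcc installed it attaches the tracepoint and prints alerts live; otherwise it prints the two alerts the sample events trigger.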