This is a eBPF simple primer post written with generous help from Claude.<\/p>\n\n\n\n
eBPF is like having magic glasses for your computer. These glasses let you see what’s happening inside your computer without stopping it or slowing it down. You can watch programs talk to each other, see how fast things are moving, and even catch bad behaviors. The best part is you can program these glasses to look for specific things and take action when they happen.<\/p>\n\n\n\n
eBPF is a technology in the Linux kernel that allows you to run small programs in a safe, sandboxed environment directly in the kernel. It was originally designed for network packet filtering but has evolved into a powerful, general-purpose monitoring and tracing framework.<\/p>\n\n\n\n
Key features:<\/p>\n\n\n\n
bpftrace is a high-level tracing language for eBPF that makes it easy to write small programs to trace and analyze system behavior. Think of bpftrace as the friendly interface to eBPF’s power.<\/p>\n\n\n\n
# Count system calls by process name\nbpftrace -e 'tracepoint:syscalls:sys_enter_* { @[comm] = count(); }'<\/code><\/pre>\n\n\n\nThis one-liner counts all system calls grouped by process name, demonstrating bpftrace’s concise yet powerful syntax.<\/p>\n\n\n\n
Kprobes and Uprobes<\/h1>\n\n\n\nKprobes<\/h2>\n\n\n\n
Kprobes (Kernel Probes) are debugging mechanisms in the Linux kernel that allow you to dynamically break into any kernel routine and collect debugging and performance information non-disruptively. They’re essentially dynamic breakpoints you can insert anywhere in the kernel code.<\/p>\n\n\n\n
Key features:<\/p>\n\n\n\n
\n- Can be attached to virtually any instruction in the kernel<\/li>\n\n\n\n
- Minimal performance impact when not triggered<\/li>\n\n\n\n
- Collect register and memory state at the probe point<\/li>\n\n\n\n
- Available in two flavors: kprobes (at function entry) and kretprobes (at function return)<\/li>\n<\/ul>\n\n\n\n
Uprobes<\/h2>\n\n\n\n
Uprobes (User Probes) are similar to kprobes but work in userspace. They allow you to trace and instrument user applications by inserting breakpoints at specific functions or instructions.<\/p>\n\n\n\n
Key features:<\/p>\n\n\n\n
\n- Trace applications without modifying their source code<\/li>\n\n\n\n
- Attach to specific functions in userspace programs<\/li>\n\n\n\n
- Monitor application behavior in production<\/li>\n\n\n\n
- Available as both uprobes (function entry) and uretprobes (function return)<\/li>\n<\/ul>\n\n\n\n
Relationship to eBPF<\/h2>\n\n\n\n
Kprobes and uprobes provide the attachment points for eBPF programs to hook into kernel and user application code. The relationship works like this:<\/p>\n\n\n\n
\n- Attachment mechanism<\/strong>: eBPF programs use kprobes\/uprobes as the “hooks” to insert themselves into kernel or application execution paths<\/li>\n\n\n\n
- Data collection<\/strong>: When a probe is triggered, the associated eBPF program executes, collecting data and potentially making decisions<\/li>\n\n\n\n
- Performance<\/strong>: eBPF added JIT compilation to make probe handlers extremely efficient<\/li>\n\n\n\n
- Programmability<\/strong>: Before eBPF, probes were limited in functionality; eBPF adds a programmable layer to determine what happens when a probe triggers<\/li>\n<\/ol>\n\n\n\n
An example in bpftrace showing both kprobe and uprobe:<\/p>\n\n\n\n
# Trace kernel function\nbpftrace -e 'kprobe:do_sys_open { printf(\"Opening file: %s\\n\", str(arg1)); }'\n\n# Trace user function in libc\nbpftrace -e 'uprobe:\/lib\/x86_64-linux-gnu\/libc.so.6:malloc { printf(\"malloc called, size: %d\\n\", arg0); }'<\/code><\/pre>\n\n\n\neBPF transformed kprobes and uprobes from simple debugging tools into a powerful, programmable observability framework, turning them from basic breakpoints into sophisticated monitoring tools with minimal performance impact.<\/p>\n","protected":false},"excerpt":{"rendered":"
This is a eBPF simple primer post written with generous help from Claude. ELI5 version eBPF is like having magic glasses for your computer. These glasses let you see what’s happening inside your computer without stopping it or slowing it down. You can watch programs talk to each other, see how fast things are moving, […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[583],"yoast_head":"\n
eBPF (Extended Berkeley Packet Filter) for dummies - Random hacking<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.streppone.it\/cosimo\/blog\/2025\/02\/ebpf-extended-berkeley-packet-filter-for-dummies\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"eBPF (Extended Berkeley Packet Filter) for dummies - Random hacking\" \/>\n<meta property=\"og:description\" content=\"This is a eBPF simple primer post written with generous help from Claude. ELI5 version eBPF is like having magic glasses for your computer. These glasses let you see what’s happening inside your computer without stopping it or slowing it down. You can watch programs talk to each other, see how fast things are moving, […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.streppone.it\/cosimo\/blog\/2025\/02\/ebpf-extended-berkeley-packet-filter-for-dummies\/\" \/>\n<meta property=\"og:site_name\" content=\"Random hacking\" \/>\n<meta property=\"article:published_time\" content=\"2025-02-21T13:55:50+00:00\" \/>\n<meta name=\"author\" content=\"cosimo\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"cosimo\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.streppone.it\/cosimo\/blog\/2025\/02\/ebpf-extended-berkeley-packet-filter-for-dummies\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.streppone.it\/cosimo\/blog\/2025\/02\/ebpf-extended-berkeley-packet-filter-for-dummies\/\"},\"author\":{\"name\":\"cosimo\",\"@id\":\"https:\/\/www.streppone.it\/cosimo\/blog\/#\/schema\/person\/c443bedbf6ecf99550d6395620801df1\"},\"headline\":\"eBPF (Extended Berkeley Packet Filter) for dummies\",\"datePublished\":\"2025-02-21T13:55:50+00:00\",\"dateModified\":\"2025-02-21T13:55:50+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.streppone.it\/cosimo\/blog\/2025\/02\/ebpf-extended-berkeley-packet-filter-for-dummies\/\"},\"wordCount\":615,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.streppone.it\/cosimo\/blog\/#\/schema\/person\/c443bedbf6ecf99550d6395620801df1\"},\"keywords\":[\"eBPF\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.streppone.it\/cosimo\/blog\/2025\/02\/ebpf-extended-berkeley-packet-filter-for-dummies\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.streppone.it\/cosimo\/blog\/2025\/02\/ebpf-extended-berkeley-packet-filter-for-dummies\/\",\"url\":\"https:\/\/www.streppone.it\/cosimo\/blog\/2025\/02\/ebpf-extended-berkeley-packet-filter-for-dummies\/\",\"name\":\"eBPF (Extended Berkeley Packet Filter) for dummies - Random hacking\",\"isPartOf\":{\"@id\":\"https:\/\/www.streppone.it\/cosimo\/blog\/#website\"},\"datePublished\":\"2025-02-21T13:55:50+00:00\",\"dateModified\":\"2025-02-21T13:55:50+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.streppone.it\/cosimo\/blog\/2025\/02\/ebpf-extended-berkeley-packet-filter-for-dummies\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.streppone.it\/cosimo\/blog\/2025\/02\/ebpf-extended-berkeley-packet-filter-for-dummies\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.streppone.it\/cosimo\/blog\/2025\/02\/ebpf-extended-berkeley-packet-filter-for-dummies\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.streppone.it\/cosimo\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"eBPF (Extended Berkeley Packet Filter) for dummies\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.streppone.it\/cosimo\/blog\/#website\",\"url\":\"https:\/\/www.streppone.it\/cosimo\/blog\/\",\"name\":\"Random hacking\",\"description\":\"Assume nothing. Code defensively. Keep it simple, stupid!\",\"publisher\":{\"@id\":\"https:\/\/www.streppone.it\/cosimo\/blog\/#\/schema\/person\/c443bedbf6ecf99550d6395620801df1\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.streppone.it\/cosimo\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/www.streppone.it\/cosimo\/blog\/#\/schema\/person\/c443bedbf6ecf99550d6395620801df1\",\"name\":\"cosimo\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.streppone.it\/cosimo\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/cb1d938720df45a2720724aae99e3bfc?s=96&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/cb1d938720df45a2720724aae99e3bfc?s=96&r=g\",\"caption\":\"cosimo\"},\"logo\":{\"@id\":\"https:\/\/www.streppone.it\/cosimo\/blog\/#\/schema\/person\/image\/\"},\"url\":\"https:\/\/www.streppone.it\/cosimo\/blog\/author\/cosimo\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"eBPF (Extended Berkeley Packet Filter) for dummies - Random hacking","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.streppone.it\/cosimo\/blog\/2025\/02\/ebpf-extended-berkeley-packet-filter-for-dummies\/","og_locale":"en_US","og_type":"article","og_title":"eBPF (Extended Berkeley Packet Filter) for dummies - Random hacking","og_description":"This is a eBPF simple primer post written with generous help from Claude. ELI5 version eBPF is like having magic glasses for your computer. These glasses let you see what’s happening inside your computer without stopping it or slowing it down. You can watch programs talk to each other, see how fast things are moving, […]","og_url":"https:\/\/www.streppone.it\/cosimo\/blog\/2025\/02\/ebpf-extended-berkeley-packet-filter-for-dummies\/","og_site_name":"Random hacking","article_published_time":"2025-02-21T13:55:50+00:00","author":"cosimo","twitter_card":"summary_large_image","twitter_misc":{"Written by":"cosimo","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.streppone.it\/cosimo\/blog\/2025\/02\/ebpf-extended-berkeley-packet-filter-for-dummies\/#article","isPartOf":{"@id":"https:\/\/www.streppone.it\/cosimo\/blog\/2025\/02\/ebpf-extended-berkeley-packet-filter-for-dummies\/"},"author":{"name":"cosimo","@id":"https:\/\/www.streppone.it\/cosimo\/blog\/#\/schema\/person\/c443bedbf6ecf99550d6395620801df1"},"headline":"eBPF (Extended Berkeley Packet Filter) for dummies","datePublished":"2025-02-21T13:55:50+00:00","dateModified":"2025-02-21T13:55:50+00:00","mainEntityOfPage":{"@id":"https:\/\/www.streppone.it\/cosimo\/blog\/2025\/02\/ebpf-extended-berkeley-packet-filter-for-dummies\/"},"wordCount":615,"commentCount":0,"publisher":{"@id":"https:\/\/www.streppone.it\/cosimo\/blog\/#\/schema\/person\/c443bedbf6ecf99550d6395620801df1"},"keywords":["eBPF"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.streppone.it\/cosimo\/blog\/2025\/02\/ebpf-extended-berkeley-packet-filter-for-dummies\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.streppone.it\/cosimo\/blog\/2025\/02\/ebpf-extended-berkeley-packet-filter-for-dummies\/","url":"https:\/\/www.streppone.it\/cosimo\/blog\/2025\/02\/ebpf-extended-berkeley-packet-filter-for-dummies\/","name":"eBPF (Extended Berkeley Packet Filter) for dummies - Random hacking","isPartOf":{"@id":"https:\/\/www.streppone.it\/cosimo\/blog\/#website"},"datePublished":"2025-02-21T13:55:50+00:00","dateModified":"2025-02-21T13:55:50+00:00","breadcrumb":{"@id":"https:\/\/www.streppone.it\/cosimo\/blog\/2025\/02\/ebpf-extended-berkeley-packet-filter-for-dummies\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.streppone.it\/cosimo\/blog\/2025\/02\/ebpf-extended-berkeley-packet-filter-for-dummies\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.streppone.it\/cosimo\/blog\/2025\/02\/ebpf-extended-berkeley-packet-filter-for-dummies\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.streppone.it\/cosimo\/blog\/"},{"@type":"ListItem","position":2,"name":"eBPF (Extended Berkeley Packet Filter) for dummies"}]},{"@type":"WebSite","@id":"https:\/\/www.streppone.it\/cosimo\/blog\/#website","url":"https:\/\/www.streppone.it\/cosimo\/blog\/","name":"Random hacking","description":"Assume nothing. Code defensively. Keep it simple, stupid!","publisher":{"@id":"https:\/\/www.streppone.it\/cosimo\/blog\/#\/schema\/person\/c443bedbf6ecf99550d6395620801df1"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.streppone.it\/cosimo\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/www.streppone.it\/cosimo\/blog\/#\/schema\/person\/c443bedbf6ecf99550d6395620801df1","name":"cosimo","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.streppone.it\/cosimo\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/cb1d938720df45a2720724aae99e3bfc?s=96&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/cb1d938720df45a2720724aae99e3bfc?s=96&r=g","caption":"cosimo"},"logo":{"@id":"https:\/\/www.streppone.it\/cosimo\/blog\/#\/schema\/person\/image\/"},"url":"https:\/\/www.streppone.it\/cosimo\/blog\/author\/cosimo\/"}]}},"_links":{"self":[{"href":"https:\/\/www.streppone.it\/cosimo\/blog\/wp-json\/wp\/v2\/posts\/1038"}],"collection":[{"href":"https:\/\/www.streppone.it\/cosimo\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.streppone.it\/cosimo\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.streppone.it\/cosimo\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.streppone.it\/cosimo\/blog\/wp-json\/wp\/v2\/comments?post=1038"}],"version-history":[{"count":1,"href":"https:\/\/www.streppone.it\/cosimo\/blog\/wp-json\/wp\/v2\/posts\/1038\/revisions"}],"predecessor-version":[{"id":1039,"href":"https:\/\/www.streppone.it\/cosimo\/blog\/wp-json\/wp\/v2\/posts\/1038\/revisions\/1039"}],"wp:attachment":[{"href":"https:\/\/www.streppone.it\/cosimo\/blog\/wp-json\/wp\/v2\/media?parent=1038"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.streppone.it\/cosimo\/blog\/wp-json\/wp\/v2\/categories?post=1038"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.streppone.it\/cosimo\/blog\/wp-json\/wp\/v2\/tags?post=1038"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}