Welcome to the Introduction to eBPF repository! This repository is a curated collection of resources, examples, and tools to help you dive into the powerful world of eBPF (extended Berkeley Packet Filter). Whether you’re a beginner or an advanced user, this repository provides theory, practical knowledge, and interactive labs to enhance your understanding of eBPF.
eBPF is a revolutionary technology that allows you to run custom programs in the Linux kernel safely and efficiently without modifying kernel source code. It’s used for:
- Observability and performance monitoring.
- Networking and security.
- Debugging and tracing applications.
eBPF programs are JIT-compiled and run in a sandboxed environment, offering minimal overhead with maximum flexibility.
eBPF (extended Berkeley Packet Filter) revolutionizes network data handling by allowing custom, high-performance code to run safely inside the Linux kernel. This enables deep packet inspection, real-time filtering (for example, DDoS defense), advanced load balancing, and granular observability (network and security monitoring) without modifying applications or the kernel. It works by attaching small programs to kernel "hooks" (network events) that analyze packet headers (IP, TCP/UDP), metadata, and even application data, and by using maps for efficient communication with user-space tools. The result is large gains in security and performance for cloud-native environments.
- Learning eBPF by Liz Rice (Theory Knowledge) – A great introduction to the concepts and architecture of eBPF.
- BPF Performance Tools by Brendan Gregg (Practical Knowledge) – A comprehensive guide to leveraging eBPF for performance analysis.

- Interactive eBPF Lab 1 – A beginner-friendly interactive lab to understand eBPF fundamentals.
- Interactive eBPF Lab 2 – Dive deeper into writing eBPF programs with this hands-on tutorial.

- Tutorial: Getting Started with eBPF - Liz Rice, Isovalent – A beginner's introduction to eBPF, covering key concepts and workflows.
- A Beginner's Guide to eBPF Programming with Go • Liz Rice • GOTO 2021 – For those who want to learn eBPF using the native Go library.
- What is eBPF – eBPF explained in 120 seconds.

- eBPF.io – Stay updated with the latest eBPF developments, projects, and documentation.

- LeARN: Leveraging eBPF & AI for Ransomware Nose Out
- Libbpf:
  - Difficulty: Hard
  - Write eBPF programs using BPF CO-RE (Compile Once, Run Everywhere) in pure C.
  - Highly customizable with full control over your programs.
- BCC Tools (Python Wrappers):
  - Difficulty: Mid-Hard
  - Simplify eBPF programming using higher-level APIs with Python wrappers.
  - Note: BCC Tools supports Lua & Python but does not support Go.
  - GitHub Repository: BCC Tools
- Native Go Library:
  - Difficulty: Mid-Hard
  - Write eBPF programs directly in Go using its native support for eBPF.
  - Useful Repository: Cilium eBPF Library for Go
  - Ideal for Go developers, offering flexibility and direct kernel interaction.
- BPFtrace:
  - Difficulty: Easy-Mid
  - Write eBPF scripts using a high-level scripting language.
  - GitHub Repository: BPFtrace
  - Perfect for quick prototyping and observability tasks.
Explore example programs written with popular eBPF tools to trace system events and gain insights into kernel behavior.
- Using BPFtrace:
  - GitHub Repository: BPFtrace Tools Examples
  - Examples include simple tracing programs for file operations, system calls, and performance monitoring.
- Using BCC Tools (Python Wrapper):
  - GitHub Repository: BCC Tools Examples
  - Examples include Python-based tools for tracing TCP connections, disk I/O, and process-level events.
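As an added example (not code from this repository or from the BPFtrace project) of the hook-and-map model described above and of the kind of file-operation tracing the BPFtrace examples cover, the following bpftrace script attaches to the openat syscall tracepoints, reports every open of a file under /etc/ together with the syscall result, and keeps a per-process count in a BPF map that bpftrace prints when the script exits. The /etc/ prefix is an assumption chosen for illustration; run it as root with `bpftrace ./etc_opens.bt`.

```bpftrace
#!/usr/bin/env bpftrace
// Added example, not part of the repository: watch which processes open
// configuration files under /etc/ (assumed prefix) and summarize per process.

BEGIN
{
    printf("Tracing opens of /etc/* ... Hit Ctrl-C to end.\n");
    printf("%-8s %-16s %-6s %s\n", "TIME", "COMM", "PID", "FILE");
}

// Hook 1: syscall entry. Remember the filename pointer per thread so the
// path can be matched with the result when the syscall returns.
tracepoint:syscalls:sys_enter_openat
{
    @fname[tid] = args->filename;
}

// Hook 2: syscall exit. Only fires for threads we saw enter above.
tracepoint:syscalls:sys_exit_openat
/@fname[tid]/
{
    $path = str(@fname[tid]);
    if (strncmp($path, "/etc/", 5) == 0) {
        time("%H:%M:%S ");
        // ret is the new fd on success or -errno on failure (e.g. -13 = EACCES)
        printf("%-16s %-6d %s (ret=%d)\n", comm, pid, $path, args->ret);
        // Map shared with user space: aggregated in the kernel, read on exit.
        @opens[comm] = count();
    }
    delete(@fname[tid]);
}

END
{
    // Drop the scratch map; @opens is printed automatically as the summary.
    clear(@fname);
}
```

Failed opens (negative ret) of files under /etc/ are often the more interesting rows for a defender, since they show processes probing for configuration they are not permitted to read.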
eBPF is being adapted for the Windows platform, offering similar capabilities to its Linux counterpart.
Key Notes:
- This project is currently under development.
- The documentation and resources available for eBPF on Windows are not yet vast but are growing steadily.
To be Continued...