eBPF on Linux: Complete Guide to Modern Observability and Networking

Extended Berkeley Packet Filter (eBPF) has revolutionized how we approach observability, networking, and security in Linux systems. In 2026, eBPF has become the de facto standard for high-performance system monitoring and network management. This comprehensive guide explores eBPF from fundamentals to advanced implementations, providing practical examples for modern infrastructure.

What is eBPF?

eBPF is a revolutionary technology that allows running sandboxed programs in the Linux kernel without changing kernel source code or loading kernel modules. Originally derived from the Berkeley Packet Filter (BPF), eBPF has evolved into a general-purpose execution engine that can safely and efficiently extend kernel capabilities.

Unlike traditional kernel modules that can crash the entire system, eBPF programs are verified before execution, ensuring they cannot harm the kernel. This safety mechanism, combined with JIT (Just-In-Time) compilation for near-native performance, makes eBPF ideal for production environments.

Why eBPF Matters in 2026

The adoption of eBPF has accelerated dramatically due to several factors:

• Zero-overhead observability: Monitor systems without significant performance impact
• Kubernetes native monitoring: Deep visibility into containerized workloads
• Network security: Implement sophisticated security policies at the kernel level
• Service mesh performance: Replace traditional sidecars with kernel-level networking
• Cloud-native infrastructure: Major cloud providers now offer eBPF-based services

eBPF Architecture and Components

Understanding eBPF architecture is crucial for leveraging its capabilities effectively.

Core Components

1. eBPF Programs: Small programs written in restricted C that run in kernel space. They attach to various kernel hooks and events.

2. eBPF Maps: Key-value data structures that allow communication between eBPF programs and user space applications.

3. eBPF Verifier: Ensures program safety by analyzing code paths, checking memory access, and preventing infinite loops.

4. JIT Compiler: Translates eBPF bytecode into native machine code for optimal performance.

Setting Up eBPF Development Environment

Before diving into eBPF programming, you need a proper development environment. Here’s how to set it up on modern Linux distributions.

Prerequisites

First, check your kernel version. eBPF requires Linux kernel 4.4 or later, but for full features, kernel 5.4+ is recommended:

uname -r

ubuntu-debian">Installing BCC Tools (Ubuntu/Debian)

BCC (BPF Compiler Collection) provides high-level tools for eBPF development:

sudo apt update
sudo apt install -y bpfcc-tools linux-headers-5.15.0-160-generic
sudo apt install -y python3-bpfcc libbpfcc-dev

centos-fedora">Installing BCC Tools (RHEL/CentOS/Fedora)

sudo dnf install -y bcc-tools kernel-devel-5.15.0-160-generic
sudo dnf install -y python3-bcc bcc-devel

Installing libbpf and bpftool

For modern eBPF development, libbpf provides a lighter-weight alternative to BCC:

sudo apt install -y libbpf-dev bpftool clang llvm

Verify the installation:

bpftool version
ls /usr/share/bcc/tools/

Practical eBPF Examples

Example 1: Tracing System Calls

Let’s create a simple eBPF program to trace execve system calls and monitor process execution:

#!/usr/bin/env python3
from bcc import BPF

# eBPF program
prog = """
#include <uapi/linux/ptrace.h>

int trace_execve(struct pt_regs *ctx) {
    char comm[16];
    bpf_get_current_comm(&comm, sizeof(comm));
    bpf_trace_printk("Process executed: %s\\n", comm);
    return 0;
}
"""

# Load eBPF program
b = BPF(text=prog)
b.attach_kprobe(event=b.get_syscall_fnname("execve"), fn_name="trace_execve")

print("Tracing execve system calls... Press Ctrl+C to stop")
b.trace_print()

Save this as trace_exec.py and run with:

sudo python3 trace_exec.py

Example 2: Network Packet Filtering

This example demonstrates XDP (eXpress Data Path) for ultra-fast packet filtering:

#!/usr/bin/env python3
from bcc import BPF

# XDP program to drop packets from specific IP
xdp_prog = """
#include <uapi/linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/ip.h>

int xdp_filter(struct xdp_md *ctx) {
    void *data_end = (void *)(long)ctx->data_end;
    void *data = (void *)(long)ctx->data;
    
    struct ethhdr *eth = data;
    if ((void *)(eth + 1) > data_end)
        return XDP_PASS;
    
    if (eth->h_proto != htons(ETH_P_IP))
        return XDP_PASS;
    
    struct iphdr *ip = data + sizeof(*eth);
    if ((void *)(ip + 1) > data_end)
        return XDP_PASS;
    
    // Drop packets from 192.168.1.100
    if (ip->saddr == htonl(0xC0A80164))
        return XDP_DROP;
    
    return XDP_PASS;
}
"""

b = BPF(text=xdp_prog)
fn = b.load_func("xdp_filter", BPF.XDP)

# Attach to network interface
device = "eth0"
b.attach_xdp(device, fn, 0)

print(f"XDP program loaded on {device}. Press Ctrl+C to exit")
try:
    b.trace_print()
except KeyboardInterrupt:
    pass

b.remove_xdp(device, 0)

Using Pre-built BCC Tools

BCC includes numerous ready-to-use tools for common monitoring tasks. Here are the most valuable ones:

execsnoop – Monitor Process Execution

sudo /usr/share/bcc/tools/execsnoop

This displays every process execution in real-time, perfect for security auditing.

opensnoop – Track File Opens

sudo /usr/share/bcc/tools/opensnoop -n mysql

Monitor which files are being opened by MySQL, useful for debugging and performance analysis.

tcpconnect – Monitor TCP Connections

sudo /usr/share/bcc/tools/tcpconnect

biolatency – Block I/O Latency Distribution

sudo /usr/share/bcc/tools/biolatency -m

Display I/O latency as a histogram in milliseconds, critical for storage performance troubleshooting.

eBPF for Kubernetes Observability

eBPF excels in Kubernetes environments, providing deep visibility without sidecar overhead.

Installing Cilium for eBPF-based Networking

Cilium leverages eBPF for Kubernetes networking and security:

# Install Cilium CLI
CILIUM_CLI_VERSION=v0.19.0
curl -L --fail --remote-name-all https://github.com/cilium/cilium-cli/releases/download//cilium-linux-amd64.tar.gz
sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin
rm cilium-linux-amd64.tar.gz

# Install Cilium in Kubernetes
cilium install --version 1.15.0

Hubble for Network Observability

# Enable Hubble
cilium hubble enable --ui

# View network flows
hubble observe --follow

Advanced eBPF Use Cases

1. Custom Performance Monitoring

Create custom latency tracking for specific functions in your application:

#!/usr/bin/env python3
from bcc import BPF
from time import sleep

prog = """
#include <uapi/linux/ptrace.h>

BPF_HASH(start, u32);
BPF_HISTOGRAM(dist);

int trace_func_entry(struct pt_regs *ctx) {
    u32 pid = bpf_get_current_pid_tgid();
    u64 ts = bpf_ktime_get_ns();
    start.update(&pid, &ts);
    return 0;
}

int trace_func_return(struct pt_regs *ctx) {
    u32 pid = bpf_get_current_pid_tgid();
    u64 *tsp = start.lookup(&pid);
    if (tsp != 0) {
        u64 delta = bpf_ktime_get_ns() - *tsp;
        dist.increment(bpf_log2l(delta / 1000));
        start.delete(&pid);
    }
    return 0;
}
"""

b = BPF(text=prog)
b.attach_uprobe(name="/lib/x86_64-linux-gnu/libc.so.6", sym="malloc", fn_name="trace_func_entry")
b.attach_uretprobe(name="/lib/x86_64-linux-gnu/libc.so.6", sym="malloc", fn_name="trace_func_return")

print("Tracing malloc() latency... Hit Ctrl-C to end.")
try:
    sleep(99999999)
except KeyboardInterrupt:
    print()

b["dist"].print_log2_hist("usecs")

2. Security Monitoring with eBPF

Detect suspicious system activity like privilege escalation attempts:

sudo /usr/share/bcc/tools/capable

This tool tracks capability checks, helping identify potential security issues.

eBPF Performance Considerations

While eBPF is designed for efficiency, following best practices ensures optimal performance:

• Minimize map lookups: Each map operation has overhead; cache values when possible
• Use appropriate map types: Choose between hash, array, or per-CPU maps based on access patterns
• Limit stack usage: eBPF programs have a 512-byte stack limit
• Avoid complex logic: Keep programs simple; move complex processing to user space
• Use CO-RE (Compile Once, Run Everywhere): For portable eBPF programs across kernel versions

Debugging eBPF Programs

Use bpftool to inspect loaded programs and maps:

# List all loaded eBPF programs
sudo bpftool prog list

# Show specific program details
sudo bpftool prog show id 123

# Dump map contents
sudo bpftool map dump id 456

# View program instructions
sudo bpftool prog dump xlated id 123

eBPF in Production: Real-World Examples

Major tech companies rely on eBPF for critical infrastructure:

• Facebook: Uses eBPF for load balancing (Katran) and DDoS mitigation
• Netflix: Employs eBPF for performance analysis and debugging
• Google: Implements eBPF for network security and monitoring
• Cloudflare: Leverages XDP for packet filtering at 100+ Gbps

Future of eBPF

eBPF continues to evolve with exciting developments:

• Windows eBPF: Microsoft is implementing eBPF support in Windows
• eBPF for AI/ML workloads: GPU monitoring and acceleration
• Enhanced security features: Runtime security monitoring and policy enforcement
• Cross-platform eBPF: Standardization efforts for multi-OS support

Conclusion

eBPF has transformed Linux observability, networking, and security. Its ability to safely extend kernel functionality without modifying source code makes it indispensable for modern infrastructure. Whether you’re monitoring Kubernetes clusters, implementing custom network policies, or troubleshooting performance issues, eBPF provides unparalleled visibility and control.

Start with the pre-built BCC tools to understand eBPF capabilities, then progress to writing custom programs as your needs evolve. The eBPF ecosystem is mature, well-documented, and continuously growing, making 2026 the perfect time to adopt this powerful technology.