eBPF Explained: Core Concepts, Use Cases, and Best Practices

What is eBPF?

eBPF is a technology that allows sandboxed programs to run inside the kernel, providing a safe way to inject code when kernel or user events occur, enabling non‑kernel developers to control the kernel.

Originally a packet‑filter extension, eBPF has evolved to cover networking, security, tracing, and more, superseding classic BPF (cBPF) with extended capabilities.

eBPF Application Scenarios

Network Optimization

High Performance : JIT compilation yields near‑native execution speed.

High Scalability : Allows rapid addition of protocol parsers and routing policies within the kernel context.

Fault Diagnosis

eBPF uses kprobe and tracepoints to provide end‑to‑end tracing of kernel and user space, enabling fast fault diagnosis and efficient profiling without the heavy data export overhead of traditional systems.

Security Control

eBPF can observe all system calls, network packets, and socket operations, combining process‑context tracing, network‑level filtering, and system‑call filtering to enhance security enforcement.

Performance Monitoring

Unlike traditional tools such as sar that only expose static counters, eBPF allows programmable, dynamic collection and edge‑computing aggregation of custom metrics and events, greatly expanding monitoring capabilities.

Why Did eBPF Appear?

Safety : Programs must pass a verifier, cannot contain unreachable code, and may only call approved helper functions; stack size is limited to 512 bytes.

Efficiency : JIT compilation and in‑kernel execution avoid user‑space data copies, providing near‑native event handling speed.

Standard : BPF helpers, BTF, and PERF MAP offer standardized interfaces and data models.

Powerful : Extends registers, introduces BPF maps, and expands from packet filtering to kernel functions, user functions, tracepoints, perf events, and security controls.

How to Use eBPF?

Write an eBPF program in C.

Compile it with LLVM to BPF bytecode.

Load the bytecode into the kernel via the bpf system call.

The kernel verifies and runs the bytecode, storing state in BPF maps.

User‑space queries the maps to retrieve program state.

A complete eBPF program consists of a user‑space component (handling loading, attaching, and map management) and a kernel‑space component (restricted to helper calls and safe memory access via bpf_probe_read).

eBPF Program Classification and Usage Scenarios

List supported program types:

bpftool feature probe | grep program_type

eBPF program_type socket_filter is available

eBPF program_type kprobe is available

eBPF program_type sched_cls is available

eBPF program_type sched_act is available

eBPF program_type tracepoint is available

eBPF program_type xdp is available

eBPF program_type perf_event is available

eBPF program_type cgroup_skb is available

eBPF program_type cgroup_sock is available

eBPF program_type lwt_in is available

eBPF program_type lwt_out is available

eBPF program_type lwt_xmit is available

eBPF program_type sock_ops is available

eBPF program_type sk_skb is available

eBPF program_type cgroup_device is available

eBPF program_type sk_msg is available

eBPF program_type raw_tracepoint is available

eBPF program_type cgroup_sock_addr is available

eBPF program_type lwt_seg6local is available

eBPF program_type lirc_mode2 is NOT available

eBPF program_type sk_reuseport is available

eBPF program_type flow_dissector is available

eBPF program_type cgroup_sysctl is available

eBPF program_type raw_tracepoint_writable is available

eBPF program_type cgroup_sockopt is available

eBPF program_type tracing is available

eBPF program_type struct_ops is available

eBPF program_type ext is available

eBPF program_type lsm is available

Typical usage categories:

Tracing – tracepoints, kprobes, perf events for monitoring and debugging.

Networking – XDP, sock_ops, cgroup_sock_addr, sk_msg for packet filtering, redirection, and load balancing.

Security and Others – LSM for security, flow_dissector, lwt_in for specialized tasks.

Implementation Principles of eBPF

eBPF operates in the kernel through five cooperating modules:

BPF Verifier : Builds a directed acyclic graph of the program, checks for unreachable or unsafe instructions.

BPF JIT : Compiles BPF bytecode to native machine code for efficient execution.

Register/Stack Storage : Provides 64‑bit registers, a program counter, and a 512‑byte stack for program state.

BPF Helpers : Kernel‑provided functions that eBPF programs may call, varying by program type.

BPF Maps & Context : Large storage structures accessible from user‑space to exchange data with eBPF programs.

Key system call:

int bpf(int cmd, union bpf_attr *attr, unsigned int size);

Important commands include BPF_PROG_LOAD (load program) and various BPF_MAP_* commands (manage maps).

Program loading flow:

Load program via BPF_PROG_LOAD, receiving a file descriptor.

Attach the program to an event (e.g., kprobe) using bpf attach operations, which internally create a perf event and bind the BPF program via PERF_EVENT_IOC_SET_BPF.

Map operations manipulate BPF maps, allowing user‑space to read/write program state.

Current Development Status of eBPF

Kernel Support

Supported on Linux kernels ≥ 4.14.

Ecosystem

Infrastructure

Linux Kernel

LLVM

Development Toolkits

Go: cilium/ebpf , libbpfgo

C/C++: libbpf

eBPF Applications

BCC – github.com/iovisor/bcc

bpftrace – github.com/iovisor/bpftrace

Cilium – github.com/cilium/cilium (network optimization & security)

Falco – github.com/falcosecurity/falco (runtime security)

Katran – github.com/facebookincubator/katran (high‑performance L4 load balancing)

Hubble – github.com/cilium/hubble (observability)

Kindling – github.com/CloudDectective-Harmonycloud/kindling

Pixie – github.com/pixie-io/pixie

kubectl‑trace – github.com/iovisor/kubectl-trace

L3AF – github.com/l3af-project/l3afd

Ply – github.com/iovisor/ply

Tracee – github.com/aquasecurity/tracee

Reference sites:

https://ebpf.io/projects

https://github.com/zoidbergwill/awesome-ebpf

Conclusion

Effective use of eBPF requires deep understanding of the software stack to select appropriate instrumentation points that correlate with real‑world problems. Its strengths—full coverage, non‑intrusive deployment, and programmability—make it a powerful tool for modern observability, security, and performance engineering.