How eBPF Transformed Linux: From BPF Roots to Modern Observability

eBPF History

Before eBPF, BPF (Berkeley Packet Filter) was created in 1992 by Van Jacobson for packet filtering in Unix kernels. It provided a simple virtual machine but was limited in functionality. Tools like libpcap and tcpdump were built on BPF.

eBPF was introduced in Linux 3.18 (2014) to overcome BPF’s limitations. It offers a richer instruction set, just‑in‑time compilation, and can run complex, dynamic programs for networking, security, and performance optimization.

Kernel Compatibility

eBPF requires Linux 4.1 or newer; kernels older than 4.1 cannot run eBPF programs. For kernels before 4.9, CO‑RE (Compile‑Once‑Run‑Everywhere) is unavailable, so developers may need to provide kernel upgrade packages.

Permissions and Safety

Loading eBPF programs needs root or CAP_SYS_ADMIN capability. Before execution, the eBPF verifier checks that programs contain no loops, stay within the maximum instruction count, have no unreachable code, and do not jump outside program bounds.

kprobe vs uprobe

kprobe instruments kernel functions; uprobe instruments user‑space functions. kprobe is simpler and less dependent on external libraries, but may require reassembly of split system calls and cannot handle TLS. uprobe can capture user‑space context, is TLS‑compatible, but is sensitive to library versions and adds call‑overhead.

Performance Overhead

Benchmarks of a Golang HTTP‑1 program show that when request latency exceeds 1 ms, the overhead of both kprobe and uprobe is negligible. High‑frequency functions should still be traced sparingly.

Tracing Capabilities

eBPF can trace specific function arguments and return values by attaching to named or address‑based hooks. The list of available hook points can be queried with

/sys/kernel/debug/tracing/available_filter_functions

.

Event‑Loss Risks

kprobe and uprobe events themselves are not lost, but the perf‑event ring buffer used by eBPF can drop events if write speed exceeds read speed. Similarly, eBPF maps have size limits; when full, new data cannot be written, leading to loss and performance degradation.

Outlook

eBPF continues to expand its role in networking, observability, and security, with growing adoption by major tech companies and the open‑source community. Future extensions are expected to enable more innovative network and system tools.