The eBPF Ecosystem: Tools, Frameworks, and Production Solutions#

The eBPF ecosystem has evolved from a kernel feature to a rich collection of tools, frameworks, and production-ready solutions. This guide explores the entire ecosystem, helping you choose the right tools for your use case.

Tool Categories Overview#

1
graph TD
2
    A[eBPF Tools] --> B[Development Tools]
3
    A --> C[Tracing & Profiling]
4
    A --> D[Networking]
5
    A --> E[Security]
6
    A --> F[Observability]
7

8
    B --> G[bcc]
9
    B --> H[libbpf]
10
    B --> I[bpftrace]
11

12
    C --> J[perf]
13
    C --> K[flamegraph]
14

15
    D --> L[Cilium]
16
    D --> M[Calico eBPF]
17
    D --> N[Katran]
18

19
    E --> O[Falco]
20
    E --> P[Tetragon]
21

22
    F --> Q[Pixie]
23
    F --> R[Parca]

Core Development Tools#

1. BCC (BPF Compiler Collection)#

BCC makes eBPF programming accessible with Python and C++ frontends.

Installation#

1
# Ubuntu/Debian
2
sudo apt-get install bpfcc-tools linux-headers-$(uname -r)
3

4
# Fedora
5
sudo dnf install bcc bcc-tools kernel-devel
6

7
# From source
8
git clone https://github.com/iovisor/bcc.git
9
# Follow build instructions

Example: Process Execution Tracker#

1
#!/usr/bin/python
2
from bcc import BPF
3

4
# BPF program
5
prog = """
6
#include <uapi/linux/ptrace.h>
7
#include <linux/sched.h>
8

9
struct data_t {
10
    u32 pid;
11
    u32 ppid;
12
    char comm[TASK_COMM_LEN];
13
    char filename[256];
14
};
15

16
BPF_PERF_OUTPUT(events);
17

18
int trace_exec(struct pt_regs *ctx,
19
    const char __user *filename,
20
    const char __user *const __user *__argv,
21
    const char __user *const __user *__envp) {
22

23
    struct data_t data = {};
24
    struct task_struct *task;
25

26
    data.pid = bpf_get_current_pid_tgid() >> 32;
27

28
    task = (struct task_struct *)bpf_get_current_task();
29
    data.ppid = task->real_parent->tgid;
30

31
    bpf_get_current_comm(&data.comm, sizeof(data.comm));
32
    bpf_probe_read_user(&data.filename, sizeof(data.filename), filename);
33

34
    events.perf_submit(ctx, &data, sizeof(data));
35
    return 0;
36
}
37
"""
38

39
# Initialize BPF
40
b = BPF(text=prog)
41
b.attach_kprobe(event="__x64_sys_execve", fn_name="trace_exec")
42

43
# Process events
44
def print_event(cpu, data, size):
45
    event = b["events"].event(data)
46
    print(f"PID: {event.pid} PPID: {event.ppid} "
47
          f"COMM: {event.comm.decode()} "
48
          f"EXEC: {event.filename.decode()}")
49

50
# Loop with callback
51
b["events"].open_perf_buffer(print_event)
52
while True:
53
    b.perf_buffer_poll()

BCC Tools Collection#

1
# List available tools
2
ls /usr/share/bcc/tools/
3

4
# Popular tools
5
sudo biolatency      # Block I/O latency histogram
6
sudo biosnoop        # Block I/O operations
7
sudo cachestat       # Page cache hit/miss stats
8
sudo execsnoop       # Trace process execution
9
sudo opensnoop       # Trace open() syscalls
10
sudo tcpconnect      # Trace TCP connections
11
sudo tcpretrans      # TCP retransmissions

2. bpftrace - High-Level Tracing Language#

bpftrace provides a domain-specific language for eBPF, inspired by DTrace and awk.

Installation#

1
# Ubuntu/Debian
2
sudo apt-get install bpftrace
3

4
# Build from source for latest features
5
git clone https://github.com/iovisor/bpftrace
6
cd bpftrace && mkdir build && cd build
7
cmake -DCMAKE_BUILD_TYPE=Release ..
8
make -j$(nproc)
9
sudo make install

One-Liner Examples#

1
# Count syscalls by program
2
sudo bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }'
3

4
# Show files opened by process
5
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_open { printf("%s %s\n", comm, str(args->filename)); }'
6

7
# TCP accept() backlog
8
sudo bpftrace -e 'kretprobe:inet_csk_accept { @[comm] = count(); }'
9

10
# Block I/O latency
11
sudo bpftrace -e 'kprobe:blk_account_io_start { @start[arg0] = nsecs; }
12
    kprobe:blk_account_io_done /@start[arg0]/ {
13
        @usecs = hist((nsecs - @start[arg0]) / 1000); delete(@start[arg0]); }'

Complex Script Example#

1
#!/usr/bin/env bpftrace
2

3
// trace_slowqueries.bt - MySQL slow query tracer
4

5
BEGIN {
6
    printf("Tracing MySQL queries slower than 100ms... Hit Ctrl-C to end.\n");
7
}
8

9
uprobe:/usr/sbin/mysqld:*dispatch_command* {
10
    @query_start[tid] = nsecs;
11
    @query[tid] = str(arg2);
12
}
13

14
uretprobe:/usr/sbin/mysqld:*dispatch_command* /@query_start[tid]/ {
15
    $duration_ms = (nsecs - @query_start[tid]) / 1000000;
16

17
    if ($duration_ms > 100) {
18
        printf("%s: slow query (%d ms): %s\n",
19
               strftime("%H:%M:%S", nsecs),
20
               $duration_ms,
21
               @query[tid]);
22
    }
23

24
    delete(@query_start[tid]);
25
    delete(@query[tid]);
26
}
27

28
END {
29
    clear(@query_start);
30
    clear(@query);
31
}

3. libbpf - Modern eBPF Development#

libbpf is the official library for eBPF program development with CO-RE support.

Project Structure#

1
my_project/
2
├── src/
3
│   ├── my_prog.bpf.c    # eBPF program
4
│   ├── my_prog.c        # User-space code
5
│   └── my_prog.h        # Shared headers
6
├── vmlinux.h            # Generated kernel headers
7
└── Makefile

Generating vmlinux.h#

1
# Generate vmlinux.h for CO-RE
2
bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h

Modern eBPF Program with CO-RE#

1
#include "vmlinux.h"
2
#include <bpf/bpf_helpers.h>
3
#include <bpf/bpf_tracing.h>
4
#include <bpf/bpf_core_read.h>
5

6
char LICENSE[] SEC("license") = "Dual BSD/GPL";
7

8
struct {
9
    __uint(type, BPF_MAP_TYPE_RINGBUF);
10
    __uint(max_entries, 256 * 1024);
11
} rb SEC(".maps");
12

13
struct event {
14
    u32 pid;
15
    u8 comm[16];
16
    u64 mntns_id;
17
    u8 filename[256];
18
};
19

20
SEC("tracepoint/syscalls/sys_enter_openat")
21
int trace_openat_enter(struct trace_event_raw_sys_enter* ctx) {
22
    struct event *e;
23
    struct task_struct *task;
24

25
    e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
26
    if (!e)
27
        return 0;
28

29
    // Get PID and comm
30
    e->pid = bpf_get_current_pid_tgid() >> 32;
31
    bpf_get_current_comm(&e->comm, sizeof(e->comm));
32

33
    // Get mount namespace ID using CO-RE
34
    task = (struct task_struct *)bpf_get_current_task();
35
    BPF_CORE_READ_INTO(&e->mntns_id, task, nsproxy, mnt_ns, ns.inum);
36

37
    // Read filename
38
    bpf_probe_read_user_str(&e->filename, sizeof(e->filename),
39
                            (void *)ctx->args[1]);
40

41
    bpf_ringbuf_submit(e, 0);
42
    return 0;
43
}

Production Networking Solutions#

1. Cilium - eBPF-based Networking and Security#

Cilium provides networking, observability, and security for Kubernetes.

Installation#

1
# Install Cilium CLI
2
curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz
3
sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin
4

5
# Install on Kubernetes
6
cilium install
7
cilium status --wait

Network Policy Example#

1
apiVersion: cilium.io/v2
2
kind: CiliumNetworkPolicy
3
metadata:
4
  name: api-protection
5
spec:
6
  endpointSelector:
7
    matchLabels:
8
      app: api-server
9
  ingress:
10
    - fromEndpoints:
11
        - matchLabels:
12
            app: frontend
13
      toPorts:
14
        - ports:
15
            - port: "443"
16
              protocol: TCP
17
          rules:
18
            http:
19
              - method: "GET"
20
                path: "/api/v1/users"
21
              - method: "POST"
22
                path: "/api/v1/users"
23
                headers:
24
                  - "Content-Type: application/json"

Hubble - Cilium’s Observability Layer#

1
# Enable Hubble
2
cilium hubble enable --ui
3

4
# Port forward to access UI
5
cilium hubble ui
6

7
# CLI examples
8
hubble observe --namespace production
9
hubble observe --verdict DROPPED
10
hubble observe --http-status 5xx

2. Calico eBPF Mode#

Calico offers eBPF dataplane for high-performance networking.

1
# Enable eBPF mode
2
kubectl patch felixconfiguration default --type='merge' \
3
  -p '{"spec":{"bpfEnabled":true}}'
4

5
# Verify eBPF mode
6
kubectl get nodes -o yaml | grep 'projectcalico.org/bpfMode'

3. Katran - Facebook’s L4 Load Balancer#

High-performance L4 load balancer using XDP.

1
// Simplified Katran logic
2
SEC("xdp")
3
int katran_lb(struct xdp_md *ctx) {
4
    void *data_end = (void *)(long)ctx->data_end;
5
    void *data = (void *)(long)ctx->data;
6

7
    // Parse headers
8
    struct parsing_context pctx = {};
9
    if (parse_packet(data, data_end, &pctx) < 0)
10
        return XDP_PASS;
11

12
    // Lookup VIP
13
    struct vip_key vkey = {
14
        .address = pctx.dst,
15
        .port = pctx.port,
16
        .proto = pctx.proto
17
    };
18

19
    struct vip_meta *vmeta = bpf_map_lookup_elem(&vip_map, &vkey);
20
    if (!vmeta)
21
        return XDP_PASS;
22

23
    // Select real server
24
    __u32 hash = get_packet_hash(&pctx);
25
    __u32 real_idx = hash % vmeta->num_reals;
26

27
    // Encapsulate and forward
28
    return encap_and_forward(ctx, real_idx);
29
}

Security Tools#

1. Falco - Runtime Security#

Falco uses eBPF to detect anomalous behavior in applications.

Installation and Usage#

1
# Install Falco
2
curl -s https://falco.org/repo/falcosecurity-3672BA8F.asc | apt-key add -
3
echo "deb https://download.falco.org/packages/deb stable main" | \
4
  tee -a /etc/apt/sources.list.d/falcosecurity.list
5
apt-get update -y
6
apt-get install -y falco
7

8
# Custom rules
9
cat > /etc/falco/rules.d/custom.yaml <<EOF
10
- rule: Unauthorized Process in Container
11
  desc: Detect unauthorized process execution in containers
12
  condition: >
13
    container and proc.name != "<authorized_processes>"
14
    and not proc.name in (known_system_procs)
15
  output: >
16
    Unauthorized process in container
17
    (user=%user.name command=%proc.cmdline container=%container.name)
18
  priority: WARNING
19
EOF
20

21
# Run Falco with eBPF
22
falco --modern-bpf

2. Tetragon - Runtime Security Enforcement#

Tetragon provides eBPF-based security observability and enforcement.

1
# TracingPolicy example
2
apiVersion: cilium.io/v1alpha1
3
kind: TracingPolicy
4
metadata:
5
  name: file-monitoring
6
spec:
7
  kprobes:
8
    - call: "security_file_open"
9
      syscall: false
10
      args:
11
        - index: 0
12
          type: "file"
13
      selectors:
14
        - matchArgs:
15
            - index: 0
16
              operator: "Equal"
17
              values:
18
                - "/etc/passwd"
19
                - "/etc/shadow"
20
          matchActions:
21
            - action: Sigkill

Observability Platforms#

1. Pixie - Instant Kubernetes Observability#

1
# Install Pixie
2
px deploy
3

4
# Use Pixie CLI
5
px run px/cluster      # Cluster overview
6
px run px/http_data    # HTTP traffic analysis
7
px run px/pod          # Pod resource usage

2. Parca - Continuous Profiling#

1
# Deploy Parca
2
kubectl apply -f https://github.com/parca-dev/parca/releases/latest/download/kubernetes-manifest.yaml
3

4
# Configure profiling
5
apiVersion: parca.dev/v1alpha1
6
kind: ParcaConfig
7
metadata:
8
  name: parca-config
9
spec:
10
  mode: "pull"
11
  interval: "10s"
12
  profiles:
13
  - name: "cpu"
14
    path: "/debug/pprof/profile"

Specialized Tools#

1. pwru - Packet Where Are You#

Trace packet journey through the kernel:

1
# Install pwru
2
go install github.com/cilium/pwru@latest
3

4
# Trace packets
5
sudo pwru --filter-dst-ip 10.0.0.1 --filter-dst-port 80

2. ecapture - SSL/TLS Text Capture#

Capture SSL/TLS text without certificates:

1
# Capture OpenSSL
2
sudo ecapture tls -i eth0 -w captured.pcap
3

4
# Capture specific process
5
sudo ecapture tls -p 1234

3. kubectl-trace - eBPF Tracing for Kubernetes#

1
# Install
2
kubectl krew install trace
3

4
# Run bpftrace in pod
5
kubectl trace run pod/nginx -n default \
6
  -e 'kprobe:do_sys_open { printf("%s opened %s\n", comm, str(arg1)); }'

Language Bindings and Frameworks#

1. Go - ebpf-go#

1
//go:generate go run github.com/cilium/ebpf/cmd/bpf2go counter counter.c
2

3
package main
4

5
import (
6
    "log"
7
    "github.com/cilium/ebpf/link"
8
    "github.com/cilium/ebpf/rlimit"
9
)
10

11
func main() {
12
    // Remove memory limit
13
    if err := rlimit.RemoveMemlock(); err != nil {
14
        log.Fatal(err)
15
    }
16

17
    // Load pre-compiled programs
18
    spec, err := loadCounter()
19
    if err != nil {
20
        log.Fatal(err)
21
    }
22

23
    coll, err := ebpf.NewCollection(spec)
24
    if err != nil {
25
        log.Fatal(err)
26
    }
27
    defer coll.Close()
28

29
    // Attach to tracepoint
30
    tp, err := link.Tracepoint("syscalls", "sys_enter_open",
31
                                coll.Programs["count_open"])
32
    if err != nil {
33
        log.Fatal(err)
34
    }
35
    defer tp.Close()
36
}

2. Rust - aya#

1
#![no_std]
2
#![no_main]
3

4
use aya_bpf::{
5
    macros::{kprobe, map},
6
    maps::HashMap,
7
    programs::ProbeContext,
8
};
9

10
#[map]
11
static mut COUNTS: HashMap<u32, u64> = HashMap::with_max_entries(1024, 0);
12

13
#[kprobe(name="count_opens")]
14
pub fn count_opens(ctx: ProbeContext) -> u32 {
15
    match try_count_opens(ctx) {
16
        Ok(ret) => ret,
17
        Err(ret) => ret,
18
    }
19
}
20

21
fn try_count_opens(ctx: ProbeContext) -> Result<u32, u32> {
22
    let pid = ctx.pid();
23

24
    unsafe {
25
        let count = COUNTS.get(&pid).unwrap_or(&0);
26
        COUNTS.insert(&pid, &(count + 1), 0)?;
27
    }
28

29
    Ok(0)
30
}

Tool Selection Guide#

When to Use What?#

Use Case	Tool	Why
Quick debugging	bpftrace	One-liners, rapid iteration
Custom tools	BCC	Python convenience
Production programs	libbpf	Performance, CO-RE
Kubernetes networking	Cilium	Complete solution
Security monitoring	Falco/Tetragon	Purpose-built
Continuous profiling	Parca	Low-overhead profiling
Load balancing	Katran/XDP	Line-rate performance

Decision Tree#

1
graph TD
2
    A[What do you need?] --> B{Type}
3
    B --> C[Debugging/Analysis]
4
    B --> D[Production System]
5
    B --> E[Security]
6

7
    C --> F{Complexity}
8
    F --> G[Simple] --> H[bpftrace]
9
    F --> I[Complex] --> J[BCC]
10

11
    D --> K{Domain}
12
    K --> L[Networking] --> M[Cilium/Calico]
13
    K --> N[Observability] --> O[Pixie/Parca]
14
    K --> P[Custom] --> Q[libbpf]
15

16
    E --> R{Focus}
17
    R --> S[Detection] --> T[Falco]
18
    R --> U[Enforcement] --> V[Tetragon]

Best Practices#

1. Development Workflow#

1
# 1. Prototype with bpftrace
2
sudo bpftrace -e 'kprobe:vfs_read { @[comm] = count(); }'
3

4
# 2. Develop with BCC
5
python bcc_prototype.py
6

7
# 3. Production with libbpf
8
make production_ebpf

2. Testing Strategy#

Unit test eBPF programs with mock data
Integration test with different kernel versions
Load test for performance validation
Security audit for privilege escalation

3. Monitoring eBPF Programs#

1
# Monitor loaded programs
2
sudo bpftool prog list
3

4
# Check program stats
5
sudo bpftool prog profile id <id> duration 10
6

7
# Monitor map usage
8
watch -n 1 'sudo bpftool map dump id <id> | wc -l'

Future of eBPF Tools#

Emerging Trends#

eBPF for Windows: Microsoft’s eBPF implementation
Hardware Offload: SmartNIC eBPF support
WASM Integration: Portable eBPF programs
AI-Assisted Development: LLM-generated eBPF code

Upcoming Tools#

bpftime: User-space eBPF runtime
eunomia-bpf: Simplified eBPF development
Inspektor Gadget: Container-aware eBPF tools

Conclusion#

The eBPF ecosystem offers tools for every use case, from quick debugging to production-grade infrastructure. Start with high-level tools like bpftrace, gradually move to frameworks like libbpf, and leverage production solutions like Cilium for specific domains.

The key is choosing the right tool for your needs and understanding the trade-offs between ease of use, performance, and flexibility.

Getting Started Resources#

Awesome eBPF - Curated list of eBPF resources
eBPF.io - Official eBPF portal
BCC Tutorial - BCC programming guide
bpftrace Reference - Complete bpftrace guide

This completes our eBPF series! Start experimenting with these tools and join the growing eBPF community.