Getting Started with eBPF Programming: A Hands-On Guide#

Ready to write your first eBPF program? This hands-on guide will take you from zero to running eBPF programs, covering modern tools, practical examples, and best practices for eBPF development.

Prerequisites and Setup#

System Requirements#

1
# Check kernel version (need 4.4+, recommend 5.10+)
2
uname -r
3

4
# Check for BPF support
5
ls /sys/fs/bpf
6

7
# Check for BTF support (recommended)
8
ls /sys/kernel/btf/vmlinux

Installing Development Tools#

Ubuntu/Debian#

1
# Essential tools
2
sudo apt-get update
3
sudo apt-get install -y \
4
    clang llvm libbpf-dev \
5
    linux-headers-$(uname -r) \
6
    build-essential git
7

8
# Additional tools
9
sudo apt-get install -y \
10
    bpftrace bpfcc-tools \
11
    linux-tools-$(uname -r) \
12
    linux-tools-common

Fedora/RHEL#

1
sudo dnf install -y \
2
    clang llvm libbpf-devel \
3
    kernel-devel make git \
4
    bpftrace bcc-tools

Your First eBPF Program: Hello World#

1. Starting Simple with bpftrace#

The easiest way to start with eBPF is using bpftrace for one-liners:

1
# Hello World - trace all openat() system calls
2
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("Hello from eBPF! PID %d opened %s\n", pid, str(args->filename)); }'
3

4
# Count system calls by process
5
sudo bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }'
6

7
# Trace TCP connections
8
sudo bpftrace -e 'kprobe:tcp_connect { printf("PID %d (%s) connecting\n", pid, comm); }'

2. Writing a C eBPF Program#

Create hello_ebpf.c:

1
#include <linux/bpf.h>
2
#include <linux/ptrace.h>
3
#include <bpf/bpf_helpers.h>
4
#include <bpf/bpf_tracing.h>
5

6
char LICENSE[] SEC("license") = "GPL";
7

8
struct {
9
    __uint(type, BPF_MAP_TYPE_RINGBUF);
10
    __uint(max_entries, 256 * 1024);
11
} events SEC(".maps");
12

13
struct event {
14
    __u32 pid;
15
    __u8 comm[16];
16
    __u64 ts;
17
};
18

19
SEC("tp/syscalls/sys_enter_open")
20
int hello_open(struct trace_event_raw_sys_enter *ctx) {
21
    struct event *e;
22

23
    e = bpf_ringbuf_reserve(&events, sizeof(*e), 0);
24
    if (!e)
25
        return 0;
26

27
    e->pid = bpf_get_current_pid_tgid() >> 32;
28
    e->ts = bpf_ktime_get_ns();
29
    bpf_get_current_comm(&e->comm, sizeof(e->comm));
30

31
    bpf_ringbuf_submit(e, 0);
32
    return 0;
33
}

3. User-Space Loader#

Create hello_user.c:

1
#include <stdio.h>
2
#include <unistd.h>
3
#include <signal.h>
4
#include <bpf/libbpf.h>
5
#include <bpf/bpf.h>
6
#include "hello_ebpf.skel.h"
7

8
static int libbpf_print_fn(enum libbpf_print_level level,
9
                          const char *format, va_list args) {
10
    return vfprintf(stderr, format, args);
11
}
12

13
static volatile bool exiting = false;
14

15
static void sig_handler(int sig) {
16
    exiting = true;
17
}
18

19
static int handle_event(void *ctx, void *data, size_t data_sz) {
20
    const struct event *e = data;
21
    printf("%-8u %-16s\n", e->pid, e->comm);
22
    return 0;
23
}
24

25
int main(int argc, char **argv) {
26
    struct hello_ebpf_bpf *skel;
27
    struct ring_buffer *rb = NULL;
28
    int err;
29

30
    // Set up libbpf errors and debug info callback
31
    libbpf_set_print(libbpf_print_fn);
32

33
    // Open, load, and attach BPF program
34
    skel = hello_ebpf_bpf__open_and_load();
35
    if (!skel) {
36
        fprintf(stderr, "Failed to open BPF skeleton\n");
37
        return 1;
38
    }
39

40
    err = hello_ebpf_bpf__attach(skel);
41
    if (err) {
42
        fprintf(stderr, "Failed to attach BPF skeleton\n");
43
        goto cleanup;
44
    }
45

46
    // Set up ring buffer
47
    rb = ring_buffer__new(bpf_map__fd(skel->maps.events),
48
                          handle_event, NULL, NULL);
49
    if (!rb) {
50
        err = -1;
51
        fprintf(stderr, "Failed to create ring buffer\n");
52
        goto cleanup;
53
    }
54

55
    // Set up signal handler
56
    signal(SIGINT, sig_handler);
57
    signal(SIGTERM, sig_handler);
58

59
    printf("%-8s %-16s\n", "PID", "COMM");
60
    printf("%-8s %-16s\n", "----", "----");
61

62
    // Poll ring buffer
63
    while (!exiting) {
64
        err = ring_buffer__poll(rb, 100);
65
        if (err == -EINTR) {
66
            err = 0;
67
            break;
68
        }
69
        if (err < 0) {
70
            printf("Error polling ring buffer: %d\n", err);
71
            break;
72
        }
73
    }
74

75
cleanup:
76
    ring_buffer__free(rb);
77
    hello_ebpf_bpf__destroy(skel);
78
    return err < 0 ? -err : 0;
79
}

4. Building and Running#

Create a Makefile:

1
CLANG ?= clang
2
CC ?= gcc
3
LIBBPF_SRC := /usr/include/bpf
4
ARCH := $(shell uname -m | sed 's/x86_64/x86/')
5

6
all: hello
7

8
hello_ebpf.o: hello_ebpf.c
9
  $(CLANG) -g -O2 -target bpf -D__TARGET_ARCH_$(ARCH) \
10
    -I$(LIBBPF_SRC) -c hello_ebpf.c -o hello_ebpf.o
11

12
hello_ebpf.skel.h: hello_ebpf.o
13
  bpftool gen skeleton hello_ebpf.o > hello_ebpf.skel.h
14

15
hello: hello_user.c hello_ebpf.skel.h
16
  $(CC) -g -Wall -o hello hello_user.c -lbpf -lelf -lz
17

18
clean:
19
  rm -f *.o hello hello_ebpf.skel.h
20

21
.PHONY: all clean

Build and run:

1
make
2
sudo ./hello

Modern eBPF Development with CO-RE#

CO-RE (Compile Once - Run Everywhere)#

CO-RE enables writing portable eBPF programs that work across different kernel versions:

1
#include "vmlinux.h"
2
#include <bpf/bpf_helpers.h>
3
#include <bpf/bpf_core_read.h>
4

5
char LICENSE[] SEC("license") = "GPL";
6

7
// Use BPF_CORE_READ for portable field access
8
SEC("kprobe/tcp_connect")
9
int trace_tcp_connect(struct pt_regs *ctx) {
10
    struct sock *sk = (struct sock *)PT_REGS_PARM1(ctx);
11
    struct sock_common skc = {};
12

13
    // CO-RE-enabled read
14
    bpf_core_read(&skc, sizeof(skc), &sk->__sk_common);
15

16
    u16 sport = bpf_ntohs(skc.skc_num);
17
    u16 dport = bpf_ntohs(skc.skc_dport);
18

19
    bpf_printk("TCP connect: sport=%d dport=%d\n", sport, dport);
20
    return 0;
21
}

Practical Examples#

1. TCP Connection Tracker#

Track all TCP connections with detailed information:

1
struct tcp_event {
2
    __u32 saddr;
3
    __u32 daddr;
4
    __u16 sport;
5
    __u16 dport;
6
    __u32 pid;
7
    __u8 comm[16];
8
};
9

10
struct {
11
    __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
12
} events SEC(".maps");
13

14
SEC("kprobe/tcp_connect")
15
int trace_connect(struct pt_regs *ctx) {
16
    struct sock *sk = (struct sock *)PT_REGS_PARM1(ctx);
17
    struct tcp_event event = {};
18

19
    // Read connection details
20
    bpf_probe_read(&event.saddr, sizeof(event.saddr),
21
                   &sk->__sk_common.skc_rcv_saddr);
22
    bpf_probe_read(&event.daddr, sizeof(event.daddr),
23
                   &sk->__sk_common.skc_daddr);
24
    bpf_probe_read(&event.sport, sizeof(event.sport),
25
                   &sk->__sk_common.skc_num);
26
    bpf_probe_read(&event.dport, sizeof(event.dport),
27
                   &sk->__sk_common.skc_dport);
28

29
    event.pid = bpf_get_current_pid_tgid() >> 32;
30
    bpf_get_current_comm(&event.comm, sizeof(event.comm));
31

32
    // Submit event
33
    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU,
34
                          &event, sizeof(event));
35
    return 0;
36
}

2. File Access Monitor#

Monitor file operations with path resolution:

1
struct file_event {
2
    __u32 pid;
3
    __u8 comm[16];
4
    __u8 filename[256];
5
    __u32 flags;
6
};
7

8
struct {
9
    __uint(type, BPF_MAP_TYPE_RINGBUF);
10
    __uint(max_entries, 256 * 1024);
11
} rb SEC(".maps");
12

13
SEC("tracepoint/syscalls/sys_enter_openat")
14
int trace_openat(struct trace_event_raw_sys_enter *ctx) {
15
    struct file_event *e;
16

17
    e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
18
    if (!e)
19
        return 0;
20

21
    e->pid = bpf_get_current_pid_tgid() >> 32;
22
    bpf_get_current_comm(&e->comm, sizeof(e->comm));
23

24
    // Read filename from user space
25
    const char *filename_ptr = (const char *)ctx->args[1];
26
    bpf_probe_read_user_str(&e->filename, sizeof(e->filename),
27
                            filename_ptr);
28

29
    e->flags = (u32)ctx->args[2];
30

31
    bpf_ringbuf_submit(e, 0);
32
    return 0;
33
}

3. Performance Profiler#

CPU sampling profiler with stack traces:

1
struct {
2
    __uint(type, BPF_MAP_TYPE_STACK_TRACE);
3
    __uint(max_entries, 10000);
4
} stacks SEC(".maps");
5

6
struct {
7
    __uint(type, BPF_MAP_TYPE_HASH);
8
    __uint(max_entries, 10000);
9
    __type(key, u32);
10
    __type(value, u64);
11
} counts SEC(".maps");
12

13
SEC("perf_event")
14
int do_sample(struct bpf_perf_event_data *ctx) {
15
    __u32 pid = bpf_get_current_pid_tgid() >> 32;
16

17
    // Skip kernel threads
18
    if (pid == 0)
19
        return 0;
20

21
    // Get stack ID
22
    __s32 stack_id = bpf_get_stackid(ctx, &stacks,
23
                                      BPF_F_USER_STACK);
24
    if (stack_id < 0)
25
        return 0;
26

27
    // Count this stack
28
    __u64 *count = bpf_map_lookup_elem(&counts, &stack_id);
29
    if (count)
30
        (*count)++;
31
    else {
32
        __u64 one = 1;
33
        bpf_map_update_elem(&counts, &stack_id, &one, BPF_ANY);
34
    }
35

36
    return 0;
37
}

Advanced Development Patterns#

1. Per-CPU Maps for High Performance#

1
struct {
2
    __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
3
    __uint(max_entries, 1);
4
    __type(key, u32);
5
    __type(value, struct statistics);
6
} stats SEC(".maps");
7

8
SEC("xdp")
9
int count_packets(struct xdp_md *ctx) {
10
    u32 key = 0;
11
    struct statistics *s = bpf_map_lookup_elem(&stats, &key);
12
    if (!s)
13
        return XDP_PASS;
14

15
    // No locking needed - per-CPU storage
16
    s->packets++;
17
    s->bytes += (ctx->data_end - ctx->data);
18

19
    return XDP_PASS;
20
}

2. Tail Calls for Program Chaining#

1
struct {
2
    __uint(type, BPF_MAP_TYPE_PROG_ARRAY);
3
    __uint(max_entries, 10);
4
} progs SEC(".maps");
5

6
SEC("xdp")
7
int dispatcher(struct xdp_md *ctx) {
8
    // Determine which program to call
9
    u32 prog_id = classify_packet(ctx);
10

11
    // Tail call to specific handler
12
    bpf_tail_call(ctx, &progs, prog_id);
13

14
    // Only reached if tail call fails
15
    return XDP_PASS;
16
}

3. BPF-to-BPF Function Calls#

1
static __always_inline int parse_ip_header(struct iphdr *ip,
2
                                          void *data_end) {
3
    if (ip + 1 > data_end)
4
        return -1;
5

6
    if (ip->version != 4)
7
        return -1;
8

9
    return 0;
10
}
11

12
SEC("xdp")
13
int process_packet(struct xdp_md *ctx) {
14
    void *data = (void *)(long)ctx->data;
15
    void *data_end = (void *)(long)ctx->data_end;
16

17
    struct ethhdr *eth = data;
18
    struct iphdr *ip = data + sizeof(*eth);
19

20
    if (parse_ip_header(ip, data_end) < 0)
21
        return XDP_DROP;
22

23
    // Process valid IP packet
24
    return XDP_PASS;
25
}

Testing and Debugging#

1. Using bpf_printk for Debugging#

1
SEC("kprobe/sys_open")
2
int trace_open(struct pt_regs *ctx) {
3
    char comm[16];
4
    bpf_get_current_comm(&comm, sizeof(comm));
5

6
    // Debug output (view with: sudo cat /sys/kernel/debug/tracing/trace_pipe)
7
    bpf_printk("DEBUG: %s called sys_open\n", comm);
8

9
    return 0;
10
}

2. BPF Verifier Debugging#

1
# Verbose verifier output
2
sudo bpftool prog load hello.o /sys/fs/bpf/hello verb
3

4
# Check loaded programs
5
sudo bpftool prog list
6

7
# Dump program instructions
8
sudo bpftool prog dump xlated id <prog_id>

3. Performance Analysis#

1
# Check program run time
2
sudo bpftool prog profile id <prog_id> duration 10
3

4
# Monitor map usage
5
sudo bpftool map list
6
sudo bpftool map dump id <map_id>

Production Best Practices#

1. Error Handling#

1
// Always check map lookups
2
struct data *d = bpf_map_lookup_elem(&my_map, &key);
3
if (!d)
4
    return 0;  // Handle gracefully
5

6
// Check bounds before access
7
if (ptr + sizeof(*ptr) > data_end)
8
    return XDP_DROP;

2. Resource Management#

1
// Limit loop iterations
2
#pragma unroll
3
for (int i = 0; i < MAX_ITERATIONS && i < 100; i++) {
4
    // Process...
5
}
6

7
// Use appropriate map sizes
8
struct {
9
    __uint(type, BPF_MAP_TYPE_LRU_HASH);
10
    __uint(max_entries, 10000);  // LRU eviction when full
11
} cache SEC(".maps");

3. Compatibility#

1
// Use CO-RE for field access
2
struct task_struct *task = (void *)bpf_get_current_task();
3
u32 pid = BPF_CORE_READ(task, tgid);
4

5
// Feature detection
6
if (bpf_core_field_exists(struct tcp_sock, snd_cwnd))
7
    cwnd = BPF_CORE_READ(tp, snd_cwnd);

Development Workflow#

1. Project Structure#

1
my_ebpf_project/
2
├── src/
3
│   ├── my_prog.bpf.c      # eBPF program
4
│   └── my_prog.c          # User-space loader
5
├── include/
6
│   └── my_prog.h          # Shared definitions
7
├── Makefile
8
└── README.md

2. Automated Build#

1
# Modern Makefile with BTF and CO-RE
2
CLANG := clang
3
BPFTOOL := bpftool
4
ARCH := $(shell uname -m | sed 's/x86_64/x86/')
5

6
.PHONY: all clean
7

8
all: my_prog
9

10
%.bpf.o: %.bpf.c
11
  $(CLANG) -g -O2 -target bpf \
12
    -D__TARGET_ARCH_$(ARCH) \
13
    -c $< -o $@
14

15
%.skel.h: %.bpf.o
16
  $(BPFTOOL) gen skeleton $< > $@
17

18
my_prog: src/my_prog.c src/my_prog.skel.h
19
  $(CC) -g -Wall -o $@ $< -lbpf -lelf -lz

3. CI/CD Integration#

1
# GitHub Actions example
2
name: Build eBPF
3
on: [push, pull_request]
4
jobs:
5
  build:
6
    runs-on: ubuntu-latest
7
    steps:
8
      - uses: actions/checkout@v2
9
      - name: Install deps
10
        run: |
11
          sudo apt-get update
12
          sudo apt-get install -y clang llvm libbpf-dev
13
      - name: Build
14
        run: make
15
      - name: Test
16
        run: sudo ./run_tests.sh

Next Steps#

Explore Examples: Study programs in the BCC repository
Read the Guide: BPF and XDP Reference Guide
Join Community: eBPF Slack and mailing lists
Build Something: Start with a real problem you want to solve

Common Pitfalls and Solutions#

Verifier Rejection#

1
// BAD: Unbounded loop
2
for (int i = 0; i < n; i++) { }
3

4
// GOOD: Bounded loop
5
for (int i = 0; i < n && i < 100; i++) { }

Stack Size Limits#

1
// BAD: Large stack allocation
2
char buffer[8192];
3

4
// GOOD: Use maps for large data
5
struct {
6
    __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
7
    __uint(max_entries, 1);
8
    __type(key, u32);
9
    __type(value, struct large_buffer);
10
} buffers SEC(".maps");

Memory Access#

1
// BAD: Direct pointer arithmetic
2
struct iphdr *ip = eth + 1;
3

4
// GOOD: Proper bounds checking
5
struct iphdr *ip = (void *)eth + sizeof(*eth);
6
if ((void *)ip + sizeof(*ip) > data_end)
7
    return XDP_DROP;

Conclusion#

eBPF programming opens up incredible possibilities for system programming, but it requires understanding its constraints and patterns. Start simple with tools like bpftrace, gradually move to writing C programs with libbpf, and always prioritize safety and performance.

Remember: eBPF is powerful because it’s safe. The verifier is your friend—work with it, not against it!

Ready to dive deeper? Check out our next post on the eBPF ecosystem and advanced tools!