# Using eBPF Monitoring to Know What to Measure and Why

URL:: https://containerjournal.com/topics/container-management/using-ebpf-monitoring-to-know-what-to-measure-and-why
Author:: Odysseas Lamtzidis
## Highlights
> It’s interesting to underline that eBPF doesn’t offer any new functionality, but using older technology would require the developer to get into assembly, rendering the effort particularly demanding. ([View Highlight](https://read.readwise.io/read/01g86eb9ch8pj1m1mvs1cywkwg))
> eBPF programs run inside the kernel; they are attached to a code path and whenever that code path is traversed, the program executes. This decoupling of the kernel and eBPF program increases the development time as the developer doesn’t have to recompile the kernel each time the eBPF program is changed. eBPF is useful for both packet processing as well as performance analysis and monitoring, as eBPF programs can be attached to tracepoints, kprobes and even perf events. As you may have already guessed, attaching user-space programs inside the kernel can cause serious security and stability issues; thus, a series of tests are performed on each eBPF program before it’s loaded. ([View Highlight](https://read.readwise.io/read/01g86ebnwx2hfhnq11ab2eqfvz))
> [](https://containerjournal.com/wp-content/uploads/2020/10/bcc_tracing_tools_2016.png) ([View Highlight](https://read.readwise.io/read/01g86ec3aez0fc5vrn3tphnme8))
> Another interesting example is [Cilium](https://github.com/cilium/cilium), which uses eBPF to provide secure network connectivity and load balancing, leveraging the ability of eBPF to filter and drop packets based on rules. Interestingly, eBPF can trace kernel functions, but can’t drop their execution, while it can for incoming network packets. For observability, ntop and InfluxData have [partnered](https://www.influxdata.com/blog/it-monitoring-in-the-era-of-containers-tapping-into-ebpf-observability/) to offer eBPF monitoring for containers, while [Netdata](https://www.netdata.cloud/blog/linux-ebpf-monitoring-with-netdata/) is offering out-of-the-box eBPF monitoring for system and application monitoring. ([View Highlight](https://read.readwise.io/read/01g86ed1wbtrx1egqhx58sh1ab))
---
Title: Using eBPF Monitoring to Know What to Measure and Why
Author: Odysseas Lamtzidis
Tags: readwise, articles
date: 2024-01-30
---
## AI-Generated Summary
eBPF enables users to trace application activity down to a very low level for better performance analysis. Let's say you're a doctor. You know that the