---
Title: What Is eBPF?
Author: Stephen Watts
Tags: readwise, articles
date: 2024-01-30
---
# What Is eBPF?

![rw-book-cover](https://www.splunk.com/content/dam/splunk-blogs/images/en_us/2022/07/ebpf0.jpg)

URL:: https://splunk.com/en_us/blog/learn/what-is-ebpf.html
Author:: Stephen Watts

## AI-Generated Summary

eBPF can expose kernel telemetry that is otherwise unavailable. See how eBPF works, its benefits, and how to pair it with OpenTelemetry for reduced MTTD.

## Highlights

> The Extended Berkeley Packet Filter (eBPF) is a kernel technology [that allows programs to run](https://ebpf.io/) without requiring changes to the kernel source code or the addition of new modules. It's a sandbox [virtual machine](https://www.splunk.com/en_us/about-splunk.html) (VM) inside the Linux kernel where programmers can run BPF bytecode that uses specified kernel resources. ([View Highlight](https://read.readwise.io/read/01g84ewpc2x8t332gs6xqn3z3m))

> Initially, eBPF’s main use was a way of increasing observability and security while filtering network packets. Today, its functionality has been extended to various use cases such as providing high-performance networking and load balancing in modern data centers and cloud-native environments. Its core capabilities include:
>
> - Extracting granular security observability data with low overhead
> - Assisting application developers in tracing applications
> - Providing insights for performance troubleshooting and preventive application and container runtime security enforcement, among others
>
> ([View Highlight](https://read.readwise.io/read/01g84exdf39cxzns0bagx9d4fa))

> Programs are effectively sandboxed, which means kernel source code is safe and unaltered. The verification phase makes sure that resources aren't clogged up by programs that operate indefinitely. ([View Highlight](https://read.readwise.io/read/01g84eyfzxf3fw7ffsfy6qahaf))

> eBPF provides a single, powerful and easy-to-use framework for unified profiling and program tracing. When eBPF programs are attached to tracepoints in both the user and kernel spaces, it allows unprecedented visibility into the application runtime behavior, which could generate insights for troubleshooting. ([View Highlight](https://read.readwise.io/read/01g84eyvv8yn4kba9f3fhgyq9r))
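
The highlight on the verification phase says programs that could run indefinitely are refused. As an added illustration (not from the article or the kernel source), this simplified model of one such check walks the control-flow graph of raw eBPF bytecode and rejects any backward jump; the real verifier checks far more, and newer kernels also accept loops they can prove bounded. The function names and sample programs are constructed for this example.

```python
import struct

BPF_JMP, BPF_JMP32 = 0x05, 0x06                 # jump classes (opcode & 0x07)
BPF_JA, BPF_CALL, BPF_EXIT = 0x00, 0x80, 0x90   # jump ops (opcode & 0xf0)
LD_IMM64 = 0x18                                 # 16-byte insn, fills two slots

def insn(opcode, off=0, imm=0, regs=0):
    """Encode one 8-byte eBPF instruction: opcode, regs, s16 off, s32 imm."""
    return struct.pack("<BBhi", opcode, regs, off, imm)

def successors(code, pc):
    """Slots that control can reach directly from instruction `pc`."""
    opcode, _regs, off, imm = struct.unpack_from("<BBhi", code, pc * 8)
    cls, op = opcode & 0x07, opcode & 0xF0
    if opcode == LD_IMM64:
        return [pc + 2]
    if cls not in (BPF_JMP, BPF_JMP32) or op == BPF_CALL:
        return [pc + 1]                         # not a branch: fall through
    if op == BPF_EXIT:
        return []
    if op == BPF_JA:                            # JMP32 form takes offset from imm
        return [pc + 1 + (imm if cls == BPF_JMP32 else off)]
    return [pc + 1, pc + 1 + off]               # conditional: fall through or jump

def check_termination(code):
    """Depth-first walk of the control-flow graph; any back-edge is a loop."""
    n = len(code) // 8
    if n == 0:
        return "reject: empty program"
    state = [0] * n                             # 0 unvisited, 1 on DFS path, 2 done
    state[0], stack = 1, [(0, iter(successors(code, 0)))]
    while stack:
        pc, targets = stack[-1]
        nxt = next(targets, None)
        if nxt is None:
            state[pc] = 2
            stack.pop()
        elif not 0 <= nxt < n:
            return f"reject: insn {pc} leaves the program (target {nxt})"
        elif state[nxt] == 1:
            return f"reject: back-edge from insn {pc} to insn {nxt}"
        elif state[nxt] == 0:
            state[nxt] = 1
            stack.append((nxt, iter(successors(code, nxt))))
    return "accept"

# Constructed sample programs (not from the article).
MOV_R0_0, ADD_R0_1, EXIT = insn(0xB7), insn(0x07, imm=1), insn(0x95)
STRAIGHT = MOV_R0_0 + EXIT
BRANCH = MOV_R0_0 + insn(0x15, off=1) + insn(0xB7, imm=1) + EXIT   # jeq r0,0,+1
LOOP = MOV_R0_0 + ADD_R0_1 + insn(0x05, off=-2) + EXIT             # ja -2
```
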