---
Title: eBPF Explained: Use Cases, Concepts, and Architecture
Author: Tigera
Tags: readwise, articles
date: 2024-01-30
---
# eBPF Explained: Use Cases, Concepts, and Architecture

URL:: https://tigera.io/learn/guides/ebpf
Author:: Tigera
## AI-Generated Summary
Learn how extended Berkeley Packet Filter (eBPF) lets you run programs directly on the Linux kernel with huge benefits for security, networking, and observability.
## Highlights
> Here are some of the important use cases for eBPF. ([View Highlight](https://read.readwise.io/read/01fsy1hk27vpgyr8vnjf450asp))
> Security ([View Highlight](https://read.readwise.io/read/01fsy1hm7jfjjjt52sdytnjhqq))
> Typically, entirely independent systems have handled different aspects of system call filtering, process context tracing, and network-level filtering. On the other hand, eBPF facilitates the combination of control and visibility over all aspects. This allows you to develop security systems that operate with more context and an improved level of control. ([View Highlight](https://read.readwise.io/read/01fsy1hv2q0hs156hzb355h0zw))
> Networking ([View Highlight](https://read.readwise.io/read/01fsy1hvzvagxg5e32041akrpj))
> The combination of efficiency and programmability makes eBPF a good candidate for all networking solutions’ packet processing requirements. The programmability of eBPF provides a means of adding additional protocol parsers, and smoothly programs any forwarding logic to address changing requirements without ever exiting the Linux kernel’s packet processing context. The effectiveness offered by the JIT compiler offers execution performance near that of natively compiled in-kernel code. ([View Highlight](https://read.readwise.io/read/01fsy1j85mnxtr0ta2hn9fyfm8))
> Tracing and Profiling ([View Highlight](https://read.readwise.io/read/01fsy1jcm289w4kmmegjmbvbd4))
> The ability to attach eBPF programs to trace points in addition to kernel and user application probe points enables visibility into the runtime behavior of applications as well as the system. ([View Highlight](https://read.readwise.io/read/01fsy1jgd1fx7dmrv902yj7g8y))
> Observability and Monitoring ([View Highlight](https://read.readwise.io/read/01fsy1jm4dejd3nd4cdwen665r))
> Rather than relying on gauges and static counters exposed by the operating system, eBPF allows for the generation of visibility events and the collection and in-kernel aggregation of custom metrics based on a broad range of potential sources. ([View Highlight](https://read.readwise.io/read/01fsy1jqyekc6v5089hpg2n9th))
> This increases the depth of visibility that might be attained and decreases the overall system overhead dramatically. This is achieved by collecting only the required visibility data and by producing histograms and similar data structures at the source of the event, rather than depending on the export of samples. ([View Highlight](https://read.readwise.io/read/01fsy1js7g3vpsdj76kgec3qfm))
> eBPF is an extension of its precursor, BPF. BPF is a tool used for writing packet-filtering code via an in-kernel VM. A group of engineers started to build on the BPF backend to offer a similar series of features as dtrace, which eventually evolved into eBPF. Although initially released in limited capacity in 2014 with Linux 3.18, you need at least Linux 4.4 or above to make full use of eBPF. ([View Highlight](https://read.readwise.io/read/01fsy1kd6s243axfmckm0ynxt3))
> The diagram below is a simplified illustration of eBPF architecture. Prior to being loaded into the kernel, the eBPF program needs to pass a particular series of requirements. Verification includes executing the eBPF program in the virtual machine. ([View Highlight](https://read.readwise.io/read/01fsy1kvh1qnm7vrpjtgnm8qjm))
> In many cases, you might use eBPF indirectly through a project like bpftrace or Cilium. These projects offer abstractions on top of eBPF, so you don’t have to write the program directly. You can specify definitions based on intent, which eBPF then implements. ([View Highlight](https://read.readwise.io/read/01fsy1mg999t05804h5kqp12q4))
> eBPF Basic Concepts and Architecture ([View Highlight](https://read.readwise.io/read/01fsy1mpj6aenq8hpg3jwa2frf))
> Predefined Hooks ([View Highlight](https://read.readwise.io/read/01fsy1mr4n3c6vsz18scf6wkwk))
> Program Verification ([View Highlight](https://read.readwise.io/read/01fsy1mtd252mxy67zvnnprta8))
> Once a hook is identified, the BPF system call can be used to load the corresponding eBPF program into the Linux kernel. This usually involves using an eBPF library. When a program is loaded into the kernel, it has to be verified to ensure it is safe to run. ([View Highlight](https://read.readwise.io/read/01fsy1mwmvsxgs7q8k87jvan6g))
> eBPF Maps ([View Highlight](https://read.readwise.io/read/01fsy1n0576xqfn2d2zt0mqs4p))
> An eBPF program must be able to store its state and share collected data. eBPF maps can help programs retrieve and store information according to a range of data structures. Users can access eBPF maps via system calls, from both eBPF programs and applications. ([View Highlight](https://read.readwise.io/read/01fsy1n1ft2xa6n5r0agaj0k5j))
> Map types include hash tables or arrays, ring buffer, stack trace, least-recently used, longest prefix match, and more. ([View Highlight](https://read.readwise.io/read/01fsy1n4av3s2wct320vcmjceq))
> Helper Calls ([View Highlight](https://read.readwise.io/read/01fsy1n5atp6wpjz170h2rpwn3))
> Helper calls allow programs to generate random numbers, receive current time and date, access eBPF maps, manipulate forwarding logic and network packets, and more. ([View Highlight](https://read.readwise.io/read/01fsy1nafc538gkzwc29hb3pp7))
> Function and Tail Calls ([View Highlight](https://read.readwise.io/read/01fsy1nc8prgm6cztjd2b2t42m))
> These calls make eBPF programs composable. Function calls enable functions to be defined and called in a program. Tail calls enable the execution of other eBPF programs. They can also change the execution context. ([View Highlight](https://read.readwise.io/read/01fsy1nd9a4v707tqc4q51ecnr))
> eBPF eXpress Data Path (XDP) allows for high-speed packet processing in the BPF application. To ensure a quicker response to network functions, XDP readily launches a BPF program, typically as soon as a packet is obtained from the network interface. ([View Highlight](https://read.readwise.io/read/01fsy1ngwmrgnnmr1e0pq53kjv))
> BPF Compiler Collection (BCC) is a toolkit used to create effective manipulation and kernel tracing programs. It features various useful examples and tools. It requires Linux 4.1 or above. ([View Highlight](https://read.readwise.io/read/01fsy1nm7tap7hxpxss1esjcbv))
> eBPF BCC lets you attach eBPF programs to kprobes. This permits user-defined instrumentation on a functioning kernel image that can never hang or crash, and thus will not adversely affect the kernel. ([View Highlight](https://read.readwise.io/read/01fsy1nq37842p4xgrwckfee53))
> BCC makes BPF programs simple to write with kernel instrumentation in C (and features a C wrapper around LLVM), including front-ends in Lua and Python. It can be used, for example, for network traffic and performance analysis. ([View Highlight](https://read.readwise.io/read/01fsy1ns20gd1z8ykea9zymhw0))
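The verification and XDP highlights above describe the constraint that shapes every packet-processing eBPF program: each read from the packet must be bounds-checked against `data_end` or the verifier refuses to load it. The following is an added example, not code from the Tigera article: an XDP-style source-address filter written in that discipline, compiled and run in user space against a constructed frame. The `xdp_md_mock`, `ethhdr_mock` and `iphdr_mock` structs and the `XDP_*` values are local stand-ins for the kernel headers, and `run_case` is a test harness of my own.

```c
/* Added example, not code from the Tigera article: an XDP-style filter written
 * the way the in-kernel verifier demands, with every packet read bounds-checked
 * against data_end. Struct names and XDP_* values are stand-ins for linux/bpf.h. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

#define XDP_DROP 1          /* same values as the kernel's enum xdp_action */
#define XDP_PASS 2
#define ETH_P_IP 0x0800

struct xdp_md_mock { const uint8_t *data; const uint8_t *data_end; };
struct ethhdr_mock { uint8_t dst[6], src[6]; uint16_t proto; } __attribute__((packed));
struct iphdr_mock { uint8_t vhl, tos; uint16_t len, id, frag; uint8_t ttl, proto;
                    uint16_t csum; uint32_t saddr, daddr; } __attribute__((packed));

/* Drop IPv4 frames from one blocked source address, pass everything else. A frame
 * too short for the header about to be read is passed untouched: reading past
 * data_end is exactly the access the verifier rejects at load time. */
int xdp_filter(const struct xdp_md_mock *ctx, uint32_t blocked_saddr_be)
{
    const uint8_t *data_end = ctx->data_end;
    const struct ethhdr_mock *eth = (const void *)ctx->data;
    if ((const uint8_t *)(eth + 1) > data_end) return XDP_PASS;  /* bounds check 1 */
    if (ntohs(eth->proto) != ETH_P_IP) return XDP_PASS;
    const struct iphdr_mock *ip = (const void *)(eth + 1);
    if ((const uint8_t *)(ip + 1) > data_end) return XDP_PASS;   /* bounds check 2 */
    if ((ip->vhl >> 4) != 4) return XDP_PASS;
    return ip->saddr == blocked_saddr_be ? XDP_DROP : XDP_PASS;
}

/* Test harness (constructed input): build an Ethernet+IPv4 frame from src_ip,
 * truncate it to max_len bytes to simulate a short packet, run the filter. */
int run_case(const char *src_ip, const char *blocked_ip, size_t max_len)
{
    uint8_t buf[64] = {0};
    struct ethhdr_mock eth = { .proto = htons(ETH_P_IP) };
    struct iphdr_mock ip = { .vhl = 0x45, .ttl = 64, .proto = 17 };
    uint32_t blocked;
    inet_pton(AF_INET, src_ip, &ip.saddr);
    inet_pton(AF_INET, blocked_ip, &blocked);
    memcpy(buf, &eth, sizeof eth);
    memcpy(buf + sizeof eth, &ip, sizeof ip);
    size_t len = sizeof eth + sizeof ip;            /* 34 bytes on the wire */
    if (max_len < len) len = max_len;
    struct xdp_md_mock ctx = { buf, buf + len };
    return xdp_filter(&ctx, blocked);
}
```

A real XDP program would return the same verdicts from `SEC("xdp")` code attached to an interface; the point here is that the two pointer comparisons are not optional style, they are what the verifier uses to prove the reads safe.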