Title: What is eBPF? (Extended Berkeley Packet Filter) | Kentik Description: The extended Berkeley Packet Filter (eBPF) makes it possible for Linux operating systems to securely filter data packets and efficiently collect observability data. Keywords: No keywords Text content: What is eBPF? (Extended Berkeley Packet Filter) | KentikSlide 1 of 1Optimize cloud cost, performance, and security—without compromise. Learn how.Optimize cloud cost, performance, and security—without compromise. Learn how.Optimize cloud cost, performance, and security—without compromise. Learn how.Table of ContentsBackground: Userland vs. kernel landSecurely programming filters for better accessThe benefits of eBPFeBPF and network observabilityUsing eBPF: How does the Berkeley Packet Filter work?Enhancing Kubernetes monitoring with eBPFHow can eBPF help with Kubernetes networking?Learn more about eBPF at Kentik LabsGet a DemoSee Kentik in action.CountryUnited States of AmericaCanada──────────AfghanistanÅland IslandsAlbaniaAlgeriaAmerican SamoaAndorraAngolaAnguillaAntarcticaAntigua and BarbudaArgentinaArmeniaArubaAustraliaAustriaAzerbaijanBahamasBahrainBangladeshBarbadosBelarusBelgiumBelizeBeninBermudaBhutanBoliviaBonaire, Sint Eustatius and SabaBosnia and HerzegovinaBotswanaBouvet IslandBrazilBritish Indian Ocean TerritoryBrunei DarussalamBulgariaBurkina FasoBurundiCambodiaCameroonCanadaCape VerdeCayman IslandsCentral African RepublicChadChileChristmas IslandCocos (Keeling) IslandsColombiaComorosCook IslandsCosta RicaCote d'IvoireCroatiaCubaCuraçaoCyprusCzech RepublicDemocratic Republic of the CongoDenmarkDjiboutiDominicaDominican RepublicEcuadorEgyptEl SalvadorEquatorial GuineaEritreaEstoniaEswatiniEthiopiaFalkland Islands (Malvinas)Faroe IslandsFijiFinlandFranceFrench GuianaFrench PolynesiaFrench Southern TerritoriesGabonGeorgiaGermanyGhanaGibraltarGreeceGreenlandGrenadaGuadeloupeGuamGuatemalaGuernseyGuineaGuinea-BissauGuyanaHaitiHeard Island and McDonald IslandsHoly See (Vatican City State)HondurasHong KongHungaryIcelandIndiaIndonesiaIraqIrelandIslamic Republic of IranIsle of ManIsraelItalyJamaicaJapanJerseyJordanKazakhstanKenyaKiribatiKosovoKuwaitKyrgyzstanLao People's Democratic RepublicLatviaLebanonLesothoLiberiaLibyaLiechtensteinLithuaniaLuxembourgMacaoMadagascarMalawiMalaysiaMaldivesMaliMaltaMarshall IslandsMartiniqueMauritaniaMauritiusMayotteMexicoMicronesia, Federated States ofMoldova, Republic ofMonacoMongoliaMontenegroMontserratMoroccoMozambiqueMyanmarNamibiaNauruNepalNetherlandsNew CaledoniaNew ZealandNicaraguaNigerNigeriaNiueNorfolk IslandNorth KoreaNorthern Mariana IslandsNorwayOmanPakistanPalauPanamaPapua New GuineaParaguayPeople's Republic of ChinaPeruPhilippinesPitcairnPolandPortugalPuerto RicoQatarRepublic of the CongoRepublic of The GambiaReunionRomaniaRussian FederationRwandaSaint BarthélemySaint HelenaSaint Kitts and NevisSaint LuciaSaint Martin (French part)Saint Pierre and MiquelonSaint Vincent and the GrenadinesSamoaSan MarinoSao Tome and PrincipeSaudi ArabiaSenegalSerbiaSeychellesSierra LeoneSingaporeSint Maarten (Dutch part)SlovakiaSloveniaSolomon IslandsSomaliaSouth AfricaSouth Georgia and the South Sandwich IslandsSouth KoreaSouth SudanSpainSri LankaState of PalestineSudanSurinameSvalbard and Jan MayenSwedenSwitzerlandSyrian Arab RepublicTaiwan, Province of ChinaTajikistanThailandThe Republic of North MacedoniaTimor-LesteTogoTokelauTongaTrinidad and TobagoTunisiaTürkiyeTurkmenistanTurks and Caicos IslandsTuvaluUgandaUkraineUnited Arab EmiratesUnited KingdomUnited Republic of TanzaniaUnited States Minor Outlying IslandsUnited States of AmericaUruguayUzbekistanVanuatuVenezuelaVietnamVirgin Islands, BritishVirgin Islands, U.S.Wallis and FutunaWestern SaharaYemenZambiaZimbabweSign upBy completing this form, you agree to our Privacy Policy and Terms of Use.Ultimate Guide to Network ObservabilityGet Your CopyKentipediaWhat is eBPF? (Extended Berkeley Packet Filter)Table of ContentsBackground: Userland vs. kernel landSecurely programming filters for better accessThe benefits of eBPFeBPF and network observabilityUsing eBPF: How does the Berkeley Packet Filter work?Enhancing Kubernetes monitoring with eBPFHow can eBPF help with Kubernetes networking?Learn more about eBPF at Kentik LabseBPF, which stands for Extended Berkeley Packet Filter, is a technology that makes it possible to run special programs deep inside the Linux operating system in an isolated way. As it filters data packets from networks and embeds them into the kernel, the BPF also provides a network interface with security layers that ensures the packet data is reliable and accessible. Using this approach, teams can more easily and efficiently collect crucial observability data from Linux applications and network resources. Background: Userland vs. kernel land In a Linux system, most applications users can directly interact with what is known as “userland.” Because userland applications don’t have to integrate deeply with low-level system processes, they are easy to install and run. However, a major limitation of userland applications is that, because they don’t have low-level access to the Linux kernel, it is difficult for them to collect data directly from the operating system. Only processes that run in so-called “kernel land” have that level of access. Kernel land processes are typically limited to services that are critical to the operating system, such as those that manage hardware. Securely programming filters for better access Traditionally, developers bridged the gap between userland and kernel land by building features into the kernel that exposed certain types of data to userland applications in a secure way. The problem with this approach is that it requires modification of the kernel itself, which is a hugely complex platform that is difficult to change in a secure way. An alternative solution was to create kernel modules that could collect data from the kernel. System administrators could load those modules into the kernel after the kernel was already running. This made it possible to gain low-level access without directly modifying the kernel. However, the drawback with this strategy is that loading kernel modules typically requires root-level access. Kernel modules may also introduce security and stability issues if they are not properly designed, and they increase the resource utilization of the operating system. The benefits of eBPF eBPF takes a different approach to gaining low-level access to the kernel. It provides a sandboxed environment (meaning they are mostly isolated from the rest of the system, even though they can interact with certain components based on the settings admins configure) in which admins can load programs that run directly in the kernel. Using this approach, teams that want to know what is happening deep inside the Linux operating system gain several benefits: Simplicity: Unlike directly modifying the kernel, loading eBPF programs is fast and easy. Security: Because eBPF programs are sandboxed from the operating system, they don’t create the security or performance challenges that kernel modules may pose. Efficiency: EBPF programs use minimal system resources, which means they don’t make a large performance impact on the operating system. eBPF and network observability eBPF has many potential use cases related to observability, such as monitoring the performance of hardware devices or helping to detect security issues. However, one of the areas where eBPF offers the very most value is in the realm of network observability. Modern applications are often deployed across a cluster of servers. They are also frequently hosted inside containers, serverless functions or similar types of infrastructure, which abstracts applications from the host operating system. Under these conditions, observing the network has conventionally required collecting and correlating data about network operations from a variety of servers. What’s more, it requires getting network data from individual containers that, in most cases, don’t log their networking operations to their host operating system, or even store network-related data persistently. To address these challenges, teams had to deploy a complex array of userland applications—often, a network monitoring agent on each server, as well as an agent that could collect networking data from each container through a service mesh, sidecar architecture or similar approach. eBPF offers a much simpler, more elegant solution to network observability. With eBPF, teams can run kernel-level programs that observe network operations for all containers running on a server. In this way, eBPF eliminates the need to deploy agents for each container separately. It also provides access to low-level networking data that may not be available from within a container, whose access to kernel-level resources is usually restricted (unless the container runs in privileged mode, which is not a recommended approach). In this way, eBPF helps address one of the core challenges of network observability in modern applications. It provides a secure, simple, and efficient means of understanding what is happening within all Linux-based endpoints. The Ultimate Guide to Network ObservabilityEverything you ever wanted to know about network observabilityRead Now Using eBPF: How does the Berkeley Packet Filter work? The following is a very short technical overview of eBPF. For a more detailed, technical explanation of eBPF and its applications in network monitoring and observability, see our blog post, “eBPF Explained: Why it’s Important for Observability”. If you want to create and run eBPF programs yourself, you can do so using open source tools like bpftrace and bcc, which make it easy to create and deploy programs into a Linux kernel using eBPF. Just make sure you have a Linux-based operating system that is running kernel version 4.4 or later. Earlier versions of Linux don’t support eBPF. You may also need to disable “lockdown mode” on your kernel using these commands: # echo 1 > /proc/sys/kernel/sysrq # echo x > /proc/sysrq-trigger However, a simpler way to take advantage of eBPF is to deploy an observability tool that uses eBPF under the hood to collect the data you need to understand what is happening in your systems. Increasingly, modern observability suites are incorporating eBPF to help monitor complex systems. Using a tool that leverages eBPF, you gain the benefits of eBPF without having to create and deploy eBPF programs yourself. You also enjoy the advantage of being able to analyze the data automatically, which eBPF itself does not help you do because it simply collects data and leaves it up to the user to shape and understand the data. Enhancing Kubernetes monitoring with eBPF Kubernetes relies heavily on Linux for its operation. In order to ensure that Kubernetes is running smoothly, it is important to monitor the performance of the underlying Linux operating system. As described previously, eBPF (extended Berkeley Packet Filter) is a Linux kernel technology that can be used to monitor and trace the performance of Kubernetes clusters. It allows code to be securely executed in the Linux kernel space, while maintaining process isolation. eBPF can be used to monitor the performance of Kubernetes nodes at the container level. It can be used to track the resource utilization of nodes, and to detect any performance bottlenecks that may be occurring. It can also be used to detect issues such as slow network performance, and to identify any software or hardware issues that may be causing the issue. eBPF can also be used to monitor the performance of applications running on Kubernetes clusters. It can be used to track the CPU and memory utilization of applications, and to detect any performance issues that are occurring. This can be especially useful when dealing with container-based systems, as it can provide visibility into the performance of individual containers. eBPF can be a powerful tool for monitoring and tracing the performance of Kubernetes clusters. It can help identify issues quickly and provides visibility into the performance of individual containers and applications. This can help ensure that applications are running smoothly, and that the Kubernetes cluster is running optimally. How can eBPF help with Kubernetes networking? Kubernetes networking is a system for connecting containers, pods, and services running on a cluster of hosts. It provides a single, secure, and persistent network for all the components that make up a Kubernetes-based system. (For a primer on Kubernetes networking, see our blog post ”Kubernetes Networking 101”.) eBPF can be used to inspect, filter, and monitor network traffic. By leveraging eBPF, Kubernetes networking can be enhanced by adding more granular and secure network visibility. This can be used to provide deep packet inspection, throttle traffic, and filter malicious traffic. eBPF can also provide more efficient and faster network performance by improving the way traffic is routed. Learn more about eBPF at Kentik Labs A practical example of using the extended Berkeley Packet filter can be found at Kentik Labs, Kentik’s open source hub for the developer, DevOps and site reliability engineering (SRE) community. The Convis (“container visibility”) project demonstrates use of the Linux extended BPF facility to attribute process and container information to network traffic. You can read more about Convis in this Kentik Labs blog post, “Convis - Open Source Container Visibility”.Updated: July 22, 2024The NetOps Guide to Network SecurityGuideKubernetes and Cross-cloud Service MeshesBlog PosteBPF Explained: Why it's Important for ObservabilityBlog PostSee all resourcesKentik is the network observability company.Get a Demo844-356-3278PlatformMulti-Cloud ObservabilityNetwork Monitoring System (NMS)SD-WAN MonitoringNetwork Security and ComplianceSynthetic MonitoringPeering and InterconnectionSubscriber IntelligenceKentik AINetwork TelemetryUniversal Data ExplorerObservability Data PipelineIntegrationsKentik Data EngineSolutionsReduce Cloud SpendMigrate To and From Any CloudImprove Cloud PerformanceOptimize Enterprise WANNetwork Performance MonitoringDeliver Exceptional Digital ExperiencesDetect and Mitigate DDoSHarden Zero-Trust Cloud Network PolicyInvestigate Security IncidentsVisualize All Cloud and Network TrafficTroubleshoot Any NetworkUnderstand Internet PerformanceConsolidate Legacy ToolsOptimize Peering and TransitPlan Network Capacity TechnologyAWSAzureBGPGoogle CloudKubernetesOCINew and NotableCloud doesn't have to mean compromiseEMA Radar Report for Network Operations ObservabilityCloud Latency MapLearnCase StudiesBlogResource LibraryTelemetry Now PodcastKentik Network Analysis CenterKentipediaProduct UpdatesDocumentationCompanyWhy KentikWho We ArePlans and PricingCustomersContact UsCareersPartnersKentik Slack CommunityPrivacy PolicyTerms of UseTrust CenterLegalSite MapCopyright © 2025 Kentik. All rights reserved.We use cookies to deliver our services.By using our website, you agree to the use of cookies as described in our Privacy Policy.I Agree