Working with eBPF
BPF stands for Berkeley Packet Filter and eBPF for Extended BPF. BPF was introduced back in 1992 to improve the performance of packet capture tools. Back in 2013, Alexei Starovoitov did a major rewrite of BPF that was included in the Linux kernel in 2014 and replaced BPF. With this rewrite, BPF, which is now called eBPF, became more versatile and can be used for a variety of tasks other than network packet capture.
eBPF software can be programmed in BCC, bpftrace, or using LLVM. The LLVM compiler can compile BPF programs into BPF bytecode from a supported programming language such as C or from the LLVM intermediate representation. As both of these ways require writing low-level code, using BCC or bpftrace makes things simpler for the developer.
What is eBPF?
It is really difficult to describe precisely what eBPF can do because it has so many capabilities. It is much easier to describe how we can use eBPF. eBPF can be used in three main...