Dynamically program the kernel for efficient networking, observability, tracing, and security

Project Landscape What is eBPF

Programs are verified to safely execute
Hook anywhere in the kernel to modify functionality
JIT compiler for near native execution speed
Add OS capabilities at runtime

Organizations in every industry use eBPF in production

Google
Google uses eBPF for security auditing, packet processing, and performance monitoring
- Video
- Talk
Netflix
Netflix uses eBPF at scale for network insights
- Blog
- Video
Android
Android uses eBPF to monitor network usage, power, and memory profiling
- Docs
S&P Global
S&P Global uses eBPF through Cilium for networking across multiple clouds and on-prem
- Video
Shopify
Shopify uses eBPF through Falco for intrusion detection
- Video
Cloudflare
Cloudflare uses eBPF for network security, performance monitoring, and network observability
- Blog
- Talk

More case studies

Why eBPF?

What is eBPF

Performance
eBPF drastically improves processing by being JIT compiled and running directly in the kernel.
Security
eBPF programs are verified to not crash the kernel and can only be modified by privileged users.
Flexibility
Modify or add functionality and use cases to the kernel without having to restart or patch it.

What is eBPF

Premiere

Unlocking the Kernel

The eBPF Documentary provides an in-depth exploration on the origins of eBPF and showcases the stories, challenges, and rewards of this industry changing technology. You will hear from the best and brightest in the open source world, including key stakeholders from Meta, Intel, Isovalent, Google, Red Hat, and Netflix, who helped shape and build the tools that drove the success and adoption of eBPF.

eBPF Documentary Website

eBPF has resulted in a new generation of tooling that allows developers to easily diagnose problems, innovate quickly, and extend operating system functionality.

Mark Russinovich — Chief Technology Officer at Microsoft Azure, 2021

What’s possible with eBPF?

Networking
Speed packet processing without leaving kernel space. Add additional protocol parsers and easily program any forwarding logic to meet changing requirements.
Observability
Collection and in-kernel aggregation of custom metrics with generation of visibility events and data structures from a wide range of possible sources without having to export samples.
Tracing & Profiling
Attach eBPF programs to trace points as well as kernel and user application probe points giving powerful introspection abilities and unique insights to troubleshoot system performance problems.
Security
Combine seeing and understanding all system calls with a packet and socket-level view of all networking to create security systems operating on more context with a better level of control.