Dynamically program the kernel for efficient networking, observability, tracing, and security
- Programs are verified to safely execute
- Hook anywhere in the kernel to modify functionality
- JIT compiler for near native execution speed
- Add OS capabilities at runtime
Organizations in every industry use eBPF in production
Google uses eBPF for security auditing, packet processing, and performance monitoring.
Netflix uses eBPF at scale for network insights.
Android uses eBPF to monitor network usage, power, and memory profiling.
- S&P Global
S&P Global uses eBPF through Cilium for networking across multiple clouds and on-prem.
Shopify uses eBPF through Falco for intrusion detection.
Cloudflare uses eBPF for network security, performance monitoring, and network observability.
Why eBPF?What is eBPF
eBPF drastically improves processing by being JIT compiled and running directly in the kernel.
eBPF programs are verified to not crash the kernel and can only be modified by privileged users.
Modify or add functionality and use cases to the kernel without having to restart or patch it.
What’s possible with eBPF?
Speed packet processing without leaving kernel space. Add additional protocol parsers and easily program any forwarding logic to meet changing requirements.
Collection and in-kernel aggregation of custom metrics with generation of visibility events and data structures from a wide range of possible source without having to export samples.
Tracing & Profiling
Attach eBPF programs to trace points as well as kernel and user application probe points giving powerful introspection abilities and unique insights to troubleshoot system performance problems.
Combine seeing and understanding all system calls with a packet and socket-level view of all networking to create security systems operating on more context with a better level of control