eBPF summit 2022  (28-29 September)
Register Now!

Major Applications

  • bcc

    Toolkit and library for efficient BPF-based kernel tracing
    BCC is a toolkit for creating efficient kernel tracing and manipulation programs built upon eBPF, and includes several useful command-line tools and examples. BCC eases writing of eBPF programs for kernel instrumentation in C, includes a wrapper around LLVM, and front-ends in Python and Lua. It also provides a high-level library for direct integration into applications.
  • Cilium

    eBPF-based Networking, Security, and Observability
    Cilium is an open source project that provides eBPF-powered networking, security and observability. It has been specifically designed from the ground up to bring the advantages of eBPF to the world of Kubernetes and to address the new scalability, security and visibility requirements of container workloads.
  • bpftrace

    High-level tracing language for Linux eBPF
    bpftrace is a high-level tracing language for Linux eBPF. Its language is inspired by awk and C, and predecessor tracers such as DTrace and SystemTap. bpftrace uses LLVM as a backend to compile scripts to eBPF bytecode and makes use of BCC as a library for interacting with the Linux eBPF subsystem as well as existing Linux tracing capabilities and attachment points.
  • Falco

    Cloud Native Runtime Security
    Falco is a behavioral activity monitor designed to detect anomalous activity in applications. Falco audits a system at the Linux kernel layer with the help of eBPF. It enriches gathered data with other input streams such as container runtime metrics and Kubernetes metrics, and allows to continuously monitor and detect container, application, host, and network activity.
  • Katran

    A high performance layer 4 load balancer
    Katran is a C++ library and eBPF program to build a high-performance layer 4 load balancing forwarding plane. Katran leverages the XDP infrastructure from the Linux kernel to provide an in-kernel facility for fast packet processing. Its performance scales linearly with the number of NIC's receive queues and it uses RSS friendly encapsulation for forwarding to L7 load balancers.
  • Pixie

    Scriptable observability for Kubernetes
    Pixie is an open source observability tool for Kubernetes applications. Pixie uses eBPF to automatically capture telemetry data without the need for manual instrumentation. Developers can use Pixie to view the high-level state of their cluster (service maps, cluster resources, application traffic) and also drill down into more detailed views (pod state, flame graphs, individual full body application requests).

Emerging Applications

  • Pyroscope

    Continuous Profiling Platform
    Pyroscope is an open source project centered around continuous profiling, particularly in a Kubernetes context. It leverages eBPF as its core technology along with a custom storage engine to offer system-wide continuous profiling with minimal overhead as well as efficient storage and querying capabilities. We support Linux 4.9 and up thanks to CO-RE and libbpf.
  • eCapture

    SSL/TLS capture tool using eBPF
    eCapture is a tool that can capture plaintext without a CA certificate. It supports TLS encryption libraries such as openssl/gnutls/nspr etc. The userspace code is written in Go and uses cilium/ebpf. It can work on Linux Kernel 4.18 and later, and supports CO-RE features. At the same time, it also works without BTF.
  • Parca

    Continuous Profiling Platform
    Track memory, CPU, I/O bottlenecks broken down by method name, class name, and line number over time. Without complex overhead, in any language or framework. Using Parca's UI the data can be globally explored and analyzed using various visualizations to quickly and efficiently identify bottlenecks in code. Parca uses eBPF to collect profiling data and uses libbpf-go to interact with the kernel.
  • Hubble

    Network, Service & Security Observability for Kubernetes using eBPF
    Hubble is a fully distributed networking and security observability platform for cloud native workloads. It is built on top of Cilium and eBPF to enable deep visibility into the communication and behavior of services as well as the networking infrastructure in a completely transparent manner.
  • Tracee

    Linux Runtime Security and Forensics using eBPF
    Tracee uses eBPF technology to detect and filter operating system events, helping you expose security insights, detect suspicious behavior, and capture forensic indicators.
  • Tetragon

    eBPF-based Security Observability & Runtime Enforcement
    Tetragon provides eBPF-based transparent security observability combined with real-time runtime enforcement. The deep visibility is achieved without requiring application changes and is provided at low overhead thanks to smart Linux in-kernel filtering and aggregation logic built directly into the eBPF-based kernel-level collector. The embedded runtime enforcement layer is capable of performing access control on kernel functions, system calls and at other enforcement levels.
  • kubectl trace

    Schedule bpftrace programs on your Kubernetes cluster
    kubectl-trace is a kubectl plugin that allows for scheduling the execution of bpftrace(8) programs in Kubernetes clusters. kubectl-trace does not require installation of any components directly onto a Kubernetes cluster in order to execute bpftrace programs. When pointed to a cluster, it schedules a temporary job called trace-runner that executes bpftrace.
  • Inspektor Gadget

    Introspecting and debugging Kubernetes applications using eBPF "gadgets"
    Inspektor Gadget is a collection of tools (or gadgets) to debug and inspect Kubernetes resources and applications. It manages the packaging, deployment and execution of eBPF programs in a Kubernetes cluster, including many based on BCC tools, as well as some developed specifically for use in Inspektor Gadget. It automatically maps low-level kernel primitives to high-level Kubernetes resources, making it easier and quicker to find the relevant information.
  • BumbleBee

    OCI compliant eBPF tooling
    BumbleBee simplifies building eBPF tools and allows you to package, distribute, and run eBPF programs using OCI images. It allows you to just focus on the eBPF portion of your code and BumbleBee automates away the boilerplate, including the userspace code.
  • pwru

    eBPF-based Linux kernel network packet tracer
    pwru is an eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities. It allows fine-grained introspection of kernel state to facilitate debugging network connectivity issues.
  • ply

    A dynamic tracer for Linux
    ply is a dynamic tracer for Linux which is built upon eBPF. It has been designed with embedded systems in mind, is written in C and all that ply needs to run is libc and a modern Linux kernel with eBPF support, meaning, it does not depend on LLVM for its program generation. It has a C-like syntax for writing scripts and is heavily inspired by awk(1) and dtrace(1).
  • wachy

    UI for interactive eBPF-based userspace performance debugging
    Wachy is a profiler that uses eBPF to trace arbitrary compiled binaries and functions at runtime. It aims to make eBPF uprobe-based debugging much easier to use by displaying traces in a UI next to the source code, and allowing interactive drilldown analysis.
  • KubeArmor

    Container-aware Runtime Security Enforcement System
    KubeArmor is a container-aware runtime security enforcement system that restricts the behavior (such as process execution, file access, networking operation, and resource utilization) of containers at the system level, using LSMs and eBPF.
  • Merbridge

    Use eBPF to speed up your Service Mesh like crossing an Einstein-Rosen Bridge
    Merbridge is designed to make traffic interception and forwarding more efficient for service mesh. With Merbridge, developers can use eBPF instead of iptables to accelerate their service mesh without any additional operations or code changes. Currently, Merbridge already supports Istio, Linkerd, and Kuma.
  • DeepFlow

    Highly Automated Observability Platform powered by eBPF
    DeepFlow is a highly automated observability platform built for cloud native developers. Based on eBPF, DeepFlow innovatively implements an automated distributed tracing mechanism: AutoTracing. Microservice processes, service mesh sidecars, and network interfaces along the way are included as tracing spans, for every distributed transaction, without any code instrumentation. DeepFlow can automatically generate golden RED metrics for any process in cloud native environment.
  • Pulsar

    A modular runtime security framework for the IoT
    Pulsar is an event-driven framework for monitoring the activity of Linux devices. It allows you to collect runtime activity events from the Linux kernel through its modules and evaluate each event against your own set of security policies. Powered by eBPF and written in Rust, Pulsar is lightweight and safe by design.
  • L3AF

    Complete lifecycle management of eBPF programs
    L3AF is a platform to launch and manage eBPF programs in distributed environments. L3AF empowers users to compose multiple eBPF programs together to solve unique problems in different environments. Using the APIs provided by L3AF, these eBPF programs can be reconfigured, updated, inspected, and reordered on-the-fly. L3AF also provides configurable metrics for the eBPF programs it has launched.
  • LoxiLB

    eBPF based cloud-native load-balancer for 5G Edge
    LoxiLB is an open-source cloud-native "external" service load-balancer for cloud-native 5G/edge workloads written from scratch using eBPF as its core-engine and based on Go Language. LoxiLB turns Kubernetes network load balancing for 5G/Edge services into high speed, flexible and programmable LB services.
  • Kepler

    Kubernetes-based Efficient Power Level Exporter
    Kepler (Kubernetes-based Efficient Power Level Exporter) is a Prometheus exporter. It uses eBPF to probe CPU performance counters and Linux kernel tracepoints. These data and stats from cgroup and sysfs are fed into ML models to estimate energy consumption by Pods.
  • Apache SkyWalking

    APM, Application Performance Monitoring System
    Apache SkyWalking is an application performance monitor tool for distributed systems, especially designed for microservices, cloud native and container-based (Kubernetes) architectures. SkyWalking Rover is an agent in the SkyWalking ecosystem, as a metrics collector and profiler powered by eBPF to diagnose CPU, I/O and L4/L7(TLS) network performance. Also, Rover provides add-on events for spans in the distributed tracing.

Frequently Asked Questions

Are these projects under the eBPF Foundation?

  • This page lists a number of open source projects that use eBPF as the underlying core technology. These projects are not under the eBPF Foundation but are listed here as a survey of the eBPF project landscape today.

Add your project

  1. Make sure that the project is meeting the requirements to be listed. See below.
  2. Open a pull request and provide the required information. Use one of the already listed projects as a template. The ordering of applications is based on the number of Github stars (high to low), updated on a quaterly basis.
  3. The pull request will be reviewed by the community and merged by one of the maintainers. If you have any questions, feel free to ask on Slack.

Are you maintaining a listed project?

  • If you are maintaining one of the listed projects and would like to adjust the content. Get in touch on Slack or open a pull request directly.

Requirements for a project to be listed

Projects can be listed on this page as "Major" or "Emerging". The requirements for being listed as "Emerging" are:

  • The project must be open source. All source code must be licensed under an open source license. Any documentation must be licensed under an open license.
  • The project must be using eBPF as its underlying core technology, in other words, a project would lose its purpose if the eBPF parts are removed.
  • The project must be open to collaboration and have a governance model following open-source best-practices.

In order to be listed as a "Major" project, a project must meet all of the requirements above, plus:

  • The project must have more than 50 contributors.
  • The project must be actively maintained.
  • The project must be used in production-like environments with a significant amount of users. Since this information may not be easily discoverable from a link to the project, such information should be included in the pull request description.