
zoidyzoidzoid/awesome-ebpf

A curated list of awesome projects related to eBPF.



Quick Overview

Awesome-eBPF is a curated list of resources related to eBPF (extended Berkeley Packet Filter) technology. It serves as a comprehensive collection of tools, tutorials, articles, and projects centered around eBPF, which is a powerful and flexible technology for Linux kernel programming and observability.

Pros

  • Extensive collection of eBPF resources in one place
  • Regularly updated with new tools and information
  • Well-organized into categories for easy navigation
  • Includes both beginner-friendly and advanced resources

Cons

  • May be overwhelming for newcomers due to the large amount of information
  • Some listed resources might become outdated over time
  • Lacks detailed explanations or comparisons of listed tools
  • Primarily focuses on listing resources rather than providing in-depth tutorials

Note: As this is not a code library but a curated list of resources, the code examples and getting started instructions sections are not applicable.

Competitor Comparisons

BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more

Pros of bcc

  • Comprehensive toolkit for eBPF-based Linux tracing and monitoring
  • Extensive collection of pre-built tools for various use cases
  • Active development and community support

Cons of bcc

  • Steeper learning curve for beginners
  • Requires more system resources due to its comprehensive nature
  • May be overkill for simple eBPF tasks

Code Comparison

bcc example:

from bcc import BPF

# Compile and load a minimal eBPF program that fires on every clone() syscall.
# bcc's kprobe__<symbol> naming convention auto-attaches a kprobe to <symbol> (sys_clone here).
b = BPF(text='int kprobe__sys_clone(void *ctx) { bpf_trace_printk("Hello, World!\\n"); return 0; }')
# Read the kernel trace pipe and print each bpf_trace_printk() line until Ctrl-C.
b.trace_print()

awesome-ebpf doesn't provide code examples directly, as it's a curated list of eBPF resources.

Summary

bcc is a full-featured eBPF toolkit with a wide range of tools and capabilities, suitable for advanced users and complex tracing scenarios. awesome-ebpf, on the other hand, serves as a comprehensive resource list for eBPF-related projects, tools, and learning materials, making it an excellent starting point for those exploring the eBPF ecosystem.

While bcc offers powerful functionality out of the box, awesome-ebpf provides a broader overview of the eBPF landscape, helping users discover various tools and resources, including bcc itself. The choice between them depends on whether you need a specific toolkit or a curated list of eBPF resources.

eBPF-based Networking, Security, and Observability

Pros of Cilium

  • Full-featured networking, security, and observability solution for containers and Kubernetes
  • Active development with frequent updates and a large community
  • Comprehensive documentation and extensive feature set

Cons of Cilium

  • Steeper learning curve due to its complexity
  • Requires more resources to run compared to a simple list of resources
  • May be overkill for users only interested in eBPF-specific information

Code Comparison

Cilium (Go):

// Excerpt from Cilium's daemon: compile the base datapath program bpf_netdev.c
// by invoking the compiler (the "compiler" name is defined elsewhere in the daemon package).
func (d *Daemon) compileBase() error {
    var args []string
    prog := d.conf.BpfDir + "/bpf_netdev.c"
    args = append(args, []string{"-c", prog}...)
    args = append(args, bpf.GetCompilerFlags()...)
    // Run the compiler; its combined stdout/stderr is discarded here, only the error is returned.
    _, err := exec.Command(compiler, args...).CombinedOutput()
    return err
}

Awesome-eBPF (Markdown):

## Tools

- [bcc](https://github.com/iovisor/bcc) - Tools for BPF-based Linux IO analysis, networking, monitoring, and more
- [bpftrace](https://github.com/iovisor/bpftrace) - High-level tracing language for Linux eBPF
- [gobpf](https://github.com/iovisor/gobpf) - Go bindings for creating BPF programs

Summary

Cilium is a comprehensive networking solution leveraging eBPF, while Awesome-eBPF is a curated list of eBPF resources. Cilium offers a full-featured platform but requires more investment, whereas Awesome-eBPF provides a simple starting point for exploring eBPF tools and projects.

Linux Runtime Security and Forensics using eBPF

Pros of Tracee

  • Comprehensive runtime security and observability tool, not just a curated list
  • Actively maintained and developed by Aqua Security
  • Provides real-time threat detection and forensics capabilities

Cons of Tracee

  • More complex to set up and use compared to a simple resource list
  • Focused specifically on runtime security, not a broad eBPF resource
  • Requires more system resources to run

Code Comparison

Tracee (main functionality):

func main() {
    // Build the default configuration, then create the tracer from it.
    cfg := config.New()
    // Named t so the variable does not shadow the tracee package it is created from.
    t, err := tracee.New(cfg)
    if err != nil {
        log.Fatalf("error creating tracee: %v", err)
    }
    // Load the eBPF programs and start the event-collection loop.
    t.Run()
}

Awesome-ebpf (README content):

# Awesome eBPF

A curated list of awesome projects related to eBPF.

## Contents

- [Projects](#projects)
- [Learning Resources](#learning-resources)

Summary

Tracee is a full-fledged eBPF-based security tool, while Awesome-ebpf is a curated list of eBPF resources. Tracee offers active security features but requires more setup, whereas Awesome-ebpf provides a simple reference for eBPF-related projects and learning materials. The choice between them depends on whether you need a security tool or a resource compilation.

Cloud Native Runtime Security

Pros of Falco

  • Full-fledged runtime security tool, not just a curated list
  • Provides real-time threat detection and alerting capabilities
  • Actively maintained and supported by a large community

Cons of Falco

  • More complex to set up and configure compared to a simple list
  • Requires system resources to run continuously
  • May have a steeper learning curve for beginners

Code Comparison

Falco rule example:

- rule: Detect Suspicious File Access
  desc: Detect attempts to access sensitive files
  condition: open_read and sensitive_files
  output: "Sensitive file opened for reading (user=%user.name file=%fd.name)"
  priority: WARNING

awesome-ebpf doesn't contain code, as it's a curated list of resources.

Summary

Falco is a comprehensive runtime security tool that leverages eBPF technology, while awesome-ebpf is a curated list of eBPF resources. Falco offers active threat detection and alerting, but requires more setup and resources. awesome-ebpf serves as a starting point for learning about eBPF technologies but doesn't provide direct security functionality. The choice between them depends on whether you need an active security solution or a reference for eBPF learning and development.

Automated upstream mirror for libbpf stand-alone build.

Pros of libbpf

  • Provides a comprehensive C/C++ library for working with eBPF
  • Offers low-level access to eBPF functionality
  • Actively maintained and widely used in production environments

Cons of libbpf

  • Steeper learning curve for beginners
  • Requires more in-depth knowledge of eBPF internals
  • Limited to C/C++ development

Code Comparison

libbpf example:

#include <stdio.h>
#include <stdlib.h>
#include <bpf/bpf.h>
#include <bpf/libbpf.h>

int main(void) {
    // Parse the ELF object (programs, maps, BTF); returns NULL and sets errno on failure (libbpf >= 1.0).
    struct bpf_object *obj = bpf_object__open("program.o");
    if (!obj) { perror("bpf_object__open"); return EXIT_FAILURE; }
    // Create the maps and run every program through the kernel verifier.
    if (bpf_object__load(obj)) { fprintf(stderr, "bpf_object__load failed\n"); bpf_object__close(obj); return EXIT_FAILURE; }
    // ... attach programs, read or update maps, etc. ...
    bpf_object__close(obj);
    return EXIT_SUCCESS;
}

awesome-ebpf doesn't provide code examples as it's a curated list of eBPF resources.

Summary

libbpf is a powerful library for working directly with eBPF in C/C++, offering fine-grained control and performance. It's ideal for experienced developers building low-level eBPF applications.

awesome-ebpf, on the other hand, is a curated list of eBPF resources, tools, and projects. It's excellent for learning about the eBPF ecosystem and discovering various tools and libraries, including libbpf itself.

Choose libbpf for direct eBPF development in C/C++, or use awesome-ebpf to explore the broader eBPF landscape and find the right tools for your needs.

High-level tracing language for Linux

Pros of bpftrace

  • Provides a high-level tracing language for eBPF
  • Offers a comprehensive set of built-in functions and probes
  • Actively maintained with regular updates and improvements

Cons of bpftrace

  • Focused solely on tracing, not a general-purpose eBPF tool
  • Steeper learning curve for users new to eBPF concepts
  • May have performance overhead compared to lower-level eBPF programs

Code Comparison

bpftrace example:

#!/usr/bin/env bpftrace
BEGIN {
    printf("Tracing TCP connects. Hit Ctrl-C to end.\n");
}
// Fires on every call to the kernel's tcp_connect(); comm is the name of the calling process.
kprobe:tcp_connect {
    printf("TCP connect: %s\n", comm);
}

awesome-ebpf doesn't contain code examples as it's a curated list of eBPF resources. However, it provides links to various eBPF projects and tools, including bpftrace.

Summary

bpftrace is a powerful, high-level tracing tool for eBPF, offering a user-friendly language for writing tracing scripts. It's actively maintained and provides a rich set of built-in functions. However, it's specialized for tracing and may have a steeper learning curve.

awesome-ebpf, on the other hand, is a curated list of eBPF resources, tools, and projects. It serves as a comprehensive reference for the eBPF ecosystem but doesn't provide direct functionality like bpftrace does.

Choose bpftrace for specific tracing needs, and use awesome-ebpf as a starting point to explore the broader eBPF landscape.


README

Awesome eBPF

A curated list of awesome projects related to eBPF.

BPF, as in Berkeley Packet Filter, is an in-kernel virtual machine running programs passed from user space. Initially implemented on BSD, then Linux, the (now legacy) "classic BPF" or cBPF machine would be used with tools like tcpdump for filtering packets in the kernel to avoid useless copies to user space. More recently, the BPF infrastructure in Linux has been completely reworked and gave life to the "extended BPF", or eBPF, which gained new features (safety and termination checks, JIT-compiling for programs, persistent maps, a standard library, hardware offload support, etc.) and is now used for many tasks. Processing packets at a very low level (XDP), tracing and monitoring events on the system, or enforcing access control over cgroups are but a few examples to which eBPF brings performance, programmability and flexibility.

Recently Cilium launched a great website about eBPF called ebpf.io. It serves a similar purpose to this list, with an introduction to eBPF and links to related projects.

Note: eBPF is an exciting piece of technology, and its ecosystem is constantly evolving. We'd love help from you to keep this awesome list up to date, and improve its signal-to-noise ratio in any way we can. Please feel free to leave any feedback.

Contents

Reference Documentation

eBPF Essentials

  • ebpf.io - A gateway to discover all the basics of eBPF, including a listing of the main related projects and of community resources.
  • Cilium's BPF and XDP Reference Guide - In-depth documentation about most features and aspects of eBPF.

Kernel Documentation

Manual Pages

  • bpf(2) - Manual page about the bpf() system call, used to manage BPF programs and maps from userspace.
  • tc-bpf(8) - Manual page about using BPF with tc, including example commands and samples of code.
  • bpf-helpers(7) man page - Description of the in-kernel helper functions forming the BPF standard library.

Other

Articles and Presentations

Generic eBPF Presentations and Articles

If you are new to eBPF, you may want to try the links described as "introductions" in this section.

BPF Internals

Kernel Tracing

XDP

AF_XDP

bpfilter

BTF

cBPF

Hardware Offload

Tutorials

Examples

  • linux/samples/bpf/ - In the kernel tree: some sample eBPF programs.
  • linux/tools/testing/selftests/bpf - In the kernel tree: Linux BPF selftests, with many eBPF programs.
  • prototype-kernel/kernel/samples/bpf - Jesper Dangaard Brouer's prototype-kernel repository contains some additional examples that can be compiled outside of kernel infrastructure.
  • iproute2/examples/bpf/ - Some networking programs to attach to the TC interface.
  • Netronome sample network applications - Provides basic but complete examples of eBPF applications also compatible with hardware offload.
  • bcc/examples - Examples coming along with the bcc tools, mostly about tracing.
  • bcc/tools - These tools themselves can be seen as example use cases for BPF programs, mostly for tracing and monitoring. bcc tools have been packaged for some Linux distributions.
  • MPLSinIP sample - A heavily commented sample demonstrating how to encapsulate & decapsulate MPLS within IP. The code is commented for those new to BPF development.
  • ebpf-samples - A collection of compiled (as ELF object files) samples gathered from several projects, primarily intended to serve as test cases for user space verifiers.
  • ebpf-kill-example - A fully documented and tested example of an eBPF probe that logs all force-kills and prints them out in user-space.
  • redbpf examples - Example programs for using RedBPF to write eBPF programs in Rust.
  • XDP/TC-eBPF example - Program that uses XDP/TC-eBPF to provide stateful firewalling and socket redirection.

eBPF Workflow: Tools and Utilities

bcc

  • bcc - Framework and set of tools - One way to handle BPF programs, in particular for tracing and monitoring. Also includes some utilities that may help inspect maps or programs on the system.
  • Lua front-end for BCC - Another alternative to C, and even to most of the Python code used in bcc.

iproute2

  • iproute2 - Package containing tools for network management on Linux. In particular, it contains tc, used to manage eBPF filters and actions, and ip, used to manage XDP programs. Most of the code related to BPF is in lib/bpf.c.
  • iproute2-next - The development tree, synchronised with net-next.

LLVM

  • LLVM - Contains several tools used in eBPF workflows. Snapshots of the latest versions for Ubuntu/Debian can be retrieved from here.

    • clang is used to compile C to an eBPF object file in ELF format (clang v3.7.1+). The BPF backend was added with this commit.
    • llvm-objdump is used to dump the content of an object file in human-readable format, possibly with the initial C source code (llvm-objdump v4.0+).
    • llvm-mc is used to compile from LLVM intermediate representation to eBPF object file, so that one can compile from C to eBPF assembly, tinker with assembly, then compile to ELF file.

libbpf

  • libbpf - A C library used for handling BPF objects (programs and maps), and manipulating ELF object files containing them. It is shipped with the kernel and mirrored on GitHub.
  • libbpf-bootstrap - Scaffolding for BPF application development with libbpf and BPF CO-RE.

Go libraries

  • cilium/ebpf - Pure-Go library to read, modify and load eBPF programs and attach them to various hooks in the Linux kernel.
  • libbpfgo - eBPF library for Go, powered by libbpf.
  • gobpf - Go bindings for BCC for creating eBPF programs.

Aya

  • aya - A pure Rust library for writing, loading, and managing eBPF objects, with a focus on developer experience and operability. It supports writing eBPF programs in Rust and distributing library code over crates.io to share it between eBPF programs. Aya does not depend on libbpf.
  • aya-template - Templates for writing BPF applications in Aya that can be used with cargo generate.
  • Ebpfguard - Rust library for writing Linux security policies using eBPF.

zbpf

  • zbpf - A pure Zig framework for writing cross platform eBPF programs, powered by libbpf and Zig toolchain.

eunomia-bpf

  • eunomia-bpf - A compilation framework and runtime library to build, distribute, dynamically load, and run CO-RE eBPF applications in multiple languages and WebAssembly. It supports writing eBPF kernel code only (to build simple CO-RE libbpf eBPF applications), writing the kernel part in both BCC and libbpf styles, and writing userspace in multiple languages in a WASM module and distributing it with simple JSON data or WASM OCI images. The runtime is based on libbpf only and provides CO-RE to BCC-style eBPF programs without depending on the LLVM library.

oxidebpf

  • oxidebpf - A pure Rust library for managing eBPF programs, designed for security use cases. The featureset is more limited than other libraries but emphasizes stability across a wide range of kernels and backwards-compatible compile-once-run-most-places.

bpftool and Other Tools from the Kernel Tree

  • bpftool - Along with some other tools in the kernel tree, under linux/tools/net/ for versions earlier than 4.15, or linux/tools/bpf/ after that:

    • bpftool - A generic utility that can be used to interact with eBPF programs and maps from userspace, for example to show, dump, load, disassemble, pin programs, or to show, create, pin, update, delete maps, or to attach and detach programs to cgroups.
    • bpf_asm - A minimal cBPF assembler.
    • bpf_dbg - A small debugger for cBPF programs.
    • bpf_jit_disasm - A disassembler for both BPF flavors, which can be highly useful for JIT debugging.

User Space eBPF

  • uBPF - Written in C. Contains an interpreter, a JIT compiler for x86_64 architecture, an assembler and a disassembler.
  • A generic implementation - With support for FreeBSD kernel, FreeBSD user space, Linux kernel, Linux user space and macOS user space. Used for the VALE software switch's BPF extension module.
  • rbpf - Written in Rust. Interpreter for Linux, macOS and Windows, and JIT-compiler for x86_64 under Linux.
  • PREVAIL - A user space verifier for eBPF using an abstract interpretation layer, with support for loops.
  • oster - Written in Go. A tool for tracing execution of Go programs by attaching eBPF to uprobes.
  • wachy - A tracing profiler that aims to make eBPF uprobe-based debugging easier to use. This is done by displaying traces in a UI next to the source code and allowing interactive drilldown analysis.

eBPF on Other Platforms

  • eBPF for Windows - This project is a work-in-progress that allows existing eBPF toolchains and APIs familiar from the Linux ecosystem to be used on top of Windows.

Testing in Virtual Environments

Projects Related to eBPF

Networking

Observability

  • InKeV: In-Kernel Distributed Network Virtualization for DCN
  • DEEP-mon - Helps with measuring power consumption for servers and uses eBPF programs for in-kernel aggregation of data.
  • pixie - Observability for Kubernetes using eBPF. Features include protocol tracing, application profiling, and support for distributed bpftrace deployments.
  • SkyWalking Rover - Apache SkyWalking is an open-source Application Performance Monitoring (APM) platform specially designed for distributed systems with microservices, cloud-native and container-based (Kubernetes) architectures. SkyWalking Rover is an eBPF-based profiler and metrics collector for C, C++, Golang, and Rust applications.
  • parca-agent - eBPF based always-on continuous profiler for analysis of CPU and memory usage, down to the line number and throughout time.
  • rbperf - Sampling profiler and tracer for Ruby.
  • Hubble - Network, service and security observability for Kubernetes using eBPF.
  • Caretta - Instant Kubernetes service dependency map generated by eBPF, right to a Grafana instance.
  • DeepFlow - Instant observability for cloud-native and AI applications based on eBPF.

Security

  • Falco - A cloud-native runtime security project used as a Kubernetes threat detection engine.
  • Sysmon for Linux - A security monitoring tool. It depends on SysinternalsEBPF.
  • Red Canary Linux Agent - Red Canary has started to incorporate eBPF into their Linux security sensor.
  • Tracee - A runtime security and forensics tool for Linux which uses eBPF technology to trace the system and applications at runtime, and analyze collected events to detect suspicious behavioral patterns.
  • redcanary-ebpf-sensor - A set of BPF programs that gather security relevant event data from the Linux kernel. The BPF programs are combined into a single ELF file from which individual probes can be selectively loaded, depending on the running operating system and kernel version.
  • bpflock - Lock Linux machines - An eBPF driven security tool for locking and auditing Linux machines.
  • Tetragon - Kubernetes-aware, eBPF-based security observability and runtime enforcement.

Tools

  • ply - A small but flexible open source dynamic tracer for Linux, with features similar to the bcc tools, but with a simpler language inspired by awk and DTrace.
  • bpftrace - A tool for tracing with its own high-level tracing language. It is flexible enough to be envisioned as a Linux replacement for DTrace and SystemTap.
    • bpftrace Cheat Sheet - Summary and cheat sheet for programming in bpftrace. Contains information about syntax, probe types, variables and functions.
  • kubectl trace - A kubectl plug-in for executing bpftrace programs in a Kubernetes cluster.
  • inspektor-gadget - A collection of eBPF-based tools to debug and inspect Kubernetes resources and applications.
  • bpfd - Framework for running BPF programs with rules on Linux as a daemon. Container aware.
  • BPFd - A distinct BPF daemon, trying to leverage the flexibility of the bcc tools to trace and debug remote targets, and in particular devices running with Android.
  • adeb - A Linux shell environment for using tracing tools on Android with BPFd.
  • greggd - System daemon to compile and load eBPF programs into the kernel, and forward program output to socket for metric aggregation.
  • FUSE - Considers using eBPF.
  • upf-bpf - An in-kernel solution based on XDP for 5G UPF.
  • redbpf - Tooling and framework to write eBPF code in Rust efficiently.
  • ebpf-explorer - A web interface to explore a system's maps and programs.
  • ebpfmon - A TUI (terminal user interface) application for real time monitoring of eBPF programs.
  • bpfman - An eBPF Manager for Linux and Kubernetes. Includes a built-in program loader that supports program cooperation for XDP and TC programs, as well as deployment of eBPF programs from OCI images.
  • ptcpdump - A process-aware, eBPF-based tcpdump-like tool.

eBPF in Security

  • Embrace The Red: Offensive BPF! - A series of posts introducing BPF with a focus on an offensive setting, and on how its misuse can be detected. Posts include discussions of the rootkit capabilities of eBPF, and of which tracing type is needed for different use cases.
  • eBPF: Block Linux Fileless Payload "Malware" Execution with BPF LSM - Blog post about how BPF can help detect and block fileless malware.
  • Blackhat 2021: With Friends Like eBPF, Who Needs Enemies? - Talk about an eBPF rootkit and how the capabilities of eBPF could be abused. The rootkit was also the object of a talk at Defcon, "eBPF, I thought we were friends!".
  • ebpfkit - A rootkit that leverages multiple eBPF features to implement offensive security techniques.
  • ebpfkit-monitor - A utility to statically analyze eBPF bytecode or monitor suspicious eBPF activity at runtime. It was specifically designed to detect ebpfkit.
  • Bad BPF - A collection of malicious eBPF programs that make use of eBPF's ability to read and write user data in between the usermode program and the kernel.
  • TripleCross - A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.

The Code

Development and Community

Other Lists of Resources on eBPF

Acknowledgement

Thank you to Quentin Monnet and Daniel Borkmann for their original work on Dive into BPF: A List of Reading Material which became the basis for this list.

Contributing

Contributions welcome! Read the contribution guidelines first.

License

CC0

To the extent possible under law, zoidbergwill has waived all copyright and related or neighboring rights to this work.