A restricted subset of C is compiled via clang to eBPF bytecode, and the Linux kernel contains a JIT (and of course a VM) to execute it.


bcc is a higher level toolkit for interacting with eBPF (including via Python). For example:

    from bcc import BPF

    # The C program is compiled by clang into eBPF bytecode and loaded by the kernel;
    # the function name kprobe__sys_clone tells bcc to attach it as a kprobe on sys_clone.
    BPF(text='''
    int kprobe__sys_clone(void *ctx) {
        bpf_trace_printk("Hello, World!\\n");
        return 0;
    }
    ''').trace_print()   # read the kernel trace pipe and print each message
will attach a simple print callback whenever a new process is spawned (via clone(2)).
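An added example (not from the original post or from bcc itself): a small parser over constructed trace_pipe lines of the kind that kprobe emits, counting clone() events per process so a defender can spot unusually busy spawners. The sample lines, the regex and the threshold are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample of what trace_pipe / BPF.trace_print() emits for the
# hello-world kprobe above: task-pid, cpu, flags, timestamp, function, message.
SAMPLE_TRACE_LINES = """\
            bash-1234  [001] d... 12345.678901: bpf_trace_printk: Hello, World!
            bash-1234  [001] d... 12345.700112: bpf_trace_printk: Hello, World!
           <...>-5678  [000] d... 12345.812345: bpf_trace_printk: Hello, World!
            sshd-777   [002] d... 12346.000001: bpf_trace_printk: Hello, World!
""".splitlines()

# The function column (here "bpf_trace_printk") varies with kernel version and
# may be empty, so it is matched with \S* rather than \S+.
TRACE_RE = re.compile(
    r"^\s*(?P<task>.+?)-(?P<pid>\d+)\s+\[(?P<cpu>\d+)\]\s+(?P<flags>\S+)\s+"
    r"(?P<ts>\d+\.\d+):\s+(?P<fn>\S*):\s+(?P<msg>.*)$"
)


def parse_trace_line(line):
    """Split one trace_pipe line into its fields; None if it does not match."""
    m = TRACE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["pid"] = int(d["pid"])
    d["cpu"] = int(d["cpu"])
    d["ts"] = float(d["ts"])
    return d


def clone_counts(lines):
    """Count clone() events per (task, pid) from the hello-world kprobe output."""
    counts = Counter()
    for line in lines:
        ev = parse_trace_line(line)
        if ev and ev["msg"].strip() == "Hello, World!":
            counts[(ev["task"], ev["pid"])] += 1
    return counts


def noisy_spawners(lines, threshold=2):
    """Return (task, pid) pairs that spawned at least `threshold` children."""
    return sorted(k for k, n in clone_counts(lines).items() if n >= threshold)
```

To run this against a live system, replace SAMPLE_TRACE_LINES with lines read from /sys/kernel/debug/tracing/trace_pipe while the kprobe above is loaded.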

BPF-based tools

Brendan Gregg has a great diagram and post of the various BPF-using tools, and which part of the stack they trace.

More Tracing

Julia Evans’s Linux tracing systems & how they fit together is pretty great reading & reference for context beyond just BPF.

Category: programming