High-performance Linux monitoring with eBPF

Cite

Chaos Computer Club e.V.

Acosta, Alfonso

Formal Metadata

Title

High-performance Linux monitoring with eBPF

Title of Series

All Systems Go! - The Userspace Linux Conference 2017

Number of Parts

Author

Acosta, Alfonso

Contributors

All Systems Go!

License

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Identifiers

10.5446/37929 (DOI)

Publisher

Chaos Computer Club e.V.

Release Date

2017

Language

English

Producer

All Systems Go!

Content Metadata

Subject Area

Computer Science

Genre

Conference/Talk

Abstract

Extended Berkeley Packet Filter (eBPF) allows for high-performance introspection of the Linux kernel execution. eBPF is widely available (part of the mainline kernel and enabled by most distributions), flexible (any kernel code path can be probed) and safe (driven from userspace and statically verified). In this talk, I will introduce eBPF, explaining how it can be used to track TCP connections in real time. On the way I will demonstrate it is possible to access eBPF from languages other than C (Golang) and remove undesirable runtime dependencies (LLVM compiler and kernel-headers). At Weaveworks we are using eBPF for the connection-tracker of the Weave Scope visualization tool.