eBPF Tools
Programmable kernel observability and security — bpftrace, BCC, Cilium, Tetragon.
eBPF lets you safely run programs inside the Linux kernel — for observability, networking, and security. By 2026 it's mainstream production tech.
Tracing / profiling
- ★ bpftrace — high-level tracing language; one-liners that would be a week of C. The default for ad-hoc kernel tracing.
- ★ BCC (BPF Compiler Collection) — Python tools (
execsnoop,tcpconnect,biolatency,runqlat, ...). Most production tooling lives here. - bpftool — kernel utility for managing eBPF programs.
- kpatch / livepatch — kernel updates without reboot (kernel-side, not eBPF, but adjacent).
Performance / profiling
- ★ Pyroscope eBPF agent — continuous profiling without code changes.
- ★ Parca — eBPF-based whole-system profiling.
- Pixie (CNCF) — auto-instruments k8s services with eBPF; deep visibility.
- bcc/profile — sample stack traces.
- Brendan Gregg's various tools —
bcc/funcslower,perf-tools, etc.
Networking
- ★ Cilium — eBPF-native CNI for Kubernetes; replaces kube-proxy, supports ClusterMesh, Service Mesh. The default CNI in 2026 for new clusters.
- Hubble — Cilium's observability layer; flow visibility.
- Calico eBPF mode — alternative CNI with optional eBPF.
- xdp-tools / katran (Meta) — XDP-based load balancers / DDoS mitigation.
Security / runtime
- ★ Falco (CNCF) — runtime security; alerts on syscall patterns ("shell spawned in container", etc.). The default.
- ★ Tetragon (Cilium) — runtime security observation + enforcement; eBPF-based; CNCF.
- Tracee (Aqua) — runtime detection; YAML-defined detection rules.
- eBPF for Windows — yes, eBPF on Windows is real now.
DDoS / firewall (XDP-based)
- bpfilter — kernel project to replace iptables eBPF-style.
- Cloudflare uses eBPF for huge swathes of its DDoS mitigation.
Kubernetes-specific
- Cilium ClusterMesh — multi-cluster networking via eBPF.
- Hubble — flow visibility in clusters.
- Pixie — auto-instrumentation in k8s.
- Inspektor Gadget (Microsoft) — k8s-native eBPF tracing tools.
What to use eBPF for
- Performance tracing without rebuilding services.
- Network policy enforcement (Cilium).
- Service mesh without sidecars (Cilium Service Mesh).
- Runtime security detection (Falco / Tetragon).
- Continuous profiling (Parca / Pyroscope).
- Custom observability for niche workloads.
What you don't need eBPF for
- "Show me CPU usage" — htop / Netdata is enough.
- "I want application metrics" — OpenTelemetry / Prometheus is enough.
- "I want logs" — Loki / Vector / Fluent Bit is enough.
eBPF earns its keep when you need kernel-level observability or networking that ordinary tools can't reach.
Patterns to adopt
- Use the high-level tools first. Pixie / Cilium / Pyroscope hide eBPF complexity well.
- bpftrace one-liners for ad-hoc investigation; commit useful ones to a runbook.
- Production runtime security with Falco or Tetragon is increasingly table-stakes for compliance.
Pick this if…
- Default k8s CNI in 2026: Cilium.
- Cluster runtime security: Falco or Tetragon.
- Continuous profiling: Parca or Pyroscope eBPF agent.
- Deep ad-hoc kernel tracing: bpftrace + BCC tools.
- Service auto-instrumentation in k8s: Pixie.
- Existing iptables-heavy network: Cilium replaces all of it.