Tooling

eBPF Tools

Programmable kernel observability and security — bpftrace, BCC, Cilium, Tetragon.

eBPF lets you safely run programs inside the Linux kernel — for observability, networking, and security. By 2026 it's mainstream production tech.

Tracing / profiling

  • bpftrace — high-level tracing language; one-liners that would be a week of C. The default for ad-hoc kernel tracing.
  • BCC (BPF Compiler Collection) — Python tools (execsnoop, tcpconnect, biolatency, runqlat, ...). Most production tooling lives here.
  • bpftool — kernel utility for managing eBPF programs.
  • kpatch / livepatch — kernel updates without reboot (kernel-side, not eBPF, but adjacent).

Performance / profiling

  • Pyroscope eBPF agent — continuous profiling without code changes.
  • Parca — eBPF-based whole-system profiling.
  • Pixie (CNCF) — auto-instruments k8s services with eBPF; deep visibility.
  • bcc/profile — sample stack traces.
  • Brendan Gregg's various toolsbcc/funcslower, perf-tools, etc.

Networking

  • Cilium — eBPF-native CNI for Kubernetes; replaces kube-proxy, supports ClusterMesh, Service Mesh. The default CNI in 2026 for new clusters.
  • Hubble — Cilium's observability layer; flow visibility.
  • Calico eBPF mode — alternative CNI with optional eBPF.
  • xdp-tools / katran (Meta) — XDP-based load balancers / DDoS mitigation.

Security / runtime

  • Falco (CNCF) — runtime security; alerts on syscall patterns ("shell spawned in container", etc.). The default.
  • Tetragon (Cilium) — runtime security observation + enforcement; eBPF-based; CNCF.
  • Tracee (Aqua) — runtime detection; YAML-defined detection rules.
  • eBPF for Windows — yes, eBPF on Windows is real now.

DDoS / firewall (XDP-based)

  • bpfilter — kernel project to replace iptables eBPF-style.
  • Cloudflare uses eBPF for huge swathes of its DDoS mitigation.

Kubernetes-specific

  • Cilium ClusterMesh — multi-cluster networking via eBPF.
  • Hubble — flow visibility in clusters.
  • Pixie — auto-instrumentation in k8s.
  • Inspektor Gadget (Microsoft) — k8s-native eBPF tracing tools.

What to use eBPF for

  • Performance tracing without rebuilding services.
  • Network policy enforcement (Cilium).
  • Service mesh without sidecars (Cilium Service Mesh).
  • Runtime security detection (Falco / Tetragon).
  • Continuous profiling (Parca / Pyroscope).
  • Custom observability for niche workloads.

What you don't need eBPF for

  • "Show me CPU usage" — htop / Netdata is enough.
  • "I want application metrics" — OpenTelemetry / Prometheus is enough.
  • "I want logs" — Loki / Vector / Fluent Bit is enough.

eBPF earns its keep when you need kernel-level observability or networking that ordinary tools can't reach.

Patterns to adopt

  • Use the high-level tools first. Pixie / Cilium / Pyroscope hide eBPF complexity well.
  • bpftrace one-liners for ad-hoc investigation; commit useful ones to a runbook.
  • Production runtime security with Falco or Tetragon is increasingly table-stakes for compliance.

Pick this if…

  • Default k8s CNI in 2026: Cilium.
  • Cluster runtime security: Falco or Tetragon.
  • Continuous profiling: Parca or Pyroscope eBPF agent.
  • Deep ad-hoc kernel tracing: bpftrace + BCC tools.
  • Service auto-instrumentation in k8s: Pixie.
  • Existing iptables-heavy network: Cilium replaces all of it.

On this page