eBPF Tutorial by Example: Learning CO-RE eBPF Step by Step with Tools

This is a development tutorial for eBPF based on CO-RE (Compile Once, Run Everywhere). It provides practical eBPF development practices from beginner to advanced, including basic concepts, code examples, and real-world applications. Unlike BCC, we use frameworks like libbpf, Cilium, libbpf-rs, and eunomia-bpf for development, with examples in languages such as C, Go, and Rust.

This tutorial does not cover complex concepts and scenario introductions. Its main purpose is to provide examples of eBPF tools (very short, starting with twenty lines of code!) to help eBPF application developers quickly grasp eBPF development methods and techniques. The tutorial content can be found in the directory, with each directory being an independent eBPF tool example.

For the complete source code of the tutorial, please refer to the repo https://github.com/eunomia-bpf/bpf-developer-tutorial on GitHub. If you find this tutorial helpful, please give us a star!

Table of Contents

• Introduction to basic concepts of eBPF and common development tools
• eBPF Hello World, basic framework and development process
• Monitoring and capturing unlink system calls using kprobe
• Monitoring and capturing unlink system calls using fentry
• Collection of system calls for capturing processes opening files, filtering process pid using global variables
• Capturing readline function calls of bash using uprobe
• Collection of system calls for capturing process signal sending, saving state using hash map
• Capturing process execution/exit time, printing output to user space using perf event array
• Monitoring process exit events using exitsnoop, printing output to user space using ring buffer
• A Linux kernel BPF program that summarizes scheduler run queue latency using histograms, displaying time length tasks wait to run on the CPU
• Capturing interrupt events using hardirqs or softirqs
• Developing user space programs and tracing exec() and exit() system calls using bootstrap
• Developing programs to measure TCP connection latency using libbpf-bootstrap
• Recording TCP connection state and TCP RTT using libbpf-bootstrap
• Capturing user space Java GC event duration using USDT
• Writing eBPF program Memleak to monitor memory leaks
• Writing eBPF program Biopattern to measure random/sequential disk I/O
• More reference materials: papers list, projects, blogs, etc.
• Performing security detection and defense using LSM
• Performing traffic control using eBPF and tc

Advanced Features and Advanced Topics of eBPF

• Using eBPF programs on Android
• Tracing HTTP requests or other layer 7 protocols using eBPF
• Capturing Plain Text Data of Various Libraries' SSL/TLS Using uprobe
• The Secure Path Forward for eBPF: Challenges and Innovations
• Accelerating network request forwarding using sockops
• Hiding process or file information using eBPF
• Terminating processes by sending signals using bpf_send_signal
• Adding sudo users using eBPF
• Replacing text read or written by any program using eBPF
• BPF lifecycle: Running eBPF programs continuously after the user space application exits using Detached mode

bcc tutorial

• BPF Features by Linux Kernel Version
• Kernel Configuration for BPF Features
• bcc Reference Guide
• Special Filtering
• bcc Tutorial".- bcc Python Developer Tutorial