eBPF Tutorial by Example: Learning CO-RE eBPF Step by Step
This is a development tutorial for eBPF based on CO-RE (Compile Once, Run Everywhere). It provides practical eBPF development practices from beginner to advanced, including basic concepts, code examples, and real-world applications. Unlike BCC, we use frameworks like libbpf, Cilium, libbpf-rs, and eunomia-bpf for development, with examples in languages such as C, Go, and Rust.
This tutorial does not cover complex concepts and scenario introductions. Its main purpose is to provide examples of eBPF tools (very short, starting with twenty lines of code!) to help eBPF application developers quickly grasp eBPF development methods and techniques. The tutorial content can be found in the directory, with each directory being an independent eBPF tool example.
For the complete source code of the tutorial, please refer to the repo https://github.com/eunomia-bpf/bpf-developer-tutorial on GitHub. If you find this tutorial helpful, please give us a star!
Table of Contents
Getting Started Examples
This section contains simple eBPF program examples and introductions. It primarily utilizes the eunomia-bpf framework to simplify development and introduces the basic usage and development process of eBPF.
- lesson 0-introduce Introduction to Core Concepts and Tools
- lesson 1-helloworld Hello World, Framework and Development
- lesson 2-kprobe-unlink Monitoring unlink System Calls with kprobe
- lesson 3-fentry-unlink Monitoring unlink System Calls with fentry
- lesson 4-opensnoop Capturing Opening Files and Filter with Global Variables
- lesson 5-uprobe-bashreadline Capturing readline Function Calls with Uprobe
- lesson 6-sigsnoop Capturing Signal Sending and Store State with Hash Maps
- lesson 7-execsnoop Capturing Process Execution, Output with perf event array
- lesson 8-exitsnoop Monitoring Process Exit Events, Output with Ring Buffer
- lesson 9-runqlat Capturing Scheduling Latency and Recording as Histogram
- lesson 10-hardirqs Capturing Interrupts with hardirqs or softirqs
Advanced Documents and Examples
We start to build complete eBPF projects mainly based on libbpf and combine them with various application scenarios for practical use.
- lesson 11-bootstrap Develop User-Space Programs with libbpf and Trace exec() and exit()
- lesson 12-profile Using eBPF Program Profile for Performance Analysis
- lesson 13-tcpconnlat Statistics of TCP Connection Delay with libbpf
- lesson 14-tcpstates Recording TCP Connection Status and TCP RTT
- lesson 15-javagc Capturing User-Space Java GC Duration Using USDT
- lesson 16-memleak Monitoring Memory Leaks
- lesson 17-biopattern Count Random/Sequential Disk I/O
- lesson 18-further-reading More Reference Materials: papers, projects
- lesson 19-lsm-connect Security Detection and Defense using LSM
- lesson 20-tc tc Traffic Control
- lesson 21-xdp Programmable Packet Processing with XDP
In-Depth Topics
This section covers advanced topics related to eBPF, including using eBPF programs on Android, possible attacks and defenses using eBPF programs, and complex tracing. Combining the user-mode and kernel-mode aspects of eBPF can bring great power (as well as security risks).
GPU:
- lesson 47-cuda-events Tracing CUDA GPU Operations
- lesson xpu/npu-kernel-driver Tracing Intel NPU Kernel Driver Operations
- lesson xpu/gpu-kernel-driver Monitoring GPU Driver Activity with Kernel Tracepoints
Scheduler:
- lesson 44-scx-simple Introduction to the BPF Scheduler
- lesson 45-scx-nest Implementing the scx_nest Scheduler
Networking:
- lesson 23-http L7 Tracing with eBPF: HTTP and Beyond via Socket Filters and Syscall Tracepoints
- lesson 29-sockops Accelerating Network Request Forwarding with Sockops
- lesson 41-xdp-tcpdump Capturing TCP Information with XDP
- lesson 42-xdp-loadbalancer XDP Load Balancer
- lesson 46-xdp-test Building a High-Performance XDP Packet Generator
Tracing:
- lesson 30-sslsniff Capturing SSL/TLS Plain Text Data Using uprobe
- lesson 31-goroutine Using eBPF to Trace Go Routine States
- lesson 33-funclatency Measuring Function Latency with eBPF
- lesson 37-uprobe-rust Tracing User Space Rust Applications with Uprobe
- lesson 39-nginx Using eBPF to Trace Nginx Requests
- lesson 40-mysql Using eBPF to Trace MySQL Queries
- lesson 48-energy Energy Monitoring for Process-Level Power Analysis
Security:
- lesson 24-hide Hiding Process or File Information
- lesson 25-signal Using bpf_send_signal to Terminate Malicious Processes in eBPF
- lesson 26-sudo Privilege Escalation via File Content Manipulation
- lesson 27-replace Transparent Text Replacement in File Reads
- lesson 28-detach Running eBPF After Application Exits: The Lifecycle of eBPF Programs
- lesson 34-syscall Modifying System Call Arguments with eBPF
Features:
- lesson 35-user-ringbuf Asynchronously Send to Kernel with User Ring Buffer
- lesson 36-userspace-ebpf Userspace eBPF Runtimes: Overview and Applications
- lesson 38-btf-uprobe Expanding eBPF Compile Once, Run Everywhere (CO-RE) to Userspace Compatibility
- lesson 43-kfuncs Extending eBPF Beyond Its Limits: Custom kfuncs in Kernel Modules
- features bpf_wq BPF Workqueues for Asynchronous Sleepable Tasks
- features bpf_iters BPF Iterators for Kernel Data Export
- features bpf_arena BPF Arena for Zero-Copy Shared Memory
Other:
- lesson 49-hid Fixing Broken HID Devices Without Kernel Patches
Android:
- lesson 22-android Using eBPF Programs on Android
Continuously updating...