Fueling innovative software
July 15-18, 2019
Portland, OR

Linux extended Berkeley Packet Filters

Lorenzo Fontana (Sysdig), David Calavera (Netlify)
9:00am12:30pm Monday, July 15, 2019
The Next Architecture
Location: C120-122
Secondary topics:  Cloud Native
Average rating: ****.
(4.00, 3 ratings)

Who is this presentation for?

  • SREs, developers, and software engineers




Since the Linux kernel 4.x series, a lot of enhancements have reached the mainline of the extended Berkeley Packet Filter (eBPF) ecosystem, giving users the capability to do a lot more than just network stuff. But understanding the eBPF ecosystem can be hard.

Lorenzo Fontana and David Calavera offer an initial overview of eBPF programs and explain how to hook them to programs running inside Kubernetes clusters in order to answer targeted questions at the cluster level about very specific, fine-grained situations: Has that function in my program been called? For a given function, which arguments have been passed to it? What it did return? Which TCP packets are being retransmitted? Which queries are running slow? What are the insights on programming language events/GC? Has that file been opened?


  • Introduction
  • Kernel tracing backends
    • Uprobes
    • Kprobes
    • Static tracepoints
    • USDT
    • XDP
  • BPF in kernel virtual machine
  • BCC
  • Gobpf
  • BPF and Kubernetes
  • Clang bpf backend
  • Hands-on exercise: Extract variable values from a Go program using an uprobe
  • Hands-on exercise: Understand TCP retransmits from the kernel using kprobes and static tracepoints
  • How to observe the observers? genuinetools/bpfps
  • How to write a simple firewall using XDP
  • Traffic shaping using traffic control and an eBPF program
  • Hands-on exercise: seccomp filters using bpf programs

Materials or downloads needed in advance

  • A laptop running Linux (4.18+) or a virtual machine
Photo of Lorenzo Fontana

Lorenzo Fontana


Lorenzo Fontana is an open source software engineer at Sysdig, where he primarily works on Falco, a Cloud Native Computing Foundation (CNCF) project that does container runtime security and anomaly detection. He’s passionate about distributed systems, software-defined networking, the Linux kernel, and performance analysis. He’s the maintainer of the IO Visors Project’s kubectl-trace.

Photo of David Calavera

David Calavera


David Calavera is the CTO of Netlify, where he and his team are building the best platform for deploying and automating modern web projects. Previously, he was a core member of the Docker Engine project, where he helped developers build the container engine that started the container revolution. David also built enterprise tools for GitHub and has contributed to numerous open source projects such us Go, JRuby, and many others.