7–9 November 2016: Conference & Tutorials
9–10 November 2016: Training
Amsterdam, The Netherlands

The next Linux superpower: An eBPF primer

Sasha Goldshtein (Sela Group)
11:50–12:30 Tuesday, 8/11/2016
Metrics/monitoring Forum
Audience level: Intermediate
Average rating: 4.86 (14 ratings)

Prerequisite knowledge

  • Experience developing, deploying, or monitoring applications and systems on Linux

What you'll learn

  • Understand how to use modern monitoring and dynamic tracing on Linux systems


Imagine you’re tackling an evasive performance issue in the field and your go-to monitoring checklist doesn’t seem to cut it. There are plenty of suspects, but they are moving around rapidly and you need more logs, more data, more in-depth information to make a diagnosis. Maybe you’ve heard about DTrace (or even used it) and are yearning for a similar toolkit, which can plug dynamic tracing into a system that wasn’t prepared or instrumented in any way.

You won’t have to wait much longer. eBPF (extended Berkeley Packet Filters) is a kernel technology that enables a plethora of diagnostic scenarios by introducing dynamic, safe, low-overhead, efficient programs that run in the context of your live kernel. Sure, BPF programs can attach to sockets; but more interestingly, they can attach to kprobes and uprobes, static kernel tracepoints, and even user-mode static probes. And modern BPF programs have access to a wide set of instructions and data structures, which means you can collect valuable information and analyze it on the fly without spilling it to huge files and reading them from user space.

Sasha Goldshtein introduces BCC (the BPF compiler collection), an open set of tools and libraries for dynamic tracing on Linux. Some tools are easy and ready to use, such as execsnoop, fileslower, and memleak; other tools such as trace and argdist require more sophistication but can be used as a Swiss Army knife for a variety of scenarios. Sasha spends most of the session demonstrating the power of modern dynamic tracing, from memory leaks to static probes in Ruby, Node, and Java programs and from slow file I/O to monitoring network traffic, before exploring how to build your own tools using the Python and Lua bindings to BCC and its LLVM backend.

Sasha Goldshtein

Sela Group

Sasha Goldshtein is the CTO of Sela Group, a Microsoft C# MVP and Azure MRS, a Pluralsight author, and an international consultant and trainer. Sasha’s consulting work revolves mainly around distributed architecture, production debugging, and mobile application development. Sasha is the author of Introducing Windows 7 for Developers (Microsoft Press) and Pro .NET Performance (Apress). He is also a prolific blogger and the author of numerous training courses, including .NET Debugging, .NET Performance, Android Application Development, and Modern C++.