network:
- every TCP connection (src, dst, bytes, duration)
- DNS queries and response times
- TLS handshake failures
- HTTP request/response cycles application:
- function call latencies (uprobes)
- memory allocations
- lock contention
- GC pauses security:
- syscall audit trails
- privilege escalations
- suspicious file access
- container escape attempts performance:
- CPU scheduling delays
- I/O wait time per process
- disk latency histograms
- page fault patterns
network:
- every TCP connection (src, dst, bytes, duration)
- DNS queries and response times
- TLS handshake failures
- HTTP request/response cycles application:
- function call latencies (uprobes)
- memory allocations
- lock contention
- GC pauses security:
- syscall audit trails
- privilege escalations
- suspicious file access
- container escape attempts performance:
- CPU scheduling delays
- I/O wait time per process
- disk latency histograms
- page fault patterns
network:
- every TCP connection (src, dst, bytes, duration)
- DNS queries and response times
- TLS handshake failures
- HTTP request/response cycles application:
- function call latencies (uprobes)
- memory allocations
- lock contention
- GC pauses security:
- syscall audit trails
- privilege escalations
- suspicious file access
- container escape attempts performance:
- CPU scheduling delays
- I/O wait time per process
- disk latency histograms
- page fault patterns
# Install bpftrace
sudo apt install bpftrace # Trace every HTTP response larger than 1MB
sudo bpftrace -e '
uprobe:/usr/lib/libssl.so:SSL_write {
@http_writes[pid] = count();
@http_bytes[comm] = sum(arg2);
}
'
# Install bpftrace
sudo apt install bpftrace # Trace every HTTP response larger than 1MB
sudo bpftrace -e '
uprobe:/usr/lib/libssl.so:SSL_write {
@http_writes[pid] = count();
@http_bytes[comm] = sum(arg2);
}
'
# Install bpftrace
sudo apt install bpftrace # Trace every HTTP response larger than 1MB
sudo bpftrace -e '
uprobe:/usr/lib/libssl.so:SSL_write {
@http_writes[pid] = count();
@http_bytes[comm] = sum(arg2);
}
' - Adds memory overhead
- Needs to be updated
- Gets out of date
- Breaks with kernel upgrades
- Needs instrumentation code - Auto-instruments every service in your K8s cluster
- No code changes, no sidecars
- Full HTTP, MySQL, Postgres, DNS tracing
- Open source - Network observability + security policy enforcement
- Replaces kube-proxy
- Hubble UI for service-to-service traffic visualization - Runtime security detection
- "Alert if a process inside a container spawns a shell"
- Writes rules in YAML - Continuous profiling via eBPF
- See CPU flame graphs across your entire fleet
- Identify the most expensive code paths - Security-focused eBPF tracing
- Detects privilege escalations, cryptojacking, suspicious syscalls - Zero app code changes
- Near-zero overhead (kernel-level efficiency)
- Unified view across languages (Go, Python, Java, Rust, all seen the same way)
- No agent lifecycle to manage - Requires Linux 4.14+ (5.0+ preferred)
- Steep learning curve for custom probes
- Limited visibility into in-process logic (you see syscalls, not business logic)
- eBPF verifier rejects programs for subtle reasons - Network debugging: "Why is service A slow to reach service B?"
- Security auditing: "What containers are making unexpected syscalls?"
- Performance profiling: "Where is the cluster CPU time actually going?"
- Incident forensics: "Reconstruct the syscall timeline during the outage" - Business logic observability you still need OpenTelemetry for spans
- Application errors your logs and exception tracking still matter
- Multi-region correlation eBPF is node-local - Deploy Pixie in a dev cluster (1-line install)
- Open the UI, watch real-time HTTP traffic
- Try a bpftrace one-liner to trace a specific syscall
- Read the Cilium + Hubble docs
- Replace one agent-based tool with its eBPF equivalent
