{"id":20228494,"url":"https://github.com/64j0/starting-ebpf","last_synced_at":"2026-05-14T05:41:04.675Z","repository":{"id":177439480,"uuid":"656893804","full_name":"64J0/starting-eBPF","owner":"64J0","description":"Starting my journey through eBPF (Extended Berkeley Packet Filter)","archived":false,"fork":false,"pushed_at":"2024-08-21T14:26:59.000Z","size":658,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-02-24T01:42:21.494Z","etag":null,"topics":["ebpf"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/64J0.png","metadata":{"files":{"readme":"README.org","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-06-21T21:40:59.000Z","updated_at":"2024-08-21T14:27:10.000Z","dependencies_parsed_at":"2024-11-14T07:41:20.455Z","dependency_job_id":null,"html_url":"https://github.com/64J0/starting-eBPF","commit_stats":null,"previous_names":["64j0/starting-ebpf"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/64J0%2Fstarting-eBPF","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/64J0%2Fstarting-eBPF/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/64J0%2Fstarting-eBPF/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/64J0%2Fstarting-eBPF/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/64J0","download_url":"https://codeload.github.com/64J0/starting-eBPF/tar.
gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241670158,"owners_count":20000327,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ebpf"],"created_at":"2024-11-14T07:30:47.737Z","updated_at":"2025-11-30T10:04:16.880Z","avatar_url":"https://github.com/64J0.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"#+TITLE: Starting eBPF\n#+AUTHOR: 64J0\u003chttps://github.com/64J0\u003e\n\nThis repository is used to keep track of the programs I write while starting to\nlearn about eBPF (Extended Berkeley Packet Filter) technology.\n\nThe main reference for this journey is the book [[https://github.com/lizrice/learning-ebpf][Learning eBPF]] from Liz Rice,\nleveraging this book's exercises and examples.\n\n** What is eBPF?\n\neBPF is a revolutionary kernel technology that allows developers to write custom\ncode that can be loaded into the kernel dynamically, changing the way the kernel\nbehaves.\n\nThis tool provides us the flexibility to build bespoke tools or customized\npolicies. 
eBPF-based tools can observe any event across the kernel, and hence\nacross all applications running on a (virtual) machine, whether they are\ncontainerized or not.\n\nJust a few of the things you can do with eBPF include:\n\n+ Performance tracing of pretty much any aspect of a system;\n+ High-performance networking, with built-in visibility;\n+ Detecting and (optionally) preventing malicious activity.\n\n#+BEGIN_QUOTE\n[!IMPORTANT]\nBecause eBPF is continually evolving, the features available to you depend on\nthe kernel version you're running.\n#+END_QUOTE\n\n*** eBPF safety\n\nSince eBPF programs can be loaded into and removed from the kernel dynamically,\nand a kernel code crash can potentially take down the machine and everything\nrunning on it, it's important to have some guarantee that the code we're using\nis correct to some extent.\n\nWith this in mind, the ~eBPF verifier~ was created. The ~eBPF verifier~ is the\ntool that ensures that an eBPF program is loaded only if it's safe to run - it\nwon't crash the machine, or lock it up in a hard loop, and it won't allow data\nto be compromised.\n\n** Vagrant\n\nAs you can see by checking this repository, I added a Vagrantfile to make it\neasier to create a VM for testing purposes. 
This Vagrantfile is based on [[https://aquasecurity.github.io/tracee/v0.9/tutorials/setup-development-machine-with-vagrant/][this\nreference]] from [[https://github.com/aquasecurity/tracee][aquasecurity/tracee]].\n\nTo start the server, you can do:\n\n#+BEGIN_SRC bash :tangle no\n  # the vagrant version I'm using\n  vagrant --version\n  # Vagrant 2.4.1\n\n  # =====================\n  # start the vm\n  vagrant up\n\n  # =====================\n  # connect to the vm through ssh\n  vagrant ssh\n\n  # =====================\n  # stop the vm\n  vagrant halt\n  # if you want to destroy the VM completely\n  # vagrant destroy\n\n  # =====================\n  # restart the vm\n  vagrant up\n#+END_SRC\n\n** Helpers\n\n**** bpf/bpf_helpers.h installation\n\nI found the solution to this problem at this StackOverflow answer: [[https://stackoverflow.com/a/55438649][link]].\n\nBasically, if you're using a Linux distribution that uses apt as the package\nmanager:\n\n#+BEGIN_SRC bash\n  # update packages list\n  sudo apt update\n\n  # install libbpf-dev\n  sudo apt install libbpf-dev\n\n  # verify that it was installed\n  # check /usr/include/bpf/bpf_helpers.h\n#+END_SRC\n\n**** bpftool not found for kernel ...\n\nIf this message appears to you when trying to use the ~bpftool~ command, you\ncan simply install it from source, as explained at this comment: [[https://github.com/lizrice/lb-from-scratch/issues/1#issuecomment-1537098872][link]].\n\n#+BEGIN_SRC bash\n  rm /usr/sbin/bpftool\n\n  apt update \u0026\u0026 apt install -y git\n  cd / \u0026\u0026 git clone --recurse-submodules https://github.com/libbpf/bpftool.git\n\n  cd bpftool/src\n  make install\n\n  ln -s /usr/local/sbin/bpftool 
/usr/sbin/bpftool\n#+END_SRC\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F64j0%2Fstarting-ebpf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F64j0%2Fstarting-ebpf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F64j0%2Fstarting-ebpf/lists"}