# Episode 197 - Getting your hands dirty with eBPF and Kprobes
{%youtube JMnG5Hfr0pk %}
Please spend a few minutes to complete the [Cilium User Survey](http://cs.co/cilium-survey25)
## Events
* [CiliumCon CfP Sunday](https://events.linuxfoundation.org/kubecon-cloudnativecon-europe/co-located-events/ciliumcon/#sponsor)
* KubeCon NA in one week!
* [eBPF Summit (Hackathon Edition!) (submissions end of November)](https://ebpf-summit-2025.devpost.com/)
## Kprobes!
So what is a [Kprobe](https://docs.kernel.org/trace/kprobes.html)?
> Kprobes enables you to dynamically break into any kernel routine and collect debugging and performance information non-disruptively.
> There are currently two types of probes: kprobes, and kretprobes (also called return probes). A kprobe can be inserted on virtually any instruction in the kernel. A return probe fires when a specified function returns.
Kprobes have been in the kernel since around 2005! -> [details](https://lwn.net/Articles/132196/)
### How Does a Kprobe Work?
> When a kprobe is registered, Kprobes makes a copy of the probed instruction and replaces the first byte(s) of the probed instruction with a breakpoint instruction (e.g., int3 on i386 and x86_64).
> When a CPU hits the breakpoint instruction, a trap occurs, the CPU’s registers are saved, and control passes to Kprobes via the notifier_call_chain mechanism.
Originally you registered a kprobe from a kernel module; the kernel tree still ships a sample that does exactly that (register a probe on a named function, print from the pre- and post-handlers):
https://gitlab.cs.fau.de/sa83dova/linux/-/blob/4a6908a3a050aacc9c3a2f36b276b46c0629ad91/samples/kprobes/kprobe_example.c
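The quoted mechanism (overwrite the first byte with `int3`, take the trap, run the handler, then resume the original instruction) can be re-enacted in user space. The following is an added example, not code from the episode or from the kernel tree: it is x86_64 Linux only, uses `SIGTRAP` where the kernel uses its die notifier chain, and the names `probed_add` and `demo_breakpoint_probe` are made up for the demo. One simplification to keep in mind: a real kprobe single-steps a saved copy of the displaced instruction and leaves the breakpoint armed, whereas this demo restores the original byte in the trap handler, so it fires once.

```c
// Added example (not from the episode or the kernel tree): user-space
// re-enactment of the kprobe breakpoint mechanism on x86_64 Linux.
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

static volatile sig_atomic_t probe_hits;   /* times the breakpoint fired   */
static volatile uint8_t *probe_addr;       /* first byte of probed function */
static uint8_t saved_byte;                 /* byte we replaced with int3    */
int probed_result;                         /* what the probed call returned */

/* The "kernel routine" we probe (hypothetical name). static + noinline and
 * only ever called through a volatile pointer, so the compiler can neither
 * inline it nor clone it away from the address we patch. */
__attribute__((noinline)) static int probed_add(int a, int b)
{
    return a + b;
}

/* Plays the role of the kprobe pre-handler: the CPU hit int3 and trapped. */
static void trap_handler(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)si;
    ucontext_t *uc = ctx;
    uintptr_t rip = uc->uc_mcontext.gregs[REG_RIP];
    /* After int3 executes, RIP points one past the breakpoint byte. */
    if (rip - 1 != (uintptr_t)probe_addr)
        _exit(99);                              /* a trap we did not plant */
    probe_hits++;
    *probe_addr = saved_byte;                   /* put the original instruction back */
    uc->uc_mcontext.gregs[REG_RIP] = rip - 1;   /* re-execute it on return  */
}

/* Change protection of the page holding addr (we only write one byte). */
static int set_page_prot(const volatile void *addr, int prot)
{
    long pg = sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(uintptr_t)(pg - 1);
    return mprotect((void *)start, (size_t)pg, prot);
}

/* Plant the breakpoint, call the function, return the number of hits
 * (expected 1). probed_result receives the function's return value. */
int demo_breakpoint_probe(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = trap_handler;
    sa.sa_flags = SA_SIGINFO;
    if (sigaction(SIGTRAP, &sa, NULL) != 0)
        return -1;

    int (*volatile fn)(int, int) = probed_add;
    probe_addr = (volatile uint8_t *)(uintptr_t)fn;
    probe_hits = 0;

    if (set_page_prot(probe_addr, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    saved_byte = *probe_addr;
    *probe_addr = 0xCC;                  /* int3: the kprobe breakpoint */

    volatile int a = 40, b = 2;
    probed_result = fn(a, b);            /* traps, handler restores, call completes */

    set_page_prot(probe_addr, PROT_READ | PROT_EXEC);
    return probe_hits;
}

int main(void)
{
    int hits = demo_breakpoint_probe();
    printf("breakpoint hits: %d, probed_add returned %d\n", hits, probed_result);
    return (hits == 1 && probed_result == 42) ? 0 : 1;
}
```

The `rip - 1 != probe_addr` check matters: a `SIGTRAP` from anywhere else (a debugger, another planted breakpoint) would otherwise get its RIP rewound and its memory patched, which is the same reason the kernel's handler verifies that the trapping address belongs to a registered kprobe before doing anything.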
Understanding which functions you can attach to:
`cat /proc/kallsyms`
Without `CAP_SYSLOG` (and with `kernel.kptr_restrict` set) the addresses are printed as all zeros, but the symbol names and types are still there; the functions are the `T`/`t` (text) symbols.
Or cleaner (quote the glob so the shell does not expand it; bpftrace builds its list from `available_filter_functions` in tracefs, so it only shows what can actually be hooked):
`bpftrace -l 'kprobe:*input*'`
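Here is an added example (not from the episode) of reading `/proc/kallsyms` the way the `bpftrace -l` filter above does: keep only text symbols (`T`/`t`) whose name contains a pattern, and detect the `kptr_restrict` case where every address reads as zero. The sample lines in the block are constructed, not captured from a real system, and the function names `scan_kallsyms` and `kallsyms_hidden` are made up for the demo; pass a path such as `/proc/kallsyms` as the second argument to run it against the live symbol table.

```c
// Added example (not from the episode): filter /proc/kallsyms-format lines
// for probe-able text symbols and flag hidden (zeroed) addresses.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct kallsyms_scan {
    int matches;       /* text symbols whose name contains the pattern */
    int zero_addrs;    /* lines whose address was 0 (kptr_restrict)    */
    int total;         /* lines parsed                                 */
    char first[128];   /* first matching symbol name                   */
};

/* Each kallsyms line is "<addr> <type> <name>", optionally followed by
 * "\t[module]" for symbols that live in a loadable module. */
struct kallsyms_scan scan_kallsyms(const char *text, const char *pattern)
{
    struct kallsyms_scan r;
    memset(&r, 0, sizeof r);
    for (const char *p = text; *p; ) {
        unsigned long long addr;
        char type, name[128];
        if (sscanf(p, "%llx %c %127s", &addr, &type, name) == 3) {
            r.total++;
            if (addr == 0)
                r.zero_addrs++;
            /* T = global text, t = local text; D/d/b/r etc. are data */
            if ((type == 'T' || type == 't') && strstr(name, pattern)) {
                if (r.matches == 0)
                    snprintf(r.first, sizeof r.first, "%s", name);
                r.matches++;
            }
        }
        const char *nl = strchr(p, '\n');
        if (!nl)
            break;
        p = nl + 1;
    }
    return r;
}

/* True when every address was zero: kptr_restrict is hiding them from us. */
int kallsyms_hidden(const struct kallsyms_scan *r)
{
    return r->total > 0 && r->zero_addrs == r->total;
}

/* Constructed sample in kallsyms format (not real addresses). */
static const char sample[] =
    "ffffffff81a2b3c0 T n_tty_receive_buf\n"
    "ffffffff81a2b5f0 t n_tty_receive_buf_common\n"
    "ffffffff82c0a1e0 D input_class\n"
    "ffffffff81a9c100 T input_event\n"
    "ffffffffc0123450 t hid_input_report\t[hid]\n";

/* Read a whole file (e.g. /proc/kallsyms) into a malloc'd string. */
static char *slurp(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return NULL;
    size_t cap = 1 << 20, len = 0, n;
    char *buf = malloc(cap);
    while (buf && (n = fread(buf + len, 1, cap - len - 1, f)) > 0) {
        len += n;
        if (len + 1 >= cap)
            buf = realloc(buf, cap *= 2);
    }
    fclose(f);
    if (buf)
        buf[len] = '\0';
    return buf;
}

int main(int argc, char **argv)
{
    const char *pattern = argc > 1 ? argv[1] : "input";
    char *file = argc > 2 ? slurp(argv[2]) : NULL;
    struct kallsyms_scan r = scan_kallsyms(file ? file : sample, pattern);
    printf("%d text symbols match '%s' (first: %s)\n", r.matches, pattern,
           r.matches ? r.first : "-");
    if (kallsyms_hidden(&r))
        printf("addresses are zeroed: raise privileges or lower kptr_restrict\n");
    free(file);
    return 0;
}
```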
### Understanding kernel functions and function signatures
Linux source code is our guide. A kprobe hands you raw registers at function entry, so you need the function's signature to know which register holds which argument (`arg0`, `arg1`, ... in bpftrace; `PT_REGS_PARM1()` and friends in libbpf C). For the N_TTY line discipline:
https://elixir.bootlin.com/linux/v6.14.6/source/drivers/tty/n_tty.c#L1424
https://docs.kernel.org/driver-api/tty/n_tty.html
## Kprobes vs fentry/fexit
> fentry (function entry) and fexit (function exit) are the modern way to trace kernel functions in eBPF. They were introduced in kernel 5.5 for x86 processors and 6.0 for ARM processors. Think of them as the faster, more efficient successors to kprobes.