Understanding the bpftool Command (with examples)

The bpftool command is a powerful utility for inspecting and managing eBPF (extended Berkeley Packet Filter) programs and maps in the Linux kernel. eBPF is a technology that allows you to safely and efficiently run sandboxed programs in the Linux kernel without changing kernel source code or adding extra modules. It’s widely used for performance monitoring, security applications, and network traffic analysis. The bpftool command provides a range of subcommands, each designed to interact with different aspects of eBPF programs, maps, networking subsystems, and more.

Use case 1: List information about loaded eBPF programs

Code:

bpftool prog list

Motivation:

Listing the loaded eBPF programs is crucial for system administrators and developers to understand what eBPF code is currently active in the kernel. This information helps in debugging, auditing, and optimizing system performance. When multiple programs are loaded, it becomes essential to verify their status and identify any potential conflicts or obsolete entries.

Explanation:

  • prog: The subcommand prog is short for “program,” indicating that the command will operate on eBPF programs.
  • list: This argument specifies that you want to list all loaded eBPF programs currently in the kernel.

Example output:

18: xdp  name xdp_prog1  tag 383fb86a...
19: socket_filter  name sk_filter_prog2  tag 8c2c4f4c...
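
The auditing use described under Motivation can be automated by comparing bpftool's JSON output (`bpftool -j prog list`) against an approved baseline. The following is an added example, not part of the original article or of bpftool itself; the sample JSON, the tags, the baseline entries, and the names `probe_x` and `policy_guard` are constructed for illustration.

```python
import json
import subprocess

# Constructed sample of `bpftool -j prog list` output (not captured from a real host).
SAMPLE = """[
 {"id": 18, "type": "xdp", "name": "xdp_prog1", "tag": "1111111111111111", "uid": 0},
 {"id": 19, "type": "socket_filter", "name": "sk_filter_prog2", "tag": "9999999999999999", "uid": 0},
 {"id": 27, "type": "kprobe", "name": "probe_x", "tag": "3333333333333333", "uid": 1000}
]"""

# Hypothetical approved baseline: (type, name) -> expected tag.
# The tag is a hash of the program's instructions, so a changed tag means changed code.
BASELINE = {
    ("xdp", "xdp_prog1"): "1111111111111111",
    ("socket_filter", "sk_filter_prog2"): "2222222222222222",
    ("lsm", "policy_guard"): "4444444444444444",
}

def load_programs(raw=None):
    """Parse a JSON program list; query the live kernel when no text is given (needs root)."""
    if raw is None:
        raw = subprocess.run(["bpftool", "-j", "prog", "list"],
                             check=True, capture_output=True, text=True).stdout
    return json.loads(raw)

def audit(programs, baseline):
    """Return sorted (finding, type, name, detail) tuples describing drift from the baseline."""
    findings, seen = [], set()
    for p in programs:
        key = (p.get("type", "?"), p.get("name", ""))
        seen.add(key)
        tag = p.get("tag", "")
        if key not in baseline:
            # Program is loaded but was never approved.
            findings.append(("unexpected", *key, f"id={p.get('id')} uid={p.get('uid')} tag={tag}"))
        elif baseline[key] != tag:
            # Same type and name, different instructions.
            findings.append(("tag-changed", *key, f"expected={baseline[key]} got={tag}"))
    # Approved programs that are no longer loaded, e.g. a policy program that was detached.
    for key in baseline.keys() - seen:
        findings.append(("missing", *key, f"expected tag={baseline[key]}"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(load_programs(SAMPLE), BASELINE):
        print(*finding)
```

Calling `load_programs()` with no argument runs bpftool against the live kernel instead of the embedded sample. Program names are not guaranteed to be unique, so a production baseline may need more than the (type, name) key assumed here.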

Use case 2: List eBPF program attachments in the kernel networking subsystem

Code:

bpftool net list

Motivation:

Monitoring eBPF program attachments in a networking context is essential for network administrators looking to optimize network performance, implement security policies, or troubleshoot network issues. eBPF programs can attach to various points in the networking stack, such as classification, filtering, or redirection engines, and knowing their attachments helps maintain an efficient network.

Explanation:

  • net: The subcommand for the kernel networking subsystem; it operates on eBPF programs attached to network operations.
  • list: As with the previous use case, this argument requests a list of all attachments.

Example output:

10: xdp id 2 _ifindex 3  driver

Use case 3: List all active links

Code:

bpftool link list

Motivation:

Link management is integral to various applications of eBPF, such as tracking data flow and enforcing policies at the network interface level. Listing active links informs system administrators of the current bindings between eBPF programs and kernel hooks, providing clarity on active eBPF interactions and facilitating efficient resource allocation.

Explanation:

  • link: The subcommand that operates on eBPF links, which represent dynamic connections between programs and kernel attach points.
  • list: This denotes the operation of displaying all active links.

Example output:

18: xdp  program 10 linked to device 3

Use case 4: List all raw_tracepoint, tracepoint, kprobe attachments in the system

Code:

bpftool perf list

Motivation:

For developers and performance engineers, exploring all instrumentation points like tracepoints and kprobes is essential for conducting performance profiling, debugging, and system analysis. This use case shows how bpftool can reveal these powerful observability and tracing constructs.

Explanation:

  • perf: An abbreviation for “performance,” indicating the command’s focus on tracing and performance-related information.
  • list: Requests a display of all perf-related attachments, such as tracepoints and kprobes.

Example output:

10: kprobe name kprobe_name  flags 0x0
11: tracepoint name tracepoint_name  flags 0x0

Use case 5: List BPF Type Format (BTF) data

Code:

bpftool btf list

Motivation:

The BPF Type Format (BTF) is a critical enhancement that enriches eBPF efficiency and debuggability by storing type information. Developers utilize this feature to investigate and comprehend BTF information, enabling them to build and deploy more efficient and reliable eBPF programs.

Explanation:

  • btf: The subcommand for the BPF Type Format, which provides type metadata about eBPF programs.
  • list: Lists the BTF objects currently loaded in the kernel.

Example output:

1: /sys/kernel/btf/vmlinux

Use case 6: List information about loaded maps

Code:

bpftool map list

Motivation:

Maps are fundamental storage and communication mechanisms in eBPF, facilitating data passing between kernel and user space. Listing eBPF maps assists users in monitoring the current state of these structures, optimizing storage usage, and ensuring the correctness of data exchanges.

Explanation:

  • map: The subcommand that operates on eBPF maps, the data structures used for storing information.
  • list: Requests all currently loaded maps to be printed.

Example output:

5: array_map  name my_map  fd 4

Use case 7: Probe a network device “eth0” for supported eBPF features

Code:

bpftool feature probe dev eth0

Motivation:

Network tuning and troubleshooting often require insight into which eBPF features a network device supports. Probing “eth0” reveals compatible features, assisting in adjusting network configurations, planning eBPF-based solutions, and ensuring feature compatibility across kernel versions.

Explanation:

  • feature: A command component used to retrieve supported eBPF features.
  • probe: Initiates a probing operation to gather feature information.
  • dev eth0: Refers to the device—eth0 in this case—that is being probed for supported features.

Example output:

jits: yes  map_types: array, hash, lru_hash, lpm_trie, ...

Use case 8: Run commands in batch mode from a file

Code:

bpftool batch file myfile

Motivation:

Batch processing allows users to automate routine tasks, manage multiple eBPF programs simultaneously, and enforce complex configurations without manual intervention. Executing a series of bpftool commands from a file streamlines workflow and boosts productivity in environments requiring frequent configurations.

Explanation:

  • batch: Enables batch processing mode to run multiple commands in sequence.
  • file myfile: Specifies an input file (myfile) containing commands to be executed.

Example output (depends on myfile content):

# Executing commands from myfile...

Conclusion:

Through various use cases, bpftool stands out as an indispensable tool for interacting with eBPF programs, maps, links, and other components. By leveraging its commands, users can perform comprehensive inspections, manage eBPF-driven features efficiently, and keep the Linux kernel performing well and securely. Whether you’re a system administrator, developer, or security professional, understanding and utilizing bpftool commands can significantly enhance your capabilities in the Linux ecosystem.
