Understanding the bpftool Command (with examples)
- Linux
- December 17, 2024
The bpftool command is a powerful utility for inspecting and managing eBPF (extended Berkeley Packet Filter) programs and maps in the Linux kernel. eBPF is a technology that allows you to safely and efficiently run sandboxed programs in the Linux kernel without changing kernel source code or adding extra modules. It’s widely used for performance monitoring, security applications, and network traffic analysis. The bpftool command provides a range of subcommands, each designed to interact with different aspects of eBPF programs, maps, networking subsystems, and more.
Use case 1: List information about loaded eBPF programs
Code:
bpftool prog list
Motivation:
Listing the loaded eBPF programs is crucial for system administrators and developers to understand what eBPF code is currently active in the kernel. This information helps in debugging, auditing, and optimizing system performance. When multiple programs are loaded, it becomes essential to verify their status and identify any potential conflicts or obsolete entries.
Explanation:
- prog: The subcommand prog is short for “program,” indicating that the command will operate on eBPF programs.
- list: This argument specifies that you want to list all loaded eBPF programs currently in the kernel.
Example output:
18: xdp name xdp_prog1 tag 383fb86a...
19: socket_filter name sk_filter_prog2 tag 8c2c4f4c...
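As an added example that is not part of the original article, the following POSIX shell function feeds the text output of bpftool prog list through awk and flags every program whose name is not on an operator-maintained allowlist, which is the inventory check an administrator or incident responder wants from this listing. The allowlist contents and the sample listing are constructed for the demonstration; on a live system you would run bpftool prog list as root and pipe it into the function.

```shell
#!/bin/sh
# Added example, not from the original article: audit `bpftool prog list`
# output against an allowlist of expected eBPF program names.
# Live usage (root needed):   bpftool prog list | audit_bpf_progs
# Only the "<id>: <type> name <name> tag <tag> ..." header lines are parsed;
# the indented detail lines bpftool prints under each program are skipped.

# Program names the operator expects on this host (assumed values).
EXPECTED_PROGS="xdp_prog1 sk_filter_prog2"

# Reads listing text from stdin and prints "<id> <type> <name>" for every
# program not on the allowlist. Returns 1 if anything was flagged, else 0.
audit_bpf_progs() {
    awk -v allow="$EXPECTED_PROGS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[0-9]+:/ {
            id = $1; sub(":", "", id)
            type = $2
            name = "(anonymous)"   # bpftool prints no "name" field for unnamed programs
            for (i = 3; i < NF; i++) if ($i == "name") name = $(i + 1)
            if (!(name in ok)) { print id, type, name; bad++ }
        }
        END { exit (bad > 0) }'
}

# Constructed sample listing in the article's format (not a real capture).
SAMPLE_PROG_LIST='18: xdp name xdp_prog1 tag 383fb86a...
19: socket_filter name sk_filter_prog2 tag 8c2c4f4c...
27: kprobe name unreviewed_kp tag 0123abcd...
31: tracing tag deadbeef...'

# Audits the sample; returns the same status as audit_bpf_progs.
sample_unexpected() {
    printf '%s\n' "$SAMPLE_PROG_LIST" | audit_bpf_progs
}

if sample_unexpected; then
    echo "no unexpected eBPF programs"
else
    echo "unexpected eBPF programs listed above; review them before trusting this host"
fi
```

Programs loaded without a name show up as "(anonymous)", so they are always flagged; that is deliberate, since a name-based allowlist cannot vouch for them.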
Use case 2: List eBPF program attachments in the kernel networking subsystem
Code:
bpftool net list
Motivation:
Monitoring eBPF program attachments in a networking context is essential for network administrators looking to optimize network performance, implement security policies, or troubleshoot network issues. eBPF programs can attach to various points in the networking stack, such as classification, filtering, or redirection engines, and knowing their attachments helps maintain an efficient network.
Explanation:
- net: This argument refers to the networking subsystem of the kernel, focusing on eBPF programs attached to network operations.
- list: As with the previous use case, this argument requests a list of all attachments.
Example output:
10: xdp id 2 _ifindex 3 driver
Use case 3: List all active links
Code:
bpftool link list
Motivation:
Link management is integral to various applications of eBPF, such as tracking data flow and enforcing policies at the network interface level. Listing active links informs system administrators of the current bindings between eBPF programs and kernel hooks, providing clarity on active eBPF interactions and facilitating efficient resource allocation.
Explanation:
- link: The command’s subcomponent that offers operations on eBPF links, representing dynamic connections between programs and kernel attach points.
- list: This denotes the operation of displaying all active links.
Example output:
18: xdp program 10 linked to device 3
Use case 4: List all raw_tracepoint, tracepoint, kprobe attachments in the system
Code:
bpftool perf list
Motivation:
For developers and performance engineers, exploring all instrumentation points like tracepoints and kprobes is essential for conducting performance profiling, debugging, and system analysis. This use case shows how bpftool can reveal these powerful observability and tracing constructs.
Explanation:
- perf: An abbreviation for “performance,” indicating the command’s focus on tracing and performance-related information.
- list: Requests a display of all perf-related attachments, such as tracepoints and kprobes.
Example output:
10: kprobe name kprobe_name flags 0x0
11: tracepoint name tracepoint_name flags 0x0
Use case 5: List BPF Type Format (BTF) data
Code:
bpftool btf list
Motivation:
The BPF Type Format (BTF) is a critical enhancement that enriches eBPF efficiency and debuggability by storing type information. Developers utilize this feature to investigate and comprehend BTF information, enabling them to build and deploy more efficient and reliable eBPF programs.
Explanation:
- btf: Indicates operations related to the BPF Type Format, which provides metadata about eBPF programs.
- list: Directs the command to output all stored BTF data.
Example output:
1: /sys/kernel/btf/vmlinux
Use case 6: List information about loaded maps
Code:
bpftool map list
Motivation:
Maps are fundamental storage and communication mechanisms in eBPF, facilitating data passing between kernel and user space. Listing eBPF maps assists users in monitoring the current state of these structures, optimizing storage usage, and ensuring the correctness of data exchanges.
Explanation:
- map: Focuses on eBPF maps, the data structures used for storing information.
- list: Requests all currently loaded maps to be printed.
Example output:
5: array_map name my_map fd 4
Use case 7: Probe a network device “eth0” for supported eBPF features
Code:
bpftool feature probe dev eth0
Motivation:
Network tuning and troubleshooting often require insight into which eBPF features a network device supports. Probing “eth0” reveals compatible features, assisting in adjusting network configurations, planning eBPF-based solutions, and ensuring feature compatibility across kernel versions.
Explanation:
- feature: A command component used to retrieve supported eBPF features.
- probe: Initiates a probing operation to gather feature information.
- dev eth0: Refers to the device (eth0 in this case) that is being probed for supported features.
Example output:
jits: yes map_types: array, hash, lru_hash, lpm_trie, ...
Use case 8: Run commands in batch mode from a file
Code:
bpftool batch file myfile
Motivation:
Batch processing allows users to automate routine tasks, manage multiple eBPF programs simultaneously, and enforce complex configurations without manual intervention. Executing a series of bpftool commands from a file streamlines workflow and boosts productivity in environments requiring frequent configurations.
Explanation:
- batch: Enables batch processing mode to run multiple commands in sequence.
- file myfile: Specifies an input file (myfile) containing the commands to be executed.
Example output (depends on myfile content):
# Executing commands from myfile...
Conclusion:
Through various use cases, bpftool stands out as an indispensable tool for interacting with eBPF programs, maps, links, and other components. By leveraging its commands, users can perform comprehensive inspections, manage eBPF-driven features efficiently, and maintain an optimal and secure Linux kernel performance. Whether you’re a system administrator, developer, or security professional, understanding and utilizing bpftool commands can significantly enhance your capabilities in the Linux ecosystem.