Abstract
After explaining the working of eBPF and its architecture, now we are going to try some eBPF programs to see and know what kind of operations and syscalls we can execute using it.
Using BCC ( # BPF Compiler Collection)
As already explained on the last 2 articles I wrote about eBPF,
BCC is a toolkit for creating efficient kernel tracing and manipulation programs, and includes several useful tools and examples. It makes use of extended BPF (Berkeley Packet Filters), formally known as eBPF, a new feature that was first added to Linux 3.15. Much of what BCC uses requires Linux 4.1 and above.
Kernel Configuration
In general, to use these features, a Linux kernel version 4.1 or newer is required. In addition, the kernel should have been compiled with the following flags set:
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
# [optional, for tc filters]
CONFIG_NET_CLS_BPF=m
# [optional, for tc actions]
CONFIG_NET_ACT_BPF=m
CONFIG_BPF_JIT=y
# [for Linux kernel versions 4.1 through 4.6]
CONFIG_HAVE_BPF_JIT=y
# [for Linux kernel versions 4.7 and later]
CONFIG_HAVE_EBPF_JIT=y
# [optional, for kprobes]
CONFIG_BPF_EVENTS=y
# Need kernel headers through /sys/kernel/kheaders.tar.xz
CONFIG_IKHEADERS=y
There are a few optional kernel flags needed for running bcc networking examples on vanilla kernel:
CONFIG_NET_SCH_SFQ=m
CONFIG_NET_ACT_POLICE=m
CONFIG_NET_ACT_GACT=m
CONFIG_DUMMY=m
CONFIG_VXLAN=m
You can check the Kernel compile flags by copying & extracting the
/proc/config.gzand checking the containingconfigfile
Execute this command to check the flags on your Kernel.
cd /tmp && cp /proc/config.gz . && gzip -d config.gz && cat config
Installation
You can check the whole installation process here : BCC Install
Tracing Examples
:warning: : Using those scripts needs root permission to work properly
Trace a Block I/O size
using BiteHist.py
Trace block device I/O latency
using DiskSnoop.py
Trace IPv4 and IPv6 bind() system calls
using bindsnoop.py
Capturing Examples
Capture new processes via exec() syscalls.
using execsnoop.py
Those are the executed commands on my computer in loop for Polybar scipts**
Capturing open() syscalls (file opening)
using opensnoop.py
Capturing TCP active connections (connect())
using tcpconnect.py
And much more…
check the whole BCC Tools Pack BCC Tools
here is a picture explaining the different BCC Tracing tools / BPF programs.
So now, you do understand and know how BPF, eBPF and BPF programs work.
For better and more much scalable solutions, you will have to :
- Develop your own BPF programs and tools.
- Use Open Source projects already working with full functional structure for each fonctionality.
- Use paid products and solutions.
We’ll try exploring all of this on the next articles.
You might also like
What You Get After Running an SSH Honeypot for 30 days
After running an SSH honeypot on Ubuntu 24.04 for 30 days, it recorded 11,599 login attempts, revealing the persistent brute force activity and...
ALERT:Major Global Cyber Attacks and Critical Vulnerabilities Reported on July 15, 2025
Today's cyber threat landscape is marked by global ransomware activity, large-scale data breaches, and active exploitation of a critical SAP...
The Magic of Tailscale
Access all your devices securely with Tailscale’s zero-config VPN. It offers end-to-end encryption, cross-platform support, and seamless remote...
Hack the Hacker - How to Setup an SSH Honeypot
Discover how to set up an SSH honeypot to detect and analyze cyberattacks in real time. Learn to configure a fake SSH server that logs attacker...
Discussion
Leave a Comment
Guest comments will be reviewed before appearing on the site.
No comments yet. Be the first to start the discussion!