When I first saw the title of Brendan Gregg’s blog post—reproduced above—I had a small frisson of annoyance. BPF (aka Berkeley Packet Filter) has been around since 1992 as the kernel interface to tcpdump and here was Gregg appropriating the name for some other piece of software. I needn’t have worried. Gregg was, in fact, talking about the Berkeley Packet Filter but in its extended form as implemented in the Linux kernel. Actually, it’s been extended so much that it no longer has much to do with Berkeley, packets, or filtering. It implements a fairly powerful virtual machine that runs in the kernel.
Gregg recently gave a talk on BPF for the Ubuntu Masters Conference in which he describes the (extended) system and why it’s a new type of software. Rather than being a user application or kernel module, applications written for BPF run in user space but have access to kernel facilities through a special BPF API. There are many advantages to this approach including ease of implementation and safety.
Gregg works for Netflix and mostly uses BPF to instrument the kernel. He describes several examples in the talk that illustrate some of the things one can do with it. The system is a little complicated, so your best bet is to watch the video for the details. If you’re really interested, Gregg has a book (out as an ebook, coming this month as a dead tree book) that describes the system in detail. It’s an interesting talk and definitely worth watching. Gregg’s post at the above link also has a pointer to the talk’s slides. The video is about 31 minutes, so you’ll need to schedule some time.
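To make the "user-space program, kernel-side execution" split concrete, here is a small kernel-instrumentation script in bpftrace, one of the tools Gregg's book covers; it is an added illustration, not something from the talk or the post, and it assumes a Linux box with bpftrace installed and root privileges. The probe body is compiled to BPF bytecode, checked by the kernel's verifier, and run inside the kernel each time the openat() tracepoint fires; the map it fills is read and printed from user space.

```bpftrace
#!/usr/bin/env bpftrace
// Count openat() system calls per process name. The block below runs
// in the kernel VM every time the tracepoint fires; @opens is a BPF map
// shared with the user-space bpftrace process.
tracepoint:syscalls:sys_enter_openat
{
    @opens[comm] = count();
}

// Every 5 seconds the user-space side reads the map, prints it, and
// resets it, so the output is a rolling per-interval count.
interval:s:5
{
    print(@opens);
    clear(@opens);
}

// On Ctrl-C, discard the partial interval instead of printing it.
END
{
    clear(@opens);
}
```

Run it as root (for example `sudo bpftrace ./openat_count.bt`); the same script attached to a different tracepoint gives you the same kind of per-process view of any other syscall.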
Update added before publishing
ZDNet has an article on BPF and Gregg’s talk. If you’re interested in this technology, it’s worth reading after you watch the video.