A very opinionated set of awesome resources about eBPF.

• McCanne S., Jacobson V., Dec 1992, The BSD Packet Filter: A New Architecture for User-level Packet Capture
• Corbet J., June 2021, Spectre revisits BPF, LWN.net
• Corbet J., Apr 2011, A JIT for packet filters, LWN.net
• Corbet J., Jan 2012, Yet another new approach to seccomp, LWN.net
• Starovoitov A., Sept 2013, extended BPF, LKML.org
• Starovoitov A., Aug 2022, Kernel Recipes 2022 - The untold story of BPF
• Fastabend J., Dec 2022, Isovalent, How the Hive Came to Bee - The History of eBPF
• Suchakra Sharma, IO Visor Documentation, BPF Internals - I
• Suchakra Sharma, IO Visor Documentation, BPF Internals - II
• Kernel Documentation, BPF Documentation
• Kernel Documentation, BPF Type Format (BTF)
• Kernel Documentation, Linux Socket Filtering aka Berkeley Packet Filter (BPF)
• Kernel Documentation, BPF Design QA
• Kernel Documentation, Using the Linux Kernel Tracepoints
• Linux manual page, bpf(2)
• Linux manual page, tc-bpf(8)
• Linux manual page, bpf-helpers(7)
• Cilium Documentation: BPF and XDP Reference Guide
• Cilium Documentation: eBPF Datapath
• IO Visor Documentation, Unofficial eBPF spec
• IO Visor Documentation, BPF Features by Linux Kernel Version
• Wikipedia, Berkeley Packet Filter
• eBPF: What is it, Best Practices, and Use Cases, Groundcover
• Short C., Aug 2022, Intro to eBPF, chrisshort.net
• Mulligan B., Borkmann D., Apr 2023, The Silent Platform Revolution: How eBPF Is Fundamentally Transforming Cloud-Native Platforms, InfoQ
• Podobnik T. J., Sep 2024, Loops and Iterators in eBPF, eBPFChirp
• Podobnik T. J., Dec 2024, eBPF Stateful Programs and State Synchronization Problem, eBPFChirp
• Podobnik T. J., Jul 2025, Testing eBPF Program Compatibility Across Kernels with LVM and GitHub Actions, eBPFChirp
• Podobnik T. J., Dubey S., Jun 2025, Building a Real-Time Process Monitor with eBPF and Go
• Isovalent eBPF Docs

• Chaignon P., Jan 2025, eBPF Research Papers, Paul Chaignon's blog
• Rice L., Fastabend J., Sept 2024, eBPF: Yes, it’s Turing Complete!, Isovalent Blog
• Edge J., Sept 2019, Kernel runtime security instrumentation, LWN.net
• Fleming M., May 2018, Using user-space tracepoints with BPF, LWN.net
• Fleming M., Dec 2017, A thorough introduction to eBPF, LWN.net
• Corbet J., Dec 2018, Bounded loops in BPF programs, LWN.net
• Corbet J., May 2014, BPF: the universal in-kernel virtual machine, LWN.net
• Corbet J., Jul 2014, Extending extended BPF, LWN.net
• Corbet J., Sept 2014, The BPF system call API, version 14, LWN.net
• Goswami S., Apr 2005, An introduction to KProbes, LWN.net
• Halim N., Sept 2022, Medium, A Deep Dive into eBPF: Writing an Efficient DNS Monitoring
• Ratiu A., Apr 2019, Collabora, An eBPF overview, part 1: Introduction
• Ratiu A., Apr 2019, Collabora, An eBPF overview, part 2: Machine & bytecode
• Securing Linux with a Faster and Scalable IPtables
• Sanjeev Rampal, Donald Hunter, May 2023, eBPF 201: Supercharging Your eBPF Dev Process for Cloud Native Apps

• Oct 2018, Load XDP programs using the ip (iproute2) command
• Oct 2022, Writing an eBPF/XDP load-balancer in Rust, Kong Blog
• Hendriks L., Jul 2020, RIPE Labs, Journeying into XDP: Part 0, RIPE Labs
• Carpay T., Oct 2020, RIPE Labs, Journeying into XDP Part 1: Augmenting DNS, RIPE Labs
• Hendriks L., Jul 2020, RIPE Labs, Journeying into XDP Part 2: XDPerimenting with DNS Telemetry, RIPE Labs

• Wikipedia, Control-flow graph
• Yunhe Shi, David Gregg, Andrew Beatty, M. Anton Ertl, Virtual Machine Showdown: Stack Versus Registers
• Hongjiu Lu, May 1995, ELF: From The Programmer’s Perspective
• June 2019, Simple and Precise Static Analysis of Untrusted Linux Kernel Extensions
• The eXpress data path: fast programmable packet processing in the operating system kernel

• Rice L., Mar 2023, O'Reilly, Learning eBPF
• Rice L., Apr 2022, O'Reilly, What is eBPF?
• Calavera D., Fontana L., Sept 2019, O'Reilly, Linux Observability with BPF
• Gregg B., Dec 2019, Addison-Wesley, BPF Performance Tools
• Gregg B., Nov 2020, Addison-Wesley, Systems Performance: Enterprise and the Cloud
• Degioanni L., Grasso L., Aug 2022, O'Reilly, Practical Cloud Native Security with Falco
• Salazar J., Reka Ivanko N., Apr 2022, O'Reilly, Security Observability with eBPF

• Monnet Q., Apr 2020, eBPF assembly with LLVM, Whirl Offload
• Corbet J., Sept 2019, Compiling to BPF with GCC, LWN.net
• Edge J., Sept 2020, BPF in GCC, LWN.net
• Jiong Wang, Sept 2018, Netronome, Demystify eBPF JIT Compiler Webinar

• libbpf-bootstrap: demo BPF applications
• isovalent/game-of-life
• David Calavera, Lorenzo Fontana, BPF Workshop
• xdp-project/xdp-tutorial
• NLnetLabs/XDPeriments
• https://eunomia.dev/

• Nakryiko A., Feb 2020, BCC to libbpf conversion guide, Andrii Nakryiko's Blog
• Monnet Q., Sept 2021, Features of bpftool: the thread of tips and examples to work with eBPF objects, Whirl Offload
• Kerrisk M., Feb 2020, Linux Security and Isolation APIs Seccomp
• edgebitio/edgebit-agent
• 🔒 danielpacak/lazybpftool
• bpfd-dev/bpfd
• rust-bpf/rust-bcc
• Oct 2021, eCHO episode 25: eBPF, Rust and Aya
• Monnet Q., Feb 2020, Tools and mechanisms to debug BPF programs
• Rogers P., Aug 2023, BPFAgent: eBPF for Monitoring at DoorDash
• https://github.com/iovisor/bcc
• https://github.com/iovisor/bpftrace
• https://github.com/google/buzzer

I should have split these projects into categories, but for now it's just a list:

• Datadog Agent - Collects events and metrics from your hosts and sends them to Datadog.
  • Datadog Docs - Agent
• Grafana Beyla - Open source zero-code automatic instrumentation with eBPF and OpenTelemetry
• Grafana Pyroscope - Continuous profiling platform designed to surface performance insights from your applications
• Gerring S., Jul 2024, eBPF Network Vershitifier, Scott's Ramblings
• OpenTelemetry eBPF Profiler - Cross-language profiler for Linux via eBPF
  • 📤 Unboxing OpenTelemetry eBPF Profiler
• coroot/coroot
• Microsoft Retina - Kubernetes network observability platform
• kubearmor/KubeArmor
• kubescape/kubescape
• kubeshark/kubeshark
• kubeshark/tracer
• facebookincubator/dns
• Falco - Cloud Native Runtime Security
  • Falco Docs
  • 📤 Unboxing Falco
• Groundcover Caretta - Instant K8s service dependency map, right to your Grafana
  • Rot U., Jan 2023, Navigate your way to production bliss with Caretta, groundcover Blog
• deepflowio/deepflow
• inspektor-gadget/inspektor-gadget
• slimtoolkit/slim
• Tracee - Linux Runtime Security and Forensics using eBPF
• loxilb-io/loxilb
• oracle/bpftune
• oracle-samples/bysyscall
• Cilium Tetragon - eBPF-based Security Observability and Runtime Enforcement
  • Tetragon Docs
• Cilium eBPF - A pure-Go library to read, modify, load and attach eBPF programs
• ddosify/alaz
• keisku/gmon
• amiremohamadi/bpfsnake
• alegrey91/harpoon
• furkanonder/DnsTrace
• Anuj Srivastava, Oct 2022, Skyfall: eBPF agent for infrastructure observability
• Parca eBPF Agent
  • Parca Agent Design
  • Parca Server
  • Honduvilla Coto J., Aug 2022, System-wide profiling in Parca Agent, Polar Signals Blog
  • Honduvilla Coto J., Nov 2022, DWARF-based Stack Walking Using eBPF, Polar Signals Blog
  • Priyadarsini S., Jul 2022, Introduction to Parca - Part 1, Polar Signals Blog
  • Priyadarsini S., Jan 2023, Introduction to Parca - Part 2, Polar Signals Blog
• citronneur/pamspy - Credentials Dumper for Linux using eBPF
• pythops/oryx - TUI for sniffing network traffic using eBPF on Linux

• Podobnik T. J., Jul 2025, Troubleshooting Container OOM Kills with eBPF, eBPFChirp
• Podobnik T. J., Oct 2024, Securing Kubernetes Workloads using LSM-BPF, eBPFChirp
• Calavera D., Dec 2018, Spy on your Kubernetes cluster with BPF, Medium

• Nakryiko A., Jul 2024, Evolution of stack trace captures with BPF, The Linux Foundation YT
• Grcevski N., Oct 2025, How eBPF Is Powering the Next Generation of Observability, The New Stack
• https://github.com/open-telemetry/opentelemetry-ebpf-instrumentation

• Letailleur T., Oct 2025, LinkPro: eBPF rootkit analysis, Synacktiv
• Lakshmanan R., Oct 2025, LinkPro Linux Rootkit Uses eBPF to Hide and Activates via Magic TCP Packets, The Hacker News
• Ilgayev A., Feb 2025, How We Optimized CI/MON eBPF Sensor to Handle Thousands of Events per Second, Cycode Blog
• Dinaburg A., Sept 2023, Pitfalls of relying on eBPF for security monitoring (and some solutions), Trail of Bits Blog
• Jun 2022, Bypassing eBPF-based Security Enforcement Tools, Form3 Blog
• Leonardo Di Donato, Elastic & KP Singh, Google, Oct 2021, LSM BPF Change Everything
• Rex Guo, Junyuan Zeng, DEF CON 29, Phantom Attack: Evading System Call Monitoring
• Zandi M., Dec 2021, BlackBerry Blog, Reverse Engineering Ebpfkit Rootkit With BlackBerry's Enhanced IDA Processor Tool
• Spyderbat, Aug2023, How eBPF Can Help Identify Container Escapes
• Spyderbat, Aug 2023, Using eBPF to Resolve GuardDuty DNS Alerts
• KP Singh, Google, Nov 2020, Security Auditing and Enforcement using eBPF, eBPF Summit 2020
• Juan José López Jaimez, Inge M., Aug 2024, A deep dive into CVE-2023-2163: How we found and fixed an eBPF Linux Kernel Vulnerability, Google Bug Hunters
• Kondah M., Jun 2024, Profiling Libraries With eBPF: Detecting Zero-Day Exploits and Backdoors, Deep Kondah
• The Risks of Using eBPF for Security, Vali Cyber
• Gadient A., Nov 2024, EBPF-Based Security Solutions: Exploring Weaknesses And Mitigation Techniques., Forbes

• Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux, Microsoft Defender Documentation

A set of informative answers and discussions from Stack Overflow:

• full path for open / openat relative filenames

• Green A., Oct 2025, eBPF Agents Explained for Non-Developers, Substack

• Bolin M. Sept 2018, How I ended up writing opensnoop in pure C using eBPF
• Jun 2024, Unleashing the power of frame pointers pt.1 - The execution environment, Maxgio's blog
• Aug 2024, Unleashing the power of frame pointers for profiling pt.2 - Writing a basic profiler
• Rice L., Apr 2024, Unleashing the Kernel with eBPF, QCon London
• Graf T., Oct 2016, Docker Distributed System Summit, Cilium - BPF & XDP for containers
• Graf T., Apr 2017, Cilium: Network and Application Security with BPF and XDP
• Borkmann D., Sept 2020, eBPF and Kubernetes: Little Helper Minions for Scaling Microservices
• Corbet J., Apr 2021, LWN.net, Toward signed BPF programs
• Landaverde M., Jul 2022, Introduction to CAP_BPF
• Gregg B., Nov 2017, USENiX, LISA17 - Linux Container Performance Analysis
• Wenbo Zhang, Dec 2020, Trace Linux System Calls with Least Impact on Performance in Production, PingCAP Engineering
• Wenbo Zhang, Dec 2020, Tips and Tricks for Writing Linux BPF Applications with libbpf, PingCAP Engineering
• Majkowski M., Mar 2018, eBPF, Sockets, Hop Distance and manually writing eBPF assembly
• Hossain R., Jul 2023, [Tutorial] How eBPF Improves Observability within Kubernetes, Loft Blog

• https://github.com/zoidyzoidzoid/awesome-ebpf