by lovelearning
2014 days ago
eBPF gives access to kernel-level information that's normally hidden from userland tools. For example, I once wanted to find out which processes were sending out DNS queries. It sounds like a simple problem, but common tools like netstat or Wireshark can't tell you the process which sent out a DNS query, only the sending port. The reason is that the sending port is a short-lived, randomly selected ephemeral port which the kernel opens, sends a quick chirp of data and closes within milliseconds. The sending process isn't traceable even using more complex tools like strace or auditd. I used eBPF / bcc APIs to instrument a kernel-level function and data structures in UDP networking code and report the PID and port every time a DNS query is sent out. It's like attaching a user-friendly debugger to large portions of the Linux kernel.
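The tracer the comment describes, written out as an added example (this is not the commenter's script and not part of bcc): a bcc program that hooks the kernel's `udp_sendmsg()`, keeps only sends whose destination port is 53, and reports the PID, command name and the ephemeral source port. The source port is read in a kretprobe rather than at entry because the kernel autobinds an unbound UDP socket during the call, so at entry it is still 0. Assumptions, all mine: a Linux host with bcc installed and root privileges, a kernel whose `udp_sendmsg()` takes `(struct sock *sk, struct msghdr *msg, size_t len)`, IPv4 only, and that `msg->msg_name` already points at the kernel's copy of the sockaddr on the sendto()/sendmsg() path. The `encode_event` helper and the sample event it builds are constructed for offline self-checks.

```python
"""Trace outbound DNS queries (UDP to port 53) back to the sending PID with bcc.

Added example, not the commenter's own script. Assumes a Linux host with bcc,
root, udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len); IPv4 only.
"""
import ctypes
import socket
import struct

# eBPF program compiled by bcc at runtime. The kprobe checks the destination
# port; the kretprobe reads the source port, which the kernel only assigns
# (autobind) during udp_sendmsg(), so it is not yet known at entry.
BPF_PROGRAM = r"""
#include <uapi/linux/ptrace.h>
#include <linux/in.h>
#include <net/sock.h>

struct dns_event_t {
    u32 pid;
    u16 sport;
    u16 dport;
    u32 daddr;                /* IPv4, network byte order */
    char comm[TASK_COMM_LEN];
};
struct inflight_t { struct sock *sk; u32 daddr; };

BPF_PERF_OUTPUT(dns_events);
BPF_HASH(inflight, u64, struct inflight_t);   /* keyed by pid_tgid */

int trace_entry(struct pt_regs *ctx, struct sock *sk, struct msghdr *msg, size_t len)
{
    struct inflight_t cur = {};
    u16 dport = 0;
    struct sockaddr_in *sin = (struct sockaddr_in *)msg->msg_name;
    if (sin != NULL) {
        /* sendto()/sendmsg(): assumption - syscall layer already copied the sockaddr into kernel memory */
        bpf_probe_read_kernel(&dport, sizeof(dport), &sin->sin_port);
        bpf_probe_read_kernel(&cur.daddr, sizeof(cur.daddr), &sin->sin_addr.s_addr);
    } else {
        /* send()/write() on a connected UDP socket: destination lives in the sock */
        dport = sk->__sk_common.skc_dport;
        cur.daddr = sk->__sk_common.skc_daddr;
    }
    if (ntohs(dport) != 53)
        return 0;
    cur.sk = sk;
    u64 id = bpf_get_current_pid_tgid();
    inflight.update(&id, &cur);
    return 0;
}

int trace_return(struct pt_regs *ctx)
{
    u64 id = bpf_get_current_pid_tgid();
    struct inflight_t *cur = inflight.lookup(&id);
    if (cur == NULL)
        return 0;                             /* not a DNS send */
    struct sock *sk = cur->sk;
    struct dns_event_t ev = {};
    ev.pid = id >> 32;
    /* skc_num is the (now assigned) ephemeral source port, host byte order */
    bpf_probe_read_kernel(&ev.sport, sizeof(ev.sport), &sk->__sk_common.skc_num);
    ev.dport = 53;
    ev.daddr = cur->daddr;
    bpf_get_current_comm(&ev.comm, sizeof(ev.comm));
    dns_events.perf_submit(ctx, &ev, sizeof(ev));
    inflight.delete(&id);
    return 0;
}
"""


class DnsEvent(ctypes.Structure):
    """Mirror of struct dns_event_t above: u32, u16, u16, u32, char[16] (28 bytes)."""
    _fields_ = [("pid", ctypes.c_uint32), ("sport", ctypes.c_uint16),
                ("dport", ctypes.c_uint16), ("daddr", ctypes.c_uint32),
                ("comm", ctypes.c_char * 16)]


def parse_event(raw):
    """Decode the raw bytes bcc hands to the perf-buffer callback."""
    return DnsEvent.from_buffer_copy(raw)


def format_event(ev):
    """One log line per query; daddr is repacked in memory order for inet_ntoa()."""
    dst = socket.inet_ntoa(struct.pack("=I", ev.daddr))
    comm = ev.comm.decode(errors="replace")
    return f"pid={ev.pid} comm={comm} sport={ev.sport} -> {dst}:{ev.dport}"


def encode_event(pid, sport, dport, daddr, comm):
    """Build a constructed event in the kernel struct's layout (offline self-check only)."""
    daddr_u32 = struct.unpack("=I", socket.inet_aton(daddr))[0]
    return struct.pack("=IHHI16s", pid, sport, dport, daddr_u32, comm.encode())


def main():
    from bcc import BPF   # imported here so the decoder works without bcc installed
    b = BPF(text=BPF_PROGRAM)
    b.attach_kprobe(event="udp_sendmsg", fn_name="trace_entry")
    b.attach_kretprobe(event="udp_sendmsg", fn_name="trace_return")
    b["dns_events"].open_perf_buffer(
        lambda cpu, data, size: print(format_event(parse_event(ctypes.string_at(data, size)))))
    print("Tracing outbound DNS (UDP/53); Ctrl-C to stop")
    while True:
        try:
            b.perf_buffer_poll()
        except KeyboardInterrupt:
            return


if __name__ == "__main__":
    main()
```

Run it as root (`sudo python3 dns_by_pid.py`) and trigger a lookup from another shell; each query prints the PID and command that would otherwise be invisible to netstat once the ephemeral port closes. Keying the in-flight map by `pid_tgid` is the usual bcc pattern for pairing a kprobe with its kretprobe, and the map entry is deleted on return so a process that sends many queries does not leave stale state behind.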