bpftool
Inspect and manage BPF programs and maps
TLDR
List information about loaded eBPF programs
List eBPF program attachments in the kernel networking subsystem
List all active links
List all raw_tracepoint, tracepoint, kprobe attachments in the system
List BPF Type Format (BTF) data
List information about loaded maps
Probe a network device "eth0" for supported eBPF features
Run commands in batch mode from a file
SYNOPSIS
bpftool [OPTIONS] OBJECT { COMMAND | help } [ARGS]
OBJECT := bpf | map | prog | cgroup | net | link | tracepipe | gen | ...
PARAMETERS
--help
Display help information and exit
--version
Show bpftool version
--json[=format]
Output in JSON format; format can be normal or compact
--pretty
Pretty-print JSON output
-f, --format FORMAT
Specify output format (e.g., table, csv, json)
--debug
Dump internal data structures for debugging
--batch FILE
Read and execute commands from FILE
--bulk-begin NUM
Begin bulk processing with NUM commands
--bulk-end
End bulk processing
DESCRIPTION
bpftool is a powerful command-line utility for loading, dumping, managing, and inspecting eBPF (extended Berkeley Packet Filter) programs, maps, and related kernel objects on Linux systems. eBPF enables safe, efficient execution of user-defined programs inside the kernel for tasks like network packet processing, tracing, security monitoring, and performance analysis without modifying kernel code.
It provides subcommands for various object types such as programs (prog), maps (map), BPF file descriptors (bpf), cgroups (cgroup), and more. Users can list loaded programs, dump map contents, attach/detach programs to hooks, generate skeletons for development, and perform batch operations. bpftool supports JSON output for scripting and pretty-printing for readability.
Common use cases include debugging eBPF applications, live kernel tracing with tools like bpftrace, and managing XDP programs for networking. It requires a modern Linux kernel (4.18+) with BTF (BPF Type Format) support and appropriate privileges like CAP_BPF or CAP_SYS_ADMIN.
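The JSON output mentioned above makes it practical to audit a host for unexpected eBPF programs. The following is an added example, not part of bpftool or of the original page: it reads the output of `bpftool --json prog show` and reports programs of system-wide hook types that are not on an allowlist. The sample data, the allowlist, and the choice of watched types are constructed assumptions.

```python
import json
import subprocess

# Program types that can observe or alter kernel/network behaviour system-wide
# (an assumed watch list; adjust it to the host's policy).
WATCHED_TYPES = {"kprobe", "tracepoint", "raw_tracepoint", "tracing", "lsm",
                 "xdp", "sched_cls"}

# Constructed sample in the shape of `bpftool --json prog show` output; fields
# vary by kernel and bpftool version, so every lookup below tolerates gaps.
SAMPLE = json.loads("""[
 {"id": 12, "type": "cgroup_skb", "name": "sd_fw_egress", "uid": 0,
  "pids": [{"pid": 1, "comm": "systemd"}]},
 {"id": 41, "type": "xdp", "name": "lb_ingress", "uid": 0, "map_ids": [7, 8]},
 {"id": 57, "type": "kprobe", "name": "probe_openat", "uid": 0,
  "map_ids": [19], "pids": [{"pid": 2210, "comm": "updater"}]},
 {"id": 58, "type": "tracepoint", "uid": 1001}
]""")


def load_programs():
    """Return the live program list; needs bpftool plus CAP_BPF or CAP_SYS_ADMIN."""
    out = subprocess.run(["bpftool", "--json", "prog", "show"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def audit(progs, expected_names):
    """Return one finding per watched-type program that is not on the allowlist."""
    findings = []
    for p in progs:
        name = p.get("name", "")  # unnamed programs are never allowlisted
        if p.get("type") not in WATCHED_TYPES or name in expected_names:
            continue
        reasons = ["unexpected " + p["type"] + " program"]
        if not name:
            reasons.append("no name")
        if p.get("uid", 0) != 0:
            reasons.append("loaded by uid %d" % p["uid"])
        owners = [o.get("comm", "?") for o in p.get("pids", [])]
        findings.append({"id": p.get("id"), "name": name or "<unnamed>",
                         "owners": owners, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Hypothetical allowlist: names this host's deployed agents are known to load.
    for f in audit(SAMPLE, {"lb_ingress"}):
        print(f["id"], f["name"], f["owners"], "; ".join(f["reasons"]))
```

On a live host, pass `load_programs()` instead of `SAMPLE` and build the allowlist from a known-good baseline of that machine.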
CAVEATS
Requires kernel ≥4.18 with CONFIG_BPF_SYSCALL and BTF enabled; CAP_BPF or CAP_SYS_ADMIN privileges needed; some features kernel-version dependent; JSON output may vary by kernel BTF quality.
MAIN OBJECTS
bpf: Manage BPF file descriptors
map: List/dump/update maps
prog: Load/list/attach programs
cgroup: Attach to cgroups
net: Network/port info
link: Manage struct link objects
COMMON COMMANDS
list/show: Enumerate objects
dump: Dump raw data
pin: Persist to filesystem
load: Load from ELF/object
gen skeleton: Generate C skeleton
HISTORY
Introduced in Linux kernel 4.4 (2016) as part of eBPF tooling evolution; significantly expanded since kernel 4.18 with BTF support; actively maintained by Netronome/Isovalent/Cilium teams (Daniel Borkmann, Jesper Dangaard Brouer); latest versions align with kernel 6.x eBPF enhancements.


