
Installing eBPF Tools on Linux: BCC, bpftrace, and bpftool Usage

In this article, you'll learn what eBPF is, why it's so powerful, and how to install and use BCC, bpftrace, and bpftool to trace, monitor, and troubleshoot your Linux system.

— Ravi Saive

When you run a program on Linux, your kernel is constantly making decisions, managing memory, handling network packets, scheduling processes, and doing thousands of other operations per second.

Traditionally, if you wanted to understand what's actually happening inside the kernel, you'd need to modify kernel code, recompile it, and reboot your system, or rely on limited tools like strace that only show you system calls from userspace.

eBPF (extended Berkeley Packet Filter) changes this entirely. It lets you run custom programs directly inside the kernel in a safe, sandboxed environment, which means you can trace almost anything: profile performance bottlenecks, monitor security events, and even modify network packets, all without changing a single line of kernel code or rebooting your machine.

Think of eBPF as giving you a pair of high-powered binoculars pointed directly into your kernel's operations, where you can watch individual function calls, track how long operations take, see exactly which processes are accessing files, monitor network connections as they happen, all with near-zero overhead.

But here's the thing: while eBPF itself is incredibly powerful, writing raw eBPF programs requires deep knowledge of kernel internals and isn't exactly straightforward. That's where BCC, bpftrace, and bpftool come in.

These tools give you different ways to harness eBPF's power, from ready-made tracing scripts to custom one-liners to low-level program inspection.

In this guide, we'll install all three tools and walk through practical examples that show you what each one does best, so by the end, you'll know exactly which tool to reach for when you need to peek inside your kernel.

Understanding the eBPF Toolchain

Before we start installing things, let's clarify what each tool actually does, because they serve different purposes and you'll use them in different situations.

BCC (BPF Compiler Collection)

BCC (BPF Compiler Collection) is a toolkit that includes dozens of pre-built tracing tools with names like execsnoop, tcpconnect, and biolatency, each designed to answer a specific question about your system.

BCC programs are written in a mix of Python and C. The Python part handles userspace logic and output formatting, while the C code gets compiled into eBPF bytecode and loaded into the kernel.

If you want ready-made tools that just work or need to write complex tracing applications, BCC is your friend.

bpftrace

bpftrace takes a different approach, as it is designed for quick, ad-hoc analysis using a high-level scripting language that feels similar to awk or DTrace if you've used those.

Instead of writing full Python programs, you write concise one-liners or short scripts that bpftrace compiles into eBPF on the fly.

When you need to quickly check something, like "which processes are opening files right now" or "how long are these function calls taking", bpftrace is usually the fastest way to get your answer.

bpftool

bpftool is the low-level diagnostic tool. It doesn't help you write eBPF programs; instead, it shows you what's already running on your system.

You can list loaded eBPF programs, inspect maps where eBPF programs store data, look at attached programs, and dump program instructions.

Think of it as the systems administrator's tool for eBPF, the thing you use when you need to see what's actually happening under the hood.
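As an added example (not from the original article), here is a small Python script that reads the JSON that `bpftool prog show -j` prints and reports the loaded programs by type, flagging tracing-type programs whose name is not on an allowlist. The embedded sample output is constructed, and the allowlist name `syscall__execve` is an assumption standing in for whatever your own tooling loads.

```python
import json
import subprocess
from collections import Counter
# Constructed sample shaped like `bpftool prog show -j` output (field names as bpftool
# emits them; ids, tags, timestamps and sizes are made up for this example).
SAMPLE = """[
 {"id": 3, "type": "cgroup_skb", "tag": "6deef7357e7b4530", "gpl_compatible": true,
  "loaded_at": 1700000000, "uid": 0, "bytes_xlated": 64, "jited": true, "bytes_memlock": 4096},
 {"id": 57, "type": "kprobe", "name": "syscall__execve", "tag": "0a1b2c3d4e5f6071",
  "gpl_compatible": true, "loaded_at": 1700000300, "uid": 0, "bytes_xlated": 1024,
  "jited": true, "bytes_memlock": 8192, "map_ids": [12, 13]},
 {"id": 61, "type": "tracepoint", "name": "unknown_probe", "tag": "ffeeddccbbaa9988",
  "gpl_compatible": false, "loaded_at": 1700000600, "uid": 1000, "bytes_xlated": 256,
  "jited": true, "bytes_memlock": 4096}
]"""

# Hypothetical allowlist: program names our own BCC/bpftrace tooling is known to load.
KNOWN_NAMES = {"syscall__execve"}
TRACING_TYPES = {"kprobe", "tracepoint", "raw_tracepoint", "perf_event", "tracing", "lsm"}

def parse_prog_list(text):
    """Parse bpftool's JSON array into a list of program dicts."""
    progs = json.loads(text)
    if not isinstance(progs, list):
        raise ValueError("expected a JSON array from `bpftool prog show -j`")
    return progs

def count_by_type(progs):
    """Number of loaded programs per eBPF program type."""
    return dict(Counter(p["type"] for p in progs))

def find_unexpected(progs, known_names=KNOWN_NAMES):
    """Ids of tracing-type programs whose name is not allowlisted (unnamed ones included)."""
    return [p["id"] for p in progs
            if p["type"] in TRACING_TYPES and p.get("name") not in known_names]

def memlock_total(progs):
    """Total locked kernel memory, in bytes, held by loaded programs."""
    return sum(p.get("bytes_memlock", 0) for p in progs)

if __name__ == "__main__":
    try:  # query the live system when bpftool is available, else fall back to the sample
        out = subprocess.run(["bpftool", "prog", "show", "-j"],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE
    progs = parse_prog_list(out)
    print("programs by type:", count_by_type(progs))
    print("unexpected tracing programs:", find_unexpected(progs))
    print("locked memory (bytes):", memlock_total(progs))
```

Run it as root on a box with bpftool installed to audit the live program list; without bpftool it falls back to the constructed sample so you can see the output shape.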

Checking Kernel Requirements

eBPF isn't available on older kernels, so before we install anything, let's make sure your system can actually run these tools.