eBPF programs can extract kernel event data, and tracing program types such as kprobes, fprobes, and tracepoints expose rich data for tasks such as performance monitoring and syscall argument tracing. Tracepoints hook into predefined points in the kernel and remain stable across kernel versions. Raw tracepoints offer performance benefits, but the program has to filter on syscall IDs itself. Kprobes attach dynamically to any kernel function, but their stability depends on the kernel version. Fprobes are BTF-enabled, attach faster, and offer more functionality than kprobes, but require newer kernel versions.
Table of contents
Tracepoint
Raw Tracepoint
Kernel Probe (kprobe)
BTF-Enabled Raw Tracepoint
Fprobes (fentry/fexit)
Code Examples