Published November 29, 2019 | Version v1
Journal article Open

Fast Packet Processing with eBPF and XDP: Concepts, Code, Challenges and Applications


Extended Berkeley Packet Filter (eBPF) is an instruction set and an execution environment inside the Linux kernel. It enables modification, interaction and kernel programmability at runtime. eBPF can be used to program the eXpress Data Path (XDP), a kernel network layer that processes packets closer to the NIC for fast packet processing. Developers can write programs in C or P4 languages and then compile to eBPF instructions, which can be processed by the kernel or by programmable devices (e.g. SmartNICs). Since its introduction in 2014, eBPF has been rapidly adopted by major companies such as Facebook, Cloudflare, and Netronome. Use cases include network monitoring, network traffic manipulation, load balancing, and system profiling. This work aims to present eBPF to an inexpert audience, covering the main theoretical and fundamental aspects of eBPF and XDP, as well as introducing the reader to simple examples to give insight into the general operation and use of both technologies.


All code in this paper was tested using kernel version 5.0. GitHub with step-by-step instructions on how to compile, load and run each example shown throughout this text, including a VM with all tools and dependencies necessary to develop eBPF programs are available on


Files (593.1 kB)

Name Size Download all
593.1 kB Preview Download