I recently started the OverTheWire wargames to sharpen my Linux skills. Here is a log of the steps I took, the challenges I faced, and the commands I used to solve the Bandit levels.
Your First eBPF Program
If this is your first time working with eBPF, I strongly recommend reading What is eBPF or Introduction to eBPF first. Once you’ve got the basics, check out Setting up eBPF Development Environment to get your tools ready.
In this article, we are going to learn what tracepoints are, how tracepoints work, how to write an eBPF program, and how to load it with bpftool. Buckle up, we’re going on a technical ride into the kernel.
Setting Up eBPF Development Environment
Before writing any eBPF programs, it’s essential to set up a proper development environment. Equally important is understanding the overall eBPF workflow, from writing and compiling your eBPF code to loading it into the kernel and inspecting its output.
Introduction to eBPF
What is eBPF?
eBPF (extended Berkeley Packet Filter) is a modern Linux kernel feature that lets you safely plug in small, sandboxed programs to extend or observe system behavior without modifying or reconfiguring the kernel or applications.