BPF (Berkeley Packet Filter) has many uses and is used extensively in the Linux world. It is used for observability, for controlling packet capture with Wireshark, and for data processing in XDP. The Cilium project (cilium.io) uses BPF exclusively for network configuration on Linux.
However, using BPF once is one thing; developing a portable, predictable BPF program that works across different kernel versions is a different story. Getting BPF to work is made even more challenging because many important details, such as the ELF file format and the kernel's error messages, are scarcely documented. In this talk, I'll take you through the process of creating a stable BPF program that grabs interesting bits out of TCP connections at high throughput. I'll discuss what you should do to get BPF to work, and what you shouldn't.