Skip to main content

eBPF Support

Overview

This paragraph describing eBPF (Extended Berkeley Packet Filter) is licensed under a Creative Commons Attribution 4.0 International License, as per https://github.com/cilium/ebpf.io/blob/master/LICENSE:

eBPF is a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in an operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel without requiring to change kernel source code or load kernel modules.

Agent eBPF Support

Prior to v4.3, the Lacework agent used libpcap to capture packets on interfaces.

Lacework agent v4.3 supports eBPF (Extended Berkeley Packet Filter) technology, which allows you to effectively monitor short-lived connections and processes, resulting in better visibility of your workloads. It also significantly improves the way the agent captures and attributes processes running inside containers. This results in highly accurate data in the Lacework Console and the polygraph.

eBPF support is contingent upon kernel versions that are newer than 4.16. You do not need to make any explicit configuration changes to leverage eBPF in the agent. On startup, the agent automatically detects the kernel version and if the version is 4.16 or later, it uses eBPF. If the agent detects older kernel versions, then it defaults to using BPF to attribute connection and process data.

Limitations

  • eBPF programs need newer kernels (v4.16 and later).
  • If there is no underlying eBPF support in the kernel or it is prohibited, the agent will continue operating without eBPF.
  • Agent v4.3 eBPF-based attribution is limited to TCP connections.