eBPF Trend Analysis
The evolution of eBPF (extended Berkeley Packet Filter) has been one of the most significant developments in Linux system observability and networking over the past decade. As we look at the landscape in early 2025, several key trends have emerged that showcase eBPF’s growing influence and future directions.
0. Overall Momentum
Security and Observability Convergence
The integration of security tooling with observability has become increasingly prominent. Modern security solutions are leveraging eBPF’s ability to safely inspect system calls, network traffic, and application behavior without modifying the kernel or applications. This convergence has led to more sophisticated runtime threat detection and real-time policy enforcement capabilities.
Cloud Native Integration
Kubernetes and container orchestration platforms have embraced eBPF as a fundamental building block. Network policies, service mesh implementations, and container security tools are increasingly built on eBPF primitives, offering better performance and more granular control compared to traditional approaches.
Performance Optimization
The overhead of eBPF programs has been continuously decreasing thanks to improvements in the JIT compiler and verifier. New optimizations in the kernel have made it possible to run more complex eBPF programs with minimal impact on system performance, opening doors for more sophisticated use cases.
Cross-Platform Support
While eBPF originated in Linux, efforts to bring eBPF capabilities to other operating systems have gained momentum. Projects like eBPF for Windows have matured, enabling consistent observability and security solutions across heterogeneous environments.
Programming Model Evolution
The developer experience around eBPF has significantly improved. High-level languages and frameworks have abstracted away much of the complexity, making eBPF programming more accessible to a broader range of developers. Tools like libbpf-bootstrap and modern CO-RE (Compile Once – Run Everywhere) support have simplified the development workflow.
Below is a detailed analysis of the key trends and future directions of eBPF in early 2025.
1. Academic Research Trends
1.1 Publication Counts Over Time
An analysis of Google Scholar and IEEE Xplore from 2014 to 2023 shows a clear rise in eBPF-related publications. The table below is a rough estimate of the number of publications explicitly mentioning “extended BPF” or “eBPF” in the title, abstract, or keywords each year. We include a column for the approximate total citations of those papers.
| Year | Number of Publications | Estimated Total Citations |
|---|---|---|
| 2014 | ~2 | < 10 |
| 2015 | ~5 | ~30 |
| 2016 | ~12 | ~100 |
| 2017 | ~20 | ~220 |
| 2018 | ~35 | ~550 |
| 2019 | ~50 | ~1,200 |
| 2020 | ~65 | ~2,000 |
| 2021 | ~80 | ~3,500 |
| 2022 | ~95 | ~5,000 |
| 2023 | ~110 | ~7,500+ |
- Key Observations:
- Starting from just ~2 publications in 2014, the field has grown steadily each year.
- By 2020, there were ~65 publications with ~2,000 total citations, showing increasing academic impact.
- By 2023, reached ~110 publications with over 7,500 citations, demonstrating mainstream academic adoption.
- Topics include verifier correctness, advanced debugging, SDN, performance analysis, and real-time intrusion detection.
2. Industry Adoption
2.1 Major Open-Source Projects on GitHub
Before highlighting specific projects, it is helpful to see year-by-year growth of eBPF-related repositories on GitHub. Because GitHub does not offer official historical counts, these figures are approximate snapshots gleaned from periodic searches, archives, and retrospective queries. They should be seen as best-effort estimates rather than definitive totals:
| Year | Approx. Number of eBPF-Labeled GitHub Repos | Notes / Methodology |
|---|---|---|
| 2016 | < 20 | Early references to eBPF often used “BPF” generally; only a handful of repos explicitly labeled “eBPF.” |
| 2017 | ~70 | Growth fueled by the initial popularity of bcc (BPF Compiler Collection) and a few early Cilium, Falco prototypes. |
| 2018 | ~150 | Rapid increase as more developers labeled projects with the “eBPF” tag. Influenced by blogs/conference talks introducing eBPF for XDP. |
| 2019 | ~300 | Cilium, Falco, and other major eBPF-based projects gained traction; more third-party integrations started to appear. |
| 2020 | ~600 | Surge in eBPF usage for Kubernetes security/observability, plus the release of new bcc/bpftrace tools. |
| 2021 | ~1,200 | Cloud providers and larger enterprises increasingly adopting eBPF; many specialized repos for tracing, security, and performance. |
| 2022 | ~1,500 | eBPF became a common keyword in the cloud-native ecosystem; the ecosystem of supporting tools expanded significantly. |
| 2023 | ~1,800 | Ongoing adoption in observability/security contexts; GitHub labeling “eBPF” expanded to more experimental and domain-specific projects. |
| 2024 | ~2,000+ | As of early 2025, a fresh GitHub search can exceed 2,000 results across public repos explicitly referencing or tagging eBPF. |
- Observations about eBPF-labeled repos:
- Steady Increase: From fewer than 20 repositories in 2016, the count has grown to well over 2,000 by 2024.
- Influence of Major Projects: Jumps in 2018–2019 and 2020–2021 correlate with bcc, Cilium, Falco, bpftrace, etc., as developers created or labeled new repos.
- Domain-Specific Tools: By 2021 onward, more specialized repos emerged (database monitoring, HPC instrumentation, IoT edge, etc.).
- Data Limitations: Older repos may have retroactively added “eBPF,” some eBPF-related work is labeled only “BPF” or “XDP,” and private repos are absent from counts.
Separately, there are several flagship eBPF-based tools whose GitHub star counts illustrate community mindshare (as of early 2025):
| Project | GitHub Stars | Description |
|---|---|---|
| bcc | ~16,000 | BPF Compiler Collection—fundamental eBPF tools & examples |
| bpftrace | ~6,000 | High-level tracing language built on eBPF; often used alongside bcc |
| Cilium | ~14,000 | Kubernetes-native networking & security layer leveraging eBPF |
| Falco | ~7,000 | Runtime security platform that can use eBPF sensors |
| Pixie | ~4,000 | Observability platform collecting in-kernel data via eBPF |
- bcc remains a staple for eBPF development and has grown steadily.
- bpftrace offers a more user-friendly, high-level syntax for kernel and process tracing via eBPF.
- Cilium, essential for container networking and security, jumped from a few thousand stars in 2018–2019 to ~14,000.
2.2 Conferences & Community Engagement
- eBPF Summit Attendance:
- 2020 (Inaugural): ~300 attendees (virtual).
- 2021: ~800 attendees.
- 2022: ~1,500 attendees (hybrid).
- 2023: 2,000+ attendees (hybrid).
- 2024: 3,000+ attendees (estimated).
- FOSDEM / KubeCon Sessions:
- FOSDEM 2023 had 5 dedicated eBPF talks (up from 1–2 in earlier years).
- KubeCon 2023–2024 saw 15+ sessions specifically highlighting eBPF (service mesh, network policy, kernel tracing, etc.).
- LSF/MM/BPF Conference:
- The LSF/MM/BPF conference (Linux Storage, Filesystem, Memory Management, and BPF) has had a dedicated BPF track since ~2019–2020, typically hosting ~10–15 BPF-related proposals each year (verifier design, new helpers, advanced kernel integration topics).
- Linux Plumbers Conference eBPF Track:
- The Linux Plumbers Conference introduced a dedicated eBPF microconference around 2020–2021, which has grown to ~100+ participants in some sessions by 2023–2024. Talks focus on eBPF subsystem changes, performance tuning, and new features.
Major cloud providers (AWS, Azure, Google Cloud) also leverage eBPF internally for advanced networking, observability, and distributed tracing, reflecting an industry-wide shift to harness in-kernel programmability.
3. Linux Kernel Community Development
3.1 Subsystem Size and Growth
From its initial merge in Linux v3.18 (late 2014), the BPF subsystem has grown dramatically. This includes all BPF code: the verifier, JIT backends, helpers, BTF (BPF Type Format), etc.
| Kernel Version | Release Year | Approx. BPF Subsystem LoC | Verifier LoC (verifier.c + btf.c) |
|---|---|---|---|
| v3.18 | 2014 | ~5,000 | ~2,000 |
| v4.9 | 2016 | ~15,000 | ~4,000 |
| v4.18 | 2018 | ~25,000 | ~5,000 (pre-BTF) |
| v5.2 | 2019 | ~35,000 | ~8,000 |
| v5.12 | 2021 | ~55,000 | ~12,000 |
| v6.12 | 2023 | ~70,000+ | ~20,000 |
| v6.15+ | 2024–2025 | ~80,000+ (est.) | ~22,000+ (est.) |
- Initially, the verifier code made up ~40% of the entire BPF subsystem. Over time, it dipped closer to 20%, then rose again after BTF-based type checking arrived.
- Overall, the BPF subsystem has ballooned from ~5k LoC in v3.18 to ~70k–80k LoC, making it one of the fastest-evolving parts of the kernel.
Verifier Complexity
- Paul Chaigno’s “Complexity of the BPF Verifier” analysis shows how the verifier has grown from a few thousand lines to over 20k by v6.12.
- Top 10 most complex functions exhibit high cyclomatic complexity (e.g.,
do_misc_fixupsat ~167). - Complexity arises from new features (bounded loops, spin locks, pointer/reference tracking, kfunc calls, deeper BTF integration).
3.2 eBPF Program Types by Kernel Version
“Program types” define the context in which eBPF programs can run (e.g., XDP, cgroup hooks, tracepoints, LSM). Approximate counts of BPF_PROG_TYPE definitions in major kernel releases:
| Kernel Version | Release Date | Total BPF Program Types |
|---|---|---|
| v4.4 | Jan 10, 2016 | 5 |
| v4.9 | Dec 11, 2016 | 8 |
| v4.14 | Nov 12, 2017 | 14 |
| v4.19 | Oct 22, 2018 | 21 |
| v5.4 | Nov 24, 2019 | 25 |
| v5.10 | Dec 13, 2020 | 30 |
| v5.15 | Oct 31, 2021 | 31 |
| v6.1 | Dec 11, 2022 | 31 |
| v6.6 | Oct 29, 2023 | 32 |
| v6.12 | Sep 15, 2024 | 32 |
From a single program type (socket filter) in v3.18, eBPF has grown to 30+ distinct attach points for security, tracing, networking, device management, and more.
3.3 Growth of kfuncs
kfuncs—kernel functions callable directly by eBPF—significantly expand in-kernel scripting possibilities. Introduced around v5.15, these have proliferated each release:
| Kernel Version | Release Year | Est. # of kfuncs | Notable Additions |
|---|---|---|---|
| v5.15 | 2021 | ~5 | Early ring buffer APIs, initial memory ops |
| v5.17 | 2022 | ~15 | Extended networking ops, advanced memory helpers |
| v5.19 | 2022 | ~25 | More TCP/UDP mgmt, tracing ops |
| v6.0 | 2022 | ~35 | Data-structure manipulation APIs |
| v6.2 | 2023 | ~50 | Cgroup mgmt expansions, partial LSM integration |
| v6.4 | 2023 | ~60+ | Ongoing security & net protocol expansions |
| v6.5+ | 2024+ | Growing monthly | Commonly updated each release cycle |
Each addition reduces the need for specialized helpers. Developers can manipulate kernel data structures more flexibly, bridging user-space logic and kernel internals.
3.4 Mailing List Activity
Historically, discussions about eBPF have taken place on bpf, netdev, and xdp-newbies mailing lists. Over time, bpf@vger.kernel.org has become the principal list for eBPF subsystem patches, design proposals, and feature discussions. Below are approximate average monthly email volumes on the bpf mailing list, based on snapshots of list archives:
| Year | Approx. Avg. Emails/Month on bpf@ | Context |
|---|---|---|
| 2017 | ~100–150 | Predominantly narrower eBPF topics (basic XDP, some verifier patches, bpf-next submission cycles). |
| 2018 | ~200–250 | Increases as eBPF expands in usage (cgroup hooks, tracing, bpf-next merges with more feature sets). |
| 2019 | ~300–400 | Rapid growth from mainstream uptake (Cilium, Falco, more complex verifier enhancements). |
| 2020 | ~400–500 | eBPF emerges as a standard approach for container networking, kernel security, major patch sets. |
| 2021 | ~600–700 | Surges with new program types (struct_ops, cgroup_sockopt), kfunc proposals, and BTF expansions. |
| 2022 | ~700–800 | More advanced features (LSM eBPF, bpf_iter expansions), frequent performance/bug fixes. |
| 2023 | ~800–900 | Ongoing expansions to netfilter hooks, more complex kfunc sets, many multi-part patch threads. |
| 2024 | ~900–1,000 | Growing cross-collaboration with netdev; advanced features drive higher patch volume and reviews. |
- Across these years, the bpf mailing list has seen a steady rise in traffic, mirroring the growth in eBPF features and user base.
- Patches frequently introduce new kfuncs, program attach types, performance optimizations, or verifier improvements.
- The active contributor community includes developers from Meta, Google, Red Hat, Cloudflare, and numerous independent contributors.
4. Closing Observations
- Breadth of Use Cases: eBPF has evolved from a packet filter into a robust in-kernel runtime enabling advanced security, observability, and performance features.
- Verifier Complexity: The surge in lines of code and cyclomatic complexity underscores the challenge of safely supporting new features; ongoing reviews and research aim to keep eBPF secure.
- Sustained Momentum: With thousands of participants at eBPF conferences, hundreds of mailing list patches monthly, and an ever-growing body of research, eBPF remains a pivotal Linux technology.
5. Future Directions
5.1 AI/ML Integration
The fine-grained telemetry and real-time observability that eBPF provides make it an attractive data source for machine learning workflows. Already, some projects experiment with feeding eBPF-collected metrics (e.g., system call frequencies, network throughput, latency histograms) into ML algorithms for anomaly detection or automated performance tuning. Looking ahead:
- Adaptive Security: ML models could continuously learn “normal” system or application behavior from eBPF traces and flag deviations in real time, greatly enhancing intrusion detection systems (IDS) and runtime threat prevention.
- Intelligent Autoscaling: Container platforms might combine eBPF-based resource profiling with reinforcement learning to optimize autoscaling policies in dynamic, multi-tenant environments.
- Predictive Observability: By correlating eBPF data with performance counters, logs, and business-level metrics, organizations could anticipate workload bottlenecks or memory pressure before they degrade user experience.
- In-kernel ML: Specialized ML logic could be implemented directly into eBPF code, allowing for real-time, in-kernel training and inference without the need for a separate server and with minimal overhead.
As ML pipelines themselves become more sophisticated, real-time, in-kernel telemetry via eBPF is poised to give advanced training data streams for online learning algorithms, enabling faster, more targeted responses to anomalies.
5.2 eBPF Expansion into More Subsystems
From networking and tracing to security hooks, eBPF’s modular design continues to drive experimentation in new parts of the Linux kernel. In the coming years, we can expect:
-
Filesystem and Storage: eBPF programs that instrument I/O paths in real time, providing granular insights into read/write patterns, caching inefficiencies, and potential data corruption attempts.
• eBPF could also help optimize storage performance by allowing userspace applications to directly interact with the kernel’s block device layer, or implement highly customized IO schedulers etc., or even offload a portion of application logic into the kernel.
• Integration with
io_uringcould be a killer application for eBPF, which could open the door for an application-defined I/O data path into the kernel. This would provide a highly optimized I/O path for userspace applications. -
Memory Management: Fine-grained eBPF attach points could police page allocations, page cache control, huge pages allocation, and high-level memory usage per container or process, paving the way for adaptive memory tuning or advanced customizations.
-
Device Drivers and I/O: Similar to XDP for networking, direct attach points in driver stacks could improve performance by handling certain I/O logic in eBPF, bypassing parts of the kernel’s general-purpose code.
Meanwhile, specialized eBPF “kfuncs” (kernel functions callable from eBPF) continue to grow, letting developers interact even more directly with core kernel data structures. This approach can shorten the development cycle for new performance optimizations and advanced debugging use cases.
5.3 Standardization and Interoperability
As eBPF’s footprint expands, community members have begun exploring ways to ensure consistent APIs and behavior across kernel versions and even across operating systems:
- API Stability: While Linux leads eBPF’s development, projects like “eBPF for Windows” highlight the value of a more standardized interface. A stable kernel-side API could ease development of cross-platform eBPF tooling.
- Tooling and Library Ecosystem: Efforts to unify bcc, libbpf, and other libraries under standard schemas for packaging and deployment can further accelerate adoption. Mature frameworks and official conformance tests are likely to emerge to verify that eBPF programs run consistently on different kernel versions.
- Hardware Offloading: Some network interface cards (NICs) and SmartNICs already offload eBPF or eBPF-like programs directly into firmware. A standardized approach to offloading and verifying these programs could unlock significant performance gains in 5G/telecom and hyperscale data-center scenarios.
As more companies and open-source projects adopt eBPF, shared standards and reference implementations become essential to ensuring that new features don’t fragment the ecosystem.
5.4 Hardware Acceleration and HPC Use Cases
Although eBPF historically targets CPU-based execution in the Linux kernel, several research initiatives investigate offloading or accelerating eBPF logic on specialized hardware:
- SmartNIC and FPGA Offloading: Some deployments already leverage SmartNICs that parse and act on packet data in hardware for faster throughput. Extending these capabilities to more general eBPF programs could revolutionize in-kernel data-plane processing.
- High-Performance Computing (HPC): HPC clusters have demanding performance requirements, and eBPF can aid in capturing fine-grained metrics (network usage, job concurrency, interconnect performance) with minimal overhead. Future HPC frameworks may also tap eBPF for run-time tuning or fault diagnostics at scale.
As HPC and large-scale AI training clusters push the boundaries of performance, hardware-accelerated eBPF may become a key differentiator, providing faster instrumentation and the ability to incorporate advanced security features without sacrificing throughput.
The eBPF ecosystem continues to evolve at a rapid pace, driven by both established tech companies and innovative startups. Its impact on modern infrastructure software shows no signs of slowing down, making it an essential technology to watch in the coming years.
6. References & Sources
- Google Scholar: Approximate search counts for “eBPF” (2016–2024).
- GitHub Repositories: Yearly eBPF-labeled repo counts (2016–2024) plus star counts for bcc, bpftrace, Cilium, Falco, Pixie (as of early 2025).
- Mailing Lists: bpf, netdev, xdp-newbies (patches, monthly stats, design discussions).
- Paul Chaigno, “Complexity of the BPF Verifier” https://pchaigno.github.io/ebpf/2019/07/02/bpf-verifier-complexity.html
- Linux Kernel Source: Commit logs and release notes from v3.18 through v6.5+
- eBPF Summit, LSF/MM/BPF Conference, Linux Plumbers Conference eBPF Track, FOSDEM, KubeCon: Attendance stats and session counts (2020–2024).