bpftop - Live eBPF Program Monitor Cheatsheet
bpftop (by Netflix) is a terminal UI that provides a real-time view of all running eBPF programs on a host. For each program it shows the average execution time, events per second, and estimated CPU utilization, updating live — so you can see which eBPF programs are running, how often they fire, and how much overhead they add. As eBPF spreads across observability, networking, and security tooling, bpftop answers “what eBPF is running and what is it costing me?”
Requirements
- Linux kernel with eBPF run-time statistics support
- Root privileges (reads kernel BPF stats)
- bpftop enables
kernel.bpf_stats_enabled while running (and restores it on exit)
Installation
Running
| Command | Description |
|---|
sudo bpftop | Launch the live TUI |
bpftop --help | Show options |
bpftop --version | Version |
bpftop must run as root because it reads kernel BPF statistics and toggles bpf_stats_enabled.
The Display
| Column | Meaning |
|---|
| ID | BPF program ID |
| Name | Program name |
| Type | Program type (kprobe, tracepoint, XDP, cgroup, …) |
| Period Avg Runtime (ns) | Average time per execution in the last period |
| Total Avg Runtime (ns) | Average since stats were enabled |
| Events/sec | Invocation rate |
| Est. CPU % | Estimated CPU utilization of this program |
Interactive Keys
| Key | Action |
|---|
↑ / ↓ | Move the selection |
Enter | Open a detailed graph for the selected program |
| Sort | Order by runtime / events / CPU (column) |
q | Quit (restores prior bpf_stats_enabled state) |
What to Look For
| Observation | Interpretation |
|---|
| High Est. CPU % on one program | An eBPF program adding real overhead |
| High events/sec | A hot hook firing very frequently |
| Rising avg runtime | A program getting more expensive over time |
| Unexpected programs | eBPF you did not knowingly install |
Why It Matters
eBPF underpins tools like Cilium/Tetragon, Falco, Tracee, Pixie, and many profilers. Each loads programs into the kernel. bpftop gives a single place to see the aggregate footprint and catch a misbehaving or overly-hot program before it degrades the host.
Common Workflows
# See what eBPF is running and its cost right now
sudo bpftop
# Validate the overhead of a newly deployed eBPF security agent
sudo bpftop # watch the agent's programs' Est. CPU % under load
# Investigate a mysterious CPU regression that tracing tools cause
sudo bpftop # sort by Est. CPU %, drill into the top program
| Aspect | bpftop | bpftool | btop / htop |
|---|
| Focus | Live per-eBPF-program metrics | Inspect/manage BPF objects | Whole-system processes |
| Real-time cost | Yes (runtime, events, CPU) | Static listing | Process CPU/mem |
| UI | TUI with graphs | CLI | TUI |
| Best for | Monitoring eBPF overhead | Managing BPF programs/maps | General monitoring |
Resources