Skip to content

bpftop - Live eBPF Program Monitor Cheatsheet

bpftop - Live eBPF Program Monitor Cheatsheet

bpftop (by Netflix) is a terminal UI that provides a real-time view of all running eBPF programs on a host. For each program it shows the average execution time, events per second, and estimated CPU utilization, updating live — so you can see which eBPF programs are running, how often they fire, and how much overhead they add. As eBPF spreads across observability, networking, and security tooling, bpftop answers “what eBPF is running and what is it costing me?”

Requirements

  • Linux kernel with eBPF run-time statistics support
  • Root privileges (reads kernel BPF stats)
  • bpftop enables kernel.bpf_stats_enabled while running (and restores it on exit)

Installation

MethodCommand
Install script`curl -sSfL https://raw.githubusercontent.com/Netflix/bpftop/main/install.sh
Cargocargo install bpftop
Binarydownload from the GitHub Releases page
Verifybpftop --version

Running

CommandDescription
sudo bpftopLaunch the live TUI
bpftop --helpShow options
bpftop --versionVersion

bpftop must run as root because it reads kernel BPF statistics and toggles bpf_stats_enabled.

The Display

ColumnMeaning
IDBPF program ID
NameProgram name
TypeProgram type (kprobe, tracepoint, XDP, cgroup, …)
Period Avg Runtime (ns)Average time per execution in the last period
Total Avg Runtime (ns)Average since stats were enabled
Events/secInvocation rate
Est. CPU %Estimated CPU utilization of this program

Interactive Keys

KeyAction
/ Move the selection
EnterOpen a detailed graph for the selected program
SortOrder by runtime / events / CPU (column)
qQuit (restores prior bpf_stats_enabled state)

What to Look For

ObservationInterpretation
High Est. CPU % on one programAn eBPF program adding real overhead
High events/secA hot hook firing very frequently
Rising avg runtimeA program getting more expensive over time
Unexpected programseBPF you did not knowingly install

Why It Matters

eBPF underpins tools like Cilium/Tetragon, Falco, Tracee, Pixie, and many profilers. Each loads programs into the kernel. bpftop gives a single place to see the aggregate footprint and catch a misbehaving or overly-hot program before it degrades the host.

Common Workflows

# See what eBPF is running and its cost right now
sudo bpftop

# Validate the overhead of a newly deployed eBPF security agent
sudo bpftop   # watch the agent's programs' Est. CPU % under load

# Investigate a mysterious CPU regression that tracing tools cause
sudo bpftop   # sort by Est. CPU %, drill into the top program
Aspectbpftopbpftoolbtop / htop
FocusLive per-eBPF-program metricsInspect/manage BPF objectsWhole-system processes
Real-time costYes (runtime, events, CPU)Static listingProcess CPU/mem
UITUI with graphsCLITUI
Best forMonitoring eBPF overheadManaging BPF programs/mapsGeneral monitoring

Resources