Generated by GPT-5-mini

| bcc (BPF Compiler Collection) | |
|---|---|
| Name | bcc (BPF Compiler Collection) |
| Developer | Facebook, Inc.; Google LLC; Intel Corporation |
| Initial release | 2015 |
| Programming language | C, C++, Python |
| Operating system | Linux kernel-based systems |
| License | MIT License |

bcc (BPF Compiler Collection) is an open-source toolkit for creating efficient kernel instrumentation and observability programs using extended Berkeley Packet Filter (eBPF). It provides high-level language frontends, a runtime, and examples that bridge users of Facebook, Inc., Google LLC, Intel Corporation, Netflix, Inc., and other organizations to the Linux kernel for tracing, networking, and security tasks. bcc enables researchers and operators to write programs in familiar languages and deploy them into kernel context with performance characteristics comparable to native C while leveraging safety mechanisms of the Linux kernel eBPF verifier.
bcc packages compilers, libraries, and utilities to simplify authoring of eBPF programs for the Linux kernel environment; it complements projects such as libbpf, bpftool, XDP, and SystemTap used by teams at Facebook, Inc., Netflix, Inc., Google LLC, Microsoft Corporation, and Red Hat, Inc. The project exposes APIs consumed by users of Python, Lua, and C++ to attach probes to kernel tracepoints, kprobes, uprobes, and sockets, enabling use cases pursued by researchers at University of California, Berkeley, Carnegie Mellon University, and Massachusetts Institute of Technology. bcc's tooling ecosystem interacts with observability stacks like Prometheus, Grafana, Fluentd, and ELK Stack, while also integrating with network function frameworks such as Open vSwitch and cloud platforms including Amazon Web Services, Google Cloud Platform, and Microsoft Azure.
bcc's architecture centers on a frontend that compiles embedded eBPF C into bytecode, a loader that uses bcc Python and C++ bindings to communicate with the Linux kernel via perf_event_open and netlink, and utilities that format output for tools like tcpdump and Wireshark. Core components include the eBPF emitter based on LLVM, runtime helpers modeled on libbpf, and userland libraries that mirror designs from glibc and Boost. The system interacts with kernel subsystems including kprobe/kretprobe mechanisms, tracepoint hooks, and XDP fast-path processing used by Cloudflare, Inc. and Fastly, Inc. for high-performance packet handling. bcc bundles scripts and examples that rely on BCC tools conventions and collaborate with utilities like bpftool from kernel.org maintainers.
bcc provides language frontends for Python, C++, and limited support for Go via bindings; these frontends expose APIs that allow developers at firms like Facebook, Inc., Google LLC, and Spotify Technology S.A. to load eBPF programs, manage maps, and receive perf events. The Python frontend integrates with ecosystems such as NumPy, Pandas, and scikit-learn for analytics workflows, while the C++ APIs follow idioms familiar to contributors from Intel Corporation and Red Hat, Inc. Bindings interoperate with build toolchains including LLVM, GCC, and package managers used by Debian Project, Ubuntu, and Fedora Project.
bcc powers tracing and observability tools used by operators at Netflix, Inc., Facebook, Inc., LinkedIn Corporation, and Twitter, Inc. for latency analysis, syscall tracking, and network telemetry; representative tools include examples for syscall counts, TCP latency, and file I/O sampling. Administrators integrate bcc scripts with monitoring suites like Prometheus, Grafana, and Datadog for dashboards and alerting, while security teams at SUSE, Red Hat, Inc., and CNCF projects adapt it for intrusion detection, container observability, and policy enforcement. Network operators use bcc examples alongside XDP to implement DDoS mitigation and high-performance load balancing as seen in deployments by Cloudflare, Inc. and Akamai Technologies, Inc.
bcc-generated eBPF programs are validated by the Linux kernel eBPF verifier to enforce memory safety and bounded loops, reducing risk noted in historical kernel exploits examined by researchers at University of Cambridge and ETH Zurich. Performance comparisons reference LLVM-compiled native agents and in-kernel modules developed by teams at Intel Corporation and Samsung Electronics; eBPF via bcc often delivers near-native throughput for packet processing use cases pursued by Cloudflare, Inc. and Netflix, Inc., while incurring lower development cost compared to out-of-tree kernel modules documented by Linux Foundation partners. Safety practices advocated by contributors from Google LLC and Facebook, Inc. include map-size limiting, verifier-friendly code patterns, and CI integration with test suites used by kernel.org maintainers.
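The following sketch is an added example, not code from the bcc project: it shows the Python frontend loading embedded eBPF C, with an explicitly sized map and loop-free probe code as instances of the map-size limiting and verifier-friendly patterns mentioned above. The names `build_program`, `top_syscalls`, `MAX_ENTRIES` and the 65536 ceiling are assumptions made for this example; running `main()` requires bcc installed and root privileges.

```python
import time

MAX_ENTRIES = 1024  # assumed cap for this example; bcc's default hash size is 10240


def build_program(max_entries=MAX_ENTRIES):
    """Return bcc embedded C that counts syscalls in a size-limited hash map."""
    if not 0 < max_entries <= 65536:  # ceiling is an assumption of this example
        raise ValueError("map size outside the range this example allows")
    return """
BPF_HASH(counts, u32, u64, %d);   // explicit size bounds kernel memory use

TRACEPOINT_PROBE(raw_syscalls, sys_enter) {
    if (args->id < 0)              // skip invalid syscall numbers
        return 0;
    u32 key = args->id;
    counts.increment(key);         // straight-line code: no loops to verify
    return 0;
}
""" % max_entries


def top_syscalls(pairs, limit=5):
    """Sort (syscall_id, count) pairs by count, highest first."""
    return sorted(pairs, key=lambda kv: kv[1], reverse=True)[:limit]


def main(interval=5):
    # Imported lazily so the helpers above can be used without bcc installed.
    from bcc import BPF
    b = BPF(text=build_program())  # compile with LLVM, pass the verifier, attach
    time.sleep(interval)           # let the tracepoint collect samples
    pairs = [(k.value, v.value) for k, v in b["counts"].items()]
    for sysno, hits in top_syscalls(pairs):
        print("syscall %d: %d" % (sysno, hits))


if __name__ == "__main__":
    main()
```

If the verifier rejects the program, `BPF(text=...)` raises an exception at load time, so a rejected program never runs in kernel context.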
bcc originated from engineering efforts at Facebook, Inc. in the mid-2010s and later attracted contributors from Google LLC, Intel Corporation, Netflix, Inc., and the open-source community hosted around GitHub, Inc. and kernel.org. Governance has been informal, with major design discussions occurring in issue trackers and mailing lists frequented by developers associated with Linux Foundation projects, Cloud Native Computing Foundation, and enterprise distributions like Red Hat, Inc. Key releases correspond with upstream Linux kernel features such as eBPF map enhancements and verifier improvements influenced by maintainers like those at kernel.org and researchers from University of California, Berkeley.
Adoption of bcc spans cloud providers including Amazon Web Services, Google Cloud Platform, and Microsoft Azure; content delivery networks like Cloudflare, Inc.; and observability vendors such as Datadog, Inc. and New Relic, Inc. It is integrated into orchestration and container ecosystems involving Kubernetes, Docker, Inc., and service meshes adopted by HashiCorp and CNCF projects, and it complements runtime security tooling from vendors like Aqua Security and Palo Alto Networks. Enterprises and universities leverage bcc for research and production telemetry, while newer projects increasingly migrate to libbpf-centric workflows advocated by kernel.org maintainers.