Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


This is a pure C implementation of opensnoop that uses eBPF. I put together a detailed backstory of how this came to be.

The "official" version of opensnoop that uses eBPF is written in Python, as it leverages the Python bindings from the BCC toolkit to dynamically generate the eBPF program at runtime by populating a template of C code and compiling it on the fly into eBPF instructions.

This version of opensnoop differs slightly, as it uses the BCC toolkit to generate a template for the eBPF program (as an array of eBPF instructions) at build time that can be populated directly in C. Advantages:

  • This implementation uses only libbpf at runtime whereas the original uses libbcc, which is a much larger dependency.
  • Compared to the Python version, it eliminates some code that has to be duplicated between the Python code and C code template.
  • It eliminates an extra division done in the eBPF program due to the limits of numeric precision in Python.
  • Perhaps the most important difference (and the most subjective) is that this standalone version is simpler, which makes it easier to see what is going on. For example, because it is pure C, you can step through the entire program using gdb. Similarly, an strace of the pure C version is much cleaner compared to the original verison. When I first tried to understand how opensnoop worked, I had to navigate through several layers of code: the Python bindings for BCC, libbcc, and libbpf. In this implementation, you only need to worry about what libbpf is doing. Once you understand that, go back and see how those other layers make it easier to create tools that use eBPF.

Build instructions

To build the program from scratch, you must have the BCC toolkit installed:

$ ./
$ sudo ./opensnoop

If you want to leverage the existing code that was generated from BCC (the generated code is checked into the repo to make it easier for others to study and to build), then you can just do:

$ clang opensnoop.c -lelf -O3 -o opensnoop /usr/lib/x86_64-linux-gnu/
$ sudo ./opensnoop

In both cases, the version of libbpf/libbcc that you use should be built from or later.


Because the source code embeds the value of LINUX_VERSION_CODE from <linux/version.h> into the final binary, a version that you build on your machine will not work on a colleague's machine if they are not running the exact same version of the kernel.


opensnoop in pure C using eBPF







No releases published


No packages published