eBPF has become a prominent tool to easily and quickly monitor processes. However, I was not able to find how one would compute the impact of the probe itself on performance. I'm sure if I hook every syscall and push some information into a map, there must be some impact, nothing is free, but how would I properly compute this added latency?
The only solution I have thought of is to run the same programs several times, both with the probes active and without, and check the system execution time difference, but this seems to me like it would be influenced by various factors which could add a lot of variance and therefore not give very solid results.
There was a talk on this topic by Bryce Kahle at the eBPF Summit. It's the most complete answer to this question I'm aware of.
To summarize, you have several options:
- kernel.bpf_stats_enabled statistics collected by the kernel.
- bpftool prog profile.
- BPF_PROG_TEST_RUN hook, e.g., via bpftool prog run.
The talk doesn't mention one last option: you can now attach BPF programs at the entry and exit of other BPF programs with BPF trampoline.
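As an added example (not part of the answer above or of the talk), one way to use the first option is to snapshot `bpftool -j prog show` before and after a workload while `kernel.bpf_stats_enabled=1`, then diff the `run_time_ns` and `run_cnt` counters per program. The snapshots, program names and the `probe_overhead` helper are constructed for illustration.

```python
import json

# Constructed snapshots shaped like `bpftool -j prog show` output, taken before
# and after a workload with `sysctl -w kernel.bpf_stats_enabled=1` in effect.
BEFORE = json.loads("""[
 {"id": 41, "type": "tracepoint", "name": "sys_enter_hook",
  "run_time_ns": 1200000, "run_cnt": 4000},
 {"id": 42, "type": "kprobe", "name": "idle_probe",
  "run_time_ns": 500, "run_cnt": 1},
 {"id": 7, "type": "cgroup_skb", "name": "no_stats"}
]""")
AFTER = json.loads("""[
 {"id": 41, "type": "tracepoint", "name": "sys_enter_hook",
  "run_time_ns": 4200000, "run_cnt": 14000},
 {"id": 42, "type": "kprobe", "name": "idle_probe",
  "run_time_ns": 500, "run_cnt": 1},
 {"id": 43, "type": "kprobe", "name": "late_probe",
  "run_time_ns": 96000, "run_cnt": 300},
 {"id": 7, "type": "cgroup_skb", "name": "no_stats"}
]""")

def probe_overhead(before, after, wall_ns):
    """Cost of each BPF program over the interval between two snapshots.

    run_time_ns counts time spent inside the program, so cpu_share is that
    time divided by the wall-clock interval (summed over all CPUs).
    """
    base = {p["id"]: p for p in before}
    report = {}
    for prog in after:
        if "run_cnt" not in prog:          # no stats reported for this program
            continue
        old = base.get(prog["id"], {})     # loaded mid-interval: counters start at 0
        runs = prog["run_cnt"] - old.get("run_cnt", 0)
        spent = prog["run_time_ns"] - old.get("run_time_ns", 0)
        if runs <= 0:                      # never fired during the interval
            continue
        report[prog["id"]] = {
            "name": prog["name"],
            "runs": runs,
            "avg_ns": spent / runs,
            "cpu_share": spent / wall_ns,
        }
    return report

if __name__ == "__main__":
    for pid, row in probe_overhead(BEFORE, AFTER, 1_000_000_000).items():
        print(pid, row)
```

Because the counters are cumulative, diffing two snapshots isolates the workload under test from whatever the programs did before it started.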