May 2, 2026 / 1 min read

eBPF Tracing Notes for Runtime Latency

A practical outline for using eBPF to observe syscall latency, scheduler pressure, and runtime behavior with minimal application changes.

Observation Without Rebuilds

eBPF is useful when the system is already running and the question lives below the application boundary. It can attach to kernel tracepoints, uprobes, kprobes, and perf events to expose behavior that logging rarely captures.

Useful Signals

syscall duration histograms
scheduler run queue pressure
TCP retransmits and connection churn
block I/O latency
allocator and runtime hotspots

Minimal Probe Sketch

bpftrace -e 'tracepoint:syscalls:sys_enter_write { @[comm] = count(); }'

This is not a full observability strategy. It is a fast way to move from suspicion to evidence.

Production Constraint

Keep probes narrow, measure overhead, and prefer histograms over per-event logging when the workload is hot.