TCP tracepoint
TCP tracepoints are stable kernel hook points for observing TCP socket state transitions. They were added to Linux around the 4.15-4.16 era (Brendan Gregg's 2018 "TCP Tracepoints" post is the canonical external reference, and is the one cited by the Netflix source).
Unlike kprobes on TCP internal functions — whose signatures change across kernel versions — TCP tracepoints (tcp:tcp_*, sock:inet_sock_set_state, etc.) expose a stable contract that eBPF programs can attach to with confidence across distributions and kernel versions. This makes them the load-bearing primitive for fleet-wide TCP observability in production.
What observers get
TCP tracepoints fire on state transitions — connection established, RTT update, retransmit, state change to CLOSE — giving eBPF programs access to the socket structure, the peer addresses, timing, and counters without needing unstable internal offsets.
Canonical use in flow logs
FlowExporter attaches to TCP tracepoints to monitor socket state. When a socket closes, FlowExporter emits a flow-log record with IPs, ports, timestamps, and socket statistics. On average this produces ~5M records/sec fleet-wide.
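The close-time emission described above, as an added example that is not FlowExporter's code: a user-space model that consumes events shaped like the sock:inet_sock_set_state and tcp:tcp_retransmit_skb tracepoints (constructed inline rather than delivered by an eBPF program), tracks each socket while it lives, and emits one flow-log record with addresses, ports, timestamps and a retransmit counter when the socket reaches TCP_CLOSE. It also handles the edge case of a socket that closes without ever being established.

```python
# Added example: user-space model of the flow-log logic described above, fed
# by constructed events shaped like sock:inet_sock_set_state and
# tcp:tcp_retransmit_skb. Not FlowExporter's code (which gets events from eBPF).
from collections import defaultdict

# Numeric TCP states as defined by the kernel (include/net/tcp_states.h).
TCP_ESTABLISHED, TCP_SYN_SENT, TCP_CLOSE = 1, 2, 7
STATE, RETX = "sock:inet_sock_set_state", "tcp:tcp_retransmit_skb"

def ev(tp, ts, saddr, sport, daddr, dport, old=None, new=None):
    """Build one tracepoint-shaped event (constructed, not kernel-captured)."""
    return {"tp": tp, "ts_ns": ts, "saddr": saddr, "sport": sport,
            "daddr": daddr, "dport": dport, "oldstate": old, "newstate": new}

# Constructed stream: flow A is established, retransmits twice and closes;
# flow B is a connect() that dies in SYN_SENT (refused or timed out).
A = ("10.0.0.5", 40001, "10.0.1.9", 443)
B = ("10.0.0.5", 40002, "10.0.1.7", 22)
SAMPLE_EVENTS = [
    ev(STATE, 100, *A, TCP_CLOSE, TCP_SYN_SENT),
    ev(STATE, 180, *A, TCP_SYN_SENT, TCP_ESTABLISHED),
    ev(RETX, 300, *A), ev(RETX, 500, *A),
    ev(STATE, 900, *A, TCP_ESTABLISHED, TCP_CLOSE),
    ev(STATE, 1000, *B, TCP_CLOSE, TCP_SYN_SENT),
    ev(STATE, 1600, *B, TCP_SYN_SENT, TCP_CLOSE),
]

def build_flow_records(events):
    """Emit one flow-log record per socket when it transitions to TCP_CLOSE."""
    flows, retrans, records = {}, defaultdict(int), []
    for e in events:
        key = (e["saddr"], e["sport"], e["daddr"], e["dport"])
        if e["tp"] == RETX:
            retrans[key] += 1  # counter carried into the final record
            continue
        flow = flows.setdefault(key, {"first_seen_ns": e["ts_ns"],
                                      "established_ns": None})
        if e["newstate"] == TCP_ESTABLISHED:
            flow["established_ns"] = e["ts_ns"]
        elif e["newstate"] == TCP_CLOSE:
            # A socket can close without ever being established; report
            # established_ns as None rather than guessing a handshake time.
            records.append({"saddr": key[0], "sport": key[1], "daddr": key[2],
                            "dport": key[3], "first_seen_ns": flow["first_seen_ns"],
                            "established_ns": flow["established_ns"],
                            "closed_ns": e["ts_ns"], "closed_from": e["oldstate"],
                            "retransmits": retrans.pop(key, 0)})
            del flows[key]
    return records
```

Keying on the 4-tuple is a simplification; the real tracepoint also carries the socket address (skaddr), which a production exporter would prefer so that port reuse across short-lived connections cannot merge two flows.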
Related
- systems/ebpf · concepts/ebpf-verifier
- systems/netflix-flowexporter
- patterns/sidecar-ebpf-flow-exporter
Seen in
- sources/2025-04-08-netflix-how-netflix-accurately-attributes-ebpf-flow-logs — explicitly names "TCP tracepoints" (with link to Brendan Gregg's 2018 primer) as the substrate FlowExporter attaches to.
- sources/2024-09-11-netflix-noisy-neighbor-detection-with-ebpf — uses scheduler tracepoints (sched_wakeup, sched_switch) for run-queue-latency observation, the sibling kernel tracepoint family.