Question

<https github com capsule8 capsule8 blob master docs KProbes md> looks like the simple intro It s based on kprobes Additionally leverages cgroups so you can instrument differently at different processes

maestretti · Answer

As I recall it uses standard perf techniques instead of ebpf so broader kernel support but not as performant more context switches etc

seph · Answer

Uses kprobes My coworkers think it s performant

b0l · Answer

yes it uses kprobes and perf event open to get data from kernel ring buffer