1 files changed, 21 insertions, 8 deletions

diff --git a/collectors/ebpf.plugin/README.md b/collectors/ebpf.plugin/README.md
index 405eab875..1e593786b 100644
--- a/collectors/ebpf.plugin/README.md
+++ b/collectors/ebpf.plugin/README.md
@@ -123,11 +123,11 @@ To enable the collector, scroll down to the `[plugins]` section ensure the relev
    ebpf = yes
 ```
 
-You can also configure the eBPF collector's behavior by editing `ebpf.conf`.
+You can also configure the eBPF collector's behavior by editing `ebpf.d.conf`.
 
 ```bash
 cd /etc/netdata/   # Replace with your Netdata configuration directory, if not /etc/netdata/
-./edit-config ebpf.conf
+./edit-config ebpf.d.conf
 ```
 
 ### `[global]`
@@ -149,6 +149,7 @@ accepts the following values: ​
     new charts for the return of these functions, such as errors. Monitoring function returns can help in debugging
     software, such as failing to close file descriptors or creating zombie processes.
 -   `update every`:  Number of seconds used for eBPF to send data for Netdata.   
+-   `pid table size`: Defines the maximum number of PIDs stored inside the application hash table.
     
 #### Integration with `apps.plugin`
 
@@ -187,6 +188,11 @@ If you want to _disable_ the integration with `apps.plugin` along with the above
    apps = yes
 ```
 
+When the integration is enabled, eBPF collector allocates memory for each process running. The total 
+ allocated memory has direct relationship with the kernel version. When the eBPF plugin is running on kernels newer than `4.15`, 
+ it uses per-cpu maps to speed up the update of hash tables. This also implies storing data for the same PID 
+ for each processor it runs.
+
 #### `[ebpf programs]`
 
 The eBPF collector enables and runs the following eBPF programs by default:
@@ -194,6 +200,9 @@ The eBPF collector enables and runs the following eBPF programs by default:
 -   `cachestat`: Netdata's eBPF data collector creates charts about the memory page cache. When the integration with
     [`apps.plugin`](/collectors/apps.plugin/README.md) is enabled, this collector creates charts for the whole host _and_
     for each application.
+-   `dcstat` : This eBPF program creates charts that show information about file access using directory cache. It appends
+    `kprobes` for `lookup_fast()` and `d_lookup()` to identify if files are inside directory cache, outside and 
+    files are not found.
 -   `process`: This eBPF program creates charts that show information about process creation, VFS IO, and files removed.
     When in `return` mode, it also creates charts showing errors when these operations are executed.
 -   `network viewer`: This eBPF program creates charts with information about `TCP` and `UDP` functions, including the
@@ -215,6 +224,7 @@ cd /etc/netdata/   # Replace with your Netdata configuration directory, if not /
 The following configuration files are available:
 
 - `cachestat.conf`: Configuration for the `cachestat` thread.
+- `dcstat.conf`: Configuration for the `dcstat` thread.
 - `process.conf`: Configuration for the `process` thread.
 - `network.conf`: Configuration for the `network viewer` thread. This config file overwrites the global options and
   also lets you specify which network the eBPF collector monitors.
@@ -347,13 +357,16 @@ mount these filesystems on startup. More information can be found in the [ftrace
 
 ## Performance
 
-Because eBPF monitoring is complex, we are evaluating the performance of this new collector in various real-world
-conditions, across various system loads, and when monitoring complex applications.
+eBPF monitoring is complex and produces a large volume of metrics. We've discovered scenarios where the eBPF plugin 
+significantly increases kernel memory usage by several hundred MB.
+
+If your node is experiencing high memory usage and there is no obvious culprit to be found in the `apps.mem` chart, 
+consider testing for high kernel memory usage by [disabling eBPF monitoring](#configuration). Next, 
+[restart Netdata](/docs/configure/start-stop-restart.md) with `sudo systemctl restart netdata` to see if system 
+memory usage (see the `system.ram` chart) has dropped significantly.
 
-Our [initial testing](https://github.com/netdata/netdata/issues/8195) shows the performance of the eBPF collector is
-nearly identical to our [apps.plugin collector](/collectors/apps.plugin/README.md), despite collecting and displaying
-much more sophisticated metrics. You can now use the eBPF to gather deeper insights without affecting the performance of
-your complex applications at any load.
+Beginning with `v1.31`, kernel memory usage is configurable via the [`pid table size` setting](#ebpf-load-mode) 
+in `ebpf.conf`.
 
 ## SELinux