eBPF for Testing

eBPF (extended Berkeley Packet Filter) is a technology that allows sandboxed programs to run inside the Linux kernel without modifying the kernel source code or loading kernel modules. Originally designed for network packet filtering, eBPF has expanded to support observability, security, and performance monitoring. It is used by projects like Cilium, Falco, and Keploy to hook into kernel-level events with minimal overhead.

eBPF attaches probes to kernel networking functions (like syscalls for send/receive) to intercept all network traffic entering and leaving an application. Because it operates at the kernel level, below the application runtime, it requires no SDK, middleware, proxy, or code instrumentation. Any application running on Linux — regardless of programming language or framework — becomes observable and testable through eBPF hooks.

Keploy attaches eBPF probes to the Linux kernel's networking stack to capture all inbound API requests, outbound dependency calls (database queries, downstream HTTP calls, message queue operations), and their responses. These captures are converted into replayable test cases with auto-generated mocks. During test execution, Keploy intercepts outbound calls via eBPF and returns recorded responses, eliminating the need for live dependencies.

eBPF programs run in a sandboxed JIT-compiled environment inside the kernel, making them highly efficient. Keploy's eBPF probes add approximately 1-3% latency overhead during traffic recording, which is negligible compared to sidecar proxies (10-30% overhead) or SDK-based instrumentation. During test replay, there is no production overhead since tests run against recorded data in CI/CD.

Sidecar proxies (like Envoy in service meshes) intercept traffic at the network layer by routing all traffic through an additional process. They add significant latency overhead (10-30%), require infrastructure configuration (Kubernetes pod injection), and only capture HTTP-level traffic. eBPF operates inside the kernel with minimal overhead, captures all network protocols (HTTP, gRPC, database wire protocols), and requires no infrastructure changes.

Yes. Because eBPF operates at the Linux kernel level, below the application runtime, it is completely language-agnostic. Keploy's eBPF-based capture works with Go, Java, Python, Node.js, Rust, C++, Ruby, PHP, and any other language that makes network calls through the Linux kernel's networking stack. There is no language-specific SDK or library to install.

The primary limitations are: Linux-only (eBPF is a Linux kernel technology, so it does not work on macOS or Windows natively — Keploy supports Docker for cross-platform development), kernel version requirements (eBPF features require Linux kernel 4.15+ with full support in 5.x+), and encrypted traffic handling (eBPF captures at the network layer, so TLS-encrypted internal traffic requires either capturing before encryption or using eBPF uprobes on TLS libraries).

Yes. eBPF captures all network traffic at the kernel level, including database wire protocols (PostgreSQL, MySQL, MongoDB, Redis), message queue protocols (Kafka, RabbitMQ, NATS), gRPC calls, and any other network communication. Keploy decodes these wire protocols to generate human-readable test cases and mocks for each dependency interaction.