What is eBPF?

eBPF stands for extended Berkeley Packet Filter. It is a Linux kernel technology that lets user-space programs run small verified programs inside the kernel without writing kernel modules or rebooting. Originally designed for network packet filtering (the 'BPF' in the name), modern eBPF runs on every syscall, every network event, every function entry, and every tracepoint — which is why it has become the foundation for observability, security, and testing tools that need kernel-level visibility without kernel-level risk.

An eBPF program is compiled to a tightly restricted bytecode that the kernel verifier checks before allowing it to run. The verifier proves the program terminates (no unbounded loops), stays within memory bounds, and only accesses allowed kernel helpers. Once verified, the bytecode is JIT-compiled to native instructions and attached to a hook point — a syscall entry, a network interface, a kprobe. The program runs in kernel context but with safety guarantees a kernel module does not provide, which is why tools like Cilium, Falco, and Keploy can ship eBPF programs to production without asking operators to install custom kernel code.

Four broad categories. Networking: high-performance packet filtering and load balancing (Cilium, Katran). Observability: tracing syscalls, function latency, and resource usage (BCC tools, bpftrace, Pixie). Security: runtime threat detection and policy enforcement (Falco, Tetragon). Testing: capturing real traffic and replaying it as deterministic tests without application code changes (Keploy). The common thread is kernel-level visibility with user-space programmability.

The modern eBPF feature set (CO-RE, BTF, ring buffer, verifier improvements) requires kernel 5.5 or later. Most production Linux distributions released after 2021 ship a 5.10+ kernel — Ubuntu 22.04 LTS, Debian 12, RHEL 9, Amazon Linux 2023, Fedora 36+. Older distributions (RHEL 7, Ubuntu 18.04) support eBPF but with a restricted feature set. Keploy ships CO-RE-compiled probes so a single binary works across all supported kernel versions without recompilation.

Keploy attaches eBPF programs to the system call entry points that network traffic flows through (accept, read, write, sendto, recvfrom). For every HTTP, gRPC, WebSocket, or database request your application processes, Keploy captures the full request and response pair at the kernel level — no SDK, no proxy, no application code changes. The captured traffic becomes YAML test fixtures with auto-generated mocks for every downstream dependency. During replay, Keploy serves the mocked responses back to the application from the same eBPF hooks, so the application cannot tell it is running in a test.

The eBPF verifier is one of the most thoroughly audited pieces of code in the Linux kernel specifically because it is a security boundary. Programs that do not pass verification are rejected; programs that pass are restricted to a known-safe set of operations. The loadable capabilities (CAP_BPF, CAP_PERFMON, CAP_SYS_ADMIN) are governed by standard Linux capabilities and can be granted only to specific service accounts. That said, eBPF programs run in kernel context and a verifier bug would be serious — which is why production eBPF tools undergo independent security audits and why the kernel community accepts eBPF changes with extra scrutiny.

Native eBPF is a Linux kernel feature. Windows has a separate eBPF-for-Windows project that provides a compatible API and runs eBPF programs under a user-space verifier, but it is early and only covers a subset of the Linux kernel's use cases. macOS has no native eBPF. For testing tools that depend on eBPF, the standard deployment pattern is to run them inside a Linux container or WSL 2 instance on developer workstations, and directly on Linux nodes in CI and production.

Kernel modules are fully-privileged kernel code that runs with no safety checks — a bug can panic the kernel. Modules must be compiled for the exact kernel version they target, and loading them requires root plus module signing in many distributions. eBPF programs are verified before execution, portable across kernel versions via CO-RE, and loadable with fine-grained capabilities. The trade-off is expressiveness: kernel modules can do anything; eBPF programs can only do what the verifier permits. For most observability and testing use cases, the eBPF restrictions are not a limiter.