DevOps & platform
eBPF
Run tiny, verified programs inside the Linux kernel to observe or secure every packet and syscall — without patching the kernel or flooding user space with raw events.
✗ The problem
→
→
Watching the kernel used to be risky or slow
To see every packet or syscall, you either patched/recompiled the kernel (risky, needs a reboot) — or copied the entire raw event stream up to a user-space agent (huge, high overhead).
Kernel
syscalls, packets, funcs
Copy EVERY event
huge raw stream
User-space agent
slow · high overhead
Kernel patches need a reboot and can crash the box. Streaming raw events chokes
the CPU and the network before you even see an anomaly.
✓ How it works
↓
↓
↓
↓
Small sandboxed programs, verified safe, run inside the kernel
A verifier proves your eBPF program can't crash or loop forever before it's ever attached — no kernel changes, no reboot.
SEC("xdp")
int count_pkt(ctx) {
// runs INSIDE the kernel
key = proto(ctx);
map[key]++; // aggregate
return XDP_PASS;
}
Your program
eBPF bytecode
Verifier
proves it's safe
Kernel hook
syscall · packet · tracepoint
Filter in-kernel
count / aggregate
Maps → user space
tiny summary only
✓ See it live
↓
Attach a probe to the network hook — count in-kernel
Toggle the mode, then send a batch of events through the hook. Watch how much data actually reaches user space.
Kernel hook
network RX (probe attached)
User space
—
0
events processed
0 B
bytes to user space
ready
✓ Takeaway
Kernel programmability, without the danger
- Safe & verified: the verifier rejects programs that could crash or hang the kernel.
- Low overhead: filter/aggregate in-kernel — only summaries cross into user space.
- No kernel changes: attach to syscalls, network hooks, or tracepoints at runtime.
- Powers real tools: Cilium (networking), Pixie (profiling), Falco (security) all run on eBPF.
🎯 eBPF supercharges observability
and Kubernetes networking — same kernel hooks, near-zero overhead.
Back to all topics →