design·lab

DevOps & platform

eBPF

Run tiny, verified programs inside the Linux kernel to observe or secure every packet and syscall — without patching the kernel or flooding user space with raw events.

✗ The problem

Watching the kernel used to be risky or slow

To see every packet or syscall, you either patched/recompiled the kernel (risky, needs a reboot) — or copied the entire raw event stream up to a user-space agent (huge, high overhead).

Kernel
syscalls, packets, funcs
Copy EVERY event
huge raw stream
User-space agent
slow · high overhead
Kernel patches need a reboot and can crash the box. Streaming raw events chokes the CPU and the network before you even see an anomaly.
✓ How it works

Small sandboxed programs, verified safe, run inside the kernel

A verifier proves your eBPF program can't crash or loop forever before it's ever attached — no kernel changes, no reboot.

SEC("xdp")
int count_pkt(ctx) {
  // runs INSIDE the kernel
  key = proto(ctx);
  map[key]++;              // aggregate
  return XDP_PASS;
}
Your program
eBPF bytecode
Verifier
proves it's safe
Kernel hook
syscall · packet · tracepoint
Filter in-kernel
count / aggregate
Maps → user space
tiny summary only
✓ See it live

Attach a probe to the network hook — count in-kernel

Toggle the mode, then send a batch of events through the hook. Watch how much data actually reaches user space.

Kernel hook
network RX (probe attached)
User space
0
events processed
0 B
bytes to user space
ready
✓ Takeaway

Kernel programmability, without the danger

  • Safe & verified: the verifier rejects programs that could crash or hang the kernel.
  • Low overhead: filter/aggregate in-kernel — only summaries cross into user space.
  • No kernel changes: attach to syscalls, network hooks, or tracepoints at runtime.
  • Powers real tools: Cilium (networking), Pixie (profiling), Falco (security) all run on eBPF.
🎯 eBPF supercharges observability and Kubernetes networking — same kernel hooks, near-zero overhead.