DevOps Dictionary

eBPF

eBPF (extended Berkeley Packet Filter) is a Linux kernel capability for running small, sandboxed programs in the kernel so you can observe and sometimes influence system behavior, including network traffic, system calls, and process activity, with very low overhead. It addresses the need for deep, production-safe visibility and control without building custom kernel modules or restarting hosts to deploy changes. At a high level, eBPF programs are compiled in user space, loaded into the kernel, checked by a verifier to ensure they are safe and bounded, then attached to kernel hook points where they can capture events, compute lightweight summaries, and stream results back to user-space tools.

With eBPF, teams can troubleshoot performance issues and enforce fine-grained policies in real time; without it, they often rely on heavier agents, coarse logs, or riskier kernel extensions that are harder to operate safely. The difference comes from where eBPF runs: programs execute at the source of the events, and the verifier constrains what they can do so that kernel stability is protected.
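The compile, verify, attach, summarize and stream pipeline described above, as an added example that is not part of the original entry: a small bcc program (Python user-space side, restricted C for the kernel side) that attaches to the `sys_enter_execve` tracepoint, counts process executions per PID in a kernel map, and reads the map back in user space. The tracepoint name, the `exec_count` map name and `SAMPLE_ROWS` are this example's own choices; `SAMPLE_ROWS` is constructed so the aggregation step can be exercised without loading anything into a kernel. Loading the program requires bcc and root.

```python
"""Count execve() calls per process with an eBPF tracepoint program (bcc).

Pipeline: BPF_PROGRAM is compiled from restricted C by bcc/clang in user
space, the kernel verifier checks it (bounded, no loops, map access only
through helpers), and it is attached to the tracepoint. The kernel side only
increments a per-PID counter; user space reads the map and summarizes it.
"""
import time
from collections import Counter

# Kernel-side program (restricted C). TRACEPOINT_PROBE and BPF_HASH are bcc
# macros; the function body is what the verifier inspects at load time.
BPF_PROGRAM = r"""
BPF_HASH(exec_count, u32, u64);   // map: tgid -> number of execve() calls

// Runs in kernel context on every execve() entry, for every process.
TRACEPOINT_PROBE(syscalls, sys_enter_execve) {
    // High 32 bits of pid_tgid are the thread-group id (the user-visible PID).
    u32 tgid = bpf_get_current_pid_tgid() >> 32;
    exec_count.increment(tgid);   // straight-line code, accepted by the verifier
    return 0;
}
"""

# Constructed sample of (pid, count) rows, shaped like the kernel map dump,
# so the user-space summary can be tested offline. Not real captured data.
SAMPLE_ROWS = [(1234, 3), (42, 10), (1234, 2), (7, 1)]


def summarize(rows, top=5):
    """Aggregate (pid, count) rows into the `top` busiest PIDs.

    Returns a list of (pid, total) tuples sorted by total, descending. A PID
    that spawns an unusual number of processes in a short window is a useful
    signal for both performance triage and detection engineering.
    """
    counter = Counter()
    for pid, count in rows:
        counter[int(pid)] += int(count)
    return counter.most_common(top)


def read_map(bpf_obj):
    """Dump the exec_count map as plain (pid, count) tuples."""
    return [(k.value, v.value) for k, v in bpf_obj["exec_count"].items()]


def main(seconds=10):
    # Imported here so the module loads offline; bcc + root are needed to run.
    from bcc import BPF

    b = BPF(text=BPF_PROGRAM)   # compile, load, verify, attach
    print(f"Tracing execve() for {seconds}s ...")
    time.sleep(seconds)
    for pid, total in summarize(read_map(b)):
        print(f"pid {pid:>7}  execve calls: {total}")


if __name__ == "__main__":
    main()
```

The kernel side deliberately does only bounded, constant-time work (one helper call and one map increment); anything with an unbounded loop or a raw pointer dereference would be rejected by the verifier before attachment, which is the property that makes this safe to run on a production host.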
