eBPF, which stands for extended Berkeley Packet Filter, is exactly what it sounds like—an extended version of the Berkeley Packet Filter (BPF). It is a feature available in Linux kernels that allows you to run an abstract virtual machine (VM) inside the kernel. By executing user-defined programs inside a sandbox in the kernel, eBPF allows you to safely load programs into the kernel, in order to customize its operation.

eBPF is typically used to enable developers to write low-level monitoring, tracing, and networking programs in Linux in a way that ensures optimal performance. With eBPF, the kernel and its behavior become highly customizable, rather than fixed.

For more information about eBPF, read our detailed guides:


Learn how XDP enables fast traffic processing in eBPF, see use cases of XDP, and learn to write and load your first XDP program.

2. eBPF: When (and when not) to use it

Is eBPF a one-stop shop solution for all of your Linux kernel needs? Learn about what eBPF does well, and how it stacks up against standard Linux iptables.
