eBPF (extended Berkeley Packet Filter) is an in-kernel virtual machine in Linux that lets you load small, verified programs and attach them to hooks throughout the kernel: syscall tracepoints, kprobes, uprobes, static tracepoints, network interfaces (XDP, tc), cgroups, LSM hooks, and more. Programs are typically written in a restricted subset of C, compiled to eBPF bytecode with Clang/LLVM, loaded with the bpf() syscall (BPF_PROG_LOAD), checked by the in-kernel verifier, and then JIT-compiled to native code where the JIT is enabled (the common case on x86-64 and arm64; otherwise an in-kernel interpreter runs the bytecode). Loading is a privileged operation: on current kernels it requires CAP_BPF plus CAP_PERFMON (tracing) or CAP_NET_ADMIN (networking), or CAP_SYS_ADMIN on kernels before 5.8.
The verifier is what makes eBPF interesting. Before a program is accepted it symbolically executes every path through the bytecode, tracking the type and value range of each register, and rejects anything it cannot prove safe: reads of uninitialised registers, memory accesses outside an object it knows to be valid (the context, a map value, the stack, a packet), jumps that could loop without bound (bounded loops have been accepted since Linux 5.3), helper calls with the wrong argument types, and programs whose state space exceeds its complexity limit. That proof is why the kernel community is willing to run user-supplied code in kernel context. The caveat is that the proof is only as good as the verifier itself: it is a large, intricate piece of code that has had exploitable bugs, which is why most distributions ship with unprivileged BPF disabled (kernel.unprivileged_bpf_disabled=2) and treat the ability to load BPF programs as equivalent to root. Programs communicate with userspace through maps (hash tables, arrays, ring buffers, perf buffers), which are the shared state between the eBPF program and whatever tool is reading its output; userspace reads and writes them through bpf() commands such as BPF_MAP_LOOKUP_ELEM, and maps pinned in bpffs can be shared between programs and across processes.
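As an added example (not code from the page or from any of the projects it mentions), here is a toy eBPF verifier in plain C. It hand-encodes a few programs in the real 8-byte instruction format that clang emits and BPF_PROG_LOAD receives, then walks every path through each program tracking which registers hold a value, to show the kind of static proof the kernel performs before it JIT-compiles anything. The instruction layout, opcode values, register roles (r1 = context, r10 = read-only frame pointer, r0 = return value) and helper number 14 (bpf_get_current_pid_tgid) are from the eBPF ISA; the checker itself is a simplified model written for this example, not the kernel's verifier: it rejects every backward jump, where the real verifier accepts loops it can bound, and it does not model pointer types, value ranges or memory access at all. The sample programs are constructed for the example.

```c
/* Added example (not kernel code): eBPF bytecode in the real 8-byte instruction format, plus a toy
 * static checker that models a few of the verifier's rules. */
#include <stdint.h>
#include <stdio.h>

struct ebpf_insn { uint8_t code; uint8_t regs; int16_t off; int32_t imm; }; /* dst = low nibble of regs */
enum { BPF_ALU = 0x04, BPF_JMP = 0x05, BPF_JMP32 = 0x06, BPF_ALU64 = 0x07,   /* instruction classes */
       BPF_K = 0x00, BPF_X = 0x08, BPF_MOV = 0xb0, BPF_RSH = 0x70, BPF_END = 0xd0,
       BPF_JA = 0x00, BPF_JNE = 0x50, BPF_CALL = 0x80, BPF_EXIT = 0x90 };
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_SRC(c)   ((c) & 0x08)
enum { R0 = 0, R_CTX = 1, R_FP = 10 };   /* return value; context pointer at entry; read-only frame pointer */
#define REG(r) (1u << (r))

/* Instruction builders in the spirit of the kernel's BPF_* macros (written for this example). */
#define INSN(C, D, S, O, I)  { (uint8_t)(C), (uint8_t)(((S) << 4) | ((D) & 0xf)), (int16_t)(O), (int32_t)(I) }
#define MOV64_IMM(D, I)      INSN(BPF_ALU64 | BPF_MOV | BPF_K, D, 0, 0, I)
#define MOV64_REG(D, S)      INSN(BPF_ALU64 | BPF_MOV | BPF_X, D, S, 0, 0)
#define ALU64_IMM(OP, D, I)  INSN(BPF_ALU64 | (OP) | BPF_K, D, 0, 0, I)
#define JMP_IMM(OP, D, I, O) INSN(BPF_JMP | (OP) | BPF_K, D, 0, O, I)
#define JMP_A(O)             INSN(BPF_JMP | BPF_JA, 0, 0, O, 0)
#define CALL_HELPER(ID)      INSN(BPF_JMP | BPF_CALL, 0, 0, 0, ID)
#define EXIT_INSN()          INSN(BPF_JMP | BPF_EXIT, 0, 0, 0, 0)

enum verdict { V_OK, V_FALLS_OFF_END, V_BAD_JUMP_TARGET, V_BACKWARD_JUMP, V_WRITE_TO_FP,
               V_UNINIT_REG_READ, V_R0_UNSET_AT_EXIT, V_UNKNOWN_INSN };
static const char *verdict_name[] = { "OK", "falls off the end", "jump target out of range",
    "backward jump (possible loop)", "write to r10", "uninitialised register read", "r0 unset at exit",
    "unsupported instruction" };

/* Walk every path from pc carrying a bitmask of registers known to hold a value. Rejecting every
 * backward jump keeps the walk finite; the real verifier is smarter and accepts loops it can bound. */
static int walk(const struct ebpf_insn *p, int n, int pc, unsigned init)
{
    for (;;) {
        if (pc >= n) return V_FALLS_OFF_END;
        int dst = p[pc].regs & 0xf, src = p[pc].regs >> 4, cls = BPF_CLASS(p[pc].code), op = BPF_OP(p[pc].code);
        int reads_src = BPF_SRC(p[pc].code) == BPF_X && op != BPF_END;   /* BPF_END reuses the source bit */
        if (dst > R_FP || src > R_FP) return V_UNKNOWN_INSN;
        switch (cls) {
        case BPF_ALU: case BPF_ALU64:            /* dst = dst OP src|imm, or dst = src|imm for MOV */
            if (dst == R_FP) return V_WRITE_TO_FP;
            if (reads_src && !(init & REG(src))) return V_UNINIT_REG_READ;
            if (op != BPF_MOV && !(init & REG(dst))) return V_UNINIT_REG_READ;
            init |= REG(dst); pc++; break;
        case BPF_JMP: case BPF_JMP32: {
            if (op == BPF_EXIT) return (init & REG(R0)) ? V_OK : V_R0_UNSET_AT_EXIT;
            if (op == BPF_CALL) {                /* helper call: consumes r1-r5, produces r0 */
                init = (init | REG(R0)) & ~(REG(1) | REG(2) | REG(3) | REG(4) | REG(5));
                pc++; break;
            }
            int target = pc + 1 + p[pc].off;
            if (target < 0 || target >= n) return V_BAD_JUMP_TARGET;
            if (target <= pc) return V_BACKWARD_JUMP;
            if (op == BPF_JA) { pc = target; break; }
            if (!(init & REG(dst)) || (reads_src && !(init & REG(src)))) return V_UNINIT_REG_READ;
            int rc = walk(p, n, target, init);   /* explore the taken branch ... */
            if (rc != V_OK) return rc;
            pc++; break;                         /* ... then the fall-through */
        }
        default: return V_UNKNOWN_INSN;          /* loads, stores, atomics: pointer tracking not modelled */
        }
    }
}

/* At entry only r1 (the context pointer) and r10 (the frame pointer) hold values. */
int toy_verify(const struct ebpf_insn *p, int n) { return n <= 0 ? V_FALLS_OFF_END : walk(p, n, 0, REG(R_CTX) | REG(R_FP)); }

/* Constructed samples. xdp_drop is what clang emits for `return XDP_DROP;` (XDP_DROP == 1);
 * pid_filter returns 1 when the calling tgid is 1234 (helper 14 is bpf_get_current_pid_tgid). */
static const struct ebpf_insn xdp_drop[]    = { MOV64_IMM(R0, 1), EXIT_INSN() };
static const struct ebpf_insn pid_filter[]  = { CALL_HELPER(14), ALU64_IMM(BPF_RSH, R0, 32),
    JMP_IMM(BPF_JNE, R0, 1234, 2), MOV64_IMM(R0, 1), JMP_A(1), MOV64_IMM(R0, 0), EXIT_INSN() };
/* Each of these breaks one rule and must be rejected. */
static const struct ebpf_insn uninit_read[] = { MOV64_REG(R0, 2), EXIT_INSN() };     /* r2 never written */
static const struct ebpf_insn no_exit[]     = { MOV64_IMM(R0, 0) };
static const struct ebpf_insn loop[]        = { MOV64_IMM(R0, 0), JMP_A(-2), EXIT_INSN() };
static const struct ebpf_insn clobber_fp[]  = { MOV64_IMM(R_FP, 0), MOV64_IMM(R0, 0), EXIT_INSN() };
static const struct ebpf_insn bare_exit[]   = { EXIT_INSN() };
static const struct ebpf_insn bad_target[]  = { MOV64_IMM(R0, 0), JMP_A(5), EXIT_INSN() };

struct sample { const char *name; const struct ebpf_insn *p; int n; int expect; };
#define S(arr, v) { #arr, arr, (int)(sizeof(arr) / sizeof(arr[0])), v }
static const struct sample samples[] = {
    S(xdp_drop, V_OK), S(pid_filter, V_OK), S(uninit_read, V_UNINIT_REG_READ), S(no_exit, V_FALLS_OFF_END),
    S(loop, V_BACKWARD_JUMP), S(clobber_fp, V_WRITE_TO_FP), S(bare_exit, V_R0_UNSET_AT_EXIT),
    S(bad_target, V_BAD_JUMP_TARGET) };
#define NSAMPLES ((int)(sizeof(samples) / sizeof(samples[0])))

int sample_verdict(int i) { return toy_verify(samples[i].p, samples[i].n); }
int all_samples_as_expected(void)
{
    for (int i = 0; i < NSAMPLES; i++) if (sample_verdict(i) != samples[i].expect) return 0;
    return 1;
}

int main(void)
{
    for (int i = 0; i < NSAMPLES; i++) printf("%-12s %s\n", samples[i].name, verdict_name[sample_verdict(i)]);
    return all_samples_as_expected() ? 0 : 1;
}
```

Build with `cc -std=c11 -Wall toy_verifier.c && ./a.out`; the two well-formed programs are accepted and each of the six broken ones is rejected with the rule it violates. With a real toolchain the equivalent check happens inside BPF_PROG_LOAD, and libbpf or `bpftool prog load` print the kernel's verifier log when a program is refused, which is the first thing to read when a program that compiles cleanly will not load.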
eBPF is the substrate under a huge amount of modern infrastructure. Cilium uses it for Kubernetes networking, load balancing, and replacing kube-proxy. Falco and Tetragon use it for runtime security observability, and Tetragon also for in-kernel enforcement. Pixie, Parca, and bpftrace use it for zero-instrumentation tracing and profiling. Katran (Facebook) and Cloudflare use XDP-based eBPF for DDoS mitigation and L4 load balancing at line rate. The standard toolchains are libbpf with BTF/CO-RE for portable programs that run unchanged across kernel versions, and bcc or bpftrace for ad-hoc tracing. Microsoft maintains an eBPF for Windows port, but nearly all production use is on Linux.