Keploy — How eBPF Intercepts Traffic to Auto-Generate API Tests

A CNCF project written in Go. 17k+ stars. Auto-generates API tests with zero code changes.

Core Principle: eBPF Destination Redirect

Every app uses kernel syscalls to communicate externally. When connect(postgres:5432) is called, the kernel creates a TCP connection. Keploy attaches eBPF here.

The eBPF program monitors outbound connections via SockOps (cgroup-attached) and connect4/6 hooks. When the app tries to connect to postgres:5432, eBPF overwrites the destination to 127.0.0.1:proxyPort. The original destination is stored in the redirectProxyMap shared map.

The app thinks it connected to postgres. It actually connected to Keploy's proxy. The proxy looks up the original destination, forwards to the real postgres, and records all traffic in both directions.

Transparent Proxy Protocol Parsing

The proxy identifies protocols from the first bytes of each connection. HTTP, MySQL, PostgreSQL, MongoDB, Redis, Kafka, gRPC — each has a dedicated parser capturing request/response pairs.

Recording output:

• Inbound HTTP → TestCase (YAML)

• Outbound DB/external API → Mock (YAML)

• Mappings → which mock belongs to which test case

Test (Replay) Mode

Run keploy test and it replays recorded HTTP requests to the app. The app's DB calls get mock responses from the proxy. Tests run without a real database.

Limitations

Linux only — eBPF requires kernel 5.15+. macOS/Windows only via Docker.

Can't capture SQLite — communications not using network sockets don't trigger eBPF hooks. PostgreSQL/MySQL only.

Integration tests only — doesn't generate unit tests for business logic.

Fragile on schema changes — adding/removing DB columns breaks mocks. Re-recording required.

Traffic dependent — APIs you didn't call have no tests. Error cases and edge cases must be written manually.