Introduction

Discover what's beneath the tip of the iceberg!

Kubeshark is an observability and monitoring tool for Kubernetes. It enables dynamic analysis of microservices, detects anomalies and triggers functions when certain patterns appear at runtime.

Think of Kubeshark as a Kubernetes-aware combination of Wireshark, BPF Compiler Collection (BCC) tools and beyond.

Kubeshark can sniff some or all of the TCP traffic in your cluster, record it into a PCAP file and dissect the following application layer protocols:

Kubeshark recognizes gRPC over HTTP/2, GraphQL over HTTP/1.1 and GraphQL over HTTP/2.

Kubeshark uses extended BPF (eBPF) to trace function calls in both the kernel space and the user space.

Kubeshark can sniff encrypted (TLS) traffic in your cluster using eBPF without performing any decryption itself. Instead, it hooks into the entry and exit points of certain functions inside the OpenSSL library and Go's crypto/tls package.
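
Why both an entry and an exit hook are needed, as an added example that is not Kubeshark's code: for a call shaped like OpenSSL's `SSL_read`, the buffer pointer is visible only at entry and the byte count only at exit, so the two hooks have to be correlated per thread. This is a plain user-space C model, not an eBPF program; `fake_ssl_read`, the thread IDs, the table size and the sample request are constructed assumptions.

```c
/* User-space model of entry/exit hook pairing; constructed example, not eBPF. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SLOTS 64   /* size of the per-thread table (assumed) */
#define CAP   32   /* max bytes copied per event (assumed) */

struct pending { uint64_t tid; const char *buf; int live; };
struct event   { uint64_t tid; int len; char data[CAP]; };
static struct pending table[SLOTS];

/* Entry hook: the buffer pointer is an argument, but the buffer is still empty. */
static void on_read_entry(uint64_t tid, const char *buf) {
    struct pending *p = &table[tid % SLOTS];
    p->tid = tid; p->buf = buf; p->live = 1;
}

/* Exit hook: only the return value is visible; pair it with the saved pointer.
 * Returns 1 and fills *ev when plaintext was captured, 0 otherwise. */
static int on_read_exit(uint64_t tid, int ret, struct event *ev) {
    struct pending *p = &table[tid % SLOTS];
    if (!p->live || p->tid != tid) return 0;  /* exit without a matching entry */
    p->live = 0;                              /* one entry pairs with one exit */
    if (ret <= 0) return 0;                   /* error or closed: buffer not filled */
    ev->tid = tid;
    ev->len = ret < CAP ? ret : CAP;          /* bound the copy to the event size */
    memcpy(ev->data, p->buf, (size_t)ev->len);
    return 1;
}

/* Stand-in for the traced library call: fills buf with already-decrypted bytes. */
static int fake_ssl_read(char *buf, int num, const char *plaintext) {
    int n = (int)strlen(plaintext);
    if (n > num) n = num;
    memcpy(buf, plaintext, (size_t)n);
    return n;
}

/* Drive one traced call in the order the hooks would fire around it. */
static int traced_read(uint64_t tid, char *buf, int num, const char *pt, struct event *ev) {
    on_read_entry(tid, buf);
    int ret = fake_ssl_read(buf, num, pt);
    return on_read_exit(tid, ret, ev);
}

int main(void) {
    char buf[64]; struct event ev;
    if (traced_read(7, buf, sizeof buf, "GET /health HTTP/1.1", &ev))
        printf("tid=%llu len=%d %.*s\n", (unsigned long long)ev.tid, ev.len, ev.len, ev.data);
    return 0;
}
```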

Kubeshark can recognize service mesh solutions like Istio and Linkerd that are used in your Kubernetes cluster.

Service mesh solutions use Envoy Proxy under the hood to encrypt the traffic. Therefore, Kubeshark automatically detects any Envoy Proxy and adds it to its list of TCP packet capture sources.