Network Sniffing
Kubeshark can sniff both encrypted and unencrypted traffic in your cluster using various methods and APIs built into the Linux kernel.
Direct Packet Capture
Kubeshark’s Worker runs at the Kubernetes Node level and uses direct packet capture to sniff the TCP and UDP traffic in your cluster through one of libpcap, AF_PACKET, AF_XDP or PF_RING.
The Worker continuously captures TCP and UDP packets into a master PCAP file. This file has a size limit and is flushed when that limit is reached; it acts as a buffer that enables on-demand offline dissection.
Packets are dissected on-demand either by an active Dashboard connection or when scripting is used. Packets that aren’t dissected will be discarded when the master file flushes.
Packets that are dissected as a result of an active Dashboard connection are retained for as long as the connection is active and aren’t impacted by the master file flushing.
You can retain traffic for longer time periods using scripting. Read more in the Forensics section.
Workers dissect only packets that match one of the supported protocols (e.g. HTTP, AMQP, Apache Kafka, Redis, gRPC, GraphQL and DNS). Packets of other protocols will not be dissected and will be discarded.
If you’d like to retain raw traffic that includes packets that aren’t dissected, follow this feature request.
The TAP Command
The TAP command of the CLI instructs Kubeshark to deploy the Hub and start tapping based on the TAP scope rules. To see the most up-to-date TAP documentation run:
kubeshark tap -h
Pods and Namespaces
While capturing all traffic is possible, it is a storage- and CPU-intensive operation. Kubeshark enables you to describe the scope of traffic capture with support for namespaces and Pods.
Pod selection
Specific Pod:
kubeshark tap catalogue-b87b45784-sxc8q
Set of Pods Using a Regex:
You can use a regular expression to indicate several pod names as well as dynamically changing names.
In the example below, the regex (catalo*|front-end*) matches the following three Pods:
- catalogue-868cc5ffd6-p9njn
- catalogue-db-669d5dbf48-8hnrl
- front-end-6db57bf84f-7kss9
kubeshark tap "(catalo*|front-end*)"
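Because the tap scope decides how much traffic the Worker has to capture and buffer, it is worth previewing which Pods a pattern selects before deploying. The helper below is an added example, not part of Kubeshark's CLI or documentation; it assumes the positional argument is a regular expression applied to the pod name with an unanchored search and that -n restricts matching to one namespace (these assumptions are not verified against Kubeshark's source). The pod inventory is constructed from the names quoted above plus a few invented non-matching pods.

```python
import re
from typing import List, Optional, Tuple

# Constructed inventory of (namespace, pod name) pairs: the three pod names
# quoted on this page plus invented pods that should fall outside the scope.
SAMPLE_PODS: List[Tuple[str, str]] = [
    ("sock-shop", "catalogue-868cc5ffd6-p9njn"),
    ("sock-shop", "catalogue-db-669d5dbf48-8hnrl"),
    ("sock-shop", "front-end-6db57bf84f-7kss9"),
    ("sock-shop", "carts-7bbf6d5bb-x2k9q"),              # constructed
    ("sock-shop", "orders-5c4b9d6f7-mn3zt"),             # constructed
    ("monitoring", "frontend-proxy-6f9c8d4b5-q7wlp"),    # constructed
]


def preview_tap_scope(
    pods: List[Tuple[str, str]], pattern: str, namespace: Optional[str] = None
) -> List[Tuple[str, str]]:
    """Return the pods that `kubeshark tap "<pattern>" [-n <namespace>]` would target.

    Assumption (hypothetical model of the CLI): the pattern is a regex matched
    against the pod name with an unanchored search, so `catalo*` is "catal"
    plus zero or more "o", not a shell glob, and it matches catalogue-db too.
    Kubeshark is written in Go, so keep patterns to syntax Go's regexp accepts.
    """
    regex = re.compile(pattern)  # raises re.error for an invalid pattern
    return [
        (ns, name)
        for ns, name in pods
        if (namespace is None or ns == namespace) and regex.search(name)
    ]


if __name__ == "__main__":
    # The page's pattern selects the three quoted pods; "frontend-proxy" is not
    # selected because "front-end*" requires the literal hyphen.
    for ns, name in preview_tap_scope(SAMPLE_PODS, "(catalo*|front-end*)"):
        print(f"{ns}/{name}")
    # Anchoring narrows the scope to the catalogue deployment only, excluding
    # catalogue-db, which has an extra hyphen-separated segment.
    print(preview_tap_scope(SAMPLE_PODS, r"^catalogue-[^-]+-[^-]+$"))
```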
Namespaces
By default, Kubeshark is deployed into the default namespace.
To specify a different namespace:
kubeshark tap -n sock-shop
Specify All Namespaces
Kubeshark’s default deployment strategy waits for new Pods to be created. To simply deploy to all existing namespaces, run:
kubeshark tap