Network Sniffing

Kubeshark can sniff both encrypted and unencrypted traffic in your cluster using various methods and APIs built into the Linux kernel.

Direct Packet Capture

Kubeshark’s Worker works at the Kubernetes Node level and uses direct packet capture to sniff the TCP and UDP traffic in your cluster using one of libpcap, AF_PACKET, AF_XDP and PF_RING.

The Worker continuously captures TCP and UDP packets into a master PCAP file. This file is limited in size, flushes when the limit is reached and acts as a buffer to enable on-demand offline dissection.

Packets are dissected on-demand either by an active Dashboard connection or when scripting is used. Packets that aren’t dissected will be discarded when the master file flushes.

Packets that are dissected as a result of an active Dashboard connection are retained for as long as the connection is active and aren’t impacted by the master file flushing.

You can retain traffic for longer time periods using scripting. Read more in the Forensics section.

Workers dissect only packets that match one of the supported protocols (e.g. HTTP, AMQP, Apache Kafka, Redis, gRPC, GraphQL and DNS). Packets of other protocols will not be dissected and will be discarded.

If you’d like to retain raw traffic that includes packets that aren’t dissected, follow this feature request.

The TAP Command

The TAP command of the CLI instructs Kubeshark to deploy the Hub and start tapping based on the TAP scope rules. To see the most up-to-date TAP documentation run:

kubeshark tap -h

Pods and Namespaces

While capturing all traffic is possible, it is a storage and CPU intensive operation. Kubeshark enables you to describe the scope of traffic capture with support for namespaces and Pods.

Pod Selection

Specific Pod:

kubeshark tap catalogue-b87b45784-sxc8q

Set of Pods Using a Regex:

You can use a regular expression to select several Pods at once, including Pods whose names change dynamically.

In the example below, the regex (catalo*|front-end*) matches the following three Pods:

  • catalogue-868cc5ffd6-p9njn
  • catalogue-db-669d5dbf48-8hnrl
  • front-end-6db57bf84f-7kss9

kubeshark tap "(catalo*|front-end*)"
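The pattern passed to TAP is a regular expression, not a shell glob, so it pays to check what a pattern actually selects before deploying. The Go program below is an added example, not part of Kubeshark or its documentation: it applies the page's regex to a constructed list of Pod names with Go's regexp package. It assumes the CLI matches the pattern unanchored against each Pod name (regexp.MatchString semantics); the function name SelectPods and the sample Pod names other than the three from the page are constructed for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// samplePods is a constructed list of Pod names in the style of the
// sock-shop demo. The first three are the names from the page; the
// remaining ones are added to show what the regex does and does not select.
var samplePods = []string{
	"catalogue-868cc5ffd6-p9njn",
	"catalogue-db-669d5dbf48-8hnrl",
	"front-end-6db57bf84f-7kss9",
	"catalyst-5d8f9c7b6-x2j4k",  // constructed: also matched by catalo* (see note)
	"carts-7bbf9dc945-k4wq2",    // constructed: not matched
	"orders-74f65597c5-9pzmk",   // constructed: not matched
}

// SelectPods returns the Pod names that the regex pattern matches.
// The match is unanchored, i.e. the pattern may match anywhere in the
// name; this is the assumption made here about how the TAP regex is applied.
func SelectPods(pattern string, pods []string) ([]string, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, fmt.Errorf("invalid pod regex %q: %w", pattern, err)
	}
	var matched []string
	for _, p := range pods {
		if re.MatchString(p) {
			matched = append(matched, p)
		}
	}
	return matched, nil
}

func main() {
	for _, pattern := range []string{
		"(catalo*|front-end*)",   // the pattern from the page
		"^(catalogue|front-end)-", // anchored variant, one literal prefix per Pod family
	} {
		matched, err := SelectPods(pattern, samplePods)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%s selects %d Pods:\n", pattern, len(matched))
		for _, p := range matched {
			fmt.Println("  ", p)
		}
	}
}
```

In a regex the `*` applies only to the character before it, so `catalo*` means "catal" followed by zero or more "o"; because the match is unanchored it selects every Pod whose name contains "catal", including the constructed catalyst Pod above. Anchoring the pattern with `^` and spelling out the prefix, as in the second pattern, limits the selection to exactly the Pod families you intend to tap.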


Namespaces

By default, Kubeshark is deployed into the default namespace. To specify a different namespace:

kubeshark tap -n sock-shop

Specify All Namespaces

The default deployment strategy of Kubeshark waits for new Pods to be created. To simply deploy to all existing namespaces, run:

kubeshark tap