Kubeshark can sniff both encrypted and unencrypted traffic in your cluster using various methods and APIs built into Linux kernel.
Direct Packet Capture
Direct packet capture sniffs the TCP traffic in your cluster using libpcap, AF_PACKET and PF_RING and records it into a PCAP file. The TCP packets that are stored in the PCAP file being dissected on demand upon querying for the folowwing application layer protocols:
Kubeshark automatically detects and includes any Envoy Proxy to its list of TCP packet capture sources. Envoy Proxy is widely used by the service meshes like Istio.
Even though the service meshes known for encrypting the traffic between regional nodes, we capture the unencrypted traffic simply by detecting their network interfaces and without doing any kernel tracing.
eBPF Based Packet Capture
eBPF based packet capture sniffs the encrypted traffic (TLS) in your cluster using eBPF without actually doing decryption. In fact, it hooks into entry and exit points in certain functions inside the OpenSSL library and Go's crypto/tls package.
See Kernel Tracing for more info.