Network Sniffing

Kubeshark can sniff both encrypted and unencrypted traffic in your cluster using various methods and APIs built into Linux kernel.

Direct Packet Capture

Kubeshark’s Worker uses direct packet capture to sniff the TCP and UDP traffic in your cluster using libpcap, AF_PACKET and PF_RING. The TCP and UDP packets that are stored in a PCAP file and the packets are dissected on demand when a filter is received. The Worker works at the Kubernetes Node level.

The Worker dissects the TCP or UDP traffic on demand when a filter is received with support for popular application layer protocols like: HTTP, AMQP, Apache Kafka, Redis, gRPC, GraphQL and DNS.

The TAP Command

The TAP command of the CLI instructs Kubeshark to deploy the Hub and start tapping based on the TAP scope rules.

Learn more about the TAP scop rules in the Pods & Namespaces page.

TAP documentation can change. To see the most up-to-date TAP documentation run:

kubeshark tap -h
Usage:
  kubeshark tap [POD REGEX] [flags]

Flags:
  -A, --allnamespaces             Tap all namespaces.
  -r, --docker-registry string    The Docker registry that's hosting the images. (default "docker.io/kubeshark")
  -t, --docker-tag string         The tag of the Docker images that are going to be pulled. (default "latest")
      --dryrun                    Preview of all pods matching the regex, without tapping them.
  -h, --help                      help for tap
  -n, --namespaces strings        Namespaces selector.
  -p, --pcap string               Capture from a PCAP snapshot of Kubeshark (.tar.gz) using your Docker Daemon instead of Kubernetes.
      --proxy-front-port uint16   Provide a custom port for the front-end proxy/port-forward. (default 8899)
      --proxy-host string         Provide a custom host for the proxy/port-forward. (default "127.0.0.1")
      --proxy-hub-port uint16     Provide a custom port for the Hub proxy/port-forward. (default 8898)
      --servicemesh               Capture the encrypted traffic if the cluster is configured with a service mesh and with mTLS. (default true)
      --storagelimit string       Override the default storage limit. (per node) (default "200MB")
      --tls                       Capture the traffic that's encrypted with OpenSSL or Go crypto/tls libraries. (default true)

Global Flags:
      --config-path string   Override config file path using --config-path (default "$HOME/.kubeshark/config.yaml")
  -d, --debug                Enable debug mode.
      --set strings          Override values using --set