Network Sniffing

Kubeshark can sniff both encrypted and unencrypted traffic in your cluster using various methods and APIs built into the Linux kernel.

Direct Packet Capture

Kubeshark's Worker runs at the Kubernetes Node level and uses direct packet capture to sniff the TCP and UDP traffic in your cluster through one of libpcap, AF_PACKET, AF_XDP or PF_RING.

The Worker continuously captures TCP and UDP packets and saves them to local PCAP storage on the Node, which is limited in size.

Packets are dissected on demand, either by an active Dashboard connection or when scripting is used. The stored PCAP files have a very short expiration time, from seconds to a few minutes, depending on the storage limit governed by the tap.storagelimit value.

For longer retention of traffic and offline analysis, please read the Traffic Recording & Offline Analysis section.

Workers dissect only packets that match one of the supported protocols (e.g. HTTP, AMQP, Apache Kafka, Redis, gRPC, GraphQL and DNS). Packets of other protocols will not be dissected and will be discarded, unless recorded by a script.