Network Sniffing
Kubeshark can sniff both encrypted and unencrypted traffic in your cluster using various methods and APIs built into the Linux kernel.
Direct Packet Capture
Kubeshark’s Worker uses direct packet capture to sniff the TCP and UDP traffic in your cluster using libpcap, AF_PACKET and PF_RING. The TCP and UDP packets are stored in a PCAP file and are dissected on demand when a filter is received. The Worker works at the Kubernetes Node level.
The Worker dissects the TCP or UDP traffic on demand when a filter is received, with support for popular application layer protocols such as HTTP, AMQP, Apache Kafka, Redis, gRPC, GraphQL and DNS.
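The store-first, dissect-on-filter model described above, as an added Python example. It is not Kubeshark's code; the function names, the constructed sample frames and the filter arguments (`proto`, `port`) are assumptions made for illustration.

```python
import struct

def frame(proto, sport, dport, payload):
    # Constructed Ethernet/IPv4 frame carrying TCP (6) or UDP (17); checksums left zero.
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0,
                     64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload

def build_pcap(frames):
    # Classic pcap: 24-byte global header (linktype 1 = Ethernet), then 16-byte record headers.
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return head + b"".join(struct.pack("<IIII", ts, 0, len(r), len(r)) + r for ts, r in frames)

def records(pcap):
    # Walk the stored capture by record length only; packet bytes stay opaque here.
    off = 24
    while off + 16 <= len(pcap):
        ts, _, caplen, _ = struct.unpack_from("<IIII", pcap, off)
        yield ts, pcap[off + 16 : off + 16 + caplen]
        off += 16 + caplen

def dissect(raw):
    # Decode one frame to L4 ports and payload; None if not IPv4 TCP/UDP or truncated.
    if len(raw) < 34 or raw[12:14] != b"\x08\x00" or raw[23] not in (6, 17):
        return None
    proto, l4 = raw[23], 14 + (raw[14] & 0x0F) * 4
    if len(raw) < l4 + (8 if proto == 17 else 20):
        return None
    sport, dport = struct.unpack_from("!HH", raw, l4)
    hdr = 8 if proto == 17 else (raw[l4 + 12] >> 4) * 4
    return {"proto": "udp" if proto == 17 else "tcp", "sport": sport,
            "dport": dport, "payload": raw[l4 + hdr:]}

def query(pcap, proto=None, port=None):
    # Dissection runs only here, when a filter arrives, over bytes captured earlier.
    hits = []
    for ts, raw in records(pcap):
        d = dissect(raw)
        if d and proto in (None, d["proto"]) and port in (None, d["sport"], d["dport"]):
            hits.append((ts, d))
    return hits

# Constructed sample capture: an HTTP request, a datagram to port 53, a Redis command.
CAPTURE = build_pcap([(1, frame(6, 40000, 80, b"GET /health HTTP/1.1\r\n\r\n")),
                      (2, frame(17, 5353, 53, b"\x12\x34")),
                      (3, frame(6, 40001, 6379, b"PING\r\n"))])
```

Because the raw bytes are kept, a filter issued later (for example `query(CAPTURE, port=6379)`) can still recover full payloads, which is why the stored capture deserves the same access controls as the workloads it observes.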
The TAP Command
The TAP command of the CLI instructs Kubeshark to deploy the Hub and start tapping based on the TAP scope rules.
Learn more about the TAP scope rules in the Pods & Namespaces page.
TAP documentation can change. To see the most up-to-date TAP documentation, run:
kubeshark tap -h
Usage:
  kubeshark tap [POD REGEX] [flags]

Flags:
  -A, --allnamespaces             Tap all namespaces.
  -r, --docker-registry string    The Docker registry that's hosting the images. (default "docker.io/kubeshark")
  -t, --docker-tag string         The tag of the Docker images that are going to be pulled. (default "latest")
      --dryrun                    Preview of all pods matching the regex, without tapping them.
  -h, --help                      help for tap
  -n, --namespaces strings        Namespaces selector.
  -p, --pcap string               Capture from a PCAP snapshot of Kubeshark (.tar.gz) using your Docker Daemon instead of Kubernetes.
      --proxy-front-port uint16   Provide a custom port for the front-end proxy/port-forward. (default 8899)
      --proxy-host string         Provide a custom host for the proxy/port-forward. (default "127.0.0.1")
      --proxy-hub-port uint16     Provide a custom port for the Hub proxy/port-forward. (default 8898)
      --servicemesh               Capture the encrypted traffic if the cluster is configured with a service mesh and with mTLS. (default true)
      --storagelimit string       Override the default storage limit. (per node) (default "200MB")
      --tls                       Capture the traffic that's encrypted with OpenSSL or Go crypto/tls libraries. (default true)

Global Flags:
      --config-path string        Override config file path using --config-path (default "$HOME/.kubeshark/config.yaml")
  -d, --debug                     Enable debug mode.
      --set strings               Override values using --set