L4 (TCP, UDP, SCTP) Traffic Recorder

Kubeshark provides cluster-wide recording of packets for all supported L4 protocols (e.g. TCP, UDP, and SCTP), including decrypted TLS and mTLS traffic. This operation resembles the popular tcpdump. This functionality can be used on clusters of any size without the need for a specific license.

Kubeshark automatically and continuously records and stores all captured traffic, managing both time window and storage limits. This enables you to export recorded traffic to your local folder at any time for retention or further analysis using Wireshark.

To export the recorded traffic locally, follow these steps:

  1. Ensure Kubeshark is installed and running.
  2. Use one of the following commands:
kubeshark pcapdump --dest=/tmp            # Export all PCAP files to a specified local directory
kubeshark pcapdump --dest=/tmp --time=5m  # Export the last 5 minutes of recorded traffic to a specified local directory
kubeshark pcapdump                        # Export all PCAP files to the current directory
kubeshark pcapdump --time=5m              # Export the last 5 minutes of recorded traffic to the current directory

The kubeshark CLI can be installed using Homebrew or downloaded from GitHub.

Advanced Options

Automatic & Continuous Operation

By default, the pcapdump process starts automatically when Kubeshark is deployed and traffic capture is enabled. It remains active as long as Kubeshark is running unless explicitly stopped.

Capture Filters

Traffic capture in Kubeshark operates based on configurable capture filters. Captured traffic is stored in local PCAP files on the Kubernetes node’s disk, with time window and storage limits managed automatically.

Example capture filter configuration:

tap:
  regex: .*front                    # Capture traffic for pods matching the regex
  namespaces:                       # From the specified namespaces
    - ns1
    - ns2
  excludedNamespaces:               # Exclude traffic from these namespaces
    - ns3
  bpfOverride: "net 0.0.0.0/0"      # Override with a custom BPF expression

Read more about filters in the capture filters documentation.

Time Window and Storage Management

Kubeshark ensures efficient management of storage and time limits by discarding older files outside the defined time window or exceeding the storage quota.

For example, with a time window of 24 hours and a storage limit of 50 MB, Kubeshark retains files recorded within the last 24 hours as long as the total storage remains under 50 MB. Files exceeding these constraints are automatically deleted.
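The retention rule above, worked through as an added example that is not Kubeshark's own code. PcapFile, prune and the sample files are constructed for illustration, and the order in which the two limits are applied (expired files first, then the oldest remaining files until the total fits the quota) is an assumption about how the window and the size limit combine.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// PcapFile models one capture file on a node's disk (constructed type, not Kubeshark's).
type PcapFile struct {
	Name    string
	Written time.Time
	Size    int64
}

// prune applies a maxTime window and a maxSize quota to a set of capture files.
// Files older than the window are dropped first; if the in-window files still
// exceed the quota, the oldest of them are dropped until the total fits.
func prune(files []PcapFile, now time.Time, maxTime time.Duration, maxSize int64) (kept, dropped []PcapFile) {
	sorted := append([]PcapFile(nil), files...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Written.Before(sorted[j].Written) })
	var total int64
	for _, f := range sorted {
		if now.Sub(f.Written) > maxTime {
			dropped = append(dropped, f) // outside the time window
			continue
		}
		kept = append(kept, f)
		total += f.Size
	}
	for total > maxSize && len(kept) > 0 {
		dropped = append(dropped, kept[0]) // oldest in-window file goes first
		total -= kept[0].Size
		kept = kept[1:]
	}
	return kept, dropped
}

func main() {
	now := time.Now()
	// Constructed sample: four files of varying age and size on one node.
	files := []PcapFile{
		{"node1-000.pcap", now.Add(-30 * time.Hour), 10 << 20},
		{"node1-001.pcap", now.Add(-20 * time.Hour), 30 << 20},
		{"node1-002.pcap", now.Add(-2 * time.Hour), 25 << 20},
		{"node1-003.pcap", now.Add(-10 * time.Minute), 5 << 20},
	}
	window, _ := time.ParseDuration("24h") // same format as the Helm maxTime value
	kept, dropped := prune(files, now, window, 50<<20)
	for _, f := range dropped {
		fmt.Println("delete", f.Name)
	}
	for _, f := range kept {
		fmt.Println("keep  ", f.Name)
	}
}
```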

Configuration

While the default configuration is typically sufficient, the following settings can be customized if needed.

You can adjust the pcapdump configuration via Helm values:

pcapdump:
  enabled: true                     # Enable or disable PCAP recording
  maxTime: 1h                       # Time window for file retention
  maxSize: 50MB                     # Maximum storage limit

pcapdump vs. Traffic Recorder

While pcapdump and the Traffic Recorder serve similar purposes, they are designed for different use cases:

  • pcapdump: A lightweight, tcpdump-like utility for capturing PCAP traffic for external analysis in Wireshark. It primarily stores Layer 4 (L4) traffic without Kubernetes context (e.g., pod, service, or namespace names).

  • Traffic Recorder: Integrated with the Kubeshark dashboard, it enables traffic capture and storage for offline analysis. It captures both Layer 4 (L4) and Layer 7 (L7) traffic, along with Kubernetes context.