Targeted Pods (Pods that are Tapped)
At the top of the screen, in a blue panel, Kubeshark shows an up-to-date list of the Pods that are being tapped. Because Kubeshark follows dynamically started and stopped Pods, this list can change in real time.
The Service Map, accessible via the Service Map button, updates in real time and can be used to analyze the dependencies in system-wide traffic or in a subset of the traffic.
The filter input is used to enter Kubeshark Filter Language (KFL) statements. Queries are used to find specific elements in the traffic or to reduce the amount of traffic that is interrogated. For example, to see only HTTP responses whose status starts with the number 4, enter http and response.status == r"4.*" and select Apply. The traffic stream then shows only the matching entries.
You can also filter by timestamp, integer, and even queryable UI elements (below). A syntax cheatsheet is available next to the query box.
NOTE: Read the filtering section to learn more about filtering.
Queryable UI Elements
When you hover over a UI element and it displays a green plus sign, the element can be added to your query. Selecting an element with the green plus sign adds it to the KFL in the query box. For example, selecting the queryable status element of a 201 response adds response.status == 201 to your KFL statement, so that only HTTP 201 responses are displayed in the live traffic stream.
Once you run a query, the query gets added to the dashboard’s URL. This is helpful if you’d like to bookmark or store the query for further use.
The left pane shows the streaming traffic entries captured by the Workers and transmitted in real time through the Hub to the dashboard. Each entry consists mostly of metadata, such as the protocol, response code, method, and source and destination IPs and Pods.
Streaming will continue until either:
- The user chooses to stop streaming
- Kubeshark presents historical traffic
Here’s an example of a query that shows the streaming traffic:
timestamp >= now()
The above query is the default query when the dashboard is opened.
Here’s an example query that matches HTTP traffic with response status code 500:
http and response.status == 500
Scrolling up indicates that you’d like to view historical traffic entries, so streaming stops. The same can be achieved by pressing the pause button at the top of the left pane.
Stopping the stream does not stop traffic capture. Capture continues, and the traffic is stored, until Kubeshark is stopped.
To continue viewing streaming traffic, press the play button at the top of the right panel.
Traffic Entry Panel
The right panel shows the complete information related to a selected captured traffic entry.
It includes the metadata related to the protocol, the method, source and destination IPs and Pods, as well as some performance KPIs like request and response sizes and elapsed time.
TCP Stream Information
Each captured traffic entry belongs to a TCP stream. A TCP stream can include one or more request-response pairs. The TCP stream block includes information about the TCP stream to which the captured traffic entry belongs. This information includes the request-response pair index, the Node, the Worker and the name of the TCP stream.
Traffic Entry Metadata and Payload
The right panel includes the request and response headers and payload of the captured traffic entry, presented in a human-readable way.