# Kubeshark: Kubernetes Network Analysis at Packet and API Levels
Kubeshark is a tool for deep monitoring and analysis of traffic in Kubernetes clusters, combining Wireshark's functionality with debugging capabilities at both network packet levels (L2–L3) and application calls (L7). It allows developers and SRE engineers to visualize interactions between pods, track Kubernetes API calls, and detect anomalies in real time.
Kubeshark Architecture and How It Works
Kubeshark uses eBPF to capture network traffic directly in the Linux kernel without needing proxies or application modifications. This ensures minimal impact on cluster performance while preserving full data fidelity. Unlike tools like kubectl -v, which only show HTTP requests to the API server, Kubeshark captures the entire stack: from Ethernet frames to HTTP/HTTPS message contents (when TLS keys are available).
The tool deploys as a set of DaemonSet pods, each running on a cluster node to collect local traffic. Data aggregates into a central web interface accessible at http://localhost:8899 after running the CLI command. It supports filtering by namespaces, services, URL paths, HTTP methods, and other parameters.
Key Features for Engineers
Kubeshark's main value lies in combining detailed analysis with intuitive visualization. Here are the primary use cases:
- Debugging inter-service interactions: Tracking all requests between microservices, including headers, bodies, and response codes.
- Analyzing Kubernetes API calls: Identifying frequent or erroneous API server accesses (e.g., attempts to read secrets without permissions).
- Monitoring cloud provider metadata: Detecting calls to endpoints like
/latest/meta-dataon AWS EC2, which could signal compromise. - Creating PCAP archives: Exporting captured traffic in standard format for later analysis in Wireshark or automated systems.
- Integrating with alerting systems: Setting up triggers based on traffic patterns (e.g., 403 errors on secret access).
Practical Use: Examples
To launch Kubeshark, just run one command:
sh <(curl -Ls https://kubeshark.co/install)
kubeshark tap -A
The -A flag enables monitoring across all namespaces. To limit scope, specify a namespace:
kubeshark tap -n production
After launch, a web dashboard opens with three main views:
- Streams table — A list of all captured connections, filterable by protocol, IP, port, method, and path.
- Service map — A graphical view of dependencies between services and pods.
- Request/response details — Decoded HTTP traffic contents, including headers and body.
Useful filter examples:
http.path == "/latest/meta-data"— Detects AWS metadata calls.k8s.method == "GET" && k8s.resource == "secrets"— Shows all secret read attempts.net.host == "10.0.1.5"— Focuses on traffic from one node.
Comparison with Alternatives and Limitations
While Kubeshark uses eBPF like Cilium Tetragon or Falco, its goal isn't threat detection but understanding system behavior. It doesn't replace runtime security solutions but complements them by providing incident analysis context.
Limitations:
- Doesn't decrypt TLS traffic without certificates or keys.
- Can create significant storage load during long-term monitoring of high-traffic clusters.
- Doesn't track syscalls inside containers (unlike Falco).
That said, for debugging, training, and auditing communications, Kubeshark remains one of the most effective tools in the Kubernetes ecosystem.
Key Takeaways
- Kubeshark captures traffic at L2–L7 levels, including network packets and HTTP calls.
- Uses eBPF for non-intrusive data collection without app changes.
- Supports PCAP export and integration with external storage (S3 and others).
- Ideal for debugging and analysis, but not a runtime security replacement.
- Visual service maps and powerful filtering speed up issue diagnosis.
— Editorial Team
No comments yet.