"PCAP or It Didn't Happen" - Now @ Scale

Jan 14, 2023 ~ 4 min read
Kubeshark
Scalability
Performance
PCAP
TCP streams
UDP
DNS
Service Map
PCAP

Recently, we received a bug report regarding our WebSocket support. While addressing the issue, we took the opportunity to enhance our support for the WebSocket protocol. In this post, we will comprehensively explain the WebSocket protocol, how Kubeshark processes WebSocket traffic, and walk you through key aspects of our implementation.This article is organized into several sections. Feel free to navigate directly to the topics of interest:
- Connection Lifecycle
- The WebSocket Demo Application
- Kubeshark WebSocket Processing Step by Step

The WebSocket Protocol

WebSocket is a communication protocol that enables bi-directional, full-duplex communication between a client and a server over a single, long-lived connection.
This section highlights key features of the WebSocket protocol:
Full-Duplex Communication
WebSocket supports full-duplex communication, allowing both the client and server to send and receive messages independently. Unlike HTTP, which operates on a request-response cycle, WebSocket maintains an open communication channel throughout the connection's lifecycle.Low LatencyOnce established, WebSocket connections enable continuous data exchange with minimal overhead, resulting in lower latency compared to traditional HTTP protocols.Connection LifecycleThe WebSocket connection begins with an HTTP handshake, after which it upgrades to the WebSocket protocol, maintaining the connection until explicitly closed by the client or server.Support for Text and Binary DataWebSocket can transmit both text and binary data, making it suitable for a wide range of applications.Event-Driven CommunicationWebSocket supports event-driven communication, where the server can push data to the client in real time, as soon as updates are available, without requiring polling.Stateful ConnectionWebSocket maintains a stateful connection, allowing the server to keep track of client states over time, a feature that is beneficial for applications like real-time collaboration.WebSocket Connection LifecycleThe WebSocket connection lifecycle consists of several stages:Initial HTTP Request
The client initiates a WebSocket handshake by sending an HTTP GET request, specifying the desired protocol upgrade through the Upgrade: websocket header.Server Response (Switching Protocols)
The server responds with an HTTP 101 status code if it agrees to the protocol upgrade. This step includes headers such as Sec-WebSocket-Accept to ensure the request's legitimacy.Protocol Upgrade
Following a successful handshake, the communication protocol switches to WebSocket, allowing for continuous message exchange between the client and server.Data Exchange
WebSocket exchanges data in frames, which can contain text, binary, or control information. These frames allow efficient and flexible data transmission.Connection Monitoring
WebSocket includes a built-in ping/pong mechanism to verify the connection's health. Either party can send a ping frame, to which the recipient responds with a pong frame, ensuring the connection remains active.Connection Closure
Either party can close the connection by sending a close frame, which is acknowledged by the other party, ensuring a graceful disconnection.The WebSocket Demo ApplicationTo demonstrate Kubeshark's WebSocket capabilities, we use a demo application, which can be found at this GitHub link. The application connects to a server and sends a unique message every three seconds. This allows us to monitor message handling and verify that Kubeshark captures and processes all WebSocket messages accurately.Kubeshark WebSocket Processing Step by StepKubeshark captures and processes WebSocket traffic through the following steps:DNS RequestThe first step is intercepting the DNS request, which is carried over UDP. Kubeshark detects, dissects, and reassembles the UDP message as a DNS request.

Recommended