Traffic Recording and Offline Investigation

Jul 15, 2023 ~ 2 min read
Kubeshark
Traffic Recording
Kubernetes
Offline Investigation
DFIR
Traffic Recording

Identifying the root causes of performance issues in Kubernetes (K8s), can often feel like chasing shadows. Real-time traffic visibility provides valuable insights, but it doesn’t always capture the elusive culprits.

By rerecording traffic and making it available for offline investigation, DevOps, SREs, Platform Engineers, and Developers gain a significant advantage in their quest for comprehensive troubleshooting and debugging.

Pattern-based Traffic Recording

Kubeshark Filtering Language (KFL) acts as a filter for L4 streams, giving you control over what traffic gets recorded. You can precisely select the traffic patterns that matter, ensuring that noise and irrelevant data are filtered out effectively.

Getting Started

You can start recording traffic, and store in AWS S3, by providing the following properties in Kubeshark’s config file:

license: FT7YKAYBAEDUY2LD.. your license here .. 65JQRQMNSYWAA=
scripting:
  env:
    AWS_REGION: us-east-2-this-is-an-example
    S3_BUCKET: give-it-a-name
    RECORDING_KFL: "http or dns" # To deactivated remove this field.
  source: "/path/to/a/local/scripts/folder"
  watchScripts: true

Get the script and more detailed instructions from here.

Long Term Retention

The recorded traffic is securely uploaded to an AWS S3 bucket dedicated to long-term retention. This ensures that the recorded data remains accessible and available for thorough analysis even after significant time has passed.

The recorded traffic holds valuable insights that can be analyzed over time to uncover hidden patterns and recurring issues.

On-demand Offline Investigation

The true power of recording K8s traffic lies in the ability to conduct offline investigations on-demand.

Use the following command, to investigate the recorded traffic that is stored and retained in the AWS S3 bucket:

kubeshark tap --pcap s3://my-bucket/

The above command initiates Kubeshark’s offline mode, enabling you to explore the contents of the S3 bucket without the need for direct access to your cluster.

The convenience of offline investigation empowers professionals to dig deeper into the recorded traffic, perform comprehensive analysis, and unveil valuable insights for resolving complex issues.

Streamlined Investigation

Kubeshark’s dashboard allows you to visualize and explore the recorded traffic using powerful filtering, searching, and analytical capabilities. With this user-friendly interface, you can navigate through the recorded data more efficiently, saving precious time and effort.

Deactivating Recording

Remove the RECORDING_KFL property from Kubeshark’s config file to deactivate the recording.

Conclusion

DevOps, SREs, Platform Engineers, and Developers can leverage the ability to record K8s traffic and perform offline investigations to hunt down performance and security culprits with ease.

Traffic recording and offline investigation can lead to faster issue resolution, improved performance, and enhanced security, unraveling the intricate web of interactions within K8s.

Happy investigating!

Recommended

Kubeshark Google Cloud Storage (GCS) Integration
Record Traffic and Store in Google Cloud Storage (GCS)
Learn how to record network traffic in Kubernetes and store it in Google Cloud Storage with Kubeshark. Enhance your cloud forensics and offline investigation with easy-to-follow steps.
Nov 22, 2023 - 6 min read
Actionable Network Observability
Actionable Network Observability
Kubeshark automates the detection of suspicious network behaviors and triggers actions by using Javascript in conjunction with L4 and L7 hooks.
Mar 23, 2023 ~ 5 min read