{"id":13396214,"url":"https://github.com/eldadru/ksniff","last_synced_at":"2025-05-14T19:04:43.687Z","repository":{"id":37587871,"uuid":"137678747","full_name":"eldadru/ksniff","owner":"eldadru","description":"Kubectl plugin to ease sniffing on kubernetes pods using tcpdump and wireshark","archived":false,"fork":false,"pushed_at":"2024-08-02T03:16:37.000Z","size":225,"stargazers_count":3301,"open_issues_count":63,"forks_count":199,"subscribers_count":33,"default_branch":"master","last_synced_at":"2025-04-11T06:17:43.490Z","etag":null,"topics":["debugging","kubectl","kubectl-plugins","kubernetes","sniffing","wireshark"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eldadru.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-06-17T18:56:39.000Z","updated_at":"2025-04-11T01:57:01.000Z","dependencies_parsed_at":"2024-01-06T00:39:38.214Z","dependency_job_id":"c84e0603-d7c0-473c-86ee-0b4ff62776d0","html_url":"https://github.com/eldadru/ksniff","commit_stats":null,"previous_names":[],"tags_count":24,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eldadru%2Fksniff","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eldadru%2Fksniff/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eldadru%2Fksniff/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eldadru%2Fksniff/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/
hosts/GitHub/owners/eldadru","download_url":"https://codeload.github.com/eldadru/ksniff/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248351394,"owners_count":21089272,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["debugging","kubectl","kubectl-plugins","kubernetes","sniffing","wireshark"],"created_at":"2024-07-30T18:00:42.488Z","updated_at":"2025-04-11T06:17:49.164Z","avatar_url":"https://github.com/eldadru.png","language":"Go","funding_links":[],"categories":["Kubernetes","Go","kubectl Plugins","kubernetes","Networking","\u003ca id=\"7bf0f5839fb2827fdc1b93ae6ac7f53d\"\u003e\u003c/a\u003e工具","K8S-Network","Diagnostics \u0026 Troubleshooting","Tools and Libraries","Container Security Tools"],"sub_categories":["K8s Tools","Installing plugins via awesome-kubectl-plugins","\u003ca id=\"32739127f0c38d61b14448c66a797098\"\u003e\u003c/a\u003e嗅探\u0026\u0026Sniff","Testing and Troubleshooting"],"readme":"# ksniff\n\n[![Build Status](https://travis-ci.org/eldadru/ksniff.svg?branch=master)](https://travis-ci.org/eldadru/ksniff)\n\nA kubectl plugin that utilizes tcpdump and Wireshark to start a remote capture on any pod in your\n Kubernetes cluster.\n\nYou get the full power of Wireshark with minimal impact on your running pods.\n\n### Intro\n\nWhen working with micro-services, it is often very helpful to get a capture of the network\nactivity between your micro-service and its dependencies.\n\nksniff uses kubectl to upload a statically compiled tcpdump binary to your pod and redirects its\noutput to your 
local Wireshark for a smooth network debugging experience.\n\n### Demo\n![Demo!](https://i.imgur.com/hWtF9r2.gif)\n\n### Production Readiness\nKsniff [isn't production ready yet](https://github.com/eldadru/ksniff/issues/96#issuecomment-762454991); running ksniff for production workloads isn't recommended at this point.\n\n## Installation\nInstallation via krew (https://github.com/GoogleContainerTools/krew)\n\n    kubectl krew install sniff\n    \nFor manual installation, download the latest release package, unzip it and use the attached makefile:  \n\n    unzip ksniff.zip\n    make install\n\n### Wireshark\n\nIf you are using Wireshark with ksniff you must use at least version 3.4.0. Using older versions may result in issues reading captures (see [Known Issues](#known-issues) below).\n\n## Build\n\nRequirements:\n1. libpcap-dev: for tcpdump compilation (Ubuntu: sudo apt-get install libpcap-dev)\n2. go 1.11 or newer\n\nCompiling:\n \n    linux:      make linux\n    windows:    make windows\n    mac:        make darwin\n \n\nTo compile a static tcpdump binary:\n\n    make static-tcpdump\n\n### Usage\n\n    kubectl \u003c 1.12:\n    kubectl plugin sniff \u003cPOD_NAME\u003e [-n \u003cNAMESPACE_NAME\u003e] [-c \u003cCONTAINER_NAME\u003e] [-i \u003cINTERFACE_NAME\u003e] [-f \u003cCAPTURE_FILTER\u003e] [-o OUTPUT_FILE] [-l LOCAL_TCPDUMP_FILE] [-r REMOTE_TCPDUMP_FILE]\n    \n    kubectl \u003e= 1.12:\n    kubectl sniff \u003cPOD_NAME\u003e [-n \u003cNAMESPACE_NAME\u003e] [-c \u003cCONTAINER_NAME\u003e] [-i \u003cINTERFACE_NAME\u003e] [-f \u003cCAPTURE_FILTER\u003e] [-o OUTPUT_FILE] [-l LOCAL_TCPDUMP_FILE] [-r REMOTE_TCPDUMP_FILE]\n    \n    POD_NAME: Required. The name of the kubernetes pod whose traffic will be captured.\n    NAMESPACE_NAME: Optional. Namespace name. Used to specify the target namespace to operate on.\n    CONTAINER_NAME: Optional. If omitted, the first container in the pod will be chosen.\n    INTERFACE_NAME: Optional. Pod Interface to capture from. 
If omitted, all Pod interfaces will be captured.\n    CAPTURE_FILTER: Optional. Specify a specific tcpdump capture filter. If omitted, no filter will be used.\n    OUTPUT_FILE: Optional. If specified, ksniff will redirect tcpdump output to a local file instead of wireshark. Use '-' for stdout.\n    LOCAL_TCPDUMP_FILE: Optional. If specified, ksniff will use this path as the local path of the static tcpdump binary.\n    REMOTE_TCPDUMP_FILE: Optional. If specified, ksniff will use the specified path as the remote path to upload static tcpdump to.\n\n#### Air gapped environments\nUse the `--image` and `--tcpdump-image` flags (or the KUBECTL_PLUGINS_LOCAL_FLAG_IMAGE and KUBECTL_PLUGINS_LOCAL_FLAG_TCPDUMP_IMAGE environment variables) to override the default container images and use your own, e.g. (docker):\n  \n    kubectl plugin sniff \u003cPOD_NAME\u003e [-n \u003cNAMESPACE_NAME\u003e] [-c \u003cCONTAINER_NAME\u003e] --image \u003cPRIVATE_REPO\u003e/docker --tcpdump-image \u003cPRIVATE_REPO\u003e/tcpdump\n   \n\n#### Non-Privileged and Scratch Pods\nTo reduce attack surface and have small and lean containers, many production-ready containers run as a non-privileged user\nor even as a scratch container.\n\nTo support those containers as well, ksniff now ships with the \"-p\" (privileged) mode.\nWhen executed with the -p flag, ksniff will create a new pod on the remote kubernetes cluster that will have access to the node docker daemon.\n\nksniff will then use that pod to execute a container attached to the target container network namespace \nand perform the actual network capture.\n\n#### Piping output to stdout\nBy default ksniff will attempt to start a local instance of the Wireshark GUI. You can integrate with other tools\nusing the `-o -` flag to pipe packet capture data to stdout.\n\nExample using `tshark`:\n\n    kubectl sniff pod-name -f \"port 80\" -o - | tshark -r -\n\n### Contribution\nMore than welcome! 
Please don't hesitate to open bugs, questions, or pull requests.\n\n### Future Work\n1. Instead of uploading static tcpdump, use the future support of the \"kubectl debug\" feature\n (https://github.com/kubernetes/community/pull/649), which should be a much cleaner solution.\n \n### Known Issues\n\n#### Wireshark and TShark cannot read pcap\n\n*Issues [100](https://github.com/eldadru/ksniff/issues/100) and [98](https://github.com/eldadru/ksniff/issues/98)*\n\nWireshark may show `UNKNOWN` in the Protocol column. TShark may report the following in its output:\n\n```\ntshark: The standard input contains record data that TShark doesn't support.\n(pcap: network type 276 unknown or unsupported)\n```\n\nThis issue happens when using an old version of Wireshark or TShark to read the pcap created by ksniff. Upgrade Wireshark or TShark to resolve this issue. Ubuntu LTS versions may have this problem with stock package versions, but using the [Wireshark PPA will help](https://github.com/eldadru/ksniff/issues/100#issuecomment-789503442).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feldadru%2Fksniff","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feldadru%2Fksniff","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feldadru%2Fksniff/lists"}