Protocol Support
Kubeshark supports a comprehensive range of network protocols across multiple layers, from low-level transport protocols to application-layer APIs.
Supported Protocols
HTTP & Web Protocols
| Protocol | Version | Description |
|---|---|---|
| HTTP/1.0 | RFC 1945 | Original HTTP protocol |
| HTTP/1.1 | RFC 2616 | Persistent connections, chunked transfer |
| HTTP/2 | RFC 7540 | Multiplexed streams, header compression |
| WebSocket | RFC 6455 | Full-duplex communication over HTTP |
| GraphQL | HTTP/1.1 & HTTP/2 | Query language for APIs |
Messaging & Streaming
| Protocol | Description |
|---|---|
| Apache Kafka | Distributed event streaming platform |
| AMQP | Advanced Message Queuing Protocol (RabbitMQ) |
| Redis | In-memory data structure store protocol |
RPC & API Protocols
| Protocol | Description |
|---|---|
| gRPC | High-performance RPC over HTTP/2 |
Authentication Protocols
| Protocol | RFC | Description |
|---|---|---|
| LDAP | RFC 4511 | Lightweight Directory Access Protocol |
| RADIUS | RFC 2865 | Remote Authentication Dial-In User Service |
| DIAMETER | RFC 6733 | Authentication, Authorization, and Accounting |
Network & Transport Layer
| Protocol | RFC | Description |
|---|---|---|
| TCP | RFC 9293 | Transmission Control Protocol |
| UDP | RFC 768 | User Datagram Protocol |
| SCTP | RFC 4960 | Stream Control Transmission Protocol |
| DNS | RFC 1035 | Domain Name System |
| ICMP | RFC 792 | Internet Control Message Protocol |
Security Protocols
| Protocol | Description |
|---|---|
| TLS | Transport Layer Security with automatic decryption |
TLS Decryption
Kubeshark captures TLS traffic in clear text by hooking into the cryptographic libraries used by applications — without requiring access to private keys. Using eBPF, it intercepts data after decryption (on read) and before encryption (on write), capturing the plain text directly from memory.
Supported Libraries
| Library | Languages / Runtimes | Requirement |
|---|---|---|
| OpenSSL | Python, Java, PHP, Ruby, Node.js | Linked as shared library |
| Go crypto/tls | Go services | Non-stripped binaries |
| BoringSSL | gRPC, Chrome, Envoy | Linked as shared library |
If your application uses one of these libraries for TLS termination, Kubeshark can display the traffic in clear text.
How It Works
Kubeshark traces both kernel-space and user-space functions using eBPF — an in-kernel virtual machine that runs programs passed from user space.
- OpenSSL: attaches uprobes to `SSL_read` and `SSL_write`, capturing unencrypted data in any TLS/SSL connection. Covers Python, Java, PHP, Ruby, and Node.js.
- Go: probes `crypto/tls.(*Conn).Read` and `crypto/tls.(*Conn).Write`. Supports both amd64 and arm64 with ABI0 and ABIInternal. Uses Capstone for binary disassembly and DWARF tables for Goroutine tracking.
- Kernel: uses `kprobes` for address resolution and request-response matching.
These methods have minimal performance impact. The Linux kernel limits the number of eBPF instructions allowed for probing, ensuring no significant slowdown.
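A pre-flight check for the requirements in the Supported Libraries table and the probe targets listed above, as an added example that is not Kubeshark's own code: it reads an ELF file's DT_NEEDED entries and symbol table with Go's `debug/elf` and reports which probe target the file exposes. The names `hookable` and `inspect`, the `libssl.so` prefix match and the `.gopclntab` test for Go binaries are assumptions of this example.

```go
package main

import (
	"debug/elf"
	"fmt"
	"os"
	"strings"
)

// hookable names the probe target (from this page) that an ELF file exposes.
func hookable(needed, symbols []string, goBinary bool) string {
	for _, lib := range needed {
		if strings.HasPrefix(lib, "libssl.so") { // OpenSSL or BoringSSL, shared
			return "shared libssl: " + lib
		}
	}
	var rd, wr bool
	for _, s := range symbols {
		rd = rd || s == "crypto/tls.(*Conn).Read"
		wr = wr || s == "crypto/tls.(*Conn).Write"
	}
	if rd && wr {
		return "go crypto/tls symbols present"
	} else if goBinary {
		return "go binary, crypto/tls symbols missing (stripped or no TLS)"
	}
	return "no probe target found"
}

func inspect(path string) (string, error) {
	f, err := elf.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	needed, _ := f.ImportedLibraries() // DT_NEEDED; empty for static binaries
	syms, _ := f.Symbols()             // nil when .symtab has been stripped
	var names []string
	for _, s := range syms {
		names = append(names, s.Name)
	}
	goBinary := f.Section(".gopclntab") != nil // assumption: pclntab marks a Go binary
	return hookable(needed, names, goBinary), nil
}

func main() {
	for _, p := range os.Args[1:] {
		fmt.Println(inspect(p)) // verdict and error for each ELF path given
	}
}
```

DT_NEEDED lists only direct dependencies, so for interpreted runtimes point the check at the object that actually links libssl (for example the interpreter's TLS extension module) rather than at the interpreter binary.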
Service Mesh Integration
Kubeshark integrates with service mesh solutions, displaying mTLS-encrypted traffic in plaintext:
How Protocol Indexing Works
- Capture: eBPF and AF_PACKET capture Layer 4 traffic (TCP, UDP, SCTP)
- Identify: Protocol identification based on port numbers and payload inspection
- Dissect: Protocol-specific parsing reconstructs application-layer messages
- Enrich: Traffic is enriched with Kubernetes context (pods, services, namespaces)
If Kubeshark cannot identify the protocol, the traffic is still available at the L4 level with full Kubernetes and network context. Only the API context is missing. See L4 to L7 & PCAP Viewer for details.