PCAP-NG Export

[grampelberg]

What problem are you trying to solve?

It is difficult to debug what is happening to the network traffic for workloads on Kubernetes. Linkerd provides tap and stat to provide some glimpses into what's happening. Many times, this is enough. Unfortunately, when low level problems and protocol issues crop up, the existing tools are not enough. This causes users to inject the debug container and tcpdump traffic on a pod by pod basis.

How should the problem be solved?

Add PCAP-NG as an export format for tap. This can then be dumped locally or forwarded to Wireshark for analysis and debugging.

[tobad357]

Got linked here by @grampelberg.
We think it would be great to have pcap-ng files when having serious problems.
For more mundane problems it would be nice to have -format=HTTP
This would just dump headers, request body, response body, response codes etc in plain text

[grampelberg]

@tobad357 I assume we'd use tap for that. The reason we're thinking pcap-ng isn't for the files, but to pipe it into other tools. Imagine taking a stream from linkerd and piping it into tshark. Then you'd be able to get all the text output you want and slice and dice it as you see fit. There's just so much UI around doing analysis, it feels like we should lean on the tools that do an awesome job with it.

[tobad357]

Sounds like a good way of doing it. I didn't know about tshark and was more envisioning needing wireshark at some complete inopportune moment :)

[adnxn]

is anyone working on this?

[olix0r]

@adnxn We haven't been working on this. Tools like ksniff do this pretty well without us having to add overhead to the proxy. At this point I'd be somewhat reticent to add this feature directly to Linkerd...