Why Kubeshark
Network traffic is the ground truth of what happens in a Kubernetes cluster. It’s also nearly impossible to use: invisible (pod-to-pod traffic never hits a physical interface), enormous (gigabytes per minute), and ephemeral (IP-to-workload mappings shift constantly).
Kubeshark makes it accessible — to humans and AI agents alike.
Beyond Wireshark
Wireshark is built for a single engineer inspecting a single PCAP on a single machine. In Kubernetes, that model breaks:
- Doesn’t scale. 100 nodes = 100 tcpdump sessions, 100 files, 100x the size.
- Can’t keep up. Cluster traffic volume exceeds what a human can visually inspect.
- Missing context. Raw PCAPs have IPs and ports — not pod names, namespaces, or labels.
Kubeshark delivers cluster-wide L4/L7 traffic — structured, Kubernetes-enriched, and ready for consumption. When deep inspection is needed, it hands the right PCAP to Wireshark: small, filtered, and contextually relevant.
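The context gap described above (raw IPs and ports versus pod identity, with IP-to-workload mappings that shift over time) can be illustrated with a small enrichment routine. This is an added example, not Kubeshark's code: the pod inventory and flow records are constructed, and the `resolve` and `enrich` helpers are hypothetical names. It assumes pod lifetimes are known from the API server (start and deletion timestamps), so that a reused pod IP is attributed to the pod that actually owned it at the time of the flow.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class PodLifetime:
    """One pod's identity and the window during which it owned its IP."""
    namespace: str
    name: str
    ip: str
    labels: dict
    started: datetime
    deleted: Optional[datetime]  # None means the pod is still running


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed inventory: 10.244.1.7 is released by checkout-a and reused by cart-b.
PODS = [
    PodLifetime("shop", "checkout-a", "10.244.1.7", {"app": "checkout"},
                _ts("2024-05-01T10:00:00"), _ts("2024-05-01T10:30:00")),
    PodLifetime("shop", "cart-b", "10.244.1.7", {"app": "cart"},
                _ts("2024-05-01T10:31:00"), None),
    PodLifetime("shop", "db-0", "10.244.2.3", {"app": "postgres"},
                _ts("2024-05-01T09:00:00"), None),
]

# Constructed L4 flow records, as tcpdump or NetFlow would give them: IPs, port, time.
FLOWS = [
    {"ts": "2024-05-01T10:15:00", "src": "10.244.1.7", "dst": "10.244.2.3", "dport": 5432},
    {"ts": "2024-05-01T10:45:00", "src": "10.244.1.7", "dst": "10.244.2.3", "dport": 5432},
    {"ts": "2024-05-01T10:45:05", "src": "203.0.113.9", "dst": "10.244.2.3", "dport": 5432},
]


def resolve(ip: str, at: datetime, pods) -> Optional[PodLifetime]:
    """Return the pod that owned `ip` at instant `at`; None for node, external or gap IPs."""
    for p in pods:
        if p.ip == ip and p.started <= at and (p.deleted is None or at < p.deleted):
            return p
    return None


def enrich(flow: dict, pods) -> dict:
    """Annotate one flow record with namespace/pod and app label for both endpoints."""
    at = _ts(flow["ts"])
    out = dict(flow)
    for side in ("src", "dst"):
        pod = resolve(flow[side], at, pods)
        out[f"{side}_workload"] = f"{pod.namespace}/{pod.name}" if pod else "unknown"
        out[f"{side}_app"] = pod.labels.get("app", "") if pod else ""
    return out


if __name__ == "__main__":
    for f in FLOWS:
        e = enrich(f, PODS)
        print(f"{e['ts']} {e['src_workload']} -> {e['dst_workload']}:{e['dport']}")
```

The second flow carries the same source IP as the first but is attributed to `shop/cart-b`, which is the attribution a static IP-to-pod table would get wrong.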
Decrypting Encrypted Traffic for AI and People
Most of the traffic inside a modern cluster is encrypted — and that’s where other tools go silent. Kubeshark doesn’t.
By hooking the cryptographic library inside each workload with eBPF, Kubeshark captures TLS and mTLS traffic in clear text — with no private keys, no certificates, no sidecars, no application changes. That covers nginx, HAProxy, Envoy, Istio, Traefik, Kong, APISIX, PostgreSQL, MySQL, Redis, MongoDB, RabbitMQ, and more, across OpenSSL, BoringSSL, and Go crypto/tls — dynamically or statically linked, stripped or unstripped.
Service-mesh mTLS (Istio, Cilium, Consul, Envoy-based meshes) is decrypted automatically, with no extra setup.
See how TLS decryption works →
Built for AI
Network data is the richest signal in a cluster, yet raw packets are too expensive for AI agents to process. Kubeshark closes this gap — think of it as Google Search for network data:
- Indexes cluster-wide traffic so queries are fast and low-cost
- Filters and structures data for AI-friendly token budgets
- Works in real-time and retrospectively
- Integrates into incident response and root cause analysis workflows via MCP
The result: AI-driven RCA that processes 10x the traffic in 1/10th the time.
How It Works
- Capture — eBPF at the kernel level. No sidecars, no packet loss, minimal overhead. Raw traffic sits in short-term FIFO retention per node.
- Snapshot & retain — Create filtered PCAP snapshots anytime; export to cloud storage (S3, Azure Blob, GCS) for long-term retention.
- Real-time inspection — Traffic indexed on the wire at cluster speed for live monitoring and troubleshooting.
- Retrospective indexing — Snapshots parsed into L7 protocols (HTTP, gRPC, Redis, Kafka, DNS, …), fully indexed with Kubernetes context.
- AI access via MCP — AI agents query and correlate network data at reasonable token cost.
- Dashboard — Wireshark-like UI with cluster-wide L4/L7 visibility.
What’s Next
- Installation — Get Kubeshark running in your cluster
- Real-time Traffic Inspection — See live traffic as it flows
- Incident Response — Investigate incidents with captured traffic
- Traffic Forensics — Reconstruct past events from recorded traffic
- AI Integration — Connect AI agents to your network data