eldadru / ksniff

Kubectl plugin to ease sniffing on kubernetes pods using tcpdump and wireshark
Apache License 2.0

WTAP_ENCAP = 0 #138

Closed TomyLobo closed 2 years ago

TomyLobo commented 2 years ago

Environment

I'm running a 2-node k3s cluster. Both nodes run on k3os. I installed krew and then ksniff, as described here:

Client OS is Kubuntu 18.04. WireShark version is 2.6.10 (Git v2.6.10 packaged as 2.6.10-1~ubuntu18.04.0). kubectl is installed from a snap.

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.3", GitCommit:"c92036820499fedefec0f847e2054d824aea6cd1", GitTreeState:"clean", BuildDate:"2021-10-29T02:41:56Z", GoVersion:"go1.16.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.7+k3s1", GitCommit:"aa768cbdabdb44c95c5c1d9562ea7f5ded073bc0", GitTreeState:"clean", BuildDate:"2021-05-20T01:07:13Z", GoVersion:"go1.15.12", Compiler:"gc", Platform:"linux/amd64"}
WARNING: version difference between client (1.22) and server (1.20) exceeds the supported minor version skew of +/-1

Repro

I ran the following command:

kubectl sniff --namespace my-grafana my-grafana-6cc8b4687-tg4hk -p --socket /run/k3s/containerd/containerd.sock --container grafana

(-p was necessary because the Grafana container isn't privileged, while the --socket was necessary because k3s has its containerd.sock elsewhere)

This command correctly started up Wireshark and the packets are flowing in. However, none of them are being dissected correctly. They show up as "WTAP_ENCAP = 0" in the Info column. If I cause some unencrypted traffic, I can read it in the lower pane.

If I try to save the captured packets to a file, I get the following error:

Frame 1 has a network type that can't be saved in a "HP-UX nettl trace" file.

WireShark doesn't allow me to save as any other file type other than "HP-UX nettl trace".

I also tried capturing to a file:

kubectl sniff --namespace my-grafana my-grafana-6cc8b4687-tg4hk -p --socket /run/k3s/containerd/containerd.sock --container grafana -o /tmp/foo.pcap

Opening that file in Wireshark yields the following error:

The file "foo.pcap" contains record data that Wireshark doesn't support.
(pcap: network type 276 unknown or unsupported)

TomyLobo commented 2 years ago

ok, I think I figured it out. This commit from WireShark 3.3.0 adds support for network type 276 (LINKTYPE_LINUX_SLL2): https://github.com/wireshark/wireshark/commit/7e7db3e91ce50f1f3ba35f88aff83c66b5f9bf97 So basically I either need to upgrade WireShark or tell ksniff to write as Linux "cooked" capture encapsulation v1 instead of v2.
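
As an added diagnostic, not part of ksniff or of this thread: a small Python script that reads the global header of a classic pcap such as /tmp/foo.pcap and reports its link-layer type, so the "network type 276 unknown or unsupported" case can be recognised before the file is opened in Wireshark. The LINKTYPE values (113 = Linux cooked v1, 276 = Linux cooked v2) come from the libpcap registry, the 3.3.0 minimum is taken from the commit cited above, and `make_pcap_header` builds a constructed sample header so the check runs offline.

```python
import struct
import sys

# Link-layer types from the libpcap LINKTYPE registry; 276 is the value in the
# error above (Linux cooked capture v2) and was first dissected by Wireshark 3.3.0.
LINKTYPES = {1: "LINKTYPE_ETHERNET", 113: "LINKTYPE_LINUX_SLL", 276: "LINKTYPE_LINUX_SLL2"}

# Classic pcap magic numbers as stored on disk -> (struct byte order, timestamp unit)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "us"), b"\xa1\xb2\xc3\xd4": (">", "us"),
    b"\x4d\x3c\xb2\xa1": ("<", "ns"), b"\xa1\xb2\x3c\x4d": (">", "ns"),
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"

def pcap_linktype(data: bytes) -> dict:
    """Parse the 24-byte classic pcap global header and report its link type."""
    if data[:4] == PCAPNG_MAGIC:
        raise ValueError("pcapng file; this parser handles classic pcap only")
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    try:
        endian, ts_unit = PCAP_MAGICS[data[:4]]
    except KeyError:
        raise ValueError(f"not a pcap file (magic {data[:4].hex()})") from None
    major, minor, _tz, _sigfigs, snaplen, network = struct.unpack(
        endian + "HHiIII", data[4:24])
    return {
        "version": (major, minor),
        "timestamps": ts_unit,
        "snaplen": snaplen,
        "linktype": network,
        "name": LINKTYPES.get(network, "unknown"),
        # SLL2 is the only type this thread hit; the others open in old Wireshark too.
        "min_wireshark": "3.3.0" if network == 276 else None,
    }

def make_pcap_header(linktype: int, endian: str = "<", snaplen: int = 262144) -> bytes:
    """Constructed sample header (pcap 2.4, microsecond magic) for offline testing."""
    magic = b"\xd4\xc3\xb2\xa1" if endian == "<" else b"\xa1\xb2\xc3\xd4"
    return magic + struct.pack(endian + "HHiIII", 2, 4, 0, 0, snaplen, linktype)

if __name__ == "__main__":  # usage: python check_pcap.py /tmp/foo.pcap
    with open(sys.argv[1], "rb") as f:
        info = pcap_linktype(f.read(24))
    print(info)
    if info["min_wireshark"]:
        print(f"link type {info['linktype']} needs Wireshark >= {info['min_wireshark']}")
```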

TomyLobo commented 2 years ago

ok, I confirmed that updating WireShark to 3.4.8 (using the official PPA) fixes this issue.

But can you still add something to pass extra arguments to tcpdump? That'd probably help someone else who is either unwilling or unable to update their WireShark. It might also help with future issues or special applications.

Also, can you please add a version requirement of 3.3.0 for WireShark in README.md?

bostrt commented 2 years ago

There's a mention of wireshark in the known issues section of readme but I think adding a clearer version requirement is needed. I'll get that in!

bostrt commented 2 years ago

https://github.com/eldadru/ksniff/blob/master/README.md#wireshark