kubeshark / kubeshark

The API traffic analyzer for Kubernetes providing real-time K8s protocol-level visibility, capturing and monitoring all traffic and payloads going in, out and across containers, pods, nodes and clusters. Inspired by Wireshark, purposely built for Kubernetes
https://kubeshark.co
Apache License 2.0
10.72k stars 455 forks

AMQP traffic not recognized #1307

Open jahluwalia opened 1 year ago

jahluwalia commented 1 year ago

I have several RabbitMQ exchanges and queues and I know messages are being read/written to/from RabbitMQ. But kubeshark is not seeing any amqp messages. I am seeing http, dns, redis. Are there some troubleshooting steps or perhaps configuration? I'm doing a kubeshark tap -A --proxy-host 0.0.0.0.0

mertyildiran commented 1 year ago

@jahluwalia is the traffic encrypted? In other words, is TLS support enabled in the RabbitMQ instances? Because Kubeshark cannot capture encrypted AMQP traffic. The TLS capture feature of Kubeshark currently only works for HTTP(S).

jahluwalia commented 1 year ago

Hi,

I do have multiple instances of rabbit. Only one has amqps. I confirmed in rabbit management console (of one of the non amqps instances) that the connections were amqp (no tls).

Thanks,
Jas

On Jan 28, 2023 at 11:24 AM -0800, M. Mert Yildiran wrote:

> @jahluwalia is the traffic encrypted? In other words, is TLS support enabled in the RabbitMQ instances? Because Kubeshark cannot capture encrypted AMQP traffic. The TLS capture feature of Kubeshark currently only works for HTTP(S).

mertyildiran commented 1 year ago

@jahluwalia do all of the TCP connections of the non-TLS AMQP instance start before Kubeshark starts? Because Kubeshark can't really jump into the middle of a long-lasting TCP connection, understand the protocol and eventually dissect it (and no other sniffer software can, AFAIK).

I recommend either running kubeshark tap and restarting the AMQP server (or its client), or starting with a minimal example like this.

jahluwalia commented 1 year ago

Hi,

I tried restarting the rabbit server pod, and was able to observe various instances of connection start, connection tune and connection close.

But not actual messages being queued and consumed.

mertyildiran commented 1 year ago

@jahluwalia we support only a subset of AMQP methods and we support only AMQP 0-9-1. If you can share a PCAP file or a small script that contains AMQP client code which represents the problem, I can try to help.
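
For anyone triaging the same symptom, the following is an added example (not part of the thread and not Kubeshark's dissector): a strict AMQP 0-9-1 frame walker that labels the frames in one direction of a TCP stream and fails when it is started mid-connection or fed a non-0-9-1 protocol header. The `frame` and `dissect` helpers, the method table subset and the sample bytes are constructed for illustration.

```python
import struct

PROTO_0_9_1 = b"AMQP\x00\x00\x09\x01"   # protocol header sent by the client first
FRAME_END = 0xCE
FRAME_TYPES = {1: "method", 2: "header", 3: "body", 8: "heartbeat"}
# Small subset of AMQP 0-9-1 (class-id, method-id) pairs, enough for this thread.
METHODS = {
    (10, 10): "connection.start", (10, 30): "connection.tune",
    (10, 50): "connection.close", (60, 40): "basic.publish",
    (60, 60): "basic.deliver",
}

def frame(ftype, channel, payload):
    """Build one frame: type(1) channel(2) size(4) payload frame-end(1)."""
    return struct.pack(">BHI", ftype, channel, len(payload)) + payload + bytes([FRAME_END])

def dissect(stream):
    """Label the frames in one direction of a TCP stream; raise ValueError on bad framing."""
    pos, out = 0, []
    if stream.startswith(b"AMQP"):
        if stream[:8] != PROTO_0_9_1:
            raise ValueError("not AMQP 0-9-1: header %r" % stream[:8])
        out.append("protocol-header 0-9-1")
        pos = 8
    while pos < len(stream):
        if len(stream) - pos < 8:            # smallest frame is 7 + 0 + 1 octets
            raise ValueError("truncated frame at offset %d" % pos)
        ftype, channel, size = struct.unpack_from(">BHI", stream, pos)
        end = pos + 7 + size                 # index of the frame-end octet
        if (ftype not in FRAME_TYPES or (ftype == 1 and size < 4)
                or end >= len(stream) or stream[end] != FRAME_END):
            raise ValueError("lost framing at offset %d" % pos)
        label = FRAME_TYPES[ftype]
        if ftype == 1:                       # method payload starts with class-id, method-id
            key = struct.unpack_from(">HH", stream, pos + 7)
            label = METHODS.get(key, "method %d.%d" % key)
        out.append(label)
        pos = end + 1
    return out

# Constructed sample: client header, then basic.publish to routing key "jobs" with body "hello".
PUBLISH = struct.pack(">HH", 60, 40) + b"\x00\x00" + b"\x00" + b"\x04jobs" + b"\x00"
CLIENT = (PROTO_0_9_1 + frame(1, 1, PUBLISH)
          + frame(2, 1, struct.pack(">HHQH", 60, 0, 5, 0))
          + frame(3, 1, b"hello"))

if __name__ == "__main__":
    print(dissect(CLIENT))
```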