|
3 | 3 | :tcpdump: https://www.tcpdump.org/ |
4 | 4 | :mitmproxy: https://www.mitmproxy.org/ |
5 | 5 |
|
6 | | -You likely know this problem: Some tools is behaving weird, and you need to debug (often times HTTP/HTTPS or DNS) traffic between Kubernetes Pods. |
7 | | -If the tool would be running on a local machine, one would simply start {tcpdump}[`tcpdump`] and inspect the traffic. |
8 | | -Maybe use {mitmproxy}[`mitmproxy`] as a HTTPS proxy to re-encrypt the HTTPS traffic, so that it is readable. |
| 6 | +You likely know this problem: Some tool is behaving weird, and you need to debug (often times HTTP/HTTPS or DNS) traffic between Kubernetes Pods. |
| 7 | +If the tool would be running on a local machine, one would simply start {tcpdump}[`tcpdump`{external-link-icon}^] and inspect the traffic. |
| 8 | +Maybe use {mitmproxy}[`mitmproxy`{external-link-icon}^] as a HTTPS proxy to re-encrypt the HTTPS traffic, so that `mitmproxy` can inspect the decrypted traffic. |
9 | 9 |
|
10 | 10 | However, as we are running in a containerized environment, things are a bit more complicated. |
11 | 11 | This guide explains you how you can capture and inspect traffic anyway. |
12 | 12 |
|
13 | 13 | There are a few things needed: |
14 | 14 |
|
15 | | -1. A sidecar running {tcpdump}[`tcpdump`], capturing the traffic into a file. |
| 15 | +1. A sidecar running {tcpdump}[`tcpdump`{external-link-icon}^], capturing the traffic into a file. |
16 | 16 | 2. If TLS (e.g. HTTPS) traffic is involved, the product needs to be configured in such a way, that it writes the TLS session keys into a file. |
17 | 17 | The key log can be used afterwards to decrypt the TLS traffic. |
18 | 18 | 3. Wireshark to make it easier to inspect the captured traffic. |
19 | 19 | You can give it the TLS key log and it will automatically decrypt the TLS traffic. |
20 | 20 |
|
21 | 21 | == Simple usage |
22 | 22 |
|
23 | | -If you only care about unencrypted communications, you can use this snippet to dump all traffic using {tcpdump}[`tcpdump`]. |
| 23 | +If you only care about unencrypted communications, you can use this snippet to dump all traffic using {tcpdump}[`tcpdump`{external-link-icon}^]. |
24 | 24 |
|
25 | 25 | [source,yaml] |
26 | 26 | ---- |
@@ -53,7 +53,7 @@ Let's make things a bit more interesting using a real-world example. |
53 | 53 | Let's assume Superset is behaving weird and we want to debug the network traffic from Superset to Trino, which is using HTTPS. |
54 | 54 |
|
55 | 55 | As of Java 21 the JVM does not respect the `SSLKEYLOGFILE` env var and does not seem to have support to write the TLS key log. |
56 | | -So we need to use a third-party Java agent called https://github.com/neykov/extract-tls-secrets[extract-tls-secrets] for that. |
| 56 | +So we need to use a third-party Java agent called https://github.com/neykov/extract-tls-secrets[extract-tls-secrets{external-link-icon}^] for that. |
57 | 57 |
|
58 | 58 | [source,yaml] |
59 | 59 | ---- |
@@ -149,6 +149,6 @@ image::debug-network-traffic/4.png[] |
149 | 149 |
|
150 | 150 | == Follow-up tips |
151 | 151 |
|
152 | | -1. You can filter the packets in the {tcpdump}[`tcpdump`] call to reduce the capture file size. |
| 152 | +1. You can filter the packets in the {tcpdump}[`tcpdump`{external-link-icon}^] call to reduce the capture file size. |
153 | 153 | 2. If you do this on a production setup, keep in mind that the dump might contain sensitive data and the TLS keys can be used to decrypt all TLS traffic of this Pod! |
154 | 154 | 3. In case the product uses HTTP 2 (or newer), you need to use a Wireshark filter such as `http2.headers.path == "/nifi-api/flow/current-user"` |
0 commit comments