Wireshark extcap provider for connecting to the Inspektor Gadget tcpdump gadget.
This requires a running installation of Inspektor Gadget (>=v0.47) either as Kubernetes Daemonset or in daemon mode (using
ig daemon).
Start Wireshark and go to its "About" dialog. Under the "folders" tab look for "Personal Extcap path" and copy the ig-extcap binary file for your specific platform there.
After restarting Wireshark, it should show you two new interfaces in the interface selection:
- Inspektor Gadget (Daemon): use this, if you're running
ig daemon - Inspektor Gadget on Kubernetes: use this, if you're running ig installed on your Kubernetes cluster
When using "Inspektor Gadget (Daemon)", make sure the remote address is configured correctly (matching the daemon configuration).
Click the "cog" icon left to the interface name to open the configuration dialog.
You can apply filters to capture traffic only on matching containers:
Here you can specify a gadget OCI image to use for capturing. Doesn't usually need to be changed.
Limits the number of bytes that should be captured from each packet. This can massively reduce the network traffic.
Again, look at the folders in Wireshark's "About" dialog and navigate to the "Personal Lua Plugins" folder. Place the dissector file in there and restart Wireshark. You should be able to see additional data when capturing traffic using Inspektor Gadget.
If you want to add this information as a column to the upper packet list, you can do so by:
- right clicking the header -> "Column Preferences"
- click "+" at the bottom
- choose a "Title", set "Type" to "Custom" and as "Custom Expression" use any of (auto-completion should be available
after capturing):
- ig.k8s.containerName
- ig.k8s.ns
- ig.k8s.pod
- ig.proc.comm
- ig.runtime.containerName
