packetparser
Captures TCP and UDP packets traveling to and from pods and nodes.
Capabilities
The packetparser plugin requires the CAP_NET_ADMIN and CAP_SYS_ADMIN capabilities.
CAP_SYS_ADMINis used to load maps and programs into the kernel and assign them to user-defined structs -LoadAndAssign()method atpacketparser_linux.go:147CAP_NET_ADMINis used for the queuing discipline kernel mechanism -getQdisc()method atpacketparser_linux.go:430
Architecture
packetparser attached a qdisc (Queuing Discipline) of type clsact to each pod's virtual interface (veth) and the host's default interface (device). This setup enabled the attachment of eBPF filter programs for both ingress and egress directions, allowing packetparser to capture individual packets traveling to and from the interfaces.
packetparser does not produce Basic metrics. In Advanced mode (refer to Metric Modes), the plugin transforms an eBPF result into an enriched Flow by adding Pod information based on IP. It then sends the Flow to an external channel, enabling several modules to generate Pod-Level metrics.
Code locations
- Plugin and eBPF code: pkg/plugin/packetparser/
- Modules for extra Advanced metrics: see section below.
Metrics
See metrics for Advanced Mode. For module information, see below.
Modules
Module: forward
Code path: pkg/module/metrics/forward.go
Metrics produced:
adv_forward_countadv_forward_bytes
Module: tcpflags
Code path: pkg/module/metrics/tcpflags.go
Metrics produced:
adv_forward_countadv_forward_bytes
Module: latency (API Server)
Code path: pkg/module/metrics/latency.go
Metrics produced:
adv_node_apiserver_latencyadv_node_apiserver_no_responseadv_node_apiserver_tcp_handshake_latency