From kubeshark
Provides KFL2 reference for constructing filter expressions to query Kubeshark network traffic by protocols (HTTP, DNS, Redis, Kafka), Kubernetes metadata (namespace, pod), L4 flows, and time.
npx claudepluginhub kubeshark/kubesharkThis skill uses the workspace's default tool permissions.
You are a KFL2 expert. KFL2 is built on Google's CEL (Common Expression Language)
Investigates Kubernetes network incidents with Kubeshark MCP: manages traffic snapshots, extracts PCAPs, dissects L7 API calls from historical captures, compares patterns, detects anomalies.
Searches and filters Observability logs using ES|QL for investigating spikes, errors, anomalies, volume trends, and drilling into services or containers during incidents.
References Grafana Loki LogQL syntax for log/metric queries, parsers (json/logfmt/pattern/regexp/unpack), label filters, architecture, and ingestion via Promtail/Alloy/Fluent Bit. For writing queries, configuring pipelines, troubleshooting logs.
Share bugs, ideas, or general feedback.
You are a KFL2 expert. KFL2 is built on Google's CEL (Common Expression Language) and is the query language for all Kubeshark traffic analysis. It operates as a display filter — it doesn't affect what's captured, only what you see.
Think of KFL the way you think of SQL for databases or Google search syntax for the web. Kubeshark captures and indexes all cluster traffic; KFL is how you search it.
For the complete variable and field reference, see references/kfl2-reference.md.
KFL expressions are boolean CEL expressions. An empty filter matches everything.
| Category | Operators |
|---|---|
| Comparison | ==, !=, <, <=, >, >= |
| Logical | &&, ||, ! |
| Arithmetic | +, -, *, /, % |
| Membership | in |
| Ternary | condition ? true_val : false_val |
str.contains(substring) // Substring search
str.startsWith(prefix) // Prefix match
str.endsWith(suffix) // Suffix match
str.matches(regex) // Regex match
size(str) // String length
size(collection) // List/map/string length
key in map // Key existence
map[key] // Value access
map_get(map, key, default) // Safe access with default
value in list // List membership
timestamp("2026-03-14T22:00:00Z") // Parse ISO timestamp
duration("5m") // Parse duration
now() // Current time (snapshot at filter creation)
!http // Everything that is NOT HTTP
http && status_code != 200 // HTTP responses that aren't 200
http && !path.contains("/health") // Exclude health checks
!(src.pod.namespace == "kube-system") // Exclude system namespace
Boolean flags that indicate which protocol was detected. Use these as the first filter term — they're fast and narrow the search space immediately.
| Flag | Protocol | Flag | Protocol |
|---|---|---|---|
http | HTTP/1.1, HTTP/2 | redis | Redis |
dns | DNS | kafka | Kafka |
tls | eBPF TLS interception | amqp | AMQP |
tcp | TCP | ldap | LDAP |
udp | UDP | ws | WebSocket |
sctp | SCTP | gql | GraphQL (v1+v2) |
icmp | ICMP | gqlv1 / gqlv2 | GraphQL version-specific |
grpc | gRPC (HTTP/2 sub-protocol) | mongodb | MongoDB |
mysql | MySQL | radius | RADIUS |
diameter | Diameter | conn / flow | L4 connection/flow tracking |
tcp_conn / udp_conn | Transport-specific connections |
The most common starting point. Filter by where traffic originates or terminates.
src.pod.name == "orders-594487879c-7ddxf"
dst.pod.namespace == "production"
src.service.name == "api-gateway"
dst.service.namespace == "payments"
Pod fields fall back to service data when pod info is unavailable, so
dst.pod.namespace works even for service-level entries.
Convenience variables that pick the best available identity for a peer:
src.name == "api-gateway" // pod > service > dns > process
dst.name.contains("payment") // works across identity types
src.namespace == "production" // pod namespace, falls back to service
dst.namespace != "kube-system" // exclude system namespace
Match against any direction (src or dst):
"production" in namespaces // Any namespace match
"orders" in pods // Any pod name match
"api-gateway" in services // Any service name match
map_get(local_labels, "app", "") == "checkout" // Safe access with default
map_get(remote_labels, "version", "") == "canary"
"tier" in local_labels // Label existence check
Always use map_get() for labels and annotations — direct access like
local_labels["app"] errors if the key doesn't exist.
node_name == "ip-10-0-25-170.ec2.internal"
local_process_name == "nginx"
remote_process_name.contains("postgres")
src.dns == "api.example.com"
dst.dns.contains("redis")
HTTP is the most common protocol for API-level investigation.
| Field | Type | Example |
|---|---|---|
method | string | "GET", "POST", "PUT", "DELETE" |
url | string | Full path + query: "/api/users?id=123" |
path | string | Path only: "/api/users" |
status_code | int | 200, 404, 500 |
http_version | string | "HTTP/1.1", "HTTP/2" |
request.headers | map | request.headers["content-type"] |
response.headers | map | response.headers["server"] |
request.cookies | map | request.cookies["session"] |
response.cookies | map | response.cookies["token"] |
query_string | map | query_string["id"] |
request_body_size | int | Request body bytes |
response_body_size | int | Response body bytes |
elapsed_time | int | Duration in microseconds |
// Error investigation
http && status_code >= 500 // Server errors
http && status_code == 429 // Rate limiting
http && status_code >= 400 && status_code < 500 // Client errors
// Endpoint targeting
http && method == "POST" && path.contains("/orders")
http && url.matches(".*/api/v[0-9]+/users.*")
// Performance
http && elapsed_time > 5000000 // > 5 seconds
http && response_body_size > 1000000 // > 1MB responses
// Header inspection
http && "authorization" in request.headers
http && request.headers["content-type"] == "application/json"
// GraphQL (subset of HTTP)
gql && method == "POST" && status_code >= 400
// Only eBPF-intercepted TLS traffic (decrypted HTTPS)
tls && http && status_code >= 500
Note on
tls: Thetlsflag is an alias forcapture_source == "ebpf_tls". It indicates traffic captured via eBPF TLS interception, not TLS protocol dissection.
DNS issues are often the hidden root cause of outages.
| Field | Type | Description |
|---|---|---|
dns_questions | []string | Question domain names |
dns_answers | []string | Answer domain names |
dns_question_types | []string | Record types: A, AAAA, CNAME, MX, TXT, SRV, PTR |
dns_request | bool | Is request |
dns_response | bool | Is response |
dns_request_length | int | Request size |
dns_response_length | int | Response size |
dns && "api.external-service.com" in dns_questions
dns && dns_response && status_code != 0 // Failed lookups
dns && "A" in dns_question_types // A record queries
dns && size(dns_questions) > 1 // Multi-question
redis && redis_type == "GET" // Command type
redis && redis_key.startsWith("session:") // Key pattern
redis && redis_command.contains("DEL") // Command search
redis && redis_total_size > 10000 // Large operations
kafka && kafka_api_key_name == "PRODUCE" // Produce operations
kafka && kafka_client_id == "payment-processor" // Client filtering
kafka && kafka_request_summary.contains("orders") // Topic filtering
kafka && kafka_size > 10000 // Large messages
mongodb && mongodb_command == "find" // Find operations
mongodb && mongodb_collection == "users" // Collection filtering
mongodb && mongodb_database == "mydb" // Database filtering
mongodb && !mongodb_success // Failed operations
mongodb && mongodb_error_code != 0 // Error code filtering
mongodb && mongodb_total_size > 10000 // Large operations
mysql && mysql_command == "COM_QUERY" // SQL queries
mysql && mysql_query.contains("SELECT") // SELECT statements
mysql && mysql_database == "orders_db" // Database filtering
mysql && !mysql_success // Failed queries
mysql && mysql_error_code != 0 // Error code filtering
mysql && mysql_total_size > 10000 // Large queries
gRPC is a sub-protocol of HTTP/2. All HTTP variables are also available on gRPC entries.
grpc && grpc_method == "SayHello" // Method filtering
grpc && grpc_status != 0 // Non-OK status codes
grpc && grpc_status == 14 // UNAVAILABLE
grpc && grpc_method.contains("Create") // Method pattern
grpc && elapsed_time > 1000000 // Slow gRPC calls (>1s)
amqp && amqp_method == "basic.publish" // AMQP publish
ldap && ldap_type == "bind" // LDAP bind requests
radius && radius_code_name == "Access-Request" // RADIUS auth
diameter && diameter_method.contains("Credit") // Diameter credit control
For the full variable list for these protocols, see references/kfl2-reference.md.
tcp && tcp_error_type != "" // TCP errors
udp && udp_length > 1000 // Large UDP packets
conn && conn_state == "open" // Active connections
conn && conn_local_bytes > 1000000 // High-volume
conn && "HTTP" in conn_l7_detected // L7 protocol detection
tcp_conn && conn_state == "closed" // Closed TCP connections
flow && flow_local_pps > 1000 // High packet rate
flow && flow_local_bps > 1000000 // High bandwidth
flow && flow_state == "closed" && "TLS" in flow_l7_detected
tcp_flow && flow_local_bps > 5000000 // High-throughput TCP
src.ip == "10.0.53.101"
dst.ip.startsWith("192.168.")
src.port == 8080
dst.port >= 8000 && dst.port <= 9000
timestamp > timestamp("2026-03-14T22:00:00Z")
timestamp >= timestamp("2026-03-14T22:00:00Z") && timestamp <= timestamp("2026-03-14T23:00:00Z")
timestamp > now() - duration("5m") // Last 5 minutes
elapsed_time > 2000000 // Latency > 2 seconds
The most effective investigation technique — start broad, add constraints:
// Step 1: Protocol + namespace
http && dst.pod.namespace == "production"
// Step 2: Add error condition
http && dst.pod.namespace == "production" && status_code >= 500
// Step 3: Narrow to service
http && dst.pod.namespace == "production" && status_code >= 500 && dst.service.name == "payment-service"
// Step 4: Narrow to endpoint
http && dst.pod.namespace == "production" && status_code >= 500 && dst.service.name == "payment-service" && path.contains("/charge")
// Step 5: Add timing
http && dst.pod.namespace == "production" && status_code >= 500 && dst.service.name == "payment-service" && path.contains("/charge") && elapsed_time > 2000000
http && ... is faster than ... && httpstartsWith/endsWith over contains — prefix/suffix checks are fasterdst.port == 80 is cheaper than url.contains(...)map_get for labels — avoids errors on missing keys&&, so put cheap checks firstKFL2 is statically typed. Common gotchas:
status_code is int, not string — use status_code == 200, not "200"elapsed_time is in microseconds — 5 seconds = 5000000timestamp requires timestamp() function — not a raw stringkey in map or map_get() firstvalue in list — not list.contains(value)