* Add KFL and Network RCA skills

  Introduce the skills/ directory with two Kubeshark MCP skills:
  - network-rca: Retrospective traffic analysis via snapshots, dissection, KFL queries, PCAP extraction, and trend comparison
  - kfl: Complete KFL2 (Kubeshark Filter Language) reference covering all supported protocols, variables, operators, and filter patterns

  Update CLAUDE.md with skill authoring guidelines, structure conventions, and the list of available Kubeshark MCP tools.

* Optimize skills and add shared setup reference
  - network-rca: cut repeated metaphor, add list_api_calls example response, consolidate use cases, remove unbuilt composability section, extract setup reference to references/setup.md (409 → 306 lines)
  - kfl: merge thin protocol sections, fix map_get inconsistency, add negation examples, move capture source to reference doc
  - kfl2-reference: add most-commonly-used variables table, add inline filter examples per protocol section
  - Add skills/README.md with usage and contribution guidelines

* Add plugin infrastructure and update READMEs
  - Add .claude-plugin/plugin.json and marketplace.json for Claude Code plugin distribution
  - Add .mcp.json bundling the Kubeshark MCP configuration
  - Update skills/README.md with plugin install, manual install, and agent compatibility sections
  - Update mcp/README.md with AI skills section and install instructions
  - Restructure network-rca skill into two distinct investigation routes: PCAP (no dissection, BPF filters, Wireshark/compliance) and Dissection (indexed queries, AI-driven analysis, payload inspection)

* Remove CLAUDE.md from tracked files

  Content now lives in skills/README.md, mcp/README.md, and the skills themselves.

* Add README to .claude-plugin directory
* Reorder MCP config: default mode first, URL mode for no-kubectl
* Move AI Skills section to top of MCP README
* Reorder manual install: symlink first
* Streamline skills README: focus on usage and contributing
* Enforce KFL skill loading before writing filters
  - network-rca: require loading KFL skill before constructing filters, suggest installation if unavailable
  - kfl: set user-invocable: false (background knowledge skill), strengthen description to mandate loading before any filter construction
* Move KFL requirement to top of Dissection route
* Add strict fallback: only use exact examples if KFL skill unavailable
* Add clone step to manual installation
* Use $PWD/kubeshark paths in manual install examples
* Add mkdir before symlinks, simplify paths
* Move prerequisites before installation

---------

Co-authored-by: Alon Girmonsky <alongir@Alons-Mac-Studio.local>
Network Observability for SREs & AI Agents
Kubeshark captures cluster-wide network traffic at the speed and scale of Kubernetes, continuously, at the kernel level using eBPF. It consolidates a highly fragmented picture — dozens of nodes, thousands of workloads, millions of connections — into a single, queryable view with full Kubernetes and API context.
Network data is available to AI agents via MCP and to human operators via a dashboard.
What's captured, cluster-wide:
- L4 Packets & TCP Metrics — retransmissions, RTT, window saturation, connection lifecycle, packet loss across every node-to-node path (TCP insights →)
- L7 API Calls — real-time request/response matching with full payload parsing: HTTP, gRPC, GraphQL, Redis, Kafka, DNS (API dissection →)
- Decrypted TLS — eBPF-based TLS decryption without key management
- Kubernetes Context — every packet and API call resolved to pod, service, namespace, and node
- PCAP Retention — point-in-time raw packet snapshots, exportable for Wireshark (Snapshots →)
Get Started
```bash
helm repo add kubeshark https://helm.kubeshark.com
helm install kubeshark kubeshark/kubeshark
```
Dashboard opens automatically. You're capturing traffic.
Connect an AI agent via MCP:
```bash
brew install kubeshark
claude mcp add kubeshark -- kubeshark mcp
```
AI-Powered Network Analysis
Kubeshark exposes all cluster-wide network data via MCP (Model Context Protocol). AI agents can query L4 metrics, investigate L7 API calls, analyze traffic patterns, and run root cause analysis — through natural language. Use cases include incident response, root cause analysis, troubleshooting, debugging, and reliability workflows.
- "Why did checkout fail at 2:15 PM?"
- "Which services have error rates above 1%?"
- "Show TCP retransmission rates across all node-to-node paths"
- "Trace request abc123 through all services"
Works with Claude Code, Cursor, and any MCP-compatible AI.
L7 API Dissection
Cluster-wide request/response matching with full payloads, parsed according to protocol specifications. HTTP, gRPC, Redis, Kafka, DNS, and more. Every API call resolved to source and destination pod, service, namespace, and node. No code instrumentation required.
L4/L7 Workload Map
Cluster-wide view of service communication: dependencies, traffic flow, and anomalies across all nodes and namespaces.
Traffic Retention
Continuous raw packet capture with point-in-time snapshots. Export PCAP files for offline analysis with Wireshark or other tools.
Features
| Feature | Description |
|---|---|
| Raw Capture | Continuous cluster-wide packet capture with minimal overhead |
| Traffic Snapshots | Point-in-time snapshots, export as PCAP for Wireshark |
| L7 API Dissection | Request/response matching with full payloads and protocol parsing |
| Protocol Support | HTTP, gRPC, GraphQL, Redis, Kafka, DNS, and more |
| TLS Decryption | eBPF-based decryption without key management |
| AI-Powered Analysis | Query cluster-wide network data with Claude, Cursor, or any MCP-compatible AI |
| Display Filters | Wireshark-inspired display filters for precise traffic analysis |
| 100% On-Premises | Air-gapped support, no external dependencies |
Install
| Method | Command |
|---|---|
| Helm | `helm repo add kubeshark https://helm.kubeshark.com && helm install kubeshark kubeshark/kubeshark` |
| Homebrew | `brew install kubeshark && kubeshark tap` |
| Binary | Download |
Contributing
We welcome contributions. See CONTRIBUTING.md.




