Configs · May 10, 2026 · 1 min read

Kyanos — eBPF Network Analysis and Troubleshooting Tool

A networking analysis tool using eBPF that visualizes kernel-level packet timing and captures request/response pairs for efficient troubleshooting.

Introduction

Kyanos is an eBPF-based networking analysis tool for Linux that captures L7 request/response pairs and visualizes the time packets spend at each stage in the kernel network stack. It makes network troubleshooting more efficient by showing exactly where latency occurs — whether in the application, kernel, or network — without requiring tcpdump, Wireshark, or application-level instrumentation.

What Kyanos Does

  • Captures L7 protocol requests and responses (HTTP, Redis, MySQL, DNS, and more)
  • Visualizes per-packet kernel latency breakdown (socket buffer, TCP stack, NIC queue)
  • Provides real-time traffic statistics with latency percentiles and throughput
  • Filters traffic by PID, container, pod, port, or protocol
  • Runs without any application modification or sidecar deployment

Architecture Overview

Kyanos attaches eBPF kprobes and tracepoints to kernel network functions along the packet path. It timestamps packets at multiple stages: socket send/receive, TCP processing, and NIC queue. A user-space Go process reads these timestamps from eBPF maps, correlates request/response pairs using connection tracking, and computes latency breakdowns. The result is a timeline view showing where each millisecond is spent.
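The correlation step described above, as an added Go example (Go being the language of the tool's user-space side) that is not Kyanos's own code: it takes the kind of per-stage timestamps an eBPF probe emits, groups them back into one request, and subtracts consecutive stages to get the breakdown a timeline view would render. The six stage names, the Event layout, the request-id key and the sample trace are assumptions made for illustration; the real tool keys on the socket and sk_buff rather than a request id. The example also handles two things a raw event stream throws at you: samples arriving out of order, and a request whose response never showed up.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Stage is where on the packet path a probe took its timestamp. The six stages follow the page's
// description (socket syscall, TCP, NIC queue, out and back): an illustrative model, not Kyanos's hooks.
type Stage int

const (
	SyscallSend Stage = iota // write()/sendto() entered by the application
	TCPOut                   // TCP built the outgoing segment
	DevOut                   // segment handed to the NIC queue
	DevIn                    // response frame received from the NIC
	TCPIn                    // TCP processed the response segment
	SyscallRecv              // read()/recvfrom() returned the response to user space
	numStages
)

// SegmentNames[i] labels the interval from stage i to stage i+1.
var SegmentNames = [numStages - 1]string{"socket send buffer (app -> TCP)", "TCP -> NIC queue",
	"wire + peer (NIC out -> NIC in)", "NIC -> TCP", "socket recv buffer (TCP -> app read)"}

// Event is one sample as user space reads it from a BPF map or ring buffer (assumed layout):
// Conn is the connection-tracking key and ReqID ties a response to its request on that connection.
type Event struct {
	Conn  string
	ReqID uint32
	Stage Stage
	TsNs  uint64
}

// Breakdown is the per-request split a timeline view renders; Segments[i] covers stage i to i+1.
type Breakdown struct {
	ReqID    uint32
	Segments [numStages - 1]time.Duration
	Total    time.Duration
}

// Dominant names the segment holding most of the total: the first place to look
// (application-side socket buffers, the kernel path, or the network and peer).
func (b Breakdown) Dominant() string {
	best := 0
	for i := range b.Segments {
		if b.Segments[i] > b.Segments[best] {
			best = i
		}
	}
	return SegmentNames[best]
}

// Correlate groups events by (connection, request), drops requests that miss a stage or whose
// timestamps run backwards (mismatched pair or clock problem), and returns the rest slowest first.
func Correlate(events []Event) (breakdowns []Breakdown, skipped int) {
	groups := map[Event][]Event{} // key: an Event carrying only Conn and ReqID
	for _, e := range events {
		k := Event{Conn: e.Conn, ReqID: e.ReqID}
		groups[k] = append(groups[k], e)
	}
	for k, evs := range groups {
		var ts [numStages]uint64 // 0 means stage not seen; bpf_ktime_get_ns() is never 0 in practice
		for _, e := range evs {
			if e.Stage >= 0 && e.Stage < numStages {
				ts[e.Stage] = e.TsNs
			}
		}
		b, ok := Breakdown{ReqID: k.ReqID, Total: time.Duration(ts[numStages-1] - ts[0])}, ts[0] != 0
		for i := range b.Segments {
			b.Segments[i] = time.Duration(ts[i+1] - ts[i]) // wraps negative when a stage runs backwards
			ok = ok && ts[i+1] != 0 && b.Segments[i] >= 0
		}
		if !ok {
			skipped++
			continue
		}
		breakdowns = append(breakdowns, b)
	}
	sort.Slice(breakdowns, func(i, j int) bool { // slowest first, request id as tie-break
		return breakdowns[i].Total > breakdowns[j].Total ||
			(breakdowns[i].Total == breakdowns[j].Total && breakdowns[i].ReqID < breakdowns[j].ReqID)
	})
	return breakdowns, skipped
}

// SampleEvents is a constructed trace, not captured data: one request slow on the wire, one that
// sat unread in the receive buffer (delivered out of order, as buffer reads can be), one with no response.
func SampleEvents() []Event {
	c := "10.0.0.1:43210->10.0.0.2:80"
	return []Event{
		{c, 1, SyscallSend, 1_000_000}, {c, 1, TCPOut, 1_050_000}, {c, 1, DevOut, 1_070_000},
		{c, 1, DevIn, 3_070_000}, {c, 1, TCPIn, 3_090_000}, {c, 1, SyscallRecv, 3_100_000},
		{c, 2, SyscallRecv, 9_540_000}, {c, 2, SyscallSend, 5_000_000}, {c, 2, TCPOut, 5_020_000},
		{c, 2, DevOut, 5_030_000}, {c, 2, DevIn, 5_530_000}, {c, 2, TCPIn, 5_540_000},
		{c, 3, SyscallSend, 6_000_000}, // no response seen: must be counted as skipped, not reported
	}
}

func main() {
	breakdowns, skipped := Correlate(SampleEvents())
	fmt.Printf("%d incomplete request(s) skipped\n", skipped)
	for _, b := range breakdowns {
		fmt.Printf("req=%d total=%v segments=%v dominant=%q\n", b.ReqID, b.Total, b.Segments, b.Dominant())
	}
}
```

On the sample trace, request 1 is dominated by the wire-and-peer segment (a network or server problem), while request 2 spent most of its time between TCP delivering the response and the application reading it, which is exactly the case where tcpdump shows a fast response yet the caller sees a slow one.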

Self-Hosting & Configuration

  • Single binary with no dependencies. Download it and run it as root; loading kprobes and tracepoints needs CAP_BPF plus CAP_PERFMON (CAP_SYS_ADMIN on older kernels), which root has by default
  • Requires Linux kernel 4.16+ and kernel BTF for CO-RE portability: the loader resolves struct offsets against /sys/kernel/btf/vmlinux, which exists only when the kernel was built with CONFIG_DEBUG_INFO_BTF=y (standard on distribution kernels from roughly 5.4 onward, so verify it before relying on an older host)
  • Use --pid to scope capture to a specific process
  • Use --container-id or --pod-name to filter by container or Kubernetes pod
  • Output results to the terminal in table, JSON, or interactive TUI mode
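A preflight check for the prerequisites in this list, written here as an added Go example and not anything Kyanos ships: root (or the BPF capabilities), the kernel floor, and kernel BTF for CO-RE. The 4.16 floor is the one this page quotes; the paths are the standard Linux ones, and the root-directory parameter exists only so the function can be exercised against a fake tree.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// KernelAtLeast parses a uname-style release string such as "5.15.0-91-generic"
// and reports whether it is at least major.minor.
func KernelAtLeast(release string, major, minor int) (bool, error) {
	parts := strings.SplitN(strings.TrimSpace(release), ".", 3)
	if len(parts) < 2 {
		return false, fmt.Errorf("unparseable kernel release %q", release)
	}
	maj, err := strconv.Atoi(parts[0])
	if err != nil {
		return false, fmt.Errorf("unparseable kernel release %q", release)
	}
	// The minor field may carry a suffix on some builds; take its leading digits only.
	n := 0
	for n < len(parts[1]) && parts[1][n] >= '0' && parts[1][n] <= '9' {
		n++
	}
	min, err := strconv.Atoi(parts[1][:n])
	if err != nil {
		return false, fmt.Errorf("unparseable kernel release %q", release)
	}
	return maj > major || (maj == major && min >= minor), nil
}

// Preflight returns the problems that would stop an eBPF tool like Kyanos from loading
// its probes; an empty list means the host looks ready. root is normally "/" and is a
// parameter only so the checks can run against a fake tree; euid is the effective uid.
func Preflight(root string, euid int) []string {
	var problems []string
	if euid != 0 {
		problems = append(problems, "not root: loading kprobes/tracepoints needs root or CAP_BPF+CAP_PERFMON (CAP_SYS_ADMIN on older kernels)")
	}
	rel, err := os.ReadFile(root + "/proc/sys/kernel/osrelease")
	if err != nil {
		problems = append(problems, "cannot read kernel release: "+err.Error())
	} else if ok, err := KernelAtLeast(string(rel), 4, 16); err != nil {
		problems = append(problems, err.Error())
	} else if !ok {
		problems = append(problems, "kernel "+strings.TrimSpace(string(rel))+" is older than 4.16")
	}
	// CO-RE relocations are resolved against the running kernel's BTF; without it the
	// loader needs an external BTF blob built for this exact kernel.
	if _, err := os.Stat(root + "/sys/kernel/btf/vmlinux"); err != nil {
		problems = append(problems, "no kernel BTF at /sys/kernel/btf/vmlinux (CONFIG_DEBUG_INFO_BTF=y missing): CO-RE needs it or an external BTF for this kernel")
	}
	return problems
}

func main() {
	problems := Preflight("/", os.Geteuid())
	for _, msg := range problems {
		fmt.Println("NOT READY:", msg)
	}
	if len(problems) > 0 {
		os.Exit(1)
	}
	fmt.Println("host looks ready for eBPF capture")
}
```

Run it on the host (or in the privileged container) where the capture will happen, not on a workstation: the kernel release and BTF it inspects are those of the kernel the probes will actually load into.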

Key Features

  • Kernel-level latency visualization: see time spent in socket buffers, TCP stack, and NIC queues
  • Protocol-aware capture: parses HTTP, MySQL, Redis, DNS, PostgreSQL, and Kafka at L7
  • Container and Kubernetes native: filter by pod name, namespace, or container ID
  • Zero instrumentation: no agents, sidecars, or code changes needed
  • Interactive TUI: real-time dashboard with sortable columns and drill-down

Comparison with Similar Tools

  • tcpdump — captures raw packets but cannot show kernel-internal latency; Kyanos provides per-stage timing
  • Wireshark — deep protocol dissection, live or from capture files, but it only sees packets at the link layer, so it cannot attribute latency to socket buffers or the TCP stack; Kyanos times each kernel stage on the host in real time
  • Kubeshark — Kubernetes API traffic viewer; Kyanos focuses on kernel-level latency root cause analysis
  • bpftrace — general eBPF scripting tool; Kyanos provides a ready-to-use network analysis workflow

FAQ

Q: Does Kyanos decrypt HTTPS traffic? A: Kyanos captures at the network stack level, so it sees encrypted ciphertext. For TLS plaintext capture, use tools like eCapture that hook into SSL libraries.

Q: Can I use it in production? A: Yes, with the usual care. eBPF programs are checked by the kernel verifier before they load (bounded execution, checked memory accesses), so a bug in a probe cannot crash the kernel. The tool itself still runs as root, and its probes execute on every send and receive on the hot path, so overhead grows with traffic volume. Scope captures with the PID, container, or port filters, and measure the overhead on a staging host under realistic load before rolling it out.

Q: What protocols are supported? A: HTTP/1.x, HTTP/2, MySQL, Redis, PostgreSQL, DNS, and Kafka at the time of writing; more are being added by the community, so check the project's README for the current list.

Q: Does it work inside containers? A: Kyanos must run on the host or in a privileged container, since it needs to load eBPF programs into the kernel. In a container it typically also needs the host PID namespace (hostPID in Kubernetes), so that the PIDs it reports and filters on are the host's, and access to the container runtime's socket to map container or pod names to processes. It can then filter and display traffic from specific containers or pods.
