# Kyanos — eBPF Network Analysis and Troubleshooting Tool

> A networking analysis tool using eBPF that visualizes kernel-level packet timing and captures request/response pairs for efficient troubleshooting.

## Quick Use

```bash
# Download latest release
wget https://github.com/hengyoush/kyanos/releases/latest/download/kyanos-linux-amd64.tar.gz
tar xzf kyanos-linux-amd64.tar.gz

# Watch HTTP traffic on port 80
sudo ./kyanos watch http --port 80

# Stat latency distribution for Redis calls
sudo ./kyanos stat redis
```

## Introduction

Kyanos is an eBPF-based networking analysis tool for Linux that captures L7 request/response pairs and visualizes the time packets spend at each stage in the kernel network stack. It makes network troubleshooting more efficient by showing exactly where latency occurs — whether in the application, kernel, or network — without requiring tcpdump, Wireshark, or application-level instrumentation.

## What Kyanos Does

- Captures L7 protocol requests and responses (HTTP, Redis, MySQL, DNS, and more)
- Visualizes per-packet kernel latency breakdown (socket buffer, TCP stack, NIC queue)
- Provides real-time traffic statistics with latency percentiles and throughput
- Filters traffic by PID, container, pod, port, or protocol
- Runs without any application modification or sidecar deployment

## Architecture Overview

Kyanos attaches eBPF kprobes and tracepoints to kernel network functions along the packet path. It timestamps packets at multiple stages: socket send/receive, TCP processing, and NIC queue. A user-space Go process reads these timestamps from eBPF maps, correlates request/response pairs using connection tracking, and computes latency breakdowns. The result is a timeline view showing where each millisecond is spent.

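The user-space correlation step described above, as an added Go example (not Kyanos code): the `Event` record, the stage names and the connection key are assumptions made for illustration. It orders per-stage timestamps by connection and time, then turns each complete request/response round trip into a per-stage latency breakdown, skipping round trips that are missing a stage.

```go
package main

import (
	"fmt"
	"sort"
)

// Assumed stage names, in path order for one request/response round trip.
var stages = []string{"sock_write", "tcp_out", "nic_tx", "nic_rx", "tcp_in", "sock_read"}
// Event is a hypothetical per-stage timestamp record, as read from an eBPF map.
type Event struct {
	Conn, Stage string // Conn is the 4-tuple used as the correlation key
	TsNs        uint64 // monotonic kernel time, nanoseconds
}
// Breakdown is the time between consecutive stages of one complete pair.
type Breakdown struct {
	Conn  string
	Spans map[string]uint64 // "nic_tx->nic_rx" = wire plus remote-side time
	Total uint64
}

// Correlate sorts evs in place by (Conn, TsNs) and emits one Breakdown per complete pair.
func Correlate(evs []Event) []Breakdown {
	sort.Slice(evs, func(i, j int) bool {
		return evs[i].Conn < evs[j].Conn || (evs[i].Conn == evs[j].Conn && evs[i].TsNs < evs[j].TsNs)
	})
	var out []Breakdown
	for i := 0; i+len(stages) <= len(evs); i++ {
		b := Breakdown{Conn: evs[i].Conn, Spans: map[string]uint64{}}
		k := 0
		for ; k < len(stages) && evs[i+k].Conn == b.Conn && evs[i+k].Stage == stages[k]; k++ {
			if k > 0 {
				b.Spans[stages[k-1]+"->"+stages[k]] = evs[i+k].TsNs - evs[i+k-1].TsNs
			}
		}
		if k == len(stages) { // every stage seen in order on one connection
			b.Total = evs[i+k-1].TsNs - evs[i].TsNs
			out = append(out, b)
			i += k - 1 // continue after the consumed pair
		}
	}
	return out
}

func main() {
	c := "10.0.0.1:5000>10.0.0.2:80" // constructed sample, delivered out of order
	fmt.Println(Correlate([]Event{{c, "tcp_out", 1200}, {c, "sock_write", 1000}, {c, "nic_tx", 1500},
		{c, "sock_read", 9400}, {c, "nic_rx", 9000}, {c, "tcp_in", 9300}}))
}
```
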
## Self-Hosting & Configuration

- Single binary with no dependencies — download and run with root privileges
- Requires Linux kernel 4.16+ with BTF support for CO-RE portability
- Use `--pid` to scope capture to a specific process
- Use `--container-id` or `--pod-name` to filter by container or Kubernetes pod
- Output results to the terminal in table, JSON, or interactive TUI mode

## Key Features

- Kernel-level latency visualization: see time spent in socket buffers, TCP stack, and NIC queues
- Protocol-aware capture: parses HTTP, MySQL, Redis, DNS, PostgreSQL, and Kafka at L7
- Container and Kubernetes native: filter by pod name, namespace, or container ID
- Zero instrumentation: no agents, sidecars, or code changes needed
- Interactive TUI: real-time dashboard with sortable columns and drill-down

## Comparison with Similar Tools

- **tcpdump** — captures raw packets but cannot show kernel-internal latency; Kyanos provides per-stage timing
- **Wireshark** — powerful offline analysis but requires packet capture files; Kyanos works in real-time on the host
- **Kubeshark** — Kubernetes API traffic viewer; Kyanos focuses on kernel-level latency root cause analysis
- **bpftrace** — general eBPF scripting tool; Kyanos provides a ready-to-use network analysis workflow

## FAQ

**Q: Does Kyanos decrypt HTTPS traffic?**

A: Kyanos captures at the network stack level, so it sees encrypted ciphertext. For TLS plaintext capture, use tools like eCapture that hook into SSL libraries.

**Q: Can I use it in production?**

A: Yes. eBPF programs run in a sandboxed VM inside the kernel with safety guarantees. The overhead is minimal for typical network analysis tasks.

**Q: What protocols are supported?**

A: HTTP/1.x, HTTP/2, MySQL, Redis, PostgreSQL, DNS, Kafka, and more protocols are being added by the community.

**Q: Does it work inside containers?**

A: Kyanos must run on the host (or in a privileged container) since it needs access to kernel eBPF. It can then filter and display traffic from specific containers or pods.

## Sources

- https://github.com/hengyoush/kyanos
- https://kyanos.io

---

Source: https://tokrepo.com/en/workflows/asset-79d125cc

Author: AI Open Source