Display Filters (KFL2)

Kubeshark Filter Language 2 (KFL2) is the display filter system introduced in V2.00. It uses Common Expression Language (CEL) to provide powerful, flexible filtering of captured network traffic.

Display filters only affect what is shown in the dashboard. They do not impact which traffic is captured. For controlling what traffic is captured, see Capture Filters.

Using Display Filters

Enter your KFL2 filter expression in the filter input box at the top of the dashboard:

KFL2 Filter Input

Building Filters with Click-to-Add

Every element visible in the dashboard has a green + button that can be clicked to automatically add filter expressions. This helps build complex filtering statements without typing.

Click to Add Filter

Clicking the + button next to any value adds the corresponding filter expression (e.g., status_code == 200) to the filter input.

Once a filter is applied, only traffic matching the filter statement flows from the distributed Workers to the Hub to the Dashboard, reducing noise and focusing on relevant traffic.

Quick Examples

# HTTP GET requests with errors
http && method == "GET" && status_code >= 400

# Traffic to a specific namespace
dst.pod.namespace == "production"

# DNS queries for specific domains
dns && "google.com" in dns_questions

# Large HTTP responses
http && response_body_size > 10000

Supported Variables

Network-Level Variables

VariableTypeDescriptionExample
src.ipstringSource IP address"192.168.1.1"
dst.ipstringDestination IP address"10.0.0.1"
src.portintSource port number8080
dst.portintDestination port number80
protocolstringDetected protocol type"HTTP", "DNS", "TCP"

Kubernetes Variables

VariableTypeDescriptionExample
src.pod.namestringSource pod name"web-server-123"
dst.pod.namestringDestination pod name"database-456"
src.pod.namespacestringSource pod namespace"production"
dst.pod.namespacestringDestination pod namespace"default"
src.service.namestringSource service name"web-service"
dst.service.namestringDestination service name"db-service"
src.service.namespacestringSource service namespace"production"
dst.service.namespacestringDestination service namespace"default"
namespaceslistAll namespaces involved["production", "default"]
podslistAll pod names involved["web-server-123", "db-456"]
serviceslistAll service names involved["web-service", "db-service"]
node_namestringNode name"ks-node-001"
node_ipstringNode IP address"10.0.0.12"

Labels and Annotations

VariableTypeDescription
local_labelsmapK8s labels of the local peer
local_annotationsmapK8s annotations of the local peer
remote_labelsmapK8s labels of the remote peer
remote_annotationsmapK8s annotations of the remote peer
local_process_namestringProcess name on the local peer
remote_process_namestringProcess name on the remote peer

Protocol Detection

Use these boolean variables to filter by protocol:

VariableDescription
httpHTTP traffic
dnsDNS traffic
tlsTLS traffic
tcpTCP traffic
udpUDP traffic
wsWebSocket traffic
redisRedis traffic
kafkaKafka traffic
ldapLDAP traffic
amqpAMQP traffic
radiusRADIUS traffic
diameterDiameter traffic
sctpSCTP traffic
icmpICMP traffic

HTTP Variables

VariableTypeDescription
urlstringComplete URL path
methodstringHTTP method (GET, POST, etc.)
status_codeintResponse status code
http_versionstringHTTP version
pathstringURL path component
query_stringmapURL query parameters
request.headersmapRequest headers
response.headersmapResponse headers
request.cookiesmapRequest cookies
response.cookiesmapResponse cookies
request_body_sizeintRequest body size in bytes
response_body_sizeintResponse body size in bytes

DNS Variables

VariableTypeDescription
dns_questionslistDNS question names
dns_answerslistDNS answer names
dns_requestboolIs DNS request
dns_responseboolIs DNS response
dns_question_typeslistDNS record types (A, AAAA, etc.)

TLS Variables

VariableTypeDescription
tls_summarystringTLS handshake summary
tls_infostringTLS connection details
tls_request_sizeintTLS request size in bytes
tls_response_sizeintTLS response size in bytes

Redis Variables

VariableTypeDescription
redis_typestringRedis command verb (GET, SET, etc.)
redis_commandstringFull Redis command line
redis_keystringThe Redis key
redis_request_sizeintRequest size in bytes
redis_response_sizeintResponse size in bytes

Kafka Variables

VariableTypeDescription
kafka_api_keyintKafka API key number
kafka_client_idstringKafka client identifier
kafka_sizeintMessage size
kafka_requestboolIs Kafka request
kafka_responseboolIs Kafka response

Timestamp Variables

VariableTypeDescription
timestamptimestampEvent time (UTC)
elapsed_timeintAge since timestamp in microseconds

Filter Examples

Basic Network Filtering

# Filter by destination port
dst.port == 80

# Filter by IP address prefix
src.ip.startsWith("192.168.")

# Filter by multiple ports
dst.port == 80 || dst.port == 443 || dst.port == 8080

# Port range
dst.port >= 8000 && dst.port <= 9000

Kubernetes Filtering

# Traffic from a specific pod
src.pod.name == "web-server-123"

# Traffic to a specific namespace
dst.pod.namespace == "production"

# Inter-service communication
src.service.name == "api-gateway" && dst.service.name == "user-service"

# Traffic involving production namespace
"production" in namespaces

# Filter by pod labels
local_labels.app == "payments" || remote_labels.app == "payments"

# Filter by process name
local_process_name == "nginx"

HTTP Filtering

# GET requests
http && method == "GET"

# API endpoints
http && url.contains("/api")

# Client errors (4xx)
http && status_code >= 400 && status_code < 500

# Server errors (5xx)
http && status_code >= 500

# Specific header present
http && "authorization" in request.headers

# Header value match
http && request.headers["content-type"] == "application/json"

# URL pattern matching
http && url.matches(".*/api/v[0-9]+/.*")

# Large responses
http && response_body_size > 1000000

DNS Filtering

# DNS requests only
dns && dns_request

# Specific domain queries
dns && "google.com" in dns_questions

# DNS responses with answers
dns && dns_response && size(dns_answers) > 0

Database Filtering

# Redis GET commands
redis && redis_type == "GET"

# Redis key pattern
redis && redis_key.startsWith("session:")

# Large Kafka messages
kafka && kafka_size > 10000

# Large Redis responses
redis && redis_response_size > 8192

Complex Filters

# HTTP API requests from internal network
src.ip.startsWith("192.168.") && http && method == "POST" && url.contains("/api")

# Error conditions across protocols
http && status_code >= 500 || (tcp && tcp_error_type != "")

# Production namespace with HTTP errors
src.pod.namespace == "production" && http && status_code >= 400

# Cross-namespace communication
src.service.namespace != dst.service.namespace

# Time-based filtering
timestamp > timestamp("2024-11-14T22:00:00Z")

# Recent traffic (last 5 minutes)
elapsed_time <= 300000000

CEL Language Reference

KFL2 uses Common Expression Language (CEL) syntax.

Operators

TypeOperators
Comparison==, !=, <, <=, >, >=
Logical&&, `
Arithmetic+, -, *, /, %
Membershipin

String Functions

FunctionDescription
contains(substring)Check if string contains substring
startsWith(prefix)Check if string starts with prefix
endsWith(suffix)Check if string ends with suffix
matches(regex)Match against regular expression
size()Get string length

Collection Functions

FunctionDescription
size(collection)Get collection size
inCheck membership ("value" in list)
[index]Access element by index
[key]Access map value by key

Examples

# String operations
url.contains("/api")
src.ip.startsWith("10.")
url.matches(".*\\.(jpg|png|gif)$")

# Collection operations
"production" in namespaces
size(dns_questions) > 1
request.headers["content-type"]

# Map key checking
"authorization" in request.headers

Performance Tips

  1. Use protocol detection first - More efficient to check http && before checking HTTP-specific fields
  2. Port filtering is fast - dst.port == 80 is very efficient
  3. Prefer startsWith/endsWith over contains for prefix/suffix matching
  4. Empty filters match all - An empty filter string matches all traffic

KFL2 vs Capture Filters

AspectDisplay Filters (KFL2)Capture Filters
PurposeFilter what is displayedFilter what is captured
ImpactDashboard view onlyResource consumption
AppliedAfter captureBefore capture
SyntaxCEL expressionsHelm values / Dashboard settings

For those familiar with Wireshark, KFL2 is analogous to Wireshark’s Display Filters, while Capture Filters are analogous to Wireshark’s BPF filters.