Wireshark/Tshark isn't reading output correctly #100

Closed
Xartos opened this issue Feb 15, 2021 · 10 comments

Xartos commented Feb 15, 2021

What's the issue

When I try to sniff traffic with wireshark or tshark I get an error pcap: network type 276 unknown or unsupported or I just get

How to reproduce

$ kubectl sniff my-pod -c my-container -p -n my-namespace -o - | tshark -r -
INFO[0000] sniffing method: privileged pod
INFO[0000] sniffing on pod: 'my-pod' [namespace: 'my-namespace', container: 'my-container', filter: '', interface: 'any']
INFO[0000] creating privileged pod on node: 'my-node'
INFO[0000] pod created: &Pod{ObjectMeta:{ksniff-qxsxk ksniff- my-namespace /api/v1/namespaces/my-namespace/pods/ksniff-qxsxk 485504a2-a9be-4328-8f86-424a2b41c2e1 56758253 0 2021-02-15 15:58:08 +0100 CET <nil> <nil> map[app:ksniff] map[] [] []  []},Spec:PodSpec{Volumes:[]Volume{Volume{Name:host,VolumeSource:VolumeSource{HostPath:&HostPathVolumeSource{Path:/,Type:*Directory,},EmptyDir:nil,GCEPersistentDisk:nil,AWSElasticBlockStore:nil,GitRepo:nil,Secret:nil,NFS:nil,ISCSI:nil,Glusterfs:nil,PersistentVolumeClaim:nil,RBD:nil,FlexVolume:nil,Cinder:nil,CephFS:nil,Flocker:nil,DownwardAPI:nil,FC:nil,AzureFile:nil,ConfigMap:nil,VsphereVolume:nil,Quobyte:nil,AzureDisk:nil,PhotonPersistentDisk:nil,PortworxVolume:nil,ScaleIO:nil,Projected:nil,StorageOS:nil,CSI:nil,},},Volume{Name:container-socket,VolumeSource:VolumeSource{HostPath:&HostPathVolumeSource{Path:/var/run/docker.sock,Type:*Socket,},EmptyDir:nil,GCEPersistentDisk:nil,AWSElasticBlockStore:nil,GitRepo:nil,Secret:nil,NFS:nil,ISCSI:nil,Glusterfs:nil,PersistentVolumeClaim:nil,RBD:nil,FlexVolume:nil,Cinder:nil,CephFS:nil,Flocker:nil,DownwardAPI:nil,FC:nil,AzureFile:nil,ConfigMap:nil,VsphereVolume:nil,Quobyte:nil,AzureDisk:nil,PhotonPersistentDisk:nil,PortworxVolume:nil,ScaleIO:nil,Projected:nil,StorageOS:nil,CSI:nil,},},Volume{Name:default-token-8h6p9,VolumeSource:VolumeSource{HostPath:nil,EmptyDir:nil,GCEPersistentDisk:nil,AWSElasticBlockStore:nil,GitRepo:nil,Secret:&SecretVolumeSource{SecretName:default-token-8h6p9,Items:[]KeyToPath{},DefaultMode:*420,Optional:nil,},NFS:nil,ISCSI:nil,Glusterfs:nil,PersistentVolumeClaim:nil,RBD:nil,FlexVolume:nil,Cinder:nil,CephFS:nil,Flocker:nil,DownwardAPI:nil,FC:nil,AzureFile:nil,ConfigMap:nil,VsphereVolume:nil,Quobyte:nil,AzureDisk:nil,PhotonPersistentDisk:nil,PortworxVolume:nil,ScaleIO:nil,Projected:nil,StorageOS:nil,CSI:nil,},},},Containers:[]Container{Container{Name:ksniff-privileged,Image:docker,Command:[sh -c sleep 
10000000],Args:[],WorkingDir:,Ports:[]ContainerPort{},Env:[]EnvVar{},Resources:ResourceRequirements{Limits:ResourceList{},Requests:ResourceList{},},VolumeMounts:[]VolumeMount{VolumeMount{Name:container-socket,ReadOnly:true,MountPath:/var/run/docker.sock,SubPath:,MountPropagation:nil,SubPathExpr:,},VolumeMount{Name:host,ReadOnly:false,MountPath:/host,SubPath:,MountPropagation:nil,SubPathExpr:,},VolumeMount{Name:default-token-8h6p9,ReadOnly:true,MountPath:/var/run/secrets/kubernetes.io/serviceaccount,SubPath:,MountPropagation:nil,SubPathExpr:,},},LivenessProbe:nil,ReadinessProbe:nil,Lifecycle:nil,TerminationMessagePath:/dev/termination-log,ImagePullPolicy:Always,SecurityContext:&SecurityContext{Capabilities:nil,Privileged:*true,SELinuxOptions:nil,RunAsUser:nil,RunAsNonRoot:nil,ReadOnlyRootFilesystem:nil,AllowPrivilegeEscalation:nil,RunAsGroup:nil,ProcMount:nil,WindowsOptions:nil,},Stdin:false,StdinOnce:false,TTY:false,EnvFrom:[]EnvFromSource{},TerminationMessagePolicy:File,VolumeDevices:[]VolumeDevice{},StartupProbe:nil,},},RestartPolicy:Never,TerminationGracePeriodSeconds:*30,ActiveDeadlineSeconds:nil,DNSPolicy:ClusterFirst,NodeSelector:map[string]string{},ServiceAccountName:default,DeprecatedServiceAccount:default,NodeName:my-node,HostNetwork:false,HostPID:true,HostIPC:false,SecurityContext:&PodSecurityContext{SELinuxOptions:nil,RunAsUser:nil,RunAsNonRoot:nil,SupplementalGroups:[],FSGroup:nil,RunAsGroup:nil,Sysctls:[]Sysctl{},WindowsOptions:nil,},ImagePullSecrets:[]LocalObjectReference{},Hostname:,Subdomain:,Affinity:nil,SchedulerName:default-scheduler,InitContainers:[]Container{},AutomountServiceAccountToken:nil,Tolerations:[]Toleration{Toleration{Key:node.kubernetes.io/not-ready,Operator:Exists,Value:,Effect:NoExecute,TolerationSeconds:*300,},Toleration{Key:node.kubernetes.io/unreachable,Operator:Exists,Value:,Effect:NoExecute,TolerationSeconds:*300,},},HostAliases:[]HostAlias{},PriorityClassName:,Priority:*0,DNSConfig:nil,ShareProcessNamespace:nil,ReadinessGates:
[]PodReadinessGate{},RuntimeClassName:nil,EnableServiceLinks:*true,PreemptionPolicy:nil,Overhead:ResourceList{},TopologySpreadConstraints:[]TopologySpreadConstraint{},EphemeralContainers:[]EphemeralContainer{},},Status:PodStatus{Phase:Pending,Conditions:[]PodCondition{},Message:,Reason:,HostIP:,PodIP:,StartTime:<nil>,ContainerStatuses:[]ContainerStatus{},QOSClass:BestEffort,InitContainerStatuses:[]ContainerStatus{},NominatedNodeName:,PodIPs:[]PodIP{},EphemeralContainerStatuses:[]ContainerStatus{},},}
INFO[0000] waiting for pod successful startup
INFO[0008] pod: 'ksniff-qxsxk' created successfully on node: 'my-node'
INFO[0008] output file option specified, storing output in: '-'
INFO[0008] starting remote sniffing using privileged pod
INFO[0008] executing command: '[docker --host unix:https:///var/run/docker.sock run --rm --name=ksniff-container-fQJpKPcY --net=container:b696c45e35a5b9dfe0152685569fb35c6331c2d1e63648ed8987f52211ba0b5f maintained/tcpdump -i any -U -w - ]' on container: 'ksniff-privileged', pod: 'ksniff-qxsxk', namespace: 'my-namespace'
tshark: The standard input contains record data that TShark doesn't support.
(pcap: network type 276 unknown or unsupported)

I get the same error if I save the output to a file and then try to open it with wireshark.

However, if I run ksniff directly into Wireshark I get the traffic, but it's not able to decode it correctly
(Although if you look closely you see that in the raw data there's some HTTP traffic)

$ kubectl sniff my-pod -c my-container -p -n my-namespace

[screenshot: screenshot_2021-02-15-160651]

Version

ksniff is built from current master (f253ce9)

$ wireshark --version
Wireshark 3.2.7 (Git v3.2.7 packaged as 3.2.7-1)

Copyright 1998-2020 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.14.2, with libpcap, with POSIX capabilities (Linux),
with libnl 3, with GLib 2.66.0, with zlib 1.2.11, with SMI 0.4.8, with c-ares
1.16.1, with Lua 5.2.4, with GnuTLS 3.6.15 and PKCS #11 support, with Gcrypt
1.8.5, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.41.0, with
brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.9.10, with
QtMultimedia, without automatic updates, with SpeexDSP (using system library),
with SBC, with SpanDSP, without bcg729.

Running on Linux 5.8.0-43-generic, with Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz
(with SSE4.2), with 15709 MB of physical memory, with locale
LC_CTYPE=en_US.UTF-8, LC_NUMERIC=sv_SE.UTF-8, LC_TIME=sv_SE.UTF-8,
LC_COLLATE=en_US.UTF-8, LC_MONETARY=sv_SE.UTF-8, LC_MESSAGES=en_US.UTF-8,
LC_PAPER=sv_SE.UTF-8, LC_NAME=sv_SE.UTF-8, LC_ADDRESS=sv_SE.UTF-8,
LC_TELEPHONE=sv_SE.UTF-8, LC_MEASUREMENT=sv_SE.UTF-8,
LC_IDENTIFICATION=sv_SE.UTF-8, with libpcap version 1.9.1 (with TPACKET_V3),
with GnuTLS 3.6.15, with Gcrypt 1.8.5, with brotli 1.0.9, with zlib 1.2.11,
binary plugins supported (0 loaded).

Built using gcc 10.2.0.

voyger8472 commented Mar 1, 2021

I have the same problem.
I used the version installed by kubectl krew.

tshark -v
TShark (Wireshark) 2.6.10 (Git v2.6.10 packaged as 2.6.10-1~ubuntu18.04.0)

kubectl version
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.3",

kubectl sniff test-pod  -p -n xxxx -o - | tshark -r -
…
INFO[0013] executing command: '[docker --host unix:https:///host/var/run/docker.sock run --rm --name=ksniff-container-GrVlOwlD --net=container:eae8ba9351443b0e2b535daf9ff9ca211f25ed95dc292303068351385daxxxx maintained/tcpdump -i any -U -w - port 80]' on container: 'ksniff-privileged', pod: 'ksniff-x5wqw', namespace: 'xxxx'
tshark: The standard input contains record data that TShark doesn't support.
(pcap: network type 276 unknown or unsupported)


bostrt commented Mar 1, 2021

hey @voyger8472 and @Xartos, I'll be taking a look at this issue this week to see if I can repro and fix.

@bostrt bostrt self-assigned this Mar 1, 2021
anthony-pastor commented

I get the same behavior on a Google Kubernetes Engine Pod.
PS: This behavior is the same when adding directly a tcpdump sidecar container!


bostrt commented Mar 3, 2021

Errors like network type 276 unknown or unsupported come up when there is a mismatch in support between the tcpdump command used to generate the capture and the tshark/wireshark used to read it. In the issues mentioned above, it looks like rather old versions of tshark and wireshark are being used. However, I do acknowledge you are using LTS Ubuntu (in at least one comment).

For those of you with the option to upgrade tshark/wireshark, that's what I advise for now. I wish I could tell you a specific version, but I'm having difficulty finding an audit trail for when header type 276 support was added to tshark/wireshark. I'm running Wireshark 3.4.z on Fedora 33, for what it's worth.

I'll keep checking to see if there's any options for those stuck on Ubuntu LTS with no more upgrades for Wireshark.


bostrt commented Mar 3, 2021

mismatch in support between the tcpdump command used to generate the capture and the tshark/wireshark used to read it

The container image and binary ksniff uses to generate the packet capture is relatively new hence the mismatch here.
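
The quickest way to confirm this kind of mismatch is to read the link-layer type out of the pcap header yourself instead of trusting the dissector's error message. The script below is an added example for this thread, not code from ksniff, tcpdump or Wireshark: it parses the 24-byte pcap global header, reports the link type, and, for type 276 (LINKTYPE_LINUX_SLL2, the "Linux cooked capture v2" header that libpcap 1.10 and newer write when capturing on the `any` pseudo-interface, which is what the `tcpdump -i any` in the log above does), decodes the 20-byte SLL2 pseudo-header of the first record. The sample capture it builds is constructed inline, and the function names (`describe_capture`, `parse_sll2`, `build_sample_capture`) are mine.

```python
"""Read the link-layer type from a pcap header and decode Linux SLL2 (type 276).

Added example for this thread, not code from ksniff, tcpdump or Wireshark.
Usage: python3 pcap_linktype.py [capture.pcap]   (no argument: inspect a
constructed sample capture of the kind that produced the error above).
"""
import struct
import sys

# pcap magic, read little-endian from the first 4 bytes -> (struct byte order, nanosecond timestamps)
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", False),
    0xD4C3B2A1: (">", False),
    0xA1B23C4D: ("<", True),
    0x4D3CB2A1: (">", True),
}

# Subset of the registered LINKTYPE_ values (tcpdump.org/linktypes).
LINKTYPES = {
    0: "NULL",
    1: "EN10MB",        # plain Ethernet, what a named interface normally yields
    101: "RAW",
    105: "IEEE802_11",
    113: "LINUX_SLL",   # "Linux cooked capture" v1, older tcpdump -i any
    276: "LINUX_SLL2",  # v2, written by libpcap >= 1.10 for -i any; unknown to old Wireshark
}

SLL2_HEADER_LEN = 20


def parse_global_header(data: bytes):
    """Return (byte_order, nanos, snaplen, linktype) from a 24-byte pcap global header."""
    if len(data) < 24:
        raise ValueError("short read: need a 24-byte pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError("not a classic pcap stream (magic 0x%08x); pcapng is not handled here" % magic)
    order, nanos = PCAP_MAGICS[magic]
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    # libpcap keeps FCS metadata in the top bits of this field; mask down to the bare link type as it does.
    return order, nanos, snaplen, linktype & 0x03FFFFFF


def parse_sll2(payload: bytes) -> dict:
    """Decode the 20-byte LINKTYPE_LINUX_SLL2 pseudo-header (multi-byte fields are big-endian)."""
    if len(payload) < SLL2_HEADER_LEN:
        raise ValueError("record too short for an SLL2 header")
    proto, _reserved, ifindex, arphrd, pkt_type, addr_len = struct.unpack("!HHIHBB", payload[:12])
    return {
        "protocol": proto,          # EtherType of the payload, e.g. 0x0800 for IPv4
        "ifindex": ifindex,         # interface the frame was seen on inside the pod's netns
        "arphrd_type": arphrd,      # 1 == ARPHRD_ETHER
        "packet_type": pkt_type,    # 0 to us, 1 broadcast, 2 multicast, 3 other host, 4 outgoing
        "lladdr": payload[12:12 + min(addr_len, 8)].hex(),
        "payload": payload[SLL2_HEADER_LEN:],
    }


def describe_capture(data: bytes) -> dict:
    """Summarise the global header and, if one is present, the first record."""
    order, nanos, snaplen, linktype = parse_global_header(data)
    info = {
        "byte_order": "little" if order == "<" else "big",
        "nanosecond_timestamps": nanos,
        "snaplen": snaplen,
        "linktype": linktype,
        "linktype_name": LINKTYPES.get(linktype, "unknown"),
        "first_packet": None,
    }
    if len(data) >= 40:  # 24-byte global header + 16-byte record header
        _sec, _frac, incl_len, _orig_len = struct.unpack(order + "IIII", data[24:40])
        payload = data[40:40 + incl_len]
        info["first_packet"] = parse_sll2(payload) if linktype == 276 else {"payload": payload}
    return info


def build_sample_capture() -> bytes:
    """Constructed sample (not a real capture): little-endian pcap, linktype 276, one record
    holding an SLL2 header (IPv4, ifindex 2, ARPHRD_ETHER, 6-byte MAC) plus a bare IPv4 header."""
    sll2 = struct.pack("!HHIHBB", 0x0800, 0, 2, 1, 0, 6) + bytes.fromhex("0242ac110002") + b"\x00\x00"
    ipv4 = bytes.fromhex("4500001400010000400600000a0000010a000002")  # checksum left zero on purpose
    record = sll2 + ipv4
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 276)
    record_hdr = struct.pack("<IIII", 1613401088, 0, len(record), len(record))
    return global_hdr + record_hdr + record


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_capture()
    summary = describe_capture(blob)
    print("link type %d (%s), %s-endian, snaplen %d" % (
        summary["linktype"], summary["linktype_name"], summary["byte_order"], summary["snaplen"]))
    if summary["first_packet"]:
        print("first record:", {k: v for k, v in summary["first_packet"].items() if k != "payload"})
    if summary["linktype"] == 276:
        print("LINUX_SLL2: needs a Wireshark/tshark that knows type 276, or capture on a named interface")
```

Save the ksniff output to a file (`-o cap.pcap`, as the log's "output file option" shows) and run the script on it; if it reports type 276, any tshark or Wireshark that does not know LINUX_SLL2 will fail exactly as above, independent of the Ethernet dissector setting. The two ways out are a reader that understands SLL2 (the 3.4.2 build that worked later in this thread) or capturing on a named interface rather than `any`, which makes tcpdump write plain Ethernet frames (type 1) with no cooked header at all.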


bostrt commented Mar 3, 2021

@Xartos would you mind checking whether you have the Ethernet proto enabled or disabled? In Wireshark: Analyze -> Enabled Protocols -> Ethernet checkbox


Xartos commented Mar 3, 2021

@bostrt Yes, the Ethernet proto is enabled.
I guess an option for Ubuntu is to add the wireshark ppa and install a newer version.

EDIT:
I can confirm that adding the wireshark ppa and upgrading fixed the issue.

sudo add-apt-repository ppa:wireshark-dev/stable
sudo apt upgrade

anthony-pastor commented

I confirm upgrading using this repository fixed my issue, thanks!


bostrt commented Mar 4, 2021

Great! Thanks for the updates. As much as I'd like to support stock Ubuntu LTS I'm not sure this is feasible to resolve from ksniff side. I'll go ahead and close this with a mention in the README about your fix @Xartos.

https://github.com/eldadru/ksniff#wireshark-and-tshark-cannot-read-pcap

@bostrt bostrt closed this as completed Mar 4, 2021
voyger8472 commented

@bostrt

The environment in which the error occurred was the following. In this environment, I had only tshark installed.

tshark -v
TShark (Wireshark) 2.6.10 (Git v2.6.10 packaged as 2.6.10-1~ubuntu18.04.0)

When I tried a new installation of Wireshark, the error did not occur anymore.

wireshark -v
Wireshark 3.4.2 (Git v3.4.2 packaged as 3.4.2-1~ubuntu18.04.0+wiresharkdevstable1)

tshark -v
TShark (Wireshark) 3.4.2 (Git v3.4.2 packaged as 3.4.2-1~ubuntu18.04.0+wiresharkdevstable1)

Thank you. @bostrt @Xartos
