skills/kfl/references/kfl2-reference.md

KFL2 Complete Variable and Field Reference

This is the exhaustive reference for every variable available in KFL2 filters. KFL2 is built on Google's CEL (Common Expression Language) and evaluates against Kubeshark's protobuf-based BaseEntry structure.

Most Commonly Used Variables

These are the variables you'll reach for in 90% of investigations:

| Variable | Type | What it's for |
|---|---|---|
| status_code | int | HTTP response status (200, 404, 500) |
| method | string | HTTP method (GET, POST, PUT, DELETE) |
| path | string | URL path without query string |
| dst.pod.namespace | string | Where traffic is going (namespace) |
| dst.service.name | string | Where traffic is going (service) |
| src.pod.name | string | Where traffic comes from (pod) |
| elapsed_time | int | Request duration in microseconds |
| dns_questions | []string | DNS domains being queried |
| namespaces | []string | All namespaces involved (src + dst) |

Network-Level Variables

| Variable | Type | Description | Example |
|---|---|---|---|
| src.ip | string | Source IP address | "10.0.53.101" |
| dst.ip | string | Destination IP address | "192.168.1.1" |
| src.port | int | Source port number | 43210 |
| dst.port | int | Destination port number | 8080 |
| protocol | string | Detected protocol type | "HTTP", "DNS" |

Identity and Metadata Variables

| Variable | Type | Description |
|---|---|---|
| id | int | BaseEntry unique identifier (assigned by sniffer) |
| node_id | string | Node identifier (assigned by hub) |
| index | int | Entry index for stream uniqueness |
| stream | string | Stream identifier (hex string) |
| timestamp | timestamp | Event time (UTC), use with timestamp() function |
| elapsed_time | int | Age since timestamp in microseconds |
| worker | string | Worker identifier |

Cross-Reference Variables

| Variable | Type | Description |
|---|---|---|
| conn_id | int | L7 to L4 connection cross-reference ID |
| flow_id | int | L7 to L4 flow cross-reference ID |
| has_pcap | bool | Whether PCAP data is available for this entry |

Capture Source Variables

| Variable | Type | Description | Values |
|---|---|---|---|
| capture_source | string | Canonical capture source | "unspecified", "af_packet", "ebpf", "ebpf_tls" |
| capture_backend | string | Backend family | "af_packet", "ebpf" |
| capture_source_code | int | Numeric enum | 0=unspecified, 1=af_packet, 2=ebpf, 3=ebpf_tls |
| capture | map | Nested map access | capture["source"], capture["backend"] |

Protocol Detection Flags

Boolean variables indicating the detected protocol. Put the flag first in a filter so that entries of other protocols short-circuit out before any further terms are evaluated.

| Variable | Protocol | Variable | Protocol |
|---|---|---|---|
| http | HTTP/1.1, HTTP/2 | redis | Redis |
| dns | DNS | kafka | Kafka |
| tls | TLS/SSL handshake | amqp | AMQP messaging |
| tcp | TCP transport | ldap | LDAP directory |
| udp | UDP transport | ws | WebSocket |
| sctp | SCTP streaming | gql | GraphQL (v1 or v2) |
| icmp | ICMP | gqlv1 | GraphQL v1 only |
| radius | RADIUS auth | gqlv2 | GraphQL v2 only |
| diameter | Diameter | conn | L4 connection tracking |
| flow | L4 flow tracking | tcp_conn | TCP connection tracking |
| tcp_flow | TCP flow tracking | udp_conn | UDP connection tracking |
| udp_flow | UDP flow tracking | | |

HTTP Variables

| Variable | Type | Description | Example |
|---|---|---|---|
| method | string | HTTP method | "GET", "POST", "PUT", "DELETE", "PATCH" |
| url | string | Full URL path and query string | "/api/users?id=123" |
| path | string | URL path component (no query) | "/api/users" |
| status_code | int | HTTP response status code | 200, 404, 500 |
| http_version | string | HTTP protocol version | "HTTP/1.1", "HTTP/2" |
| query_string | map[string]string | Parsed URL query parameters | query_string["id"] == "123" |
| request.headers | map[string]string | Request HTTP headers | request.headers["content-type"] |
| response.headers | map[string]string | Response HTTP headers | response.headers["server"] |
| request.cookies | map[string]string | Request cookies | request.cookies["session"] |
| response.cookies | map[string]string | Response cookies | response.cookies["token"] |
| request_headers_size | int | Request headers size in bytes | |
| request_body_size | int | Request body size in bytes | |
| response_headers_size | int | Response headers size in bytes | |
| response_body_size | int | Response body size in bytes | |

GraphQL requests have gql (or gqlv1/gqlv2) set to true and all HTTP variables available.

Example: http && method == "POST" && status_code >= 500 && path.contains("/api")

DNS Variables

| Variable | Type | Description | Example |
|---|---|---|---|
| dns_questions | []string | Question domain names (request + response) | ["example.com"] |
| dns_answers | []string | Answer domain names | ["1.2.3.4"] |
| dns_question_types | []string | Record types in questions | ["A"], ["AAAA"], ["CNAME"] |
| dns_request | bool | Is DNS request message | |
| dns_response | bool | Is DNS response message | |
| dns_request_length | int | DNS request size in bytes (0 if absent) | |
| dns_response_length | int | DNS response size in bytes (0 if absent) | |
| dns_total_size | int | Sum of request + response sizes | |

Supported question types: A, AAAA, NS, CNAME, SOA, MX, TXT, SRV, PTR, ANY.

Example: dns && dns_response && status_code != 0 (failed DNS lookups)

TLS Variables

| Variable | Type | Description | Example |
|---|---|---|---|
| tls | bool | TLS payload detected | |
| tls_summary | string | TLS handshake summary | "ClientHello", "ServerHello" |
| tls_info | string | TLS connection details | "TLS 1.3, AES-256-GCM" |
| tls_request_size | int | TLS request size in bytes | |
| tls_response_size | int | TLS response size in bytes | |
| tls_total_size | int | Sum of request + response (computed if not provided) | |

TCP Variables

| Variable | Type | Description |
|---|---|---|
| tcp | bool | TCP payload detected |
| tcp_method | string | TCP method information |
| tcp_payload | bytes | Raw TCP payload data |
| tcp_error_type | string | TCP error type (empty if none) |
| tcp_error_message | string | TCP error message (empty if none) |

UDP Variables

| Variable | Type | Description |
|---|---|---|
| udp | bool | UDP payload detected |
| udp_length | int | UDP packet length |
| udp_checksum | int | UDP checksum value |
| udp_payload | bytes | Raw UDP payload data |

SCTP Variables

| Variable | Type | Description |
|---|---|---|
| sctp | bool | SCTP payload detected |
| sctp_checksum | int | SCTP checksum value |
| sctp_chunk_type | string | SCTP chunk type |
| sctp_length | int | SCTP chunk length |

ICMP Variables

| Variable | Type | Description |
|---|---|---|
| icmp | bool | ICMP payload detected |
| icmp_type | string | ICMP type code |
| icmp_version | int | ICMP version (4 or 6) |
| icmp_length | int | ICMP message length |

WebSocket Variables

| Variable | Type | Description | Values |
|---|---|---|---|
| ws | bool | WebSocket payload detected | |
| ws_opcode | string | WebSocket operation code | "text", "binary", "close", "ping", "pong" |
| ws_request | bool | Is WebSocket request | |
| ws_response | bool | Is WebSocket response | |
| ws_request_payload_data | string | Request payload (safely truncated) | |
| ws_request_payload_length | int | Request payload length in bytes | |
| ws_response_payload_length | int | Response payload length in bytes | |

Redis Variables

| Variable | Type | Description | Example |
|---|---|---|---|
| redis | bool | Redis payload detected | |
| redis_type | string | Redis command verb | "GET", "SET", "DEL", "HGET" |
| redis_command | string | Full Redis command line | "GET session:1234" |
| redis_key | string | Key (truncated to 64 bytes) | "session:1234" |
| redis_request_size | int | Request size (0 if absent) | |
| redis_response_size | int | Response size (0 if absent) | |
| redis_total_size | int | Sum of request + response | |

Example: redis && redis_type == "GET" && redis_key.startsWith("session:")

Kafka Variables

| Variable | Type | Description | Example |
|---|---|---|---|
| kafka | bool | Kafka payload detected | |
| kafka_api_key | int | Kafka API key number | 0=FETCH, 1=PRODUCE |
| kafka_api_key_name | string | Human-readable API operation | "PRODUCE", "FETCH" |
| kafka_client_id | string | Kafka client identifier | "payment-processor" |
| kafka_size | int | Message size (request preferred, else response) | |
| kafka_request | bool | Is Kafka request | |
| kafka_response | bool | Is Kafka response | |
| kafka_request_summary | string | Request summary/topic | "orders-topic" |
| kafka_request_size | int | Request size (0 if absent) | |
| kafka_response_size | int | Response size (0 if absent) | |

Example: kafka && kafka_api_key_name == "PRODUCE" && kafka_request_summary.contains("orders")

AMQP Variables

| Variable | Type | Description | Example |
|---|---|---|---|
| amqp | bool | AMQP payload detected | |
| amqp_method | string | AMQP method name | "basic.publish", "channel.open" |
| amqp_summary | string | Operation summary | |
| amqp_request | bool | Is AMQP request | |
| amqp_response | bool | Is AMQP response | |
| amqp_request_length | int | Request length (0 if absent) | |
| amqp_response_length | int | Response length (0 if absent) | |
| amqp_total_size | int | Sum of request + response | |

LDAP Variables

| Variable | Type | Description |
|---|---|---|
| ldap | bool | LDAP payload detected |
| ldap_type | string | LDAP operation type (request preferred) |
| ldap_summary | string | Operation summary |
| ldap_request | bool | Is LDAP request |
| ldap_response | bool | Is LDAP response |
| ldap_request_length | int | Request length (0 if absent) |
| ldap_response_length | int | Response length (0 if absent) |
| ldap_total_size | int | Sum of request + response |

RADIUS Variables

| Variable | Type | Description | Example |
|---|---|---|---|
| radius | bool | RADIUS payload detected | |
| radius_code | int | RADIUS code (request preferred) | |
| radius_code_name | string | Code name | "Access-Request" |
| radius_request | bool | Is RADIUS request | |
| radius_response | bool | Is RADIUS response | |
| radius_request_authenticator | string | Request authenticator (hex) | |
| radius_request_length | int | Request size (0 if absent) | |
| radius_response_length | int | Response size (0 if absent) | |
| radius_total_size | int | Sum of request + response | |

Diameter Variables

| Variable | Type | Description |
|---|---|---|
| diameter | bool | Diameter payload detected |
| diameter_method | string | Method name (request preferred) |
| diameter_summary | string | Operation summary |
| diameter_request | bool | Is Diameter request |
| diameter_response | bool | Is Diameter response |
| diameter_request_length | int | Request size (0 if absent) |
| diameter_response_length | int | Response size (0 if absent) |
| diameter_total_size | int | Sum of request + response |

L4 Connection Tracking Variables

| Variable | Type | Description | Example |
|---|---|---|---|
| conn | bool | Connection tracking entry | |
| conn_state | string | Connection state | "open", "in_progress", "closed" |
| conn_local_pkts | int | Packets from local peer | |
| conn_local_bytes | int | Bytes from local peer | |
| conn_remote_pkts | int | Packets from remote peer | |
| conn_remote_bytes | int | Bytes from remote peer | |
| conn_l7_detected | []string | L7 protocols detected on connection | ["HTTP", "TLS"] |
| conn_group_id | int | Connection group identifier | |

Example: conn && conn_state == "open" && conn_local_bytes > 1000000 (high-volume open connections)

L4 Flow Tracking Variables

Flows extend connections with rate metrics (packets/bytes per second).

| Variable | Type | Description |
|---|---|---|
| flow | bool | Flow tracking entry |
| flow_state | string | Flow state ("open", "in_progress", "closed") |
| flow_local_pkts | int | Packets from local peer |
| flow_local_bytes | int | Bytes from local peer |
| flow_remote_pkts | int | Packets from remote peer |
| flow_remote_bytes | int | Bytes from remote peer |
| flow_local_pps | int | Local packets per second |
| flow_local_bps | int | Local bytes per second |
| flow_remote_pps | int | Remote packets per second |
| flow_remote_bps | int | Remote bytes per second |
| flow_l7_detected | []string | L7 protocols detected on flow |
| flow_group_id | int | Flow group identifier |

Example: tcp_flow && flow_local_bps > 5000000 (high-bandwidth TCP flows)
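The filters below are added here as worked illustrations and are not taken from Kubeshark's own documentation. They combine the HTTP, DNS, TLS, Redis, Kafka and L4 variables from the sections above into the kind of compound expressions used during triage, and rely on the default values described later on this page (an unresolved string field is `""`, an empty list has `size()` 0). The namespace, pod-prefix, client-id, key-prefix and cluster-domain values ("production", "checkout-", "payment-processor", "session:", ".cluster.local") are constructed placeholders; `exists` and `size()` are standard CEL, which KFL2 supports in full.

```cel
// HTTP: server errors on API paths in production. The protocol flag goes
// first so that non-HTTP entries short-circuit out before the string tests.
http && status_code >= 500 && path.startsWith("/api/") && "production" in namespaces

// HTTP: cleartext requests from production whose destination resolved to
// neither a pod nor a service. Both fields take the string default "" when
// resolution fails, so this isolates traffic leaving the cluster.
http && src.pod.namespace == "production" && dst.pod.name == "" && dst.service.name == ""

// DNS: queries for names outside the cluster domain (".cluster.local" is an
// assumed suffix; adjust to the cluster's actual domain), ignoring the
// cluster DNS namespace itself.
dns && dns_request && !("kube-system" in namespaces)
    && dns_questions.exists(q, !q.endsWith(".cluster.local"))

// DNS: responses that returned no answer records at all.
dns && dns_response && size(dns_answers) == 0

// TLS: ClientHello handshakes toward an unresolved peer.
tls && tls_summary == "ClientHello" && dst.pod.name == "" && dst.service.name == ""

// Redis: writes or deletes of session keys by pods outside the checkout workload.
redis && redis_type in ["SET", "DEL"] && redis_key.startsWith("session:")
    && !src.pod.name.startsWith("checkout-")

// Kafka: produce requests for the orders topic from an unexpected client id.
kafka && kafka_request && kafka_api_key_name == "PRODUCE"
    && kafka_request_summary.contains("orders") && kafka_client_id != "payment-processor"

// L4: open connections with more than 1 MB sent by the local peer on which
// no L7 protocol was identified.
conn && conn_state == "open" && conn_local_bytes > 1000000 && size(conn_l7_detected) == 0

// L4: TCP flows above 5 MB/s toward a destination that is not a known pod or service.
tcp_flow && flow_local_bps > 5000000 && dst.pod.name == "" && dst.service.name == ""
```

Each line is a complete filter on its own; they are listed together only for comparison. Every one starts with a protocol or tracking flag, so the remaining terms are only evaluated for entries of that kind.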

Kubernetes Variables

Pod and Service (Directional)

| Variable | Type | Description |
|---|---|---|
| src.pod.name | string | Source pod name |
| src.pod.namespace | string | Source pod namespace |
| dst.pod.name | string | Destination pod name |
| dst.pod.namespace | string | Destination pod namespace |
| src.service.name | string | Source service name |
| src.service.namespace | string | Source service namespace |
| dst.service.name | string | Destination service name |
| dst.service.namespace | string | Destination service namespace |

Fallback behavior: Pod namespace/name fields automatically fall back to service data when pod info is unavailable. This means dst.pod.namespace works even when only service-level resolution exists.

Example: src.service.name == "api-gateway" && dst.pod.namespace == "production"

Aggregate Collections (Non-Directional)

| Variable | Type | Description |
|---|---|---|
| namespaces | []string | All namespaces (src + dst, pod + service) |
| pods | []string | All pod names (src + dst) |
| services | []string | All service names (src + dst) |

Labels and Annotations

| Variable | Type | Description |
|---|---|---|
| local_labels | map[string]string | Kubernetes labels of local peer |
| local_annotations | map[string]string | Kubernetes annotations of local peer |
| remote_labels | map[string]string | Kubernetes labels of remote peer |
| remote_annotations | map[string]string | Kubernetes annotations of remote peer |

Use map_get(local_labels, "key", "default") for safe access that won't error on missing keys.

Example: map_get(local_labels, "app", "") == "checkout" && "production" in namespaces

Node Information

| Variable | Type | Description |
|---|---|---|
| node | map | Nested: node["name"], node["ip"] |
| node_name | string | Node name (flat alias) |
| node_ip | string | Node IP (flat alias) |
| local_node_name | string | Node name of local peer |
| remote_node_name | string | Node name of remote peer |

Process Information

| Variable | Type | Description |
|---|---|---|
| local_process_name | string | Process name on local peer |
| remote_process_name | string | Process name on remote peer |

DNS Resolution

| Variable | Type | Description |
|---|---|---|
| src.dns | string | DNS resolution of source IP |
| dst.dns | string | DNS resolution of destination IP |
| dns_resolutions | []string | All DNS resolutions (deduplicated) |

Resolution Status

| Variable | Type | Values |
|---|---|---|
| local_resolution_status | string | "" (resolved), "no_node_mapping", "rpc_error", "rpc_empty", "cache_miss", "queue_full" |
| remote_resolution_status | string | Same as above |
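The following filters are added here to illustrate the Kubernetes identity, label, node, process and resolution-status variables from the sections above; they are not taken from Kubeshark's own documentation. Namespace, service, label and process-name values ("production", "staging", "api-gateway", "checkout", "payments", "curl") are constructed placeholders.

```cel
// Cross-namespace traffic into production from anything other than the gateway.
// Pod fields fall back to service data, so dst.pod.namespace is populated even
// when only service-level resolution exists.
dst.pod.namespace == "production" && src.pod.namespace != "production"
    && src.service.name != "api-gateway"

// Label-based selection on both peers. map_get returns the supplied default
// ("") instead of raising an error when the label is absent.
map_get(local_labels, "app", "") == "checkout" && map_get(remote_labels, "app", "") != "payments"

// The same local-peer check written with the in operator as the guard.
("app" in local_labels) && local_labels["app"] == "checkout"

// Traffic touching either of two namespaces, regardless of direction.
"staging" in namespaces || "production" in namespaces

// Entries whose peer identity could not be resolved because of a cache miss,
// so they can be reviewed separately from genuinely external traffic.
local_resolution_status == "cache_miss" || remote_resolution_status == "cache_miss"

// Process-level view: a given process on the local peer talking to a peer on
// a different node (remote_node_name is "" when the remote node is unknown).
local_process_name == "curl" && remote_node_name != "" && local_node_name != remote_node_name
```

Each line is an independent filter. Because the aggregate collections (`namespaces`, `pods`, `services`) are non-directional, the `in` checks above match the entry whether the named namespace is the source or the destination.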

Default Values

When a variable is not present in an entry, KFL2 uses these defaults:

| Type | Default |
|---|---|
| string | "" |
| int | 0 |
| bool | false |
| list | [] |
| map | {} |
| bytes | [] |

Protocol Variable Precedence

For protocols with request/response pairs (Kafka, RADIUS, Diameter), merged fields prefer the request side. If no request exists, the response value is used. Size totals are always computed as request_size + response_size.

CEL Language Features

KFL2 supports the full CEL specification:

  • Short-circuit evaluation: && stops on first false, || stops on first true
  • Ternary: condition ? value_if_true : value_if_false
  • Regex: str.matches("pattern") uses RE2 syntax
  • Type coercion: Timestamps require timestamp(), durations require duration()
  • Null safety: Use in operator or map_get() before accessing map keys
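To show each of the language features listed above in a filter, here is an added set of examples; they are not taken from Kubeshark's documentation. The header names, path pattern, size threshold and the timestamp literal "2024-06-01T00:00:00Z" are constructed for illustration.

```cel
// Short-circuit: the protocol flag comes first, so the header and path tests
// never run for entries that are not HTTP.
http && map_get(request.headers, "host", "").endsWith(".internal") && path.contains("/admin")

// Ternary: compare whichever length the entry actually carries. Request
// fields are 0 when absent, so the response length is used for response-only entries.
amqp && (amqp_request ? amqp_request_length : amqp_response_length) > 65536

// Regex in RE2 syntax: versioned API paths ending in a numeric resource id.
http && path.matches("^/api/v[0-9]+/users/[0-9]+$")

// Type coercion: the timestamp variable is compared with a timestamp() value,
// never with a bare string. elapsed_time is an int in microseconds, so 5 s is 5000000.
timestamp > timestamp("2024-06-01T00:00:00Z") && elapsed_time > 5000000

// Null safety: guard map lookups with the in operator or map_get. An
// unguarded request.headers["x-request-id"] on an entry without that header is an error.
http && ("x-request-id" in request.headers) && request.headers["x-request-id"].startsWith("trace-")

// The same guard with map_get, here selecting responses that set no Server header.
http && map_get(response.headers, "server", "") == ""
```

Each line is a complete filter. Combining the first point with the last is the usual pattern: a protocol flag in front, and every map access behind an `in` check or `map_get()`.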

For the full CEL specification, see the CEL Language Definition.