Traffic tapping

Attention

Tapping can be configured on Listener and transport sockets, providing the ability to interpose on downstream and upstream L4 connections respectively.

To configure traffic tapping, add an transport socket configuration to the listener or cluster. For a plain text socket this might look like:

For a TLS socket, this will be:

Each unique socket instance will generate a trace file prefixed with . E.g. .

For buffered socket taps, Envoy will limit the amount of body data that is tapped to avoid OOM situations. The default limit is 1KiB for both received and transmitted data. This is configurable via the and max_buffered_tx_bytes settings. When a buffered socket tap is truncated, the trace will indicate truncation via the and write_truncated fields as well as the body field.

The tap transport socket supports both buffered and streaming, controlled by the streaming setting. When buffering, messages are emitted. When streaming, a series of SocketStreamedTraceSegment are emitted.

The generated trace file can be converted to , suitable for analysis with tools such as Wireshark with the utility, e.g.: