TalosDump is a Wireshark extcap plugin that enables packet capture from Talos Linux nodes directly within Wireshark. It provides seamless integration with Wireshark's interface, allowing you to capture and analyze network traffic from remote Talos Linux machines as easily as capturing from local interfaces.
- Direct packet capture from Talos Linux nodes through Wireshark
- Support for multiple network interfaces across cluster nodes
- BPF (Berkeley Packet Filter) support for capture filtering
- Real-time packet streaming to Wireshark
- Automatic enumeration of available interfaces across all cluster members
- Wireshark installed on your local machine
- Access to a Talos Linux cluster with a valid talosconfig file
- Network connectivity to your Talos nodes
- Clone the repository:

```shell
git clone https://github.com/lion7/talosdump.git
cd talosdump
```

- Build and install:

```shell
make install
```

This will compile the binary and install it to `~/.local/lib/wireshark/extcap/talosdump`.
- Download the latest release from GitHub Releases
- Make the binary executable:

```shell
chmod +x talosdump-linux-amd64
```

- Move it to Wireshark's extcap directory:

```shell
mkdir -p ~/.local/lib/wireshark/extcap
mv talosdump-linux-amd64 ~/.local/lib/wireshark/extcap/talosdump
```

TalosDump uses your Talos configuration file (talosconfig) to connect to nodes. Ensure you have a valid talosconfig in one of these locations:
- `~/.talos/config`
- Or the path set in the `TALOSCONFIG` environment variable
Note: your talosconfig must have at least one node configured. TalosDump uses the configured nodes to enumerate the cluster members and their interfaces, so a talosconfig with endpoints but no nodes will produce no capture interfaces.
- Launch Wireshark
- In the capture interface list, TalosDump interfaces are listed as `linkname@hostname` (e.g. `eth0@node1`)
- Select the interface you want to capture from
- Start capturing as you would with any other interface
TalosDump supports BPF filters using Wireshark's capture filter syntax.
Important: the captured packets are streamed back to Wireshark over the Talos API, so if that traffic crosses the interface you are capturing, a broad capture filter will capture the capture stream itself. Either use a filter specific to the traffic you need, or explicitly exclude the Talos API port (50000 by default) by adding `not port 50000` to your filter expression, for example `tcp port 443 and not port 50000`. If your cluster exposes the Talos API on a different port, exclude that port instead.
If you're using Wireshark installed via Flatpak, you need to enable network access for TalosDump to communicate with your Talos nodes.
- Install Flatseal (if not already installed)
- Open Flatseal and select Wireshark
- Enable the "Network" permission (listed under Shares, the same permission the `--share=network` flag grants)
Alternatively, launch Wireshark with network access enabled from the command line:

```shell
flatpak run --share=network org.wireshark.Wireshark
```

- No TalosDump interfaces visible: Ensure the binary is in the correct extcap directory and is executable
- Connection errors: Verify your talosconfig is valid (correct endpoints, nodes and client certificate) and that the Talos API port on your nodes (50000 by default) is reachable from your machine
- No packets captured: Check that the selected interface is active and has traffic
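The installation steps and the troubleshooting items above can be checked from a terminal by driving the extcap binary the way Wireshark does at startup. The following script is an added example and not part of the TalosDump project; it assumes the default extcap directory and binary name from the installation steps, the standard Wireshark extcap arguments (`--extcap-interfaces`, `--extcap-dlts`, `--extcap-interface`) and the extcap interface-list output format (`interface {value=...}{display=...}`). The `safe_filter` helper and the `EXTCAP_DIR`, `TALOSDUMP_BIN`, `TALOS_API_PORT` and `FILTER` variables are this example's own.

```shell
#!/bin/sh
# Added example, not part of the TalosDump project: exercise an installed
# extcap binary the way Wireshark does at startup, so the troubleshooting
# items in the README can be checked from a terminal.
# Assumptions: the default extcap directory and binary name from the README,
# the standard Wireshark extcap arguments (--extcap-interfaces, --extcap-dlts,
# --extcap-interface) and the extcap interface-list output format. A Talos
# cluster must be reachable for the interface list to be non-empty.

EXTCAP_DIR="${EXTCAP_DIR:-$HOME/.local/lib/wireshark/extcap}"
BIN="${TALOSDUMP_BIN:-$EXTCAP_DIR/talosdump}"
TALOS_API_PORT="${TALOS_API_PORT:-50000}"

# check_binary PATH: succeed only if PATH is a regular, executable file,
# the first thing Wireshark requires before it lists extcap interfaces.
check_binary() {
    [ -f "$1" ] && [ -x "$1" ]
}

# list_interfaces PATH: print the interface names (eth0@node1, ...) the
# plugin advertises, one per line; fail if it advertises none.
# extcap prints them as: interface {value=eth0@node1}{display=...}
list_interfaces() {
    "$1" --extcap-interfaces 2>/dev/null \
        | sed -n 's/^interface {value=\([^}]*\)}.*/\1/p' \
        | grep .
}

# check_dlt PATH IFACE: succeed if the plugin reports a link-layer type for
# IFACE, which Wireshark asks for before it can start a capture.
check_dlt() {
    "$1" --extcap-interface "$2" --extcap-dlts 2>/dev/null | grep -q '^dlt '
}

# safe_filter FILTER [PORT]: wrap a capture filter so the Talos API stream
# that carries the capture back to Wireshark is always excluded.
safe_filter() {
    port="${2:-$TALOS_API_PORT}"
    if [ -z "$1" ]; then
        printf 'not port %s\n' "$port"
    else
        printf '(%s) and not port %s\n' "$1" "$port"
    fi
}

main() {
    if ! check_binary "$BIN"; then
        echo "extcap binary missing or not executable: $BIN" >&2
        return 1
    fi
    ifaces=$(list_interfaces "$BIN") || {
        echo "no interfaces advertised: check talosconfig/TALOSCONFIG, that it lists at least one node, and that port $TALOS_API_PORT on the nodes is reachable" >&2
        return 1
    }
    echo "$ifaces" | while read -r iface; do
        if check_dlt "$BIN" "$iface"; then
            echo "ok   $iface"
        else
            echo "FAIL $iface (no link type reported)" >&2
        fi
    done
    echo "suggested capture filter: $(safe_filter "${FILTER:-}")"
}

# Run the check only when invoked as "sh talosdump-check.sh check", so the
# functions above can also be sourced from another script.
if [ "${1:-}" = "check" ]; then
    main
fi
```

Run it as `sh talosdump-check.sh check`. The `--extcap-interfaces` call is the same one Wireshark makes when it builds its interface list, so an empty result here is the terminal-side view of "No TalosDump interfaces visible", and a binary that lists interfaces but reports no link type will not start a capture. `safe_filter` shows the shape of a capture filter that keeps the capture stream out of the capture; set `FILTER` to your own expression to have it wrapped.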
See LICENSE file in the repository for details.
Contributions are welcome! Please feel free to submit issues and pull requests on GitHub.