The payload Task

Type

Source

Output

Payload

payload is an ordered, unique packet-payload capture task; it is equivalent to flow reassembly. The payload is captured directly from the kernel's network subsystem, so the captured flows are fully reassembled. Payload capture works for TCP, UDP, and ICMP. The standard network 4-tuple (src/dst addr, src/dst port) is provided, along with information about the emitting process.

Configuration options

payload has the following optional configuration options:

filter

filter accepts a subset of classic BPF syntax to select which payloads are captured. It supports [src|dst] host, [ip|ip6] [src|dst] port and [ip|ip6] [src|dst] portrange. If the flow corresponding to the payload was not captured, the payload will not be published.

For example, to capture payloads where either the source or the destination port is 444:

filter: port 444

skipPayload

Default: false. By default, the payload Task publishes the raw payload as a base64 string. Setting this value to true stops the payload from being published (payload.payload is then omitted from the output).

For example:

skipPayload: true

meta

Default: "". meta allows you to configure exactly which metadata (process, container, and pod info) is published with the payload message. See Configuring the meta Field for more information.

For example:

meta: process.name+pod.min

fullContainer

Default: false. Publish the full container metadata, including labels and annotations. DEPRECATED: use meta instead.

For example:

fullContainer: true

Conditions

payload requires one of the following Conditions to be defined:

process.pid: filter the payloads to collect by process PID.

process.name: filter the payloads to collect by process name.

container.id: filter the payloads to collect by container ID/UID.

container.name: filter the payloads to collect by container name.

container.label: filter the payloads to collect by container label value or key=value.

pod.id: filter the payloads to collect by pod ID/UID.

pod.name: filter the payloads to collect by pod name.

pod.namespace: filter the payloads to collect by pod Kubernetes namespace.

pod.label: filter the payloads to collect by pod label value or key=value.

payload will not produce data without a Condition.

Output

payload (map): Holds the payload output.

payload.ts (uint64): Nanosecond-precision relative timestamp of when the event was produced. It is not an absolute (Epoch) timestamp, but it can still be used for precise comparison between events.

payload.direction (string): Direction of the flow, either RX or TX.

payload.flowID (string): A unique identifier for the flow, generated by hashing the socket value.

payload.length (string): The length of the flow.

payload.payload (string, optional; see the skipPayload configuration option): The raw payload as a base64 string.

payload.net.srcAddr (string): Source IP address.

payload.net.dstAddr (string): Destination IP address.

payload.net.srcPort (uint16): Source port.

payload.net.dstPort (uint16): Destination port.

payload.process (map): Holds the process information.

payload.process.pid (uint32): Process PID.

payload.process.ppid (uint32): Parent process PID.

payload.process.name (string): Process name.

payload.process.cmd (string): Command line string.

payload.process.exe (string): Executable name.

payload.process.ns (string): Namespace in the format {device ID}-{inode number}.

payload.process.startedAt (string): Time the process started.

payload.process.container (map): Container information for the process (if it runs in a container).

payload.process.container.ID (string): ID of the container.

payload.process.container.Name (string): Name of the container.
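As an added example (not code from this documentation or the project), the following Python consumes messages in the output shape listed above: it applies the same either-port test as the filter example, tolerates messages emitted with skipPayload: true, and joins each (flowID, direction) stream in payload.ts order. It assumes the dotted field names correspond to nested maps and that payload.length equals the decoded size of a message's payload; the sample messages are constructed.

```python
import base64
from collections import defaultdict

# Constructed sample messages; reading the page's dotted field names as nested map keys is this example's assumption.
NET = {"srcAddr": "10.0.0.5", "dstAddr": "10.0.0.9", "srcPort": 51000, "dstPort": 444}
PROC = {"pid": 4242, "ppid": 1, "name": "curl", "exe": "curl"}
SAMPLE_EVENTS = [
    {"payload": {"ts": 200, "direction": "TX", "flowID": "f1", "length": "8", "net": NET,
                 "process": PROC, "payload": base64.b64encode(b" world\r\n").decode()}},
    {"payload": {"ts": 100, "direction": "TX", "flowID": "f1", "length": "5", "net": NET,
                 "process": PROC, "payload": base64.b64encode(b"hello").decode()}},
    # RX message emitted with skipPayload: true, so payload.payload is absent
    {"payload": {"ts": 150, "direction": "RX", "flowID": "f1", "length": "3", "net": NET, "process": PROC}},
]

def get_path(event, dotted):
    """Resolve a dotted field name such as 'payload.net.dstPort' against nested maps."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def port_matches(event, port):
    """Same test as the 'port N' filter: either side of the 4-tuple uses the port."""
    return port in (get_path(event, "payload.net.srcPort"), get_path(event, "payload.net.dstPort"))

def decode_payload(event):
    """Raw bytes, or None when the message carries no payload (skipPayload: true)."""
    b64 = get_path(event, "payload.payload")
    if b64 is None:
        return None
    raw = base64.b64decode(b64, validate=True)
    # Assumption: payload.length equals the decoded size of this message's payload.
    if len(raw) != int(get_path(event, "payload.length")):
        raise ValueError("length mismatch in flow %s" % get_path(event, "payload.flowID"))
    return raw

def reassemble(events, port=None):
    """Join payload bytes per (flowID, direction) in ts order; ts is relative, so only compare within one capture."""
    groups = defaultdict(list)
    for ev in (e for e in events if port is None or port_matches(e, port)):
        groups[(get_path(ev, "payload.flowID"), get_path(ev, "payload.direction"))].append(ev)
    streams = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: get_path(e, "payload.ts"))
        chunks = [decode_payload(e) for e in evs]
        streams[key] = None if None in chunks else b"".join(chunks)
    return streams
```

A stream whose messages lack payload.payload is reported as None rather than as an empty byte string, so a consumer can tell "captured with skipPayload" apart from "empty flow".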