Introducing Kyanos: A Lightweight eBPF‑Based Tool for Fast Network Issue Diagnosis
Kyanos is an open‑source command‑line utility that leverages eBPF to provide low‑overhead, kernel‑compatible network tracing and performance analysis for HTTP, MySQL, and Redis traffic, offering simple watch and stat commands that replace slow tcpdump workflows with seconds‑level diagnostics.
Why I Developed Kyanos
Kyanos (GitHub: github.com/hengyoush/kyanos) was created to solve the pain of diagnosing network latency problems when traditional tools like tcpdump are too slow and cumbersome.
Imagine you are on‑call for a backend service and an upstream team complains about request timeouts. Your own monitoring shows normal service latency, but you cannot see kernel‑ or network‑level delays. The back‑and‑forth blame game stalls the investigation.
The opposite situation occurs when you experience downstream timeouts while the remote side reports no issues.
To break this cycle you need a tool that can capture full‑stack latency quickly.
tcpdump capture is accurate but painfully slow: you must install it on production, craft filter expressions, download large pcap files, and manually sift through irrelevant data.
Ask ops to install monitoring. Modern eBPF‑based solutions (e.g., SkyWalking, Pixie, DeepFlow) provide full‑stack observability but often require a recent kernel (5.x), Kubernetes, or generate terabytes of data that need heavy storage.
Thus the question: is there a lightweight, low‑kernel‑version‑compatible tool that can efficiently diagnose network problems?
Kyanos arrives!
What Is Kyanos
Kyanos is an open‑source CLI tool that runs on kernels as low as 3.10 without any additional dependencies; you only need to download the executable from the release page.
What can Kyanos do? It captures request/response data for supported protocols and presents detailed latency breakdowns.
Running a single command such as kyanos stat http ... instantly lists the slowest HTTP requests with their latency details, something that would take minutes with tcpdump.
To view full request/response bodies you can use a similar command, and the output prints the content directly.
Kyanos is easy to install and aligns with typical backend debugging workflows because it works at the application layer (layer 7 protocols), filtering out noisy packets and focusing on valuable information.
The main capabilities are:
Capture requests and responses for HTTP, MySQL, Redis, etc.
Aggregate captured traffic for higher‑level analysis.
Fine‑Grained Inspection – watch
The watch command lets you capture traffic using various filters without needing to know any filter syntax.
Example: to investigate HTTP requests to /foo/bar that exceed 1 second latency in a Spring Cloud service, run:
kyanos watch http --pid {your_pid} --latency 1000 --path /foo/bar
The output includes:
Request/response content (truncated at 1024 bytes).
Total latency from client request to full response.
Kernel and network latency breakdown (socket read time and network transmission time).
System‑call statistics (number of read/write calls and byte counts).
Currently watch supports HTTP, MySQL, and Redis traffic, with more protocols planned.
Global Overview – stat
The stat command complements watch by aggregating metrics across dimensions, allowing you to answer questions such as “which remote IPs have the slowest HTTP calls?”
Example to list the top 10 client‑side HTTP connections with the highest network latency every 5 seconds:
./kyanos stat http --side client -i 5 -m n -l 10 -g conn
Example to find the 10 largest HTTP responses by size:
./kyanos stat http --side client -i 5 -m p -s 10 -g none
Typical workflow:
Select the metric(s) you care about using the --metrics flag (e.g., total time t, payload size p, network time n, etc.).
Choose an aggregation dimension with --group-by or -g (e.g., conn, remote-ip, protocol, none).
Full usage details are available on the GitHub repository.
Using tcpdump can take minutes; Kyanos delivers comparable insights in seconds.
Conclusion
While Kyanos does not aim to replace tcpdump entirely—its protocol support is currently limited and it targets problem‑diagnosis rather than full packet capture—it dramatically speeds up backend developers' troubleshooting workflows.
I have personally used Kyanos to resolve a mysterious Redis client timeout that showed no server‑side errors, pinpointing the issue within 30 minutes.
If you find Kyanos useful, consider starring the project on GitHub.
I am “烈香”, see my Redis troubleshooting column and blog for more details.