Tracing network traffic from Bazel to remote endpoints

Skip to first unread message

Michael Fitzner

May 24, 2024, 3:58:57 PMMay 24
to bazel-discuss

We have some issues with hanging or sometimes very slow BES uploads.

To narrow down the issues we would like to trace the network traffic between Bazel and the remote endpoints for remote caching / remote execution / bes.

The idea is to create a tcpdump trace of the SSL connection and do further analyses with Wireshark and the grpc dissector.
For doing the TLS decryption we would need a key log file from Bazel.
Up to now I haven't found any info about enabling the key log file with Bazel and would like to ask if you know any option for doing it.

Best regards,

Brian Silverman

May 24, 2024, 4:40:43 PMMay 24
to Michael Fitzner, bazel-discuss

Another option is to establish the TLS connection outside of Bazel, and then use non-TLS GRPC (probably on localhost) from Bazel. I've never tried them, but ghostunnel or stunnel look like they have a "client mode" which does this. If I was debugging this kind of problem, I'd do that because it requires less fiddling with the Bazel server process.

If you want to go the key file route, that wireshark wiki page lists two projects that work with Java programs. The Bazel server is a Java process, so using those might work. You can add the flags using "--host_jvm_args=-javaagent:<...>" in the Bazel startup options (startup section in bazelrc or between "bazel" and "build" on the command line), although Bazel may not obey assumptions those tools make about the process environment and break them.


You received this message because you are subscribed to the Google Groups "bazel-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To view this discussion on the web visit
Reply all
Reply to author
0 new messages