redissnoop: A Zero-Overhead Redis Traffic Profiler via eBPF
redissnoop uses eBPF to watch Redis commands at the kernel level, no MONITOR or proxy needed, reading TLS traffic before encryption while adding zero load to the server.
redissnoop is a zero-configuration eBPF profiler that shows exactly what commands are hitting a Redis server, live. Without touching the application or the Redis server itself, it attaches a kprobe to the kernel's tcp_sendmsg function and a uprobe to SSL_write inside the TLS library, letting it read both plaintext RESP traffic and encrypted traffic before it's encrypted. Unlike Redis's built-in MONITOR command, this approach adds no load to the server.
The tool presents three views: a Report tab that ranks the most important findings first, a Key Patterns tab that groups traffic by key shape (like user:*), and a Command Mix tab that groups by command and flags dangerous 'footgun' operations such as KEYS or FLUSHALL. A live status bar tracks the split between encrypted and plaintext commands as proof both capture paths are active simultaneously.
There are notable limits: only TCP connections are visible, not Unix sockets, and encrypted capture only works with dynamically linked OpenSSL, so statically linked TLS implementations (some Go builds using BoringSSL, for instance) remain invisible. It's also a traffic profiler rather than a latency profiler, and it reads command names and keys, not stored values.
For backend engineers chasing Redis slowdowns or SREs auditing shared caches in production, this offers a lightweight, non-intrusive way to see real traffic patterns, including previously opaque encrypted connections, without deploying a proxy or modifying any client code.