Easy way to capture tcpdump in kubernetes

In Kubernetes clusters taking tcpdump capture can be a difficult task as there are multiple operation needed to execute for successfully getting the pcap file. Krew sniff plugin will make the things easy to deploy as it will automate the process of running the tcpdump by loading a statically compiled tcpdump file on Pods and also will save the capture file locally. Following the documentation provided by Krew developers at the official page, https://krew.sigs.k8s.io/ installation consist of running the provided script and adding the file in environment Path.

After the installation of Krew plugin manager we need to install the Sniff plugin.

kubectl krew install sniff

For a complete list of available plugins, please consult with the official documentation at the following address: https://krew.sigs.k8s.io/plugins/

There are multiple ways to run the Sniff plugin:

kubectl sniff “pod-name” -n “namespace” -c “container-name” -i “interface: -f “wireshark filter” -o “output_file_name.pcap”

kubectl sniff -p -o By adding the -p (priviledged) flag will be created a new Pod in namespace

It is also possible to execute a real time traffic capture by using tshark in WSL Environment by using the following command:

kubectl sniff azure-ip-masq-agent-t2bw9 -f “port 80” -o — | tshark -r —

Please follow the official documentation of the Sniff plugin for a complete set of commands