Skip to content
/ ktcpdump Public

A simple wrapper script to run tcpdump nicely on Kubernetes

License

MIT license
7 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

PandaXass/ktcpdump

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits
kube
kube
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
install.sh
install.sh
 
 
ktcpdump
ktcpdump
 
 

Repository files navigation

ktcpdump

A simple wrapper script to run tcpdump nicely on Kubernetes.

This tool will deploy a DaemonSet in the Kubernetes cluster using kubectl and run tcpdump on host network to capture network traffic.

The DaemonSet is based on praqma/network-multitool Docker image.

!! Important Note: Please use this tool in production by CAUTION !!

What's new

The script extends the tcpdump filter expressions by translating them to pcap-filter format.

  1. [namespace/]pod/pod_name
  2. [namespace/]deploy/deployment_name
  3. [namespace/]ds/daemonset_name

Some default behaviors:

  • If namespace is not specified, current namespace will be used.
  • The script runs tcpdump with some options by default, so it will not exhaust the disk space and create unnecessary DNS requests by accident.

Prerequisites

Install from source

Check out the ktcpdump repository. And then, run the provided install.sh command with the location to the prefix in which you want to install ktcpdump. By default, it installs the tool into /usr/local.

git clone https://[email protected]:PandaXass/ktcpdump.git
cd ktcpdump
sudo ./install.sh

Uninstall

# Remove the installed directory
sudo rm -r /usr/local/ktcpdump
# Remove the symlink
rm /usr/local/bin/ktcpdump

Usage examples

Some examples about how to use the tool.

# Show usage information
ktcpdump help
# Create ktcpdump DaemonSet
ktcpdump create
# Show versions (need DeamonSet to be created first)
ktcpdump version
# Capture traffic on all Kubenetes hosts
ktcpdump run
# Capture traffic on Pod and write to the file
ktcpdump run pod <pod_name> -w ktcpdump.pcap
# Capture traffic from the source Pod to the dest Pod with verbose mode
ktcpdump run -v src pod <pod1_name> and dst pod <pod2_name>
# Capture RST and FIN packets between Pod and Deployment in different Namespaces
ktcpdump run <ns1_name>/pod/<pod_name> and <ns2_name>/deploy/<deploy_name> and 'tcp[tcpflags] & (tcp-rst|tcp-fin) != 0'
# Capture all TCP packets on destination Deployment port 8080
./ktcpdump run -v dst <ns_name>/deploy/<deploy_name> and 'tcp port 8080'
# Rerun previous "run" command
ktcpdump rerun
# Show ktcpdump status
ktcpdump status
# Show ktcpdump DaemonSet logs
ktcpdump logs
# Copy ktcpdump.pcap file from DaemonSet Pods to local folder
ktcpdump cp ktcpdump.pcap
# Merge all capture files
mergecap -w outfile.pcap *.pcap
# Delete the DaemonSet
ktcpdump purge

Known Limitations

  • Running this tool could potentially generate a long tcpdump command. And the total size of the command line argument is limited to getconf ARG_MAX.
  • The tool retrieves the pods IPs in the beginning of each run. In Kubenetes, the pods (together with IPs) can be created and terminated dynamically. However those changes will not be reflected in the output. In other words, this tool might miss capturing some network packets due to pod changes.

About

A simple wrapper script to run tcpdump nicely on Kubernetes

Resources

Readme

License

MIT license
Activity

Stars

7 stars

Watchers

4 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages