Packet Capture using tcpdump on Kubernetes Pods in Azure AKS
Assuming the target containers can actually install new software (that is, apt-get is available), what follows is a quick and very dirty method for running tcpdump
on Kubernetes pods in Azure AKS.
If you’re running Kubernetes 1.23 and up, please read this instead:
https://downey.io/blog/kubernetes-ephemeral-debug-container-tcpdump/
Install some needed utilities
Use whatever pod label is required to target the right pods.
kubectl get pods -l <LABEL> -o name | \
xargs -I{} kubectl exec {} -- apt-get -y update
Install tcpdump, screen, psmisc, and rclone
kubectl get pods -l <LABEL> -o name | \
xargs -I{} kubectl exec {} -- \
apt-get -y install tcpdump screen psmisc rclone
Check that tcpdump is installed
kubectl get pods -l <LABEL> -o name | \
xargs -I{} kubectl exec {} -- tcpdump --version
Start tcpdump in a screen session
Replace <FILTER> with whatever tcpdump filter expression you need.
kubectl get pods -l <LABEL> -o name | \
xargs -I{} kubectl exec {} -- \
bash -c "screen -d -m tcpdump -nn <FILTER> -w /\$(hostname).out"
Kill tcpdump sessions
kubectl get pods -l <LABEL> -o name | \
xargs -I{} kubectl exec {} -- killall -9 tcpdump
Copy the capture files off with rclone
Replace <ACCOUNTNAME> and <KEY> with your storage account name and key.
kubectl get pods -l <LABEL> -o name | \
xargs -I{} kubectl exec {} -- rclone --progress copy \
--azureblob-account <ACCOUNTNAME> \
--azureblob-key "<KEY>" \
--include "/*.out" / :azureblob:/
Cleanup
kubectl get pods -l <LABEL> -o name | \
xargs -I{} kubectl exec {} -- bash -c "rm -f /*.out"
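Because the Kill step uses SIGKILL, tcpdump never gets to flush its output buffer, so a capture can end in a partial record; the script below (an added example, not part of the original post) walks the pcap record chain of each downloaded `.out` file and reports how many complete packets survived and how many trailing bytes were cut off, which is worth running before the Cleanup step deletes the originals. It assumes the classic pcap format that `tcpdump -w` writes by default; the two-frame sample capture is constructed inline with placeholder frame bodies.

```python
import struct
import sys

# pcap magic as read little-endian from the first four bytes -> struct byte-order prefix
MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">",   # microsecond timestamps
          0xA1B23C4D: "<", 0x4D3CB2A1: ">"}   # nanosecond timestamps


def check_pcap(data: bytes) -> dict:
    """Walk the record chain of a classic pcap and report complete packets vs. truncated bytes."""
    if len(data) < 24:
        return {"ok": False, "packets": 0, "trailing": len(data), "reason": "short global header"}
    order = MAGICS.get(struct.unpack("<I", data[:4])[0])
    if order is None:
        return {"ok": False, "packets": 0, "trailing": len(data), "reason": "not a pcap file"}
    _, _, _, _, _, snaplen, linktype = struct.unpack(order + "IHHiIII", data[:24])
    off, packets = 24, 0
    while off + 16 <= len(data):
        incl_len = struct.unpack(order + "IIII", data[off:off + 16])[2]
        if incl_len > snaplen or off + 16 + incl_len > len(data):
            break  # length field corrupt, or record payload cut short
        off += 16 + incl_len
        packets += 1
    trailing = len(data) - off
    reason = "complete" if trailing == 0 else "%d trailing bytes (unflushed record)" % trailing
    return {"ok": trailing == 0, "packets": packets, "trailing": trailing,
            "linktype": linktype, "reason": reason}


def build_sample_capture() -> bytes:
    """Constructed two-packet Ethernet capture, little-endian, tcpdump's default snaplen."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    frames = [bytes(60), bytes(42)]  # placeholder frame bodies; only the lengths matter here
    records = b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


if __name__ == "__main__":
    # usage: python check_pcap.py node1.out node2.out ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            result = check_pcap(fh.read())
        print("%s: %s, %d packets" % (path, result["reason"], result["packets"]))
```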