It's such a pain when you have a container without root permissions and you can't install tcpdump to sniff traffic. How to deal with it? I found a small tool called ksniff which can easily do that for you. Let's take a look at this tool.

How to install it?

The easiest way is to install using krew package manager:

$ kubectl krew install sniff # for Kubernetes platform
$ oc krew install sniff # for OpenShift platform

Where to read more about it?

You can find the source code and documentation with examples on Github.

Some examples

I use Openshift platform for my example, but it will work the same way for Kubernetes.

So imagine we have a pod called example:

$ oc get pods
NAME                                   READY   STATUS    RESTARTS   AGE
example                                1/1     Running   0          103s

And also we have 1 container inside called httpd:

$ oc get pod example -o jsonpath='{.spec.containers[*].name}'
httpd

The only thing missing is an image with tcpdump, but don't worry, I created one for you. But if you would like to build it by yourself, here is a Dockerfile:

FROM alpine:3.16.2

VOLUME  [ "/data" ]
RUN apk add --no-cache tcpdump coreutils

ENTRYPOINT [ "/usr/bin/tcpdump" ]
CMD [ "-C", "1000", "-W", "100", "-v", "-w", "/data/dump" ]

This image is needed if your container doesn't have root permissions.

Now we can sniff traffic from the pod:

$ oc sniff example -c httpd -n default --tcpdump-image docker.io/fmorte/tcpdump -p -o ~/dump

Let's see the command in detail:

$ oc sniff <pod_name> -c <container_name> -n <namespace> --tcpdump-image <image_with_tcpdump> -p -o <path_to_output_file>

If you run the container without root permissions, then you need to use the -p option and also provide an image with tcpdump. It will create a pod with tcpdump in the cluster and sniff the target container.

Now you can open Wireshark and analyse the file with traffic.

Conclusion

ksniff is a nice and easy tool which I use in my work quite often. I hope this small article will be helpful for you :) Stay tuned for more posts!