Run tcpdump for OpenShift Workloads

Have you ever wondered how to inspect network traffic from within an OpenShift cluster? We're going to take a look at this today.

Using tcpdump from within a network namespace on OpenShift

  1. If you're using a Single Node OpenShift (SNO) deployment, you can copy and paste the following variable as is. If you're running tcpdump from a multi-node environment, be sure that the NODE_NAME variable is formatted like NODE_NAME="node/host01".

    NODE_NAME=$(oc get no -o name)
    oc debug $NODE_NAME
    
  2. Switch into the node's root filesystem (chroot /host) using the following command.

    chroot /host
    
  3. Now start a toolbox container; the variables in the next step are set inside that environment.

    toolbox
    
  4. Set the following variables. Please note the comments before making changes.

    NAME=assisted-image-service   # <---- This is the name of the POD
    NAMESPACE=multicluster-engine # <---- This is the namespace
    INTERFACE=eth0                # <---- DO NOT CHANGE THIS (unless you really know what you're doing)
    pod_id=$(chroot /host crictl pods --namespace ${NAMESPACE} --name ${NAME} -q)
    ns_path="/host$(chroot /host bash -c "crictl inspectp $pod_id | jq '.info.runtimeSpec.linux.namespaces[]|select(.type==\"network\").path' -r")"
    nsenter_parameters="--net=${ns_path}"
    
  5. Now run tcpdump from within that network namespace (via the nsenter command). TCPDUMP_EXTRA_PARAMS is an optional variable for any additional tcpdump arguments, such as a capture filter; leave it unset to capture everything on the interface.

    nsenter $nsenter_parameters -- tcpdump -nn -i ${INTERFACE} -w /host/var/tmp/${HOSTNAME}_$(date +%d_%m_%Y-%H_%M_%S-%Z).pcap ${TCPDUMP_EXTRA_PARAMS}
    
  6. When your packet capture is complete, collect the .pcap files from the /host/var/tmp/ directory (as seen from the toolbox; that is /var/tmp on the node).

    [root@roderika tmp]# ls -asl *.pcap
      84 -rw-r--r--. 1 tcpdump tcpdump   83001 Nov  6 19:23 roderika_06_11_2024-19_22_24-UTC.pcap
    1428 -rw-r--r--. 1 tcpdump tcpdump 1461653 Nov  6 20:09 roderika_06_11_2024-19_46_25-UTC.pcap
     116 -rw-r--r--. 1 tcpdump tcpdump  118331 Nov 15 19:46 roderika_15_11_2024-19_44_18-UTC.pcap
       8 -rw-r--r--. 1 tcpdump tcpdump    4143 Nov 15 19:48 roderika_15_11_2024-19_46_42-UTC.pcap
    [root@roderika tmp]#
    
  7. Finally, you can review them either on the box with the commands below, or transfer them to a local machine and use friendlier tools such as Wireshark.

    Simple view:

    tcpdump -r roderika_15_11_2024-19_46_42-UTC.pcap
    

    Detailed view:

    tcpdump -qns 0 -A -r roderika_15_11_2024-19_46_42-UTC.pcap | more
    

Other Useful Information

  • If you want to view the interfaces available inside a pod, re-run the variable block from step 4 with NAME and NAMESPACE set to the pod you are interested in (the values below are an example):

    NAME=fakefish-ztp-node0-jinkit-vms-66c754bc85-2ltgw   # <---- This is the name of the POD
    NAMESPACE=jinkit-vms                                  # <---- This is the namespace
    
    pod_id=$(chroot /host crictl pods --namespace ${NAMESPACE} --name ${NAME} -q)
    ns_path="/host$(chroot /host bash -c "crictl inspectp $pod_id | jq '.info.runtimeSpec.linux.namespaces[]|select(.type==\"network\").path' -r")"
    nsenter_parameters="--net=${ns_path}"
    
  • The following lists the IP addresses assigned to the pod, together with the interface each one is attached to:

    nsenter $nsenter_parameters -- chroot /host ip a
    

    This next command lists the interfaces that tcpdump can capture on:

    nsenter $nsenter_parameters -- tcpdump -D
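The steps above, and the tcpdump -D interface check from this section, as an added example that is not part of the original post: the same crictl/jq/nsenter calls wrapped in shell functions that stop when the pod, its network namespace or the interface cannot be resolved, instead of the one-liners quietly yielding ns_path=/host. It assumes it is run inside the toolbox container after oc debug and chroot /host; function names and the hypothetical 'tcp port 8090' filter are my own.

```shell
# Added example (not from the original post): the crictl/jq/nsenter steps above
# as shell functions that stop when the pod, its network namespace or the target
# interface cannot be resolved, instead of quietly producing ns_path=/host.
# Assumes it runs inside `toolbox` after `oc debug` and `chroot /host`.

# Step 1 caveat: on multi-node clusters NODE_NAME must be "node/<hostname>".
validate_node_name() {
  case "$1" in
    node/?*) return 0 ;;
    *) echo "NODE_NAME must look like node/host01, got '$1'" >&2; return 1 ;;
  esac
}

# Pod sandbox id; crictl prints nothing when no such pod exists in the namespace.
resolve_pod_id() {   # $1=namespace  $2=pod name
  id=$(chroot /host crictl pods --namespace "$1" --name "$2" -q)
  [ -n "$id" ] || { echo "no pod '$2' in namespace '$1'" >&2; return 1; }
  printf '%s\n' "$id"
}

# Network namespace of the sandbox, with the /host prefix seen from toolbox.
# A hostNetwork pod has no such entry; the one-liner would then yield "/host".
resolve_netns() {    # $1=pod sandbox id
  path=$(chroot /host crictl inspectp "$1" |
    chroot /host jq -r '.info.runtimeSpec.linux.namespaces[]|select(.type=="network").path')
  [ -n "$path" ] || { echo "pod $1 has no network namespace (hostNetwork?)" >&2; return 1; }
  printf '/host%s\n' "$path"
}

# Capture file in the post's layout: /host/var/tmp/<host>_<stamp>.pcap
capture_path() {     # $1=hostname  $2=stamp such as 15_11_2024-19_46_42-UTC
  printf '/host/var/tmp/%s_%s.pcap\n' "$1" "$2"
}

# Bounded capture: -c ends tcpdump after N packets so a forgotten capture cannot
# fill /var/tmp; any remaining arguments form a BPF filter, e.g. 'tcp port 8090'.
capture_pod() {      # $1=namespace  $2=pod  $3=interface  $4=max packets  [filter...]
  ns_name=$1; pod=$2; iface=$3; count=$4; shift 4
  id=$(resolve_pod_id "$ns_name" "$pod") || return 1
  ns=$(resolve_netns "$id") || return 1
  nsenter --net="$ns" -- tcpdump -D | grep -Eq "^[0-9]+\.$iface( |$)" ||
    { echo "interface $iface not present in pod $pod (see tcpdump -D)" >&2; return 1; }
  out=$(capture_path "${HOSTNAME:-$(hostname)}" "$(date +%d_%m_%Y-%H_%M_%S-%Z)")
  nsenter --net="$ns" -- tcpdump -nn -i "$iface" -c "$count" -w "$out" "$@" && echo "$out"
}
```

Usage inside toolbox: capture_pod multicluster-engine assisted-image-service eth0 2000 'tcp port 8090' prints the pcap path on success and a reason on stderr otherwise.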