How to Capture Pod Network Traffic with nsenter and tcpdump¶
To capture detailed HTTP traffic inside a Kubernetes Pod using nsenter + tcpdump, you need to operate on the host (Node) where the Pod is running. This is because nsenter is a host-level tool used to enter the container's network namespace (netns).
Prerequisites¶
- You have SSH access to the Node where the Pod is running
- You have root or sudo privileges (required for nsenter and tcpdump)
- tcpdump is installed on the host (if not, install with apt install tcpdump or yum install tcpdump)
- You know the target Pod name and its Namespace
Identify the Node of the Pod¶
Example output:
SSH into the Node¶
Get the Container's PID¶
Use nsenter to Enter the Container Network Namespace and Capture Traffic¶
Parameter explanation:
-t $PID: Target process PID-n: Enter its network namespace-i any: Listen on all interfaces (usually only eth0 in the container, but any is safer)-nn: Do not resolve hostnames and port names (avoid DNS lookup interference)-s 0: Capture the full packet (default may truncate HTTP body)-A: Print packet content in ASCII (readable HTTP requests/responses)- 'tcp port 80 or tcp port 443': Only capture HTTP/HTTPS traffic
Example output:
10:30:15.123456 IP 10.244.2.10.54321 > 93.184.216.34.80: Flags [P.], seq 1:200, ack 1, win 501, options [nop,nop,TS val 123456 ecr 789012], length 199: HTTP: GET /api/user HTTP/1.1
E..{..@.@...........P..P...!.............
GET /api/user HTTP/1.1
Host: api.example.com
User-Agent: curl/7.68.0
Accept: */*
Write to File¶
# Create a temporary directory on the host
mkdir -p /tmp/tcpdump
nsenter -t $PID -n tcpdump -i any -nn -s 0 -w /tmp/tcpdump/pod-http.pcap 'tcp port 80 or tcp port 443'
Capture Only Specific Domain or Path Traffic (Optional)¶
Since tcpdump cannot directly filter HTTP paths, you can use keyword matching:
# Capture requests containing "GET /login"
nsenter -t $PID -n tcpdump -i any -nn -s 0 -A | grep -A5 -B5 "GET /login"
# Or save and filter later
nsenter -t $PID -n tcpdump -i any -nn -s 0 -w /tmp/cap.pcap
tcpdump -A -r /tmp/cap.pcap | grep "Authorization"
Reference¶
Install crictl: