Skip to content

How to Capture Pod Network Traffic with nsenter and tcpdump

To capture detailed HTTP traffic inside a Kubernetes Pod using nsenter + tcpdump, you need to operate on the host (Node) where the Pod is running. This is because nsenter is a host-level tool used to enter the container's network namespace (netns).

Prerequisites

  • You have SSH access to the Node where the Pod is running
  • You have root or sudo privileges (required for nsenter and tcpdump)
  • tcpdump is installed on the host (if not, install with apt install tcpdump or yum install tcpdump)
  • You know the target Pod name and its Namespace

Identify the Node of the Pod

kubectl get pod <pod-name> -n <namespace> -o wide

Example output:

NAME        READY   STATUS    NODE       ...
my-app-7d5   1/1     Running   node-01    ...

SSH into the Node

ssh user@node-01
sudo -i  # Switch to root

Get the Container's PID

nerdctl inspect $CONTAINER_ID | grep -i pid
PID=$(crictl inspect $CONTAINER_ID -o go-template='{{.info.pid}}')
echo "PID: $PID"

Use nsenter to Enter the Container Network Namespace and Capture Traffic

nsenter -t $PID -n tcpdump -i any -nn -s 0 -A 'tcp port 80 or tcp port 443'

Parameter explanation:

  • -t $PID: Target process PID
  • -n: Enter its network namespace
  • -i any: Listen on all interfaces (usually only eth0 in the container, but any is safer)
  • -nn: Do not resolve hostnames and port names (avoid DNS lookup interference)
  • -s 0: Capture the full packet (default may truncate HTTP body)
  • -A: Print packet content in ASCII (readable HTTP requests/responses)
  • 'tcp port 80 or tcp port 443': Only capture HTTP/HTTPS traffic

Example output:

10:30:15.123456 IP 10.244.2.10.54321 > 93.184.216.34.80: Flags [P.], seq 1:200, ack 1, win 501, options [nop,nop,TS val 123456 ecr 789012], length 199: HTTP: GET /api/user HTTP/1.1
E..{..@.@...........P..P...!.............
GET /api/user HTTP/1.1
Host: api.example.com
User-Agent: curl/7.68.0
Accept: */*

Write to File

# Create a temporary directory on the host
mkdir -p /tmp/tcpdump
nsenter -t $PID -n tcpdump -i any -nn -s 0 -w /tmp/tcpdump/pod-http.pcap 'tcp port 80 or tcp port 443'

Capture Only Specific Domain or Path Traffic (Optional)

Since tcpdump cannot directly filter HTTP paths, you can use keyword matching:

# Capture requests containing "GET /login"
nsenter -t $PID -n tcpdump -i any -nn -s 0 -A | grep -A5 -B5 "GET /login"

# Or save and filter later
nsenter -t $PID -n tcpdump -i any -nn -s 0 -w /tmp/cap.pcap
tcpdump -A -r /tmp/cap.pcap | grep "Authorization"

Reference

Install crictl:

curl -L https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.28.0/crictl-v1.28.0-linux-amd64.tar.gz | tar zx -C /usr/local/bin