Capturing container packets from EKS worker nodes using tcpdump
There are times when you need to troubleshoot a network issue and have to go down to the packet level to analyse it. To capture the packets, you will usually run tcpdump either at the source or destination, or even both. However, this gets tricky if your application or microservice runs in containers deployed to a Kubernetes cluster such as Amazon EKS (Elastic Kubernetes Service), where the containers might not have tcpdump installed.
This blog post will show you how you can capture the container packets from the EKS worker nodes.
Here, we assume your worker nodes have tcpdump installed. To verify, SSH into your worker node and run the tcpdump --version command.
[root@ip-10-x-x-93 ~]# tcpdump --version
tcpdump version 4.9.2
libpcap version 1.5.3
OpenSSL 1.0.2k-fips 26 Jan 2017
Identify the worker node of your pod
The first step is to find out which worker node your pod is running on so that we will know where to run tcpdump later on. In the example below, I only have one worker node and the pod I’m interested in is nginx-deployment-7f99dd46c4-s9777.
kieranyio@Kierans-MBP-2 ~ % kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-deployment-7f99dd46c4-s9777…