The container has no tcpdump; how do you capture its traffic?
To capture the traffic you need the host-side veth interface that is the container's end of the link.
To find that interface you need the container's MAC address.
To get the MAC address, first find the container's IP.
The IP can be obtained with kubectl.
Working through it in order, the steps are:
- kubectl get pods -o wide (or any other method) gives the pod's IP and the node it is running on
kubectl get pods -o wide | grep task
falcon-task-2690661743-71hcf 1/1 Running 0 29d 192.168.5.200 szb-l0038260
- Log in to the node that hosts the pod
ssh szb-l0038260
- Look up the pod's MAC address in the node's neighbour table with ip neigh (the entry only exists if the node has exchanged traffic with the pod recently; if it is missing, ping the pod IP once from the node and check again)
[root@SZB-L0038260 ~]# ip neigh show | grep 192.168.5.200
192.168.5.200 dev docker0 lladdr 02:42:c0:a8:05:c8 REACHABLE
This MAC matches what ip addr show eth0 reports inside the container (on the Docker bridge the default MAC is derived from the IP: 02:42 followed by the four IP octets in hex, and c0:a8:05:c8 is 192.168.5.200). The @if30 suffix on eth0 is also a shortcut: 30 is the ifindex of the host-side peer, so ip link show on the node names the veth directly when you can run commands inside the container.
[root@falcon-task-2690661743-71hcf task]# ip addr show eth0
29: eth0@if30: mtu 1450 qdisc noqueue state UP
link/ether 02:42:c0:a8:05:c8 brd ff:ff:ff:ff:ff:ff
inet 192.168.5.200/26 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::42:c0ff:fea8:5c8/64 scope link
valid_lft forever preferred_lft forever
- Look up that MAC in the bridge forwarding table with bridge fdb to get the port it was learned on, which is the container's veth
[root@SZB-L0038260 ~]# bridge fdb show | grep 02:42:c0:a8:05:c8
02:42:c0:a8:05:c8 dev veth90f29ee master docker0
- Once you have the container's veth, run tcpdump against that interface on the node. The "no IPv4 address assigned" warning is harmless: a veth carries no address of its own, and tcpdump still sees everything the container sends and receives through it. If you have the container's PID (docker inspect -f '{{.State.Pid}}' <container>), nsenter -t <pid> -n tcpdump -i eth0 -nn runs the host's tcpdump inside the container's network namespace and does not need the veth at all.
[root@SZB-L0038260 ~]# tcpdump -i veth90f29ee -nn
tcpdump: WARNING: veth90f29ee: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on veth90f29ee, link-type EN10MB (Ethernet), capture size 65535 bytes
14:20:27.171174 IP 192.168.5.200.59336 > 10.10.0.111.12057: Flags [S], seq 4206736718, win 28200, options [mss 1410,sackOK,TS val 2585505500 ecr 0,nop,wscale 7], length 0
14:20:29.163866 IP 192.168.5.200.50726 > 10.20.20.52.12079: Flags [P.], seq 432793338:432793546, ack 1771709290, win 1393, options [nop,nop,TS val 2585507492 ecr 4157544124], length 208
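As an added example (not part of the original post), the whole procedure above as a POSIX shell script. The parsing helpers operate on captured ip neigh / bridge fdb output and are exercised on constructed sample lines embedded in the script; the script name, the capture_pod function, the --capture flag and the veth MAC 5a:3e:11:22:33:44 in the sample are my own assumptions. It also assumes kubectl is configured, that the node name kubectl returns is reachable over passwordless ssh, and that the remote account may run ip, bridge and tcpdump.

```shell
#!/bin/sh
# pod-veth-capture.sh: automate the steps above (pod -> IP/node -> MAC -> veth -> tcpdump).
# The parsing helpers are pure shell/awk over command output so they can be
# checked against captured text; only capture_pod talks to kubectl/ssh.

# mac_for_ip NEIGH_TEXT IP
# Extract the lladdr for IP from `ip neigh show` output; entries in FAILED /
# INCOMPLETE state carry no lladdr and are skipped.
mac_for_ip() {
    printf '%s\n' "$1" | awk -v ip="$2" '$1 == ip && $4 == "lladdr" { print $5; exit }'
}

# veth_for_mac FDB_TEXT MAC
# From `bridge fdb show` output, return the port on which MAC was learned.
# Permanent entries (the bridge's own MAC and each veth's own MAC) are ignored,
# so a MAC only resolves to the port a container is actually reachable through.
veth_for_mac() {
    printf '%s\n' "$1" | awk -v mac="$2" '
        tolower($1) == tolower(mac) && $2 == "dev" && $4 == "master" && $NF != "permanent" { print $3; exit }'
}

# peer_ifindex LINK_LINE
# Shortcut when `ip link` can be run inside the container: "eth0@if30" means
# the host-side peer has ifindex 30, so `ip link show` on the node names it.
peer_ifindex() {
    printf '%s\n' "$1" | sed -n 's/^[0-9][0-9]*: [^@:]*@if\([0-9][0-9]*\):.*/\1/p'
}

# Constructed sample output in the shape of `ip neigh show` and `bridge fdb show`
# (values from the walkthrough plus one extra line each to exercise the filters;
# 5a:3e:11:22:33:44 is an invented host-side veth MAC).
SAMPLE_NEIGH='192.168.5.201 dev docker0  FAILED
192.168.5.200 dev docker0 lladdr 02:42:c0:a8:05:c8 REACHABLE'
SAMPLE_FDB='33:33:00:00:00:01 dev docker0 self permanent
5a:3e:11:22:33:44 dev veth90f29ee master docker0 permanent
02:42:c0:a8:05:c8 dev veth90f29ee master docker0'

# capture_pod POD [NAMESPACE] [TCPDUMP-FILTER]
# Assumes kubectl is configured, the node name resolves for ssh, and the
# remote account may run ip/bridge/tcpdump (root or CAP_NET_RAW/CAP_NET_ADMIN).
capture_pod() {
    pod=$1; ns=${2:-default}; filter=${3:-}
    # jsonpath gives exact fields instead of guessing columns in `-o wide`
    ip=$(kubectl -n "$ns" get pod "$pod" -o jsonpath='{.status.podIP}')
    node=$(kubectl -n "$ns" get pod "$pod" -o jsonpath='{.spec.nodeName}')
    [ -n "$ip" ] && [ -n "$node" ] || { echo "pod $pod not found in namespace $ns" >&2; return 1; }

    # One ping makes sure the neighbour entry exists before the table is read.
    neigh=$(ssh "$node" "ping -c 1 -W 1 '$ip' >/dev/null 2>&1; ip neigh show")
    mac=$(mac_for_ip "$neigh" "$ip")
    [ -n "$mac" ] || { echo "no neighbour entry for $ip on $node" >&2; return 1; }

    veth=$(veth_for_mac "$(ssh "$node" bridge fdb show)" "$mac")
    [ -n "$veth" ] || { echo "no bridge fdb entry for $mac on $node" >&2; return 1; }

    echo "pod $pod is $ip / $mac behind $veth on $node" >&2
    # -tt allocates a tty so Ctrl-C stops the remote tcpdump as well.
    ssh -tt "$node" "tcpdump -i '$veth' -nn $filter"
}

# Usage: ./pod-veth-capture.sh --capture falcon-task-2690661743-71hcf default 'port 12057'
if [ "${1:-}" = "--capture" ] && [ -n "${2:-}" ]; then
    capture_pod "$2" "${3:-default}" "${4:-}"
fi
```

The filters in veth_for_mac matter on a real node: bridge fdb show also lists the bridge's own multicast entries and each veth's own permanent MAC, and a naive grep for "dev" would happily hand you docker0 or the wrong port. Matching case-insensitively covers the upper-case form some tools print.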