How to perform packet captures?

Table of Contents


It's often necessary to perform packet captures to debug an issue either in production or non-production setup. This article provides the steps to do the same.


  • Be able to pull the image leodotcloud/swiss-army-knife either directly or via HTTP/HTTPS proxy or using a registry mirror or via artifactory.

High-level overview

Here is a quick overview of the process involved: Identify the container or pod where packet capture is needed. SSH to the node where this particular container or pod is running. Figure out the id of the container or the pause container for the pod. Run the debug container attaching to the network namespace of the container identified in the previous step. Exec inside the debug container. Verify the network namespace by checking the IP address of the network interface. Perform the packet capture!

docker run -itd \
  --name debug_container \
  --net=container:$CONTAINER_ID \
docker exec -it debug_container bash
tcpdump -i eth0 -w /tmp/debug_capture.pcap

Further reading

The container image leodotcloud/swiss-army-knife is packaged with many tools needed in various debugging scenarios. Source code for this container image can be found here. Docker hub page can be found here. If you find any problems with this image, please file an issue on Github. You are also more than welcome to contribute to this repo by opening a PR (Pull Request)!

Was this article helpful?
0 out of 0 found this helpful



Please sign in to leave a comment.