Capturing Live Network Traffic from a Kubernetes Pod

Occasionally, you need to troubleshoot network behavior inside a Kubernetes pod — maybe you’re chasing a DNS issue, testing service connectivity, or inspecting strange application traffic. tcpdump is still one of the best tools for this, but pods are intentionally minimal, and most containers won’t have it installed.

This post shows a quick and dirty way to run a live packet capture from inside a pod, without modifying your application container image.


Running an Ephemeral Container with tcpdump

Kubernetes supports ephemeral containers, which let you temporarily attach a debugging container to a running pod. This works even if the pod’s existing containers were started without shell utilities.

To capture traffic, we inject a debugging container based on an image that already includes tcpdump.

1. Add an ephemeral debugging container

kubectl debug -it <POD_NAME> -n <NAMESPACE> --image=nicolaka/netshoot --target=<CONTAINER_NAME>

Explanation:

  • --image=nicolaka/netshoot — netshoot includes tcpdump and other debugging tools
  • --target — attaches to the existing container’s namespaces
  • -it — gives you an interactive shell

Once attached, you’re inside a shell with all the networking tools you need.


Capturing Packets

List network interfaces

ip a

Pick the interface you want to inspect. For most pods, this is eth0.

Run a live tcpdump capture

tcpdump -i eth0 -vvv

Examples:

tcpdump -i eth0 port 53
tcpdump -i eth0 host 10.0.0.5
tcpdump -i any -nn

Save to a file:

tcpdump -i eth0 -w /tmp/capture.pcap

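Download it. The capture is in the debug container's filesystem, not the application container's, so pass the ephemeral container's name with -c (kubectl debug prints the generated name when it starts), and run the copy from a second terminal while the debug shell is still open:

kubectl cp -c <DEBUG_CONTAINER_NAME> <NAMESPACE>/<POD_NAME>:/tmp/capture.pcap ./capture.pcap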
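
Once capture.pcap is on your workstation, a short offline pass can list the DNS queries the pod sent. This is an added example, not code from the original post: it parses the classic pcap format that tcpdump -w writes, handles only Ethernet/IPv4/UDP traffic to port 53, and runs on a constructed sample packet; build_sample_pcap and dns_queries are hypothetical names.

```python
import struct

def build_sample_pcap():
    """Constructed sample: one Ethernet/IPv4/UDP DNS query (A example.com) to 10.0.0.5."""
    qname = b"\x07example\x03com\x00"
    dns = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)
    udp = struct.pack("!4H", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 7]), bytes([10, 0, 0, 5])) + udp
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip
    file_header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return file_header + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def dns_queries(pcap):
    """Return (src_ip, dst_ip, qname, qtype) for each UDP/53 query in a classic pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link type handled (captures from -i any differ)")
    found, off = [], 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # not IPv4 carrying UDP
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(udp) < 20 or struct.unpack("!H", udp[2:4])[0] != 53:
            continue  # not addressed to port 53, or too short for a DNS header
        dns = udp[8:]
        flags, qdcount = struct.unpack("!HH", dns[2:6])
        if flags & 0x8000 or qdcount == 0:
            continue  # QR bit set means a response; only queries are listed
        labels, pos = [], 12
        while pos < len(dns) and 0 < dns[pos] < 64:  # stop at root label or pointer
            labels.append(dns[pos + 1:pos + 1 + dns[pos]].decode("ascii", "replace"))
            pos += 1 + dns[pos]
        qtype = struct.unpack("!H", dns[pos + 1:pos + 3])[0] if pos + 3 <= len(dns) else None
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        found.append((src, dst, ".".join(labels), qtype))
    return found

if __name__ == "__main__":
    for query in dns_queries(build_sample_pcap()):
        print(query)
```

To run it on a real capture, pass the bytes of the downloaded file: dns_queries(open("capture.pcap", "rb").read()).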

Tips for Accurate Debugging

  • Ephemeral containers share the network namespace with your application container
  • If a pod has multiple containers, specify --target=<CONTAINER>
  • nicolaka/netshoot is a solid all-purpose troubleshooting image

Summary

Ephemeral containers are an often-overlooked solution, ideal for debugging:

  • DNS
  • inter-service connectivity
  • latency or packet drops
  • unusual traffic patterns