#TCPDUMP #NC and #K8S fun !!

Philippe Bogaerts
2 min read · Aug 5, 2020


This tutorial explains how to tunnel tcpdump pcap traffic from a Kubernetes cluster back to a remote workstation.

Redirect output to stdout

In the first example, tcpdump captures traffic to and from port 80 and writes the raw pcap stream to stdout (-w -) instead of a file, so the shell can redirect it wherever we like. -n suppresses DNS lookups, and -U makes tcpdump write each packet to the output as soon as it is captured (packet-buffered output) instead of holding it in a stdio buffer, so whatever sits at the other end of the pipe receives packets immediately rather than in bursts.

tcpdump -i any -n -U -w - port 80 >demo.pcap

Hit ctrl-c to stop the capture. The file can now be read back, and no errors are displayed:

tcpdump -r demo.pcap

Redirect via netcat

Open a first terminal to capture some traffic. stdout is now piped into netcat, which connects to a listener on localhost port 6666. The port 80 filter matters here for a second reason: it keeps the netcat stream on port 6666 out of the capture. Without a filter, tcpdump -i any would also see its own output packets on the loopback interface, and the capture would feed on itself.

tcpdump -i any -n -U -w - port 80 | nc 127.0.0.1 6666

In a second terminal, started before the capture so that the listener is already waiting when netcat connects, redirect the stream to a file (pipe it through tee first, or run tcpdump -r on the growing file, if you also want to monitor the traffic as it arrives). Note that listener syntax differs between netcat implementations: OpenBSD nc takes nc -l 6666, while traditional netcat needs nc -l -p 6666.

nc -l 6666 >demo.pcap

Stop both ends with ctrl-c; you can now read the capture:

tcpdump -r demo.pcap

Redirect via SSH reverse tunneling

Create an SSH session to the host you are planning to run tcpdump on. The -R option asks sshd on that host to listen on port 6666 and forward every connection back through the tunnel to port 6666 on your workstation:

ssh root@remote-host -R 6666:127.0.0.1:6666

And now run the capture on the remote host. netcat connects to the forwarded port on 127.0.0.1, so the pcap stream travels back through the SSH session:

tcpdump -i any -n -U -w - port 80 | nc 127.0.0.1 6666

On the local machine, in a separate terminal opened before the capture starts, the listener receives the stream and redirects it to a file:

nc -l 6666 >demo.pcap

and read the captured traffic:

tcpdump -r demo.pcap
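Whichever of the three transports is used, what lands in demo.pcap is a raw pcap byte stream, and if the capture is interrupted with ctrl-c or the tunnel drops, the last record can be cut in the middle of a packet (tcpdump -r then reports a truncated dump file). The checker below is an added example and not part of the original post: it walks the stream record by record, reports what a reader would see, and trims a truncated tail so the file can still be read. The sample capture is constructed in-line (link type 113, Linux cooked capture, one of the link types tcpdump -i any writes, plus two fake HTTP packets and a cut-off third record) so the script runs offline; to use it on a real capture, pass the bytes of demo.pcap to check_pcap.

```python
"""Sanity-check a pcap that arrived through a pipe, netcat or an SSH tunnel.

Added example, not code from the original post. The capture bytes below are
constructed for illustration; feed check_pcap() the contents of demo.pcap
to inspect a real stream.
"""
import struct
from typing import Dict, List

PCAP_MAGIC_US = 0xA1B2C3D4   # libpcap magic, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # libpcap magic, nanosecond timestamps
LINKTYPE_LINUX_SLL = 113     # Linux "cooked" frames, as written by tcpdump -i any
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


def write_pcap(packets: List[bytes], linktype: int = LINKTYPE_LINUX_SLL,
               snaplen: int = 262144) -> bytes:
    """Serialise packets the way tcpdump -w - streams them: one 24-byte global
    header, then a 16-byte record header followed by the packet bytes.
    Only used here to build constructed test input."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, linktype)
    for i, pkt in enumerate(packets):
        ts_sec, ts_usec = 1596614400 + i, 0          # constructed timestamps
        out += struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)) + pkt
    return out


def check_pcap(data: bytes) -> Dict[str, object]:
    """Walk a pcap byte stream and report what tcpdump -r would find.

    Raises ValueError when the stream is not a pcap at all (for example the
    listener caught something other than the capture). A record cut short by
    ctrl-c or a dropped tunnel is reported as truncated, not as an error."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("stream shorter than a pcap global header (%d bytes)" % len(data))
    magic_le = struct.unpack("<I", data[:4])[0]
    magic_be = struct.unpack(">I", data[:4])[0]
    if magic_le in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian = "<"
    elif magic_be in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian = ">"
    else:
        raise ValueError("bad magic 0x%08x: not a pcap stream" % magic_be)
    _, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:GLOBAL_HDR_LEN])

    off = GLOBAL_HDR_LEN
    packets = 0
    truncated = False
    while off < len(data):
        if len(data) - off < RECORD_HDR_LEN:          # partial record header
            truncated = True
            break
        _ts_sec, _ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HDR_LEN])
        if incl_len > snaplen or incl_len > orig_len:  # header cannot be right
            raise ValueError("corrupt record header at offset %d" % off)
        if off + RECORD_HDR_LEN + incl_len > len(data):  # packet bytes cut off
            truncated = True
            break
        off += RECORD_HDR_LEN + incl_len
        packets += 1
    return {"endian": endian, "version": (major, minor), "linktype": linktype,
            "snaplen": snaplen, "packets": packets, "truncated": truncated,
            "good_bytes": off, "trailing_bytes": len(data) - off}


def repair_pcap(data: bytes) -> bytes:
    """Drop a truncated trailing record so tcpdump -r reads the file cleanly."""
    return data[:check_pcap(data)["good_bytes"]]


# Constructed sample: a 16-byte cooked-capture header (zeroed, which is fine
# for this check) in front of a fake HTTP request and response.
SAMPLE_PACKETS = [
    bytes(16) + b"GET / HTTP/1.1\r\nHost: www.radarhack.com\r\n\r\n",
    bytes(16) + b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
]
CLEAN_CAPTURE = write_pcap(SAMPLE_PACKETS)
# Simulate ctrl-c or a dropped tunnel mid-record: a third record header
# promising 40 bytes of which only 10 arrived.
CUT_CAPTURE = CLEAN_CAPTURE + struct.pack("<IIII", 1596614402, 0, 40, 40) + bytes(10)

if __name__ == "__main__":
    for name, capture in (("clean", CLEAN_CAPTURE), ("cut", CUT_CAPTURE)):
        print(name, check_pcap(capture))
    print("repaired cut capture equals clean capture:",
          repair_pcap(CUT_CAPTURE) == CLEAN_CAPTURE)
```

On a real file, `python3 checker.py` is replaced by `check_pcap(open("demo.pcap", "rb").read())`; a result with truncated set to True and a small trailing_bytes count is the normal signature of a capture stopped mid-packet, while a ValueError on the magic means the listener received something other than the tcpdump stream.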

Apply previous concept in a Kubernetes cluster

This section demonstrates that the techniques discussed also work for pods (and containers). Although this is aimed at troubleshooting, it is also an attack vector if a pod or cluster is breached: a process in a pod that still holds CAP_NET_RAW (part of the default capability set of most container runtimes unless the pod spec drops it) can sniff the pod's own traffic and push it out over any egress the cluster's network policy allows.
This example is based on a default commercially available managed Kubernetes cluster. Since SSH into the managed environment is not available, I opted for a variant of the Redirect via netcat example.

SSH into a Linux server that the cluster can reach, and start the listener there before the capture begins:

ssh root@remote-host
nc -l 6666 >demo.pcap

Spin up a throwaway pod on the cluster, using an image that has tcpdump, nc and curl installed:

export KUBECONFIG=./cluster-kubeconfigdemo-dupe.yaml
kubectl run --rm -it --image xxradar/hackon demo -- bash

Inside the container, start the capture in the background and generate some port 80 traffic. Note that -i any inside a pod only sees the pod's own network namespace, so this captures the pod's traffic, not the node's:

tcpdump -i any -n -U -w - port 80 | nc remote-host 6666 &
curl www.radarhack.com

On the remote-host, stop the listener with ctrl-c once the traffic has arrived and inspect the demo.pcap file:

tcpdump -r demo.pcap

For more advanced techniques on tcpdump inside containers and pods, please check out https://medium.com/@xxradar

GitHub how-to-tcpdump-effectively-in-kubernetes-part-1
how-to-tcpdump-effectively-in-docker

Useful information about the SSH use-case can be found in
when-ssh-and-nc-meets-k8s-networking



Philippe Bogaerts

#BruCON co-founder, #OWASP supporter, Application Delivery and Web Application Security, #Kubernetes and #container, #pentesting enthusiast, BBQ & cocktails !!