#TCPDUMP #NC and #K8S fun !!

This tutorial explains how to tunnel tcpdump pcap traffic from a Kubernetes cluster back to a remote workstation.

Redirect output to stdout

In the first example, tcpdump captures traffic to HTTP port 80 and writes it to stdout (-w -). The -U flag makes sure each packet is sent to the output immediately instead of being buffered.

tcpdump -i any -n -U -w - port 80 >demo.pcap

Hit ctrl-c to stop the capture. We can now read the capture back, and no errors are displayed:

tcpdump -r demo.pcap

Redirect via netcat

Open a first terminal to capture some traffic; stdout is now redirected to netcat:

tcpdump -i any -n -U -w - port 80 | nc 127.0.0.1 6666

In a second terminal we can redirect the stream to a file and, in the meantime, monitor the traffic:

nc -l 6666 >demo.pcap

You can now read the capture:

tcpdump -r demo.pcap

Redirect via SSH reverse tunneling

Create an SSH session to the host you're planning to run tcpdump on, with a reverse tunnel for port 6666:

ssh root@remote-host -R 6666:127.0.0.1:6666

And now run the capture on that host:

tcpdump -i any -n -U -w - port 80 | nc 127.0.0.1 6666

On the local machine you can redirect the tunnelled stream to a file:

nc -l 6666 >demo.pcap

and read the captured traffic:

tcpdump -r demo.pcap

Apply previous concept in a Kubernetes cluster

This section demonstrates that the techniques discussed above also work for pods (and containers). Although this is aimed at troubleshooting, it might also be an attack vector if a pod or cluster is breached.
This example is based on a default commercially available managed Kubernetes cluster. Since SSH into the managed environment is not available, I opted for a variant of the Redirect via netcat example.

SSH into a Linux server that is reachable from the cluster and start the listener:

ssh root@remote-host
nc -l 6666 >demo.pcap

Spin up a pod on the cluster:

export KUBECONFIG=./cluster-kubeconfigdemo-dupe.yaml
kubectl run --rm -it --image xxradar/hackon demo -- bash

Inside the container, start the capture in the background and generate some traffic:

tcpdump -i any -n -U -w - port 80 | nc remote-host 6666 &
curl www.radarhack.com

On the remote-host you can now inspect the demo.pcap file:

tcpdump -r demo.pcap
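As an added example (not part of the original post), the POSIX sh functions below sanity-check a demo.pcap received over nc, as in the netcat and Kubernetes sections above, before tcpdump -r is run on it: they verify the pcap magic and walk the packet records, so a file whose sender died mid-write is reported as truncated instead of being discovered through a tcpdump error. The names pcap_check, le_uint and write_demo_pcap and the embedded two-packet fixture are my own constructions.

```sh
# Added example, not code from the original post: sanity-check a pcap that
# arrived through "nc -l 6666 >demo.pcap" before handing it to tcpdump -r.
# Handles the little-endian classic pcap format that tcpdump -w produces.

# Print the NBYTES little-endian unsigned integer at OFFSET of FILE.
le_uint() {  # FILE OFFSET NBYTES
    hex=$(od -An -v -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n')
    [ "${#hex}" -eq $(( $3 * 2 )) ] || return 1   # short read at end of file
    rev=""
    while [ -n "$hex" ]; do
        rev="${hex%"${hex#??}"}$rev"               # prepend the next byte
        hex="${hex#??}"
    done
    echo $(( 0x$rev ))
}

# Walk every record of FILE. Prints "<packets> ok", "<packets> truncated"
# or "0 bad-magic"; returns non-zero unless the file is complete.
pcap_check() {
    f=$1
    size=$(wc -c < "$f" | tr -d ' ')
    magic=$(od -An -v -tx1 -N 4 "$f" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|4d3cb2a1) ;;                      # usec / nsec timestamps
        *) echo "0 bad-magic"; return 1 ;;
    esac
    [ "$size" -ge 24 ] || { echo "0 truncated"; return 1; }   # file header
    off=24; n=0
    while [ "$off" -lt "$size" ]; do
        [ $((size - off)) -ge 16 ] || { echo "$n truncated"; return 1; }
        incl=$(le_uint "$f" $((off + 8)) 4) || { echo "$n truncated"; return 1; }
        [ $((off + 16 + incl)) -le "$size" ] || { echo "$n truncated"; return 1; }
        off=$((off + 16 + incl)); n=$((n + 1))
    done
    echo "$n ok"
}

# Constructed fixture: a two-packet Ethernet pcap with 4-byte dummy payloads.
# With a second argument of 1 the last byte is dropped, as if the sender died.
write_demo_pcap() {  # FILE [TRUNCATE]
    {
        printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000'
        printf '\001\000\000\000\000\000\000\000\004\000\000\000\004\000\000\000\336\255\276\357'
        printf '\002\000\000\000\000\000\000\000\004\000\000\000\004\000\000\000\312\376\272'
        [ "${2:-0}" = 1 ] || printf '\276'
    } > "$1"
}
# Receiver side of the tutorial, with the check added before reading:
#   nc -l 6666 >demo.pcap; pcap_check demo.pcap && tcpdump -r demo.pcap
```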

For more advanced techniques on tcpdump inside containers and pods, please check out https://medium.com/@xxradar

Related articles by the author:
how-to-tcpdump-effectively-in-kubernetes-part-1 (GitHub)
how-to-tcpdump-effectively-in-docker

Useful information about the SSH use-case can be found in when-ssh-and-nc-meets-k8s-networking, also by the author.

Philippe Bogaerts