|
|
当需要在容器中抓网络包时,如果容器镜像中没有tcpdump命令,抓包就会变得很困难。本文提供一种方法可以方便的抓网络包。想怎么抓就怎么抓。让容器内抓包变得so easy!
原理就是进入容器/Pod的网络命名空间(netns),然后利用宿主机上的tcpdump进行抓包。
1. 首先查到pod所在的节点。
Kubectl get pod -owide
2. 登录到pod所在的节点,将如下的函数贴到当前终端:
function e() {
set -eu
ns=${2-"default"}
pod=`kubectl -n $ns describe pod $1 | grep -Eo 'docker://.*$' | head -n 1 | sed 's/docker:\/\/\(.*\)$/\1/'`
pid=`docker inspect -f {{.State.Pid}} $pod`
echo "enter pod netns successfully for $ns/$1"
nsenter -n -u --target $pid
}
3. 输入 e POD_NAME NAMESPACE 即可进入此pod的netns,此时即可便使用宿主机上的各种命令了。
首先执行ifconfig 或 ip a 命令查看当前pod的ip。
[root@SZD-L0119857 ~]# e web-79d98584c4-7st4t test
enter pod netns successfully for test/web-79d98584c4-7st4t
**************************************************************************
* *
*Attention: Auditing process will report your every action! *
*Warning: Don't delete any files in directory /root/slogs!! *
* *
* -PING AN INSURANCE (GRP) COMPANY OF CHINA,LTD.*
**************************************************************************
Script started, file is /root/slogs/2019-08-16_15:45:51pts-1root.log
[root@web-79d98584c4-7st4t ~]#
[root@web-79d98584c4-7st4t ~]#
[root@web-79d98584c4-7st4t ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
inet 172.1.39.3 netmask 255.255.255.0 broadcast 0.0.0.0
ether 02:42:ac:01:27:03 txqueuelen 0 (Ethernet)
RX packets 144937891 bytes 11905780495 (11.0 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 121090106 bytes 28579561835 (26.6 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@web-79d98584c4-7st4t ~]#
4. 使用tcpdump抓包
[root@web-79d98584c4-7st4t ~]# tcpdump -i eth0 -nn -vvv
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:39:38.175494 IP (tos 0x0, ttl 63, id 25519, offset 0, flags [DF], proto TCP (6), length 60)
172.1.12.0.37908 > 172.1.39.3.80: Flags [S], cksum 0x1abd (correct), seq 3998146004, win 28200, options [mss 1410,sackOK,TS val 356826747 ecr 0,nop,wscale 6], length 0
15:39:38.175567 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
172.1.39.3.80 > 172.1.12.0.37908: Flags [S.], cksum 0x8b34 (incorrect -> 0x79df), seq 3454557644, ack 3998146005, win 27960, options [mss 1410,sackOK,TS val 3897068990 ecr 356826747,nop,wscale 6], length 0
15:39:38.175832 IP (tos 0x0, ttl 63, id 25520, offset 0, flags [DF], proto TCP (6), length 52)
172.1.12.0.37908 > 172.1.39.3.80: Flags [.], cksum 0x13f7 (correct), seq 1, ack 1, win 441, options [nop,nop,TS val 356826748 ecr 3897068990], length 0
15:39:38.175915 IP (tos 0x0, ttl 63, id 25521, offset 0, flags [DF], proto TCP (6), length 141)
172.1.12.0.37908 > 172.1.39.3.80: Flags [P.], cksum 0x2277 (correct), seq 1:90, ack 1, win 441, options [nop,nop,TS val 356826748 ecr 3897068990], length 89: HTTP, length: 89
GET / HTTP/1.1
Host: web.test.svc.cluster.local
User-Agent: Wget
Connection: close
15:39:38.175925 IP (tos 0x0, ttl 64, id 53363, offset 0, flags [DF], proto TCP (6), length 52)
同样可以使用telnet,traceroute等命令,只要宿主机上安装了即可使用。
上面的命令需要宿主机上kubectl命令有相应的命令空间的权限。若没有。可使用下面的方法进入pod的netns中
1. 查看pod的CONTAINER ID 或 NAME
docker ps |grep POD_NAME
2. 获取容器中进程的Pid
docker inspect -f {{.State.Pid}} CONTAINER ID
3. 进入此容器的netns
nsenter -n -u -t Pid
[root@SZD-L0119857 ~]#
[root@SZD-L0119857 ~]# kubectl get pod -owide -n test |grep 30.23.9.105
web-79d98584c4-7st4t 1/1 Running 0 9d 172.1.39.3 30.23.9.105 <none>
web-79d98584c4-ctlc9 0/1 Terminating 0 16d 172.1.39.12 30.23.9.105 <none>
[root@SZD-L0119857 ~]#
[root@SZD-L0119857 ~]#
[root@SZD-L0119857 ~]#
[root@SZD-L0119857 ~]#
[root@SZD-L0119857 ~]# docker ps |grep web-79d98584c4-7st4t
e95decf69c10 b8efb18f159b "nginx -g 'daemon ..." 9 days ago Up 9 days k8s_web_web-79d98584c4-7st4t_test_9e0dde76-b826-11e9-b221-0680e60011a7_0
59fe8c6d5e19 pause-amd64:3.0 "/pause" 9 days ago Up 9 days k8s_POD_web-79d98584c4-7st4t_test_9e0dde76-b826-11e9-b221-0680e60011a7_0
[root@SZD-L0119857 ~]#
[root@SZD-L0119857 ~]#
[root@SZD-L0119857 ~]#
[root@SZD-L0119857 ~]# docker inspect -f {{.State.Pid}} e95decf69c10
23557
[root@SZD-L0119857 ~]#
[root@SZD-L0119857 ~]#
[root@SZD-L0119857 ~]# nsenter -n -u -t 23557
**************************************************************************
* *
*Attention: Auditing process will report your every action! *
*Warning: Don't delete any files in directory /root/slogs!! *
* *
* -PING AN INSURANCE (GRP) COMPANY OF CHINA,LTD.*
**************************************************************************
Script started, file is /root/slogs/2019-08-16_15:50:09pts-1root.log
[root@web-79d98584c4-7st4t ~]#
[root@web-79d98584c4-7st4t ~]#
[root@web-79d98584c4-7st4t ~]#
[root@web-79d98584c4-7st4t ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1450
inet 172.1.39.3 netmask 255.255.255.0 broadcast 0.0.0.0
ether 02:42:ac:01:27:03 txqueuelen 0 (Ethernet)
RX packets 144980595 bytes 11909288233 (11.0 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 121125791 bytes 28587982883 (26.6 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@web-79d98584c4-7st4t ~]#
|
|
QQ群⑧:
窥视卡
雷达卡
发表于 2019-11-26 11:14:22
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡
楼主