我如何从Kubernetes吊舱到Wireshark在本地运行的实时pcap记录?
我试图在Wireshark上看到我的一个Kubernetes吊舱中的实时网络流量。在普通的老码头工人中,我能做到这一点:
docker run --rm --net=container:app_service_1 crccheck/tcpdump -i any --immediate-mode -w - | wireshark -k -i -
这就形成了一个简单的容器,它使用所示的参数运行tcpdump,并将包捕获以pcap格式输送到stdout ( -w -参数)。然后,这个输出通过管道传输到运行在我的主机上的Wireshark,它在数据包到达时显示它们。
如何在Kubernetes中做类似的事情?
我尝试了如下应用修补程序:
template:
spec:
containers:
- name: tcpdumper
image: crccheck/tcpdump
args: ["-i", "any", "--immediate-mode", "-w", "-"]
tty: true
stdin: true我通过运行k attach -it app-service-7bdb7798c5-2lr6q | wireshark -k -i -来应用这个
但这似乎不起作用;Wireshark启动了,但它立即显示了一个错误:
Data written to the pipe is neither in a supported pcap format nor in pcapng format
回答 2
Stack Overflow用户
发布于 2020-06-11 21:46:02
我没有经常使用k8s,但码头运行得到了整个干净的标准,而我得到的印象是,k附加没有。
我不认为kubectl有一个相当于码头运行,这给你干净的标准,但你可能可以做一些与库贝克尔主管。
一个可能的测试是将输出重定向到一个文件,看看它是否是您正在运行的命令的有效输出,并且没有意外的情况。
Stack Overflow用户
发布于 2020-06-12 08:40:16
我强烈建议你读利用侧雷达分析和调试OpenShift和Kubernetes吊舱中的网络流量。
本文解释了为什么不能直接从吊舱读取流量数据,并为您提供了一个如何使用侧雷达实现流量数据的替代方法。
简而言之,容器很可能运行在内部容器平台网络上,而您的机器无法直接访问该网络。
sidecar容器是运行在与实际服务/应用程序相同的容器中,并且能够为服务/应用程序提供附加功能的容器。
有效的TCPdump在库伯内特斯是有点棘手,并要求你创建一个侧车到你的吊舱。你所面对的实际上是预期的行为。
运行好的老东西(如TCPdump或ngrep )不会产生太多有趣的信息,因为在默认情况下,您直接链接到桥接网络或覆盖。 好消息是,您可以将TCPdump容器链接到主机网络,或者更好地链接到容器网络堆栈。来源:如何有效地在码头实施TCPdump
问题是,您有两个入口点,一个是nodeIP:NodePort,另一个是集群is :Port。两者都指向kubernetes iptables上的端点集的相同的随机化规则集。
一旦它发生在任何节点上,就很难将tcpdump配置为只在一点上捕获所有有趣的通信量。
我所知道的用于这类分析的最好工具是Istio,但它主要适用于HTTP流量。
考虑到这一点,最好的解决方案是为服务背后的每个吊舱使用一个tcpdumper侧for。
让我们举个例子来说明如何实现这一点
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: web
name: web-app
spec:
replicas: 2
selector:
matchLabels:
app: web
template:
metadata:
labels:
app: web
spec:
containers:
- name: web-app
image: nginx
imagePullPolicy: Always
ports:
- containerPort: 80
protocol: TCP
- name: tcpdumper
image: docker.io/dockersec/tcpdump
restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
name: web-svc
namespace: default
spec:
ports:
- nodePort: 30002
port: 80
protocol: TCP
targetPort: 80
selector:
app: web
type: NodePort在这个清单上,我们可以注意到树的重要事情。我们有一个nginx容器和一个tcpdumper容器作为侧车,我们有一个定义为NodePort的服务。
要访问sidecar,必须运行以下命令:
$ kubectl attach -it web-app-db7f7c59-d4xm6 -c tcpdumper示例:
$ kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 13d
web-svc NodePort 10.108.142.180 <none> 80:30002/TCP 9d$ curl localhost:30002
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>$ kubectl attach -it web-app-db7f7c59-d4xm6 -c tcpdumper
Unable to use a TTY - container tcpdumper did not allocate one
If you don't see a command prompt, try pressing enter.
> web-app-db7f7c59-d4xm6.80: Flags [P.], seq 1:78, ack 1, win 222, options [nop,nop,TS val 300957902 ecr 300958061], length 77: HTTP: GET / HTTP/1.1
12:03:16.884512 IP web-app-db7f7c59-d4xm6.80 > 192.168.250.64.1336: Flags [.], ack 78, win 217, options [nop,nop,TS val 300958061 ecr 300957902], length 0
12:03:16.884651 IP web-app-db7f7c59-d4xm6.80 > 192.168.250.64.1336: Flags [P.], seq 1:240, ack 78, win 217, options [nop,nop,TS val 300958061 ecr 300957902], length 239: HTTP: HTTP/1.1 200 OK
12:03:16.884705 IP web-app-db7f7c59-d4xm6.80 > 192.168.250.64.1336: Flags [P.], seq 240:852, ack 78, win 217, options [nop,nop,TS val 300958061 ecr 300957902], length 612: HTTP
12:03:16.884743 IP 192.168.250.64.1336 > web-app-db7f7c59-d4xm6.80: Flags [.], ack 240, win 231, options [nop,nop,TS val 300957902 ecr 300958061], length 0
12:03:16.884785 IP 192.168.250.64.1336 > web-app-db7f7c59-d4xm6.80: Flags [.], ack 852, win 240, options [nop,nop,TS val 300957902 ecr 300958061], length 0
12:03:16.889312 IP 192.168.250.64.1336 > web-app-db7f7c59-d4xm6.80: Flags [F.], seq 78, ack 852, win 240, options [nop,nop,TS val 300957903 ecr 300958061], length 0
12:03:16.889351 IP web-app-db7f7c59-d4xm6.80 > 192.168.250.64.1336: Flags [F.], seq 852, ack 79, win 217, options [nop,nop,TS val 300958062 ecr 300957903], length 0
12:03:16.889535 IP 192.168.250.64.1336 > web-app-db7f7c59-d4xm6.80: Flags [.], ack 853, win 240, options [nop,nop,TS val 300957903 ecr 300958062], length 0
12:08:10.336319 IP6 fe80::ecee:eeff:feee:eeee > ff02::2: ICMP6, router solicitation, length 16
12:15:47.717966 IP 192.168.250.64.2856 > web-app-db7f7c59-d4xm6.80: Flags [S], seq 3314747302, win 28400, options [mss 1420,sackOK,TS val 301145611 ecr 0,nop,wscale 7], length 0
12:15:47.717993 IP web-app-db7f7c59-d4xm6.80 > 192.168.250.64.2856: Flags [S.], seq 2539474977, ack 3314747303, win 27760, options [mss 1400,sackOK,TS val 301145769 ecr 301145611,nop,wscale 7], length 0
12:15:47.718162 IP 192.168.250.64.2856 > web-app-db7f7c59-d4xm6.80: Flags [.], ack 1, win 222, options [nop,nop,TS val 301145611 ecr 301145769], length 0
12:15:47.718164 IP 192.168.250.64.2856 > web-app-db7f7c59-d4xm6.80: Flags [P.], seq 1:78, ack 1, win 222, options [nop,nop,TS val 301145611 ecr 301145769], length 77: HTTP: GET / HTTP/1.1
12:15:47.718191 IP web-app-db7f7c59-d4xm6.80 > 192.168.250.64.2856: Flags [.], ack 78, win 217, options [nop,nop,TS val 301145769 ecr 301145611], length 0
12:15:47.718339 IP web-app-db7f7c59-d4xm6.80 > 192.168.250.64.2856: Flags [P.], seq 1:240, ack 78, win 217, options [nop,nop,TS val 301145769 ecr 301145611], length 239: HTTP: HTTP/1.1 200 OK
12:15:47.718403 IP web-app-db7f7c59-d4xm6.80 > 192.168.250.64.2856: Flags [P.], seq 240:852, ack 78, win 217, options [nop,nop,TS val 301145769 ecr 301145611], length 612: HTTP
12:15:47.718451 IP 192.168.250.64.2856 > web-app-db7f7c59-d4xm6.80: Flags [.], ack 240, win 231, options [nop,nop,TS val 301145611 ecr 301145769], length 0
12:15:47.718489 IP 192.168.250.64.2856 > web-app-db7f7c59-d4xm6.80: Flags [.], ack 852, win 240, options [nop,nop,TS val 301145611 ecr 301145769], length 0
12:15:47.723049 IP 192.168.250.64.2856 > web-app-db7f7c59-d4xm6.80: Flags [F.], seq 78, ack 852, win 240, options [nop,nop,TS val 301145612 ecr 301145769], length 0
12:15:47.723093 IP web-app-db7f7c59-d4xm6.80 > 192.168.250.64.2856: Flags [F.], seq 852, ack 79, win 217, options [nop,nop,TS val 301145770 ecr 301145612], length 0
12:15:47.723243 IP 192.168.250.64.2856 > web-app-db7f7c59-d4xm6.80: Flags [.], ack 853, win 240, options [nop,nop,TS val 301145612 ecr 301145770], length 0
12:15:50.493995 IP 192.168.250.64.31340 > web-app-db7f7c59-d4xm6.80: Flags [S], seq 124258064, win 28400, options [mss 1420,sackOK,TS val 301146305 ecr 0,nop,wscale 7], length 0
12:15:50.494022 IP web-app-db7f7c59-d4xm6.80 > 192.168.250.64.31340: Flags [S.], seq 3544403648, ack 124258065, win 27760, options [mss 1400,sackOK,TS val 301146463 ecr 301146305,nop,wscale 7], length 0
12:15:50.494189 IP 192.168.250.64.31340 > web-app-db7f7c59-d4xm6.80: Flags [.], ack 1, win 222, options 您还可以查看克斯尼夫工具,这是一个kubectl插件,它利用tcpdump和Wireshark在Kubernetes集群中的任何吊舱上启动远程捕获。
https://stackoverflow.com/questions/62333136
复制相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号