Cloud Native 11 min read

Capture Live Pod Traffic with kubectl sniff: A Complete Guide

This guide introduces the kubectl sniff plugin for Kubernetes, explains its non‑privileged and privileged modes, walks through installation via krew or offline, and provides step‑by‑step commands to capture pod traffic with tcpdump and view it in Wireshark, enhancing network debugging efficiency.

Linux Ops Smart Journey

In Kubernetes, the Pod is the smallest deployable unit, and network communication between Pods is a frequent source of trouble. When a service fails, latency spikes, or data looks wrong, the reliable way to find out what is happening is to look at the traffic on the wire.

The traditional method is to log in to the node, enter the container's network namespace, and run tcpdump there. That is cumbersome and requires shell access to the node. A more elegant, efficient, and safer alternative is the kubectl sniff plugin.

What is kubectl sniff?

ksniff is a kubectl plugin designed for Kubernetes to perform remote packet capture on Pods, combining tcpdump's capture ability with Wireshark's graphical analysis, greatly simplifying container network troubleshooting.

How it works

Upload tool: a statically linked tcpdump binary is uploaded to a temporary directory in the target container (e.g., /tmp/static-tcpdump).

Command execution: tcpdump is executed inside the container (e.g., /tmp/static-tcpdump -i any -U -w -), and its pcap output is streamed back to the local machine over the kubectl exec (SPDY) connection.

Launch Wireshark: Wireshark is opened locally and reads the live pcap stream.

Installation

Install the sniff plugin via krew. If krew is not installed yet, install it first.

<code>$ kubectl krew install sniff</code>

Tip: in some network environments (the original notes mainland China) the download from GitHub fails during installation; an offline method is provided below.

Offline installation

Create a plugin manifest file (sniff.yaml) and download the ksniff.zip release package, then install from the local archive. krew checks the archive against the sha256 recorded in the manifest, so the hash must match the downloaded file:

<code>cat <<'EOF' | tee sniff.yaml
apiVersion: krew.googlecontainertools.github.com/v1alpha2
kind: Plugin
metadata:
  name: sniff
spec:
  version: v1.6.2
  homepage: https://github.com/eldadru/ksniff
  platforms:
  - uri: https://github.com/eldadru/ksniff/releases/download/v1.6.2/ksniff.zip
    sha256: c59b5c9ea84d6cb771096f1246c919b71389f9d4234e858f4929208957e561fd
    bin: kubectl-sniff
    files:
    # the plugin binary named in "bin" must be copied from the archive as well
    - from: kubectl-sniff
      to: .
    - from: static-tcpdump
      to: .
    selector:
      matchLabels:
        os: linux
        arch: amd64
  shortDescription: Start a remote packet capture on pods using tcpdump and wireshark
  caveats: |
    This plugin needs the following programs:
    * wireshark (optional, used for live capture)
  description: |
    When working with micro-services, it's very helpful to get a capture of the network activity between your micro-service and its dependencies.
    ksniff uses kubectl to upload a statically compiled tcpdump binary to your pod and redirects its output to your local Wireshark for smooth network debugging experience.
EOF</code>
<code>$ wget https://github.com/eldadru/ksniff/releases/download/v1.6.2/ksniff.zip</code>
<code>$ kubectl krew install --manifest sniff.yaml --archive ksniff.zip</code>

Practical sniff capture

Validate both non-privileged and privileged modes. In the commands below, k is a shell alias for kubectl.

Non‑privileged mode

<code>$ k sniff -n default client-84dc6fbbb-lsj6m -f "port 1234" -o test.pcap</code>

The output shows the static tcpdump being uploaded and verified, then tcpdump running inside the pod and the capture being streamed to test.pcap.

Privileged mode

Privileged mode uses two helper images (a ksniff helper and a tcpdump image). If the cluster cannot reach Docker Hub, mirror them to a registry the nodes can pull from (the example uses a private registry) and pass the mirrored names with --image and --tcpdump-image:

<code>$ sudo docker pull docker.io/hamravesh/ksniff-helper:v3
$ sudo docker tag docker.io/hamravesh/ksniff-helper:v3 core.jiaxzeng.com/library/ksniff-helper:v3
$ sudo docker push core.jiaxzeng.com/library/ksniff-helper:v3
$ sudo docker pull docker.io/maintained/tcpdump:latest
$ sudo docker tag docker.io/maintained/tcpdump:latest core.jiaxzeng.com/library/tcpdump:4.99.1
$ sudo docker push core.jiaxzeng.com/library/tcpdump:4.99.1</code>
<code>$ k sniff -n default simple-7788cd4d7d-98rsx -p --image core.jiaxzeng.com/library/ksniff-helper:v3 --tcpdump-image core.jiaxzeng.com/library/tcpdump:4.99.1 -o test.pcap</code>

This creates a privileged helper pod on the target's node, pulls the images, runs tcpdump against the target pod's network, and streams the output to test.pcap.

Mode selection requirements

Non-privileged: the target pod runs as root and has /bin/sh available.

Privileged: the node must be able to pull both images, and the sniff helper pod is not removed automatically; you must delete it manually after use.
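The following script is an added example, not ksniff's own code: it reproduces the upload, verify, execute and stream flow from the "How it works" section with plain kubectl, and checks the non-privileged preconditions from the mode selection section before uploading anything. It assumes the static-tcpdump binary sits in the krew store (override with KSNIFF_TCPDUMP), that the container has tar (kubectl cp needs it), and that the capture is stopped with Ctrl-C.

```shell
#!/bin/sh
# Added example, not part of ksniff: the plugin's non-privileged flow done
# by hand so each step can be inspected, audited or adapted.
set -eu

# Argument list ksniff runs inside the pod: every interface, packet-buffered
# writes (-U), pcap stream on stdout, optional BPF filter appended.
tcpdump_args() {
  filter="${1:-}"
  if [ -n "$filter" ]; then printf '%s' "-i any -U -w - $filter"
  else printf '%s' "-i any -U -w -"; fi
}

# Compare a local file's sha256 with a digest reported elsewhere (here: the
# one sha256sum prints inside the pod). Returns 0 on match, 1 otherwise.
sha_matches() {
  local_sum=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$local_sum" = "$2" ]
}

# Non-privileged preconditions from the article: root in the container and a
# usable /bin/sh. Non-zero status means fall back to privileged mode (-p).
can_sniff_unprivileged() {
  ns="$1"; pod="$2"
  [ "$(kubectl exec -n "$ns" "$pod" -- id -u)" = "0" ] &&
    kubectl exec -n "$ns" "$pod" -- test -x /bin/sh
}

# Upload, verify the upload, capture to a local pcap, and remove the uploaded
# binary again (ksniff itself leaves /tmp/static-tcpdump behind).
manual_sniff() {
  ns="$1"; pod="$2"; filter="${3:-}"; out="${4:-capture.pcap}"
  # Assumed location of the binary krew installed with the plugin.
  bin="${KSNIFF_TCPDUMP:-$HOME/.krew/store/sniff/v1.6.2/static-tcpdump}"
  can_sniff_unprivileged "$ns" "$pod" || { echo "use privileged mode (-p)" >&2; return 2; }
  kubectl cp "$bin" "$ns/$pod:/tmp/static-tcpdump"   # needs tar in the container
  kubectl exec -n "$ns" "$pod" -- chmod 700 /tmp/static-tcpdump
  remote=$(kubectl exec -n "$ns" "$pod" -- sha256sum /tmp/static-tcpdump | cut -d' ' -f1)
  sha_matches "$bin" "$remote" || { echo "uploaded binary does not match local copy" >&2; return 1; }
  cleanup() { kubectl exec -n "$ns" "$pod" -- rm -f /tmp/static-tcpdump; }
  trap 'cleanup; trap - INT; exit 130' INT   # Ctrl-C ends the capture, still cleans up
  # Word-splitting here is intended: tcpdump takes the filter as separate words.
  kubectl exec -n "$ns" "$pod" -- /tmp/static-tcpdump $(tcpdump_args "$filter") > "$out"
  cleanup
}
```

Usage, e.g. `manual_sniff default client-84dc6fbbb-lsj6m "port 1234" test.pcap`, then open test.pcap in Wireshark.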

Conclusion

In complex micro‑service architectures on Kubernetes, network issues are among the hardest to locate. kubectl sniff provides a lightweight, non‑intrusive packet capture method that greatly improves diagnostic efficiency.

Written by Linux Ops Smart Journey

The operations journey never stops—pursuing excellence endlessly.
