
@millermatt
Created November 6, 2020 22:40
How-to: run tcpdump on a kubernetes pod from standard EKS EC2 host
# get the node the pod is scheduled on
kubectl describe pod <pod name> | grep Node
# get the EC2 instance id of that node (match on the node's private DNS name)
AWS_PROFILE=<profile> aws ec2 describe-instances --filters Name=private-dns-name,Values=<node name> | jq -r '.Reservations[0].Instances[0].InstanceId'
# open an SSM session to the instance (no SSH port or key needed)
AWS_PROFILE=<profile> aws ssm start-session --target <instance id>
# (optional) switch from the SSM shell to bash
bash
# install tcpdump on the node
sudo yum install tcpdump
# find the docker container backing the pod
sudo docker ps | grep <part of pod name>
# read the container's eth0 iflink: the ifindex of the host-side end of its veth pair
sudo docker exec -it <docker container> cat /sys/class/net/eth0/iflink
# find the host interface with exactly that ifindex (anchor on "<id>: " so 7 does not match 17)
ip -o link | grep "^<eth adapter interface id>: "
# set dump host (the remote host we want to capture traffic from/to)
export DUMP_HOST=<ip or host name>
# start capture on the pod's veth, filtered to traffic with DUMP_HOST
sudo tcpdump -i <virtual ethernet adapter> -v -w /tmp/${DUMP_HOST}.pcap "host ${DUMP_HOST}"
# ctrl+c to stop
# cp file to s3 bucket so it can be downloaded to laptop:
# assume a role that has write permission to the s3 bucket (prints temporary credentials as JSON)
aws sts assume-role --role-arn <role arn> --role-session-name s3-cp
# cp file up using the temporary credentials from the previous step
AWS_ACCESS_KEY_ID=<key from last step> AWS_SECRET_ACCESS_KEY=<secret from last step> AWS_SESSION_TOKEN=<token from last step> aws s3 cp /tmp/${DUMP_HOST}.pcap s3://<bucket>/${DUMP_HOST}.pcap
# download from s3 to local and open with wireshark
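The iflink-to-veth lookup is the step that is easiest to get wrong with a bare grep: the container's iflink is an interface index, and a substring match on a number like 7 also hits index 17 or any line containing a 7 in an MTU or address. The following is an added example, not part of the gist; it matches the host ifindex exactly and derives the capture file name from DUMP_HOST safely. The `ip -o link` sample is constructed, and the `eni*` interface names are assumed for illustration.

```bash
#!/usr/bin/env bash
# Added helper (not from the gist): resolve the host veth for a pod's container
# by exact ifindex match, then build the capture file name from DUMP_HOST.

# veth_for_iflink IFLINK IP_LINK_OUTPUT
# Given the container's eth0 iflink and the text of `ip -o link`, print the
# name of the host interface whose ifindex equals IFLINK (exact match on the
# first field, so 7 never matches 17), with the "@ifN" peer suffix stripped.
veth_for_iflink() {
  local iflink="$1" ip_link_output="$2"
  printf '%s\n' "$ip_link_output" \
    | awk -v idx="$iflink" -F'[: ]+' '$1 == idx { sub(/@.*/, "", $2); print $2; exit }'
}

# pcap_name HOST
# DUMP_HOST goes straight into a path in the gist; replace anything that is
# not [A-Za-z0-9._-] so a stray "/" cannot change the capture location.
pcap_name() {
  printf '%s.pcap\n' "$(printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_')"
}

# container_veth CONTAINER
# Live version for use on the node: needs docker and iproute2 (not exercised
# by the offline test below).
container_veth() {
  local iflink
  iflink=$(sudo docker exec "$1" cat /sys/class/net/eth0/iflink) || return 1
  veth_for_iflink "$iflink" "$(ip -o link)"
}

# Constructed sample of `ip -o link` on an EKS node; interface names are made up.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 02:aa:bb:cc:dd:01 brd ff:ff:ff:ff:ff:ff
7: eni3f2a1b9c0d1@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP mode DEFAULT group default \    link/ether 1a:2b:3c:4d:5e:6f brd ff:ff:ff:ff:ff:ff link-netnsid 0
17: eni9c8d7e6f5a4@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP mode DEFAULT group default \    link/ether 6f:5e:4d:3c:2b:1a brd ff:ff:ff:ff:ff:ff link-netnsid 1'

# Offline demo: a container reporting iflink 7 maps to eni3f2a1b9c0d1, not the
# index-17 interface that a plain `grep 7` would also return.
demo() {
  veth_for_iflink 7 "$SAMPLE_IP_LINK"
}
```

On the node, `sudo tcpdump -i "$(container_veth <docker container>)" -w "/tmp/$(pcap_name "$DUMP_HOST")" "host ${DUMP_HOST}"` replaces the manual grep-and-copy steps.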