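The business applications are deployed on k8s, and we need to capture packets for a specific pod.
For example, here we capture packets for the cee-gateway-web application in the cee-qa namespace.
1 Find the container's network interface name
1.1 Find the k8s node the pod runs on: szidc-dev5-stand-k8snode-205-118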
# kubectl get pod -n cee-qa -o wide |grep cee-gateway-web
cee-gateway-web-78d7b9874-npc2b 1/1 Running 0 5d21h 10.121.76.5 szidc-dev5-stand-k8snode-205-118 <none> <none>
1.2 Find the container ID
## Log in to node szidc-dev5-stand-k8snode-205-118 and find the container ID
# docker ps |grep cee-gateway-web
cf56515322b4 reg.linklogis.com/cee/cee-gateway-web "/bin/sh -c /opt/sta…" 5 days ago Up 5 days k8s_cee-gateway-web_cee-gateway-web-78d7b9874-npc2b_cee-qa_d7438a84-a0b5-472c-95af-53f4ca24bc80_0
d2c1a0a7fd53 reg.hrlyit.com/kubernetes/pause:3.5 "/pause" 5 days ago Up 5 days k8s_POD_cee-gateway-web-78d7b9874-npc2b_cee-qa_d7438a84-a0b5-472c-95af-53f4ca24bc80_0
1.3 Get the container's PID from the container ID
# docker inspect --format '{{.State.Pid}}' cf56515322b4
3132225
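1.4 Get the container's interface index from the container PID
The 7799 in eth0@if7799 is the interface index to look up on the node: it is the index of the host-side peer of the container's eth0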
# nsenter -n -t 3132225 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
4: eth0@if7799: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1440 qdisc noqueue state UP group default
link/ether 9e:82:c6:06:c3:17 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.121.76.5/32 brd 10.121.76.5 scope global eth0
valid_lft forever preferred_lft forever
1.5 Use that interface index to find the actual interface name on the node
# ip addr |grep 7799
7799: califd29e49efb6@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1440 qdisc noqueue state UP group default
The resulting califd29e49efb6 is the network interface that corresponds to the container
2 Capture packets on port 8100
tcpdump -i califd29e49efb6 port 8100 -nn -vvv -w 8100.pcap
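
The lookup in steps 1.3 to 1.5 as a script, added here as an example and not part of the original write-up: it matches the interface index exactly, so an unrelated line that merely contains 7799 (for example an interface with index 17799) is not picked up the way `grep 7799` would. The function names, the script name `pod-veth.sh` and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): resolve a container's host-side
# veth by exact interface index instead of a loose `grep`.

# Print N from the "<ifc>@ifN" entry in `ip addr` output read on stdin.
peer_ifindex() {
    awk -v ifc="${1:-eth0}" '
        $1 ~ /^[0-9]+:$/ {
            split($2, a, "@")
            if (a[1] == ifc && a[2] ~ /^if[0-9]+:$/) {
                gsub(/[^0-9]/, "", a[2]); print a[2]; exit
            }
        }'
}

# Print the name of the interface whose index is exactly $1 (stdin: `ip addr`).
host_ifname() {
    awk -v idx="$1" '
        $1 == (idx ":") { n = $2; sub(/[@:].*$/, "", n); print n; exit }'
}

# Constructed sample data mirroring the output shown above; the 17799 line is
# a decoy that `grep 7799` would also match.
demo() {
    ctr='2: tunl0@NONE: <NOARP> mtu 1480
4: eth0@if7799: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1440'
    host='17799: calidecoy000000@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1440
7799: califd29e49efb6@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1440'
    idx=$(printf '%s\n' "$ctr" | peer_ifindex eth0)
    printf '%s\n' "$host" | host_ifname "$idx"
}

# On the node, as root: sh pod-veth.sh <container-id>
if [ "$#" -ge 1 ]; then
    pid=$(docker inspect --format '{{.State.Pid}}' "$1") || exit 1
    idx=$(nsenter -n -t "$pid" ip addr | peer_ifindex eth0)
    [ -n "$idx" ] || { echo "no eth0@ifN in netns of pid $pid" >&2; exit 1; }
    dev=$(ip addr | host_ifname "$idx")
    [ -n "$dev" ] || { echo "no host interface with index $idx" >&2; exit 1; }
    echo "$dev"
else
    demo    # no arguments: run against the constructed sample
fi
```

The printed name is the value to pass to `tcpdump -i` in step 2.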