1.tcpdump 使用简介

$ tcpdump -h
tcpdump version 4.9.3
libpcap version 1.9.1 (with TPACKET_V3)
OpenSSL 1.1.1f  31 Mar 2020
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqStuUvxX#] [ -B size ] [ -c count ]
                [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
                [ -i interface ] [ -j tstamptype ] [ -M secret ] [ --number ]
                [ -Q in|out|inout ]
                [ -r file ] [ -s snaplen ] [ --time-stamp-precision precision ]
                [ --immediate-mode ] [ -T type ] [ --version ] [ -V file ]
                [ -w file ] [ -W filecount ] [ -y datalinktype ] [ -z postrotate-command ]
                [ -Z user ] [ expression ]

# -n ：不解析地址，直接以 IP 及 port number 显示，而非主机名与服务名称
# -i ：后面接要『监听』的网络接口，例如 eth0, lo, ppp0 等等
# -c ：抓包数量，如果没有这个参数， tcpdump 会持续不断的监听，直到使用者输入 [ctrl]-c 为止   
# -e ：输出dump的报文的链路层(OSI 第二层)信息（包括源目MAC和以太类型）
# -q ：quick mode，仅列出较为简短的封包信息，每一行的内容比较精简
# -s ：抓包的长度，默认是96字节。如果要把报文保存下来分析，需配置此参数
# -A ：抓包内容以 ASCII 显示，做WWW 的网页很有用
# -X ：可以列出十六进制 (hex) 以及 ASCII 的抓包内容，对于观察内容很有用
# -r ：从后面接的文件中读取数据，这个『文件』是由 -w 所生成的
# -w ：把抓取数据保存到文件，后面接文件名
# -v ：verbose output 打印详细的输出
# -vv ：more verbose output，打印更加详细的输出

常用的expression：
● host：匹配v4/v6地址，可以匹配源和目的。
● src host：匹配源v4/v6地址
● dst host：匹配目的v4/v6地址
● ether src：匹配源MAC
● ether dst：匹配目的MAC
● net：匹配网络地址范围
● src net：匹配源网络地址范围
● dst net: 匹配目的网络地址范围
● port：匹配端口号
● src port：匹配源端口号
● dst port：匹配目的端口号
● ip proto：匹配IP协议号，可以跟数字或者知名的协议名
● ether proto: 匹配以太类型
● vlan: 匹配VLAN号
● 缩写: ip ip6 arp stp tcp udp icmp（ether proto和ip proto的缩写）
● 逻辑符：not and or，not的优先级最高，and和or的优先级相同，从左往右依次生效

tcpdump 的表达式样例：

# 1.截取 1.1.1.1 主机所有收到的和发出的的报文，并把信息打印到 stdout
$ tcpdump 'host 1.1.1.1'

# 2. 截取主机 1.1.1.1 和主机 1.1.1.2 或 192.168.111.3 的通信，并且不做解析
$ tcpdump 'host 1.1.1.1 and 1.1.1.2 or 192.168.111.3' -n

# 3.截取源 IP 为 210.2.2.4 主机给目的IP为 192.168.0.0 的报文：
$ tcpdump 'src host 210.2.2.4 and dst net 192.168.0.0'

# 4.截取主机为 210.2.2.4 和端口号为 8081 的报文：
$ tcpdump 'host 210.2.2.4 and port 8081'

# 5.截取源 IP 是 210.2.2.4 主机发送给目的 IP 和端口为 192.168.0.0:8081 的报文，并把它保存到 tcp_dump_data.cap 文件中
$ tcpdump 'src host 210.2.2.4 and dst host 192.168.0.0 and dst port 8081'  -w tcp_dump_data.cap

# 6.截取源 IP 是 210.2.2.4，发送的所有的经过 eth0 网卡的所有报文
tcpdump 'src host 210.2.2.4' -i eth0

2.在宿主机上使用 tcpdump 抓取容器的报文

关键点：在宿主机监听容器 IP 和 端口，需要利用工具 nsenter 进入容器进程的 network namesapce，例如 nsenter -t 14885 -n -p 表示进入进程 14885 的 network namespace、pid namespace

# 1.在宿主机上获取容器Id
# 查询 svc 端口
$  kubectl get svc -ntest -owide |grep flink
service-flink-jobmanager           ClusterIP   10.96.0.62    <none>        8123/TCP,8124/TCP,8089/TCP,50010/TCP                                                                 27d     app=flink,component=jobmanager

# ssh到容器所在的宿主机
$ kubectl get pod -ntest -owide |grep flink-jobmanager
flink-jobmanager-5bdf56747-g4bsj    1/1     Running   0          5d17h   10.244.3.81     worker-0010
$ ssh worker-0010
$ docker ps |grep flink-jobmanager-7b58565dc8-msgpp
04d1b1899c2a        192.168.31.37:5000/flink                      "bash -cx /opt/flink/s…"   3 weeks ago         Up 3 weeks                              k8s_flink-jobmanager-7b58565dc8-msgpp_4b6d15d8-7b54-41fb-bf46-ffa91aa33963_0
567ba6d9a31f        192.168.31.37:5000/pause:3.2                           "/pause"                 3 weeks ago         Up 3 weeks                              k8s_POD_flink-jobmanager-7b58565dc8-msgpp_4b6d15d8-7b54-41fb-bf46-ffa91aa33963_0

# 2.根据容器Id查询容器在宿主机上的Pid
$ docker inspect 04d1b1899c2a |grep Pid
            "Pid": 63046,
            "PidMode": "",
            "PidsLimit": 0,

# 3.进入容器Pid所在的network namespace
$ nsenter -t 63046 -n

# 4.使用 tcpdump 抓包
tcpdump 'src host 10.244.3.81 and src port 8089'
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:54:49.563413 IP worker-0010.8089 > _gateway.20444: Flags [S.], seq 2899382800, ack 16865042, win 27960, options [mss 1410,sackOK,TS val 3697771296 ecr 1082429947,nop,wscale 7], length 0
01:54:49.563708 IP worker-0010.8089 > _gateway.20444: Flags [.], ack 262, win 227, options [nop,nop,TS val 3697771296 ecr 1082429947], length 0
01:54:49.565766 IP worker-0010.8089 > _gateway.20444: Flags [P.], seq 1:1278, ack 262, win 227, options [nop,nop,TS val 3697771298 ecr 1082429947], length 1277
01:54:49.566762 IP worker-0010.8089 > _gateway.20444: Flags [P.], seq 1278:1329, ack 355, win 227, options [nop,nop,TS val 3697771299 ecr 1082429950], length 51
01:54:49.567561 IP worker-0010.8089 > _gateway.20444: Flags [P.], seq 1329:1461, ack 509, win 236, options [nop,nop,TS val 3697771300 ecr 1082429951], length 132
01:54:49.567849 IP worker-0010.8089 > _gateway.20444: Flags [P.], seq 1461:1492, ack 541, win 236, options [nop,nop,TS val 3697771300 ecr 1082429951], length 31
01:54:51.987146 IP worker-0010.8089 > _gateway.20486: Flags [S.], seq 242954397, ack 3505559798, win 27960, options [mss 1410,sackOK,TS val 3697773720 ecr 1082432371,nop,wscale 7], length 0
01:54:51.987423 IP worker-0010.8089 > _gateway.20486: Flags [.], ack 262, win 227, options [nop,nop,TS val 3697773720 ecr 1082432371], length 0
01:54:51.989664 IP worker-0010.8089 > _gateway.20486: Flags [P.], seq 1:1278, ack 262, win 227, options [nop,nop,TS val 3697773722 ecr 1082432371], length 1277
01:54:51.990511 IP worker-0010.8089 > _gateway.20486: Flags [P.], seq 1278:1329, ack 355, win 227, options [nop,nop,TS val 3697773723 ecr 1082432374], length 51
01:54:51.991106 IP worker-0010.8089 > _gateway.20486: Flags [P.], seq 1329:1461, ack 508, win 236, options [nop,nop,TS val 3697773724 ecr 1082432374], length 132
01:54:51.991288 IP worker-0010.8089 > _gateway.20486: Flags [P.], seq 1461:1492, ack 540, win 236, options [nop,nop,TS val 3697773724 ecr 1082432375], length 31
01:54:52.925539 IP worker-0010.8089 > 10.244.3.195.54930: Flags [S.], seq 2047958668, ack 2355521248, win 27960, options [mss 1410,sackOK,TS val 2189379360 ecr 489972800,nop,wscale 7], length 0
01:54:52.927597 IP worker-0010.8089 > 10.244.3.195.54930: Flags [.], ack 317, win 227, options [nop,nop,TS val 2189379362 ecr 489972802], length 0
01:54:52.928100 IP worker-0010.8089 > 10.244.3.195.54930: Flags [P.], seq 1:148, ack 317, win 227, options [nop,nop,TS val 2189379363 ecr 489972802], length 147
01:54:52.929826 IP worker-0010.8089 > 10.244.3.195.54930: Flags [.], ack 1721, win 249, options [nop,nop,TS val 2189379364 ecr 489972804], length 0
01:54:52.944145 IP worker-0010.8089 > 10.244.3.195.54930: Flags [P.], seq 148:324, ack 2116, win 271, options [nop,nop,TS val 2189379379 ecr 489972805], length 176
01:54:52.944241 IP worker-0010.8089 > 10.244.3.195.54930: Flags [P.], seq 324:1892, ack 2116, win 271, options [nop,nop,TS val 2189379379 ecr 489972805], length 1568
01:54:52.944373 IP worker-0010.8089 > 10.244.3.195.54930: Flags [P.], seq 1892:1926, ack 2116, win 271, options [nop,nop,TS val 2189379379 ecr 489972805], length 34
01:54:52.947224 IP worker-0010.8089 > 10.244.3.195.54932: Flags [S.], seq 3172374436, ack 1388865001, win 27960, options [mss 1410,sackOK,TS val 2189379382 ecr 489972822,nop,wscale 7], length 0
01:54:52.959977 IP worker-0010.8089 > 10.244.3.195.54932: Flags [.], ack 317, win 227, options [nop,nop,TS val 2189379395 ecr 489972835], length 0
...省略

参考：
1.Linux tcpdump 命令
2.如何学习 tcpdump 表达式？