How to run a tcpdump at Pod Level in RTF Appliance

Publish Date: Mar 16, 2026
Task

GOAL

Steps to identify the Pod-level interface name so that you can run tcpdump against it (to capture network packets). This article is similar to How to Capture Networking Traffic of a Mule Application Pod in RTF, which provides a downloadable script instead of manual steps.

Note: This article is for RTF Appliance, which is now EOL. For RTF BYOK, refer to this article.

Steps

Pre-requisite

  • Log into the Linux node (controller/worker) where the Pod (e.g. "mule app replica") is running. Identify this using "kubectl get pods --all-namespaces -o wide". It is important to perform the network capture on the correct node where the process runs.
  • Run "gravity enter" to enter gravity.

Commands

1. docker ps | grep -i <pod_name> 
2. docker inspect <id_from_prev_output> --format '{{ .State.Pid }}'
3. nsenter -t <pid_from_prev_output> -n ip addr
4. ip addr | grep "^<eth_number_from_prev_output>"
5. tcpdump -nnvp -i <veth_from_prev_output> '<filter>' [<other tcpdump options>]

Examples

1. The application name is "ah-rtf-hello-v1". Note down the "9d6df4501765" value in the first column.
ip-172-31-0-5:/$ docker ps | grep ah-rtf-hello-v1 
...
9d6df4501765        494141260463.dkr.ecr.us-east-1.amazonaws.com/mulesoft/poseidon-runtime-4.2.2        "/docker-entrypoint.…"   19 minutes ago      Up 19 minutes                           k8s_app_ah-rtf-hello-v1-dc55d465b-mmqg4_fff5df7b-c49d-48c9-967d-0071412717c4_b81042e5-a7b7-11eb-8163-02a1dbec8f10_0
...
You will get one line of output for each container within the pod, including the initial pause container. Any ID will suffice to continue and return the same result.
 
2. Note down 26224.
ip-172-31-0-9:/$ docker inspect 9d6df4501765 --format '{{ .State.Pid }}'
26224
3. Ignore the loopback interface. Look for the ethernet interface (in this case eth0). In the output below we note down eth0@if189, which means eth0 is paired with interface number 189 on the host.
ip-172-31-0-9:/$ nsenter -t 26224 -n ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth0@if189: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 8951 qdisc noqueue state UP group default
    link/ether 8a:eb:5e:97:02:81 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.244.3.26/24 brd 10.244.3.255 scope global eth0
       valid_lft forever preferred_lft forever
4. Look for the line starting with "189", the number identified in the previous step. Note down the veth name veth731c8fbe@if3.
ip-172-31-0-9:/$ ip addr | grep "^189"
189: veth731c8fbe@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 8951 qdisc noqueue master cni0 state UP group default
5. The tcpdump command uses the interface veth731c8fbe (remove @if3) identified in the previous step. The example below filters for port 25 traffic and saves the output to a file.
tcpdump -nnvp -i veth731c8fbe 'port 25' -w /ext/share/pod_capture.pcap
6. After the traffic has been captured, stop the tcpdump command (e.g. Ctrl+C or kill the tcpdump process).

7. Exit gravity ("exit" command)

8. The tcpdump capture file will be located on the Linux host at /var/lib/gravity/planet/share/pod_capture.pcap. You can work with your Linux team to download the file.

For more information about tcpdump filters and other options, refer to its manual page or documentation, or ask your infrastructure team.
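
Steps 1 to 4 as a script, added here as an example (it is not part of the original article and is not the downloadable script the article mentions). The function names and SAMPLE_* variables are hypothetical, and the 1890 line with vethdeadbeef is constructed to show why the index is matched exactly rather than by prefix; the other sample lines are the article's own output.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names): map a pod's eth0 to its host veth.

# Reads `ip addr` output from inside the pod's network namespace on stdin and
# prints the peer index of the first veth-style interface (eth0@if189 -> 189).
peer_ifindex() {
  awk '/^[0-9]+: / && $2 ~ /@if[0-9]+:$/ {
         sub(/^.*@if/, "", $2); sub(/:$/, "", $2); print $2; exit }'
}

# Reads the host's `ip addr` output on stdin and prints the name of the
# interface whose index is exactly $1 (an exact match, so 189 never hits 1890).
host_ifname() {
  awk -v idx="$1" '$1 == (idx ":") {
         sub(/@.*$/, "", $2); sub(/:$/, "", $2); print $2; exit }'
}

# Chains steps 1-4 for a pod name. Run as root after "gravity enter".
pod_veth() (
  cid=$(docker ps | grep -i -- "$1" | awk 'NR == 1 { print $1 }')
  [ -n "$cid" ] || { echo "no running container matches $1" >&2; exit 1; }
  pid=$(docker inspect "$cid" --format '{{ .State.Pid }}')
  idx=$(nsenter -t "$pid" -n ip addr | peer_ifindex)
  [ -n "$idx" ] || { echo "no veth peer index in PID $pid netns" >&2; exit 1; }
  ip addr | host_ifname "$idx"
)

# Sample input: the article's example output, plus one constructed line (1890).
SAMPLE_NS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
3: eth0@if189: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 8951 qdisc noqueue state UP group default
    link/ether 8a:eb:5e:97:02:81 brd ff:ff:ff:ff:ff:ff link-netnsid 0'
SAMPLE_HOST='1890: vethdeadbeef@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 8951 qdisc noqueue master cni0 state UP group default
189: veth731c8fbe@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 8951 qdisc noqueue master cni0 state UP group default'

# Offline check of the two parsers against the sample text.
resolve_sample() {
  printf '%s\n' "$SAMPLE_HOST" |
    host_ifname "$(printf '%s\n' "$SAMPLE_NS" | peer_ifindex)"
}
```

On the node, the name printed by pod_veth <pod_name> is the value to pass to tcpdump -i in step 5.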
Knowledge Article Number

001116257

 