Version: latest

tcpdump

The tcpdump gadget captures packets in container contexts and supports pcap-compatible filters. It is usually combined with the pcap-ng output mode, with the output piped to the tcpdump command or written to a file; see the guide below.

Getting started

Running the gadget:

$ kubectl gadget run ghcr.io/inspektor-gadget/gadget/tcpdump:latest [flags]

Flags

--snaplen

Sets the maximum number of bytes to capture from a packet.

Default value: 0

Guide

Piping to tcpdump

To have tcpdump analyze the captured traffic directly, use the pcap-ng output mode and pipe IG's output to tcpdump like so:

$ ig run tcpdump:latest --host --pf "port 80" -o pcap-ng | tcpdump -nvr -
14:18:23.386163 IP (tos 0x0, ttl 64, id 59190, offset 0, flags [DF], proto TCP (6), length 60)
172.17.0.2.53618 > 13.107.253.67.80: Flags [S], cksum 0xb6f0 (incorrect -> 0x68f7), seq 1211089028, win 64240, options [mss 1460,sackOK,TS val 3404957675 ecr 0,nop,wscale 7], length 0
14:18:23.405108 IP (tos 0x0, ttl 127, id 3783, offset 0, flags [none], proto TCP (6), length 48)
13.107.253.67.80 > 172.17.0.2.53618: Flags [S.], cksum 0x988a (correct), seq 2080464456, ack 1211089029, win 32768, options [mss 1460,wscale 1,nop], length 0
14:18:23.405212 IP (tos 0x0, ttl 64, id 59191, offset 0, flags [DF], proto TCP (6), length 40)
172.17.0.2.53618 > 13.107.253.67.80: Flags [.], cksum 0xb6dc (incorrect -> 0x425a), ack 1, win 502, length 0
14:18:23.405869 IP (tos 0x0, ttl 64, id 59192, offset 0, flags [DF], proto TCP (6), length 116)
172.17.0.2.53618 > 13.107.253.67.80: Flags [P.], cksum 0xb728 (incorrect -> 0x4206), seq 1:77, ack 1, win 502, length 76: HTTP
14:18:23.406531 IP (tos 0x0, ttl 127, id 3784, offset 0, flags [none], proto TCP (6), length 40)
13.107.253.67.80 > 172.17.0.2.53618: Flags [.], cksum 0x0404 (correct), ack 77, win 16384, length 0
14:18:23.433402 IP (tos 0x0, ttl 127, id 3785, offset 0, flags [none], proto TCP (6), length 319)
13.107.253.67.80 > 172.17.0.2.53618: Flags [P.], cksum 0x98ef (correct), seq 1:280, ack 77, win 16384, length 279: HTTP, length: 279
HTTP/1.1 307 Temporary Redirect
Date: Wed, 30 Jul 2025 12:18:23 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
Location: https://microsoft.com/
X-Cache: CONFIG_NOCACHE

14:18:23.433435 IP (tos 0x0, ttl 64, id 59193, offset 0, flags [DF], proto TCP (6), length 40)
172.17.0.2.53618 > 13.107.253.67.80: Flags [.], cksum 0xb6dc (incorrect -> 0x40f8), ack 280, win 501, length 0
14:18:23.434372 IP (tos 0x0, ttl 64, id 59194, offset 0, flags [DF], proto TCP (6), length 40)
172.17.0.2.53618 > 13.107.253.67.80: Flags [F.], cksum 0xb6dc (incorrect -> 0x40f7), seq 77, ack 280, win 501, length 0
14:18:23.436706 IP (tos 0x0, ttl 127, id 3786, offset 0, flags [none], proto TCP (6), length 40)
13.107.253.67.80 > 172.17.0.2.53618: Flags [.], cksum 0x02ec (correct), ack 78, win 16384, length 0
14:18:23.466609 IP (tos 0x0, ttl 127, id 3787, offset 0, flags [none], proto TCP (6), length 40)
13.107.253.67.80 > 172.17.0.2.53618: Flags [F.], cksum 0x02eb (correct), seq 280, ack 78, win 16384, length 0
14:18:23.466629 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
172.17.0.2.53618 > 13.107.253.67.80: Flags [.], cksum 0x40f6 (correct), ack 281, win 501, length 0
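
When the capture is kept as evidence rather than read live, it helps to know which packets were cut short by a capture limit such as --snaplen. The following is an added example, not part of the Inspektor Gadget documentation: a minimal pcap-ng reader that reports packets whose captured length is smaller than their original length. It assumes the -o pcap-ng stream is standard pcap-ng with both lengths filled in; the function names and the SAMPLE bytes are constructed for illustration.

```python
import io
import struct
import sys

SHB, IDB, EPB, BOM = 0x0A0D0D0A, 0x1, 0x6, 0x1A2B3C4D  # block types, byte-order magic

def read_blocks(stream):
    """Yield (block_type, body, endian) for every pcap-ng block in a byte stream."""
    endian = "<"
    while len(head := stream.read(8)) == 8:
        extra = b""
        if struct.unpack("<I", head[:4])[0] == SHB:  # SHB type reads the same in both orders
            extra = stream.read(4)                   # byte-order magic fixes the endianness
            endian = {struct.pack("<I", BOM): "<", struct.pack(">I", BOM): ">"}.get(extra)
            if endian is None:
                raise ValueError("bad byte-order magic")
        btype, total = struct.unpack(endian + "II", head)
        if total < 12 + len(extra) or total % 4:
            raise ValueError("bad block length")
        body = extra + stream.read(total - 12 - len(extra))
        if len(body) != total - 12 or stream.read(4) != struct.pack(endian + "I", total):
            raise ValueError("truncated or corrupt block")
        yield btype, body, endian

def truncated_packets(stream):
    """Return (packet_count, [(index, captured_len, original_len), ...]) for cut packets."""
    count, cut = 0, []
    for btype, body, endian in read_blocks(stream):
        if btype != EPB or len(body) < 20:
            continue  # only Enhanced Packet Blocks carry both lengths
        caplen, origlen = struct.unpack(endian + "II", body[12:20])
        count += 1
        if caplen < origlen:
            cut.append((count, caplen, origlen))
    return count, cut

def _block(btype, body):  # helper that builds the constructed sample below
    body += b"\x00" * (-len(body) % 4)
    total = len(body) + 12
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

SAMPLE = (  # constructed stream: one interface, one full packet, one cut at 64 bytes
    _block(SHB, struct.pack("<IHHq", BOM, 1, 0, -1))
    + _block(IDB, struct.pack("<HHI", 1, 0, 64))
    + _block(EPB, struct.pack("<5I", 0, 0, 0, 60, 60) + bytes(60))
    + _block(EPB, struct.pack("<5I", 0, 0, 0, 64, 319) + bytes(64))
)

if __name__ == "__main__":  # pass "-" to read a piped pcap-ng stream from stdin
    print(truncated_packets(sys.stdin.buffer if sys.argv[1:] == ["-"] else io.BytesIO(SAMPLE)))
```

Saved under a name of your choosing, the script can take the place of tcpdump at the end of the pipe above when called with `-` as its only argument; without arguments it runs on the constructed sample.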